I know there is AD SSO in NAC. I'd like to have SSO with ACS which is integrated with AD. is there any document to show how to configure SSO with ACS Express or ACS?
In short no - or at least I should say that I don't know of any way to do it. To do SSO with ACS you're looking at logging in to Windows with Radius or TACACS+. This means that the Windows GINA (The Ctrl-Alt-Del piece of code) should be able to talk Radius or TACACS+ with the ACS server.
The only SSOs supported on CCA are AD SSO (where you login to your Windows machine and SSO happens) or Radius SSO (Wireless/VPN sort of setup). The second sort is where you can do accounting on ACS. With an AD authentication, I know of no way for it to be accounted for in ACS.
One thing you could do theoratically is to send an accounting record/packet to your ACS express from the DCs or from the machine itself, but these are far-fetched solutions and would require quite a lot of work/testing etc.
So in short, no :-)
[EDIT] One option which I completely forgot about, and could work for your customer is to configure accounting server in CCA. That way you can log in to AD and still send accounting packets to an accounting server. More information here: