Cisco Clean Access

n.oneill
Level 1

Can someone tell me how CCA differs from NAC? The two technologies seem to have a lot of overlap.

Thanks

9 Replies

p-lees
Level 1

Hi,

NAC needs the installation of a small client app called the CTA (Cisco Trust Agent) in order to check the security posture of the client. With CCA, the solution is clientless, and is therefore useful if you have no control over what device the client is connecting from.

Both solutions basically provide similar services, i.e. testing remote client conformity to a security policy before allowing access to a network.

Phil

Thanks for the reply Phil.

Would CCA not be the better option if no client app is required, or are there things NAC can do that CCA can't, or is it more difficult to implement?

Thanks.

CCA is for the environments where you can't install the CTA, or where you can't control the client PC that connects to your network. NAC needs the CTA, therefore if it can't be installed, then all it really offers you is a kind of 802.1x authentication of new client connections.

The CCA is an appliance-based solution. You put the CCA server in line with the device that the clients connect to, e.g. a VPN concentrator. Then when they connect, the CCA server goes out and does various scans to determine the posture of the client; I believe it uses engines such as Nessus (I was told this by a Cisco SE, although I have not seen this). With the CTA and NAC, the access device communicates with the Cisco Trust Agent, and then communicates this back to a policy server (ACS).

Hope this helps - do you want some links on CCA?

Sorry, I forgot to say...

The installation of CCA is far easier than NAC. With NAC you have to configure the access device, then the policy server, then the AV server, then install the CTA on the clients... With CCA it's a one-box solution (without a separate manager), therefore installation is very straightforward...

Phil

Thanks again for the reply.

It does sound confusing in terms of making a decision between the two and I guess Cisco need to address this with some kind of deployment guide on where the two technologies sit.

I see the benefits of CCA where you have no control of what devices connect to your network, but how do you decide on CCA or NAC if you are in a situation where you do control the devices? What would be the deciding factors here? If CSA is deployed, will that only work with NAC, or do you still have the choice of both?

Any link would be great, thanks again.

Nick

Some links...

This is for CCA:

http://www.cisco.com/en/US/products/ps6128/index.html

This is for NAC:

http://www.cisco.com/en/US/netsol/ns466/networking_solutions_sub_solution_home.html

CSA works well with NAC and can also work with CCA. Both products will detect the presence of the CSA agent.

Phil

CCA does have a client option. It works best if users do load the client. That way their PCs report back to the Clean Access server such status as OS and service pack, Windows updates, and AV signature levels. The Clean Access server automatically checks 4 times a day with a Cisco website that keeps tabs on newly released updates from Microsoft, Symantec, TrendMicro, etc. This is powerful because it ensures that the Clean Access server is aware of the most recent developments.

One other thing, Clean Access is a working solution now. NAC is a work in progress that is mostly (as far as I can tell) marketing hype for the time being.

I say that because Cisco doesn't offer a worthwhile policy server that contains the information about AV signatures, new Windows updates, etc. Manually entering that information into ACS just isn't going to cut it. I think for NAC to be taken seriously a policy server is needed. You'd think that Cisco would adapt the Clean Access policy server; however, I suspect there might be some in-house turf battles going on between the different divisions.

At least, that's my evaluation of the matter.
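The posture evaluation the post describes (client reports OS/service pack, installed Windows updates and AV signature level; the server compares them against the newest releases it has learned from a vendor-update feed) can be sketched as a small policy check. This is an added illustration, not Cisco's code or a description of how Clean Access implements the comparison; the policy values, KB identifiers and dates are constructed samples.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LatestReleases:
    """Constructed stand-in for what an update feed would supply to the server."""
    service_pack: dict          # OS name -> minimum required service pack
    windows_update_kbs: frozenset  # update ids currently required
    av_signature_date: dict     # AV vendor -> date of newest signature set


@dataclass(frozen=True)
class HostReport:
    """What a client agent reports about itself (sample fields only)."""
    os_name: str
    service_pack: int
    installed_kbs: frozenset
    av_vendor: str
    av_signature_date: date


def assess_posture(report, latest, max_sig_age_days=3):
    """Return (compliant, failures): compliant only when every check passes."""
    failures = []
    required_sp = latest.service_pack.get(report.os_name)
    if required_sp is None:
        failures.append(f"unknown OS {report.os_name}")  # unknown platform: fail closed
    elif report.service_pack < required_sp:
        failures.append(f"service pack {report.service_pack} < required {required_sp}")
    missing = latest.windows_update_kbs - report.installed_kbs
    if missing:
        failures.append("missing updates: " + ", ".join(sorted(missing)))
    newest = latest.av_signature_date.get(report.av_vendor)
    if newest is None:
        failures.append(f"unrecognised AV vendor {report.av_vendor}")
    elif (newest - report.av_signature_date).days > max_sig_age_days:
        failures.append(f"AV signatures {(newest - report.av_signature_date).days} days behind")
    return (not failures, failures)


# Constructed sample feed and two sample hosts; KB ids are placeholders.
LATEST = LatestReleases({"Windows XP": 2}, frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}),
                        {"Symantec": date(2005, 6, 10), "TrendMicro": date(2005, 6, 9)})
COMPLIANT = HostReport("Windows XP", 2, frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}),
                       "Symantec", date(2005, 6, 9))
STALE = HostReport("Windows XP", 1, frozenset({"KB-EXAMPLE-1"}), "Symantec", date(2005, 5, 20))

if __name__ == "__main__":
    for host in (COMPLIANT, STALE):
        print(assess_posture(host, LATEST))
```

A host that fails any check would be placed in the quarantine role rather than given network access; the max_sig_age_days tolerance is the policy knob an administrator would tune.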

Thanks donlon, that's really useful.

I guess CCA is the way to go then until they sort NAC.

Nick

Two things to keep in mind:

A host-based firewall will defeat Nessus scans. In the presence of host-based firewalls, all you're getting is an authentication server.

Client/server communication occurs at L2. If you plan to deploy over several subnets, you will need to go with actual or NAT gateway mode, configuring for managed subnets.