04-14-2005 03:17 AM - edited 03-09-2019 10:56 AM
Can someone tell me how CCA differs from NAC? The two technologies seem to have a lot of overlap.
Thanks
04-14-2005 10:53 PM
Hi,
NAC needs the installation of a small client app called the CTA (Cisco Trust Agent) in order to check the security posture of the client. With CCA, the solution is clientless, and is therefore useful if you have no control over what device the client is connecting from.
Both solutions basically provide similar services, i.e. testing remote client conformity to a security policy before allowing access to a network.
Phil
04-15-2005 12:43 AM
Thanks for the reply Phil.
Would CCA not be the better option if no client app is required, or are there things NAC can do that CCA can't, or is it more difficult to implement?
Thanks.
04-15-2005 12:50 AM
CCA is for the environments where you can't install the CTA, or where you can't control the client PC that connects to your network. NAC needs the CTA, therefore if it can't be installed, then all it really offers you is a kind of 802.1x authentication of new client connections.
The CCA is an appliance-based solution. You put the CCA server in line with the device that the clients connect to, e.g. VPN conc. Then when they connect, the CCA server goes out and does various scans to determine the posture of the client. I believe it uses engines such as Nessus (I was told this by a Cisco SE, although I have not seen this). With the CTA and NAC, the access device communicates with the Cisco Trust Agent, and then communicates this back to a policy server (ACS).
Hope this helps - do you want some links on CCA?
04-15-2005 12:56 AM
Sorry, I forgot to say...
The installation of CCA is far easier than NAC. With NAC you have to configure the access device, then the policy server, then the AV server, then install the CTA on the clients... With CCA it's a one-box solution (without separate manager), therefore installation is very straightforward...
Phil
04-15-2005 02:53 AM
Thanks again for the reply.
It does sound confusing in terms of making a decision between the two and I guess Cisco need to address this with some kind of deployment guide on where the two technologies sit.
I see the benefits of CCA where you have no control of what devices connect to your network, but how do you decide on CCA or NAC if you are in a situation where you do control the devices? What would be the deciding factors here? If CSA is deployed, will that only work with NAC or do you still have the choice of both?
Any link would be great, thanks again.
Nick
04-15-2005 03:35 AM
Some links...
This is for CCA:
http://www.cisco.com/en/US/products/ps6128/index.html
This is for NAC:
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_sub_solution_home.html
CSA works well with NAC and can also work with CCA. Both products will detect the presence of the CSA agent.
Phil
04-17-2005 03:27 PM
CCA does have a client option. It works best if users do load the client. That way their PCs report back to the clean access server such status as OS and service pack, Windows updates, AV signature levels. The clean access server automatically checks 4 times a day with a Cisco website that keeps tabs on newly released updates from Microsoft, Symantec, TrendMicro, etc. This is powerful because it ensures that the clean access server is aware of the most recent developments.
One other thing: Clean Access is a working solution now. NAC is a work in progress that is mostly (as far as I can tell) marketing hype for the time being.
I say that because Cisco doesn't offer a worthwhile policy server that contains the information about AV signatures, new Windows updates, etc. Manually entering that information into ACS just isn't going to cut it. I think for NAC to be taken seriously a policy server is needed. You'd think that Cisco would adapt the clean access policy server; however, I suspect there might be some in-house turf battles going on between the different divisions.
At least, that's my evaluation of the matter.
04-17-2005 04:54 PM
Thanks donlon, that's really useful.
I guess CCA is the way to go then until they sort NAC.
Nick
04-27-2005 07:52 AM
Two things to keep in mind:
A host-based firewall will defeat Nessus scans. In the presence of host-based firewalls, all you're getting is an authentication server.
Client/server communication occurs at L2. If you plan to deploy over several subnets, you will need to go with actual or NAT gateway mode configuring for managed subnets.