This document describes how to configure Secure Services Client with Cisco Trust Agent (CTA) in a Network Admission Control (NAC) environment.
This section lists the software versions used in this document.
For more information about document conventions, refer to Cisco Technical Tips Conventions.
The Cisco NAC environment is a multipartner program designed to limit damage caused by viruses and worms. In order to control network access, NAC monitors network devices to ensure they comply with network security policies. Cisco Secure Services Client and the CTA are core components of the NAC environment. Every device that seeks network access contacts a network access device (router, switch, VPN concentrator, or firewall). These devices demand endpoint security credentials through Cisco Secure Services Client and CTA. This information is relayed to policy servers in order to allow or deny admission to the network.
Note: CTA must be installed on all hosts that require validation for network access.
CTA allows the NAC application to determine if the necessary partner software products, such as antivirus software, are installed and current. CTA also determines current operating system and patch levels.
The key features and benefits of CTA include:
- Small non-intrusive agent that acts as a middleware component and securely communicates host policy information to the authentication, authorization, and accounting (AAA) policy server through an 802.1X supplicant such as Cisco Secure Services Client. CTA can communicate the Cisco security, operating system, and patch versions, as well as the version of any partner software.
- Interacts directly with NAC-enabled applications that run on the host without user intervention. CTA communicates with NAC-enabled applications through communication channels integrated by the NAC partners within their applications.
To set up the NAC environment with Cisco Secure Services Client and CTA, complete these steps:
1. Download and install the Cisco Secure Services Client and CTA applications.
2. Download and install NAC-enabled applications from the appropriate NAC software partners.
3. Configure Cisco Secure Services Client to authenticate to the network with Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST). Without posture validation, users are placed in a quarantined VLAN.
4. Configure the CTA as instructed in the Cisco Trust Agent Administrator Guide (available on the Cisco Web site).
5. Configure partner software for use with the CTA application as instructed in the partner documentation.
Once operational, NAC is transparent. The CTA displays NAC posture messages on the user's screen.