This document describes how to configure Secure Services Client with
Cisco Trust Agent (CTA) in a Network Admission Control (NAC)

This section lists the software versions used in this document.

For more information about document conventions, refer to
Technical Tips Conventions.

The Cisco NAC environment is a multipartner program designed to limit
damage caused by viruses and worms. In order to control network access, NAC
monitors network devices to ensure they comply with network security policies.
Cisco Secure Services Client and the CTA are core components of the NAC
environment. Every device that seeks network access contacts a network access
device (router, switch, VPN concentrator, or firewall). These devices demand
endpoint security credentials through Cisco Secure Services Client and CTA.
This information is relayed to policy servers in order to allow or deny
admission to the network.

Note: CTA must be installed on all hosts that require validation for

CTA allows the NAC application to determine if the necessary partner
software products, such as antivirus software, are installed and current. CTA
also determines current operating system and patch levels.

The key features and benefits of CTA include:

- Small non-intrusive agent that acts as a middleware component and
  securely communicates host policy information to the authentication,
  authorization, and accounting (AAA) policy server through an 802.1X supplicant
  such as Cisco Secure Services Client. CTA can communicate the Cisco security,
  operating system, and patch versions, as well as the version of any partner
- Interacts directly with NAC-enabled applications that run on the
  host without user intervention. CTA communicates with NAC-enabled applications
  through communication channels integrated by the NAC partners within their

To set up a NAC environment with Cisco Secure Services Client and CTA,
complete these steps:

1. Download and install the Cisco Secure Services Client and CTA
2. Download and install NAC-enabled applications from the appropriate
   NAC software partners.
3. Use Extensible Authentication Protocol-Flexible Authentication via
   Secure Tunneling (EAP-FAST) in order to configure Cisco Secure Services Client
   to authenticate to the network. Without posture validation, users are placed in
   a quarantined VLAN.
4. Configure the CTA as instructed in Cisco Trust Agent
   Administrator Guide (available on the
5. Configure partner software to use with the CTA application as
   instructed in the partner documentation.

Once operational, the NAC is transparent. NAC posture messages are
displayed by the CTA on the user's screen.