Cisco Clean Access Server Installation and Administration Guide, OL-7045-01

Chapter 7: Integrating with Cisco VPN Concentrators
This chapter describes the configuration required to integrate the Clean Access Server with Cisco VPN Concentrators.
Overview

Cisco Clean Access 3.5(3) and above lets administrators deploy the Clean Access Server (CAS) in-band behind a VPN concentrator, a router, or multiple routers. Prior to 3.5(3), a Clean Access Server had to be deployed either as a bridge (Virtual Gateway) or as the first-hop default gateway, with Layer 2 proximity to users, so that user MAC addresses were visible to the CAS. Release 3.5(3) and above add multi-hop Layer 3 in-band deployment: the Clean Access Manager (CAM) and CAS track user sessions by unique IP address when users are separated from the CAS by one or more routers, where the only MAC the CAS sees is that of the last-hop router or concentrator. A single CAS can support both L2 and L3 users at the same time. For Layer 2-connected users, the CAM/CAS continue to manage sessions by user MAC address, as before.
For users that are one or more L3 hops away, note the following considerations:

  • User sessions are keyed by unique IP address rather than by MAC address.

  • If the user's IP address changes (for example, the user loses VPN connectivity and reconnects with a new address), the client must go through the Clean Access certification process again; the old session is not carried over to the new address.

  • For clients to discover the CAS when they are one or more L3 hops away, the 3.5(3) or later Clean Access Agent must initially be downloaded from and installed via the CAS. This provides the Agent with the CAM information it needs for subsequent logins from one or more L3 hops away. An Agent acquired by other means (for example, Cisco Secure Downloads) does not receive this CAM information and cannot operate in a multi-hop Layer 3 deployment.

  • Because the Certified Devices List tracks L2 users by MAC address, multi-hop L3 users never appear on the Certified Devices List, and the Certified Devices Timer does not apply to them. L3 users appear only on the Online Users list (In-Band).

  • All other user audit trails, such as network scanner and Clean Access Agent logs, are maintained for multi-hop L3 users.
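The list above describes a policy rather than an implementation, and the practical consequence (which list a user lands on, and what happens on a VPN reconnect) is easiest to see in a small behavioural model. The following Python is an added example written for this page, not Cisco code and not how the CAS is implemented internally. It models the two session keys (MAC for L2-adjacent users, IP for multi-hop L3 users), the Certified Devices List that only L2 users can enter, and the forced re-certification when an L3 user's address changes. The `InBandCAS` class, the use of a directly-connected-subnet check to decide whether a user is L2 or L3, and all addresses are assumptions made for illustration.

```python
"""Behavioural model of CAS session tracking for L2 vs multi-hop L3 users.

Added example for illustration; not Cisco Clean Access code. The subnet-based
L2/L3 decision, the class names and all addresses are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Session:
    key: str          # MAC address for L2 users, IP address for L3 users
    ip: str
    layer: int        # 2 = CAS sees the user's own MAC, 3 = one or more router hops away
    certified: bool = False


class InBandCAS:
    """Tracks in-band user sessions the way the page describes them."""

    def __init__(self, local_subnets):
        # Subnets directly connected to the CAS untrusted side (assumption: a client
        # in one of these is L2-adjacent, so its real MAC is visible to the CAS).
        self.local_subnets = [ip_network(s) for s in local_subnets]
        self.online_users: dict[str, Session] = {}   # Online Users list (In-Band)
        self.certified_devices: set[str] = set()     # Certified Devices List (MACs only)

    def _is_l2(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.local_subnets)

    def session_key(self, ip: str, mac: str) -> tuple[int, str]:
        # Behind a router or VPN concentrator the source MAC the CAS sees is the
        # router's, so it cannot identify the user; the unique IP is used instead.
        if self._is_l2(ip):
            return 2, mac.lower()
        return 3, ip

    def login(self, ip: str, mac: str) -> Session:
        layer, key = self.session_key(ip, mac)
        # An L2 device still on the Certified Devices List skips certification;
        # an L3 user can never be on that list, so it always starts uncertified.
        already_certified = layer == 2 and key in self.certified_devices
        session = Session(key=key, ip=ip, layer=layer, certified=already_certified)
        self.online_users[key] = session
        return session

    def certify(self, key: str) -> Session:
        """Record a successful Clean Access certification for an online session."""
        session = self.online_users[key]
        session.certified = True
        if session.layer == 2:
            self.certified_devices.add(key)   # L3 users are not added
        return session

    def logout(self, key: str) -> None:
        self.online_users.pop(key, None)

    def packet_seen(self, ip: str, mac: str) -> Optional[Session]:
        """Map traffic to an existing session; None means the host must log in again.

        For an L3 user the key is the IP, so a VPN reconnect that yields a new
        address simply finds no session. An L2 user keyed by MAC keeps its session
        across a DHCP address change.
        """
        layer, key = self.session_key(ip, mac)
        session = self.online_users.get(key)
        if session is not None and layer == 2:
            session.ip = ip
        return session

    def certified_devices_timer_expired(self) -> None:
        # The timer clears the Certified Devices List; it never touched L3 users.
        self.certified_devices.clear()


def vpn_reconnect_forces_recertification() -> bool:
    """Worked scenario from the page: an L3 user whose VPN address changes."""
    cas = InBandCAS(["10.10.0.0/24"])                     # constructed local subnet
    router_mac = "00:00:0c:07:ac:01"                      # constructed last-hop MAC
    user = cas.login("172.16.5.20", router_mac)           # VPN pool address, L3
    cas.certify(user.key)
    # VPN drops and reconnects with a new pool address: no session is found,
    # so the client has to go through certification again.
    return cas.packet_seen("172.16.5.21", router_mac) is None


if __name__ == "__main__":
    print("L3 user must re-certify after address change:",
          vpn_reconnect_forces_recertification())
```

The model makes the operational caveat concrete: an L3 user's certification state lives only in the Online Users entry keyed by its IP, so anything that hands the client a new address (VPN reconnect, a different pool) discards it, whereas an L2 user's MAC stays on the Certified Devices List until the Certified Devices Timer clears it.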