Cisco Clean Access 3.5

Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 7: Integrating with Cisco VPN Concentrators
Configure Clean Access for VPN Concentrator Integration
Configure Single Sign-On (SSO) on the CAS/CAM
Single Sign-On (SSO) lets the user log in only once, through the VPN client, before being directed through the Clean Access process. To perform SSO, Cisco Clean Access takes the RADIUS accounting information that the VPN concentrator/wireless controller sends for the user authentication and uses it to map the user into a user role. The user can then go through the Clean Access process directly, without also having to log in on the Clean Access Server. SSO is configured on both the CAS and the CAM, as described below. For SSO purposes, the Clean Access Server can acquire the client's IP address from either the Calling_Station_ID or the Framed_IP_address RADIUS attribute.
Note
Release 3.5(8) extends RADIUS Accounting support for Single Sign-On (SSO) to include the Cisco 
Airespace Wireless LAN Controller. For SSO to work with Cisco Clean Access, the Cisco Airespace 
Wireless LAN Controller must send the Calling_Station_IP attribute as the client's IP address (as 
opposed to the Framed_IP_address attribute that the VPN concentrator uses).
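
How a RADIUS accounting receiver can recover the user-to-IP mapping described above, as an added example that is not Cisco's code or part of this guide: it verifies the RFC 2866 Request Authenticator of an Accounting-Request against a shared secret, then reads the client IP from Framed-IP-Address (type 8), falling back to Calling-Station-Id (type 31). The shared secret, user names, addresses, the preference order and the assumption that the wireless controller carries the IP as text in attribute 31 are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST = 4                      # RADIUS code, RFC 2866
USER_NAME, FRAMED_IP, CALLING_STATION, STATUS_TYPE = 1, 8, 31, 40
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def _authenticator(header, attrs, secret):
    # RFC 2866: MD5(Code + Id + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(ident, attrs, secret):
    """Build a constructed Accounting-Request so the demo runs offline."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return header + _authenticator(header, body, secret) + body

def parse_sso_record(packet, secret):
    """Return {'user', 'ip', 'status'} from an authenticated Accounting-Request."""
    if len(packet) < 20 or packet[0] != ACCT_REQUEST:
        raise ValueError("not an Accounting-Request")
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field mismatch")
    body = packet[20:]
    if not hmac.compare_digest(_authenticator(packet[:4], body, secret), packet[4:20]):
        raise ValueError("Request Authenticator mismatch")
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.setdefault(body[pos], body[pos + 2:pos + body[pos + 1]])
        pos += body[pos + 1]
    ip = None
    if len(attrs.get(FRAMED_IP, b"")) == 4:          # assumed preference order
        ip = str(ipaddress.IPv4Address(attrs[FRAMED_IP]))
    elif CALLING_STATION in attrs:                   # may hold a MAC, not an IP
        try:
            ip = str(ipaddress.ip_address(attrs[CALLING_STATION].decode("ascii")))
        except ValueError:
            ip = None
    status = STATUS.get(int.from_bytes(attrs.get(STATUS_TYPE, b""), "big"))
    return {"user": attrs.get(USER_NAME, b"").decode("utf-8", "replace"), "ip": ip, "status": status}

SECRET = b"constructed-secret"   # constructed sample values below
VPN = build_request(7, [(USER_NAME, b"alice"), (FRAMED_IP, bytes([10, 1, 2, 3])),
                        (STATUS_TYPE, struct.pack("!I", 1))], SECRET)
WLC = build_request(8, [(USER_NAME, b"bob"), (CALLING_STATION, b"10.9.8.7"),
                        (STATUS_TYPE, struct.pack("!I", 2))], SECRET)
```

A record whose authenticator does not verify is rejected before any attribute is read, so an unauthenticated sender cannot create a user-to-IP mapping.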
Configure SSO on the CAS
1. Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Authentication > VPN Auth > General.
Figure 7-8 General Settings (SSO / Logout / RADIUS Accounting Port)
2. Click the checkboxes for Single Sign-On and Auto-Logout to enable these features for VPN users.
3. Leave the default port (1813) or configure a new one for RADIUS Accounting Port.
4. Click Update.
Configure SSO on the CAM
To support SSO when configuring Cisco Clean Access VPN Concentrator integration, a Cisco VPN 
Server authentication source must be added to the CAM. 
1. Go to User Management > Auth Servers > New Server.