Cisco Cisco Clean Access 3.5

Cisco Clean Access supports Single Sign-On (SSO) for the following:

Cisco VPN Concentrators 

Cisco ASA 5500 Series Adaptive Security Appliances

Cisco Airespace Wireless LAN Controllers (3.5.8+)

Cisco SSL VPN Client (Full Tunnel) 

Cisco VPN Client (IPSec)

Cisco Clean Access (3.5.3 and above) provides integration with Cisco VPN concentrators and can enable 
Single Sign-On capability for VPN users. This functionality is achieved using RADIUS Accounting. The 
Clean Access Server can acquire the client's IP address from either Framed_IP_address or 
Calling_Station_ID RADIUS attributes for SSO purposes. 

Single Sign-On (SSO) for Cisco VPN concentrator users—VPN users do not need to login to the 
web browser or the Clean Access Agent because the RADIUS accounting information sent to the 
CAS/CAM by the VPN concentrator provides the user ID and IP address of users logging into the 
VPN concentrator (RADIUS Accounting Start Message). 

Single Sign-On (SSO) for Cisco Airespace Wireless LAN Controller users (3.5.8 and above) — 
Release 3.5(8) extends Cisco Clean Access support for SSO for Cisco Airespace WLC. For SSO to 
work, the Cisco Airespace Wireless LAN Controller must send the Calling_Station_IP attribute as 
the client's IP address (as opposed to the Framed_IP_address that the VPN concentrator uses).

Accurate Session Timeout/Expiry—Due to the use of RADIUS accounting, the VPN concentrator 
informs the Clean Access Server exactly when the user has logged out (RADIUS Accounting Stop 
Message). See 

 for additional details. 

In order to enable the SSO feature for users, an authentication source of type Cisco VPN Server must be 
added using the following steps. 

Go to User Management > Auth Servers > New Server.

Authentication Type — Choose Cisco VPN Server from the dropdown menu.