Cisco Clean Access 3.5

Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 7      Integrating with Cisco VPN Concentrators
Overview
• The Session Timer works the same way for multi-hop L3 In-Band deployments and for L2 (In-Band or Out-of-Band) deployments. Note that when the Single Sign-On (SSO) feature is configured for multi-hop L3 VPN concentrator integration, if the user's session on the CAS times out but the user is still logged in on the VPN concentrator, the user session is restored without the user providing a username/password.
• The Heartbeat Timer does not function in L3 deployments, and does not apply to Out-of-Band deployments. Note that the Heartbeat Timer does work if the CAS is the first hop behind the VPN concentrator, because the VPN concentrator responds to ARP queries for the IP addresses of its current tunnel clients.
The topology and configuration required is fairly straightforward.
 illustrates a Cisco Clean Access network integrated with a VPN concentrator.
 illustrates the VPN concentrator configuration "before" and
 illustrates the configuration "after" integration with Cisco Clean Access when multiple accounting servers are being used. The Clean Access Server needs to be configured as the sole RADIUS accounting server for the VPN concentrator. If the VPN concentrator is already configured for one or more RADIUS accounting server(s), the configuration for these needs to be transferred from the concentrator to the CAS.
Single Sign-On (SSO) 
In addition to being deployable with VPN concentrators, Cisco Clean Access provides Single Sign-On (SSO) for Cisco VPN concentrator users. Users who log in through the VPN Client do not have to log in again to Cisco Clean Access: Cisco Clean Access leverages the VPN login and any VPN user group/class attributes to map the user to a particular role.
This level of integration is achieved using RADIUS Accounting, with the Clean Access Server acting as a RADIUS accounting proxy. Cisco Clean Access supports Single Sign-On (SSO) for the following:
• Cisco VPN Concentrators
• Cisco ASA 5500 Series Adaptive Security Appliances
• Cisco Airespace Wireless LAN Controllers (3.5.8+)
• Cisco SSL VPN Client (Full Tunnel)
• Cisco VPN Client (IPSec)
Note: With release 3.5(5) and above, the "Enable L3 support for Clean Access Agent" option must be checked on the CAS (under Device Management > Clean Access Servers > Manage [CAS_IP] > Network > IP) for the Clean Access Agent to work in VPN tunnel mode.
Note: The Clean Access Server can acquire the client's IP address from either the Calling_Station_ID or the Framed_IP_address RADIUS attribute for SSO purposes. Cisco Clean Access release 3.5(8) extends RADIUS Accounting support for Single Sign-On (SSO) to include the Cisco Airespace Wireless LAN Controller. For SSO to work with Cisco Clean Access, the Cisco Airespace Wireless LAN Controller must send the Calling_Station_ID attribute as the client's IP address (as opposed to the Framed_IP_address attribute that the VPN concentrator uses).
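The RADIUS accounting proxy behaviour described above (the CAS learning VPN/WLAN sessions from Accounting-Request packets and taking the client IP from Framed_IP_address or Calling_Station_ID) is illustrated by the following added Python example. It is not Cisco's Clean Access Server code; the shared secret, usernames, IP addresses, the Class value used for role mapping, and the role map are all constructed assumptions. It shows the two checks a defender wants at this point: the RFC 2866 Request Authenticator is verified with the shared secret before any attribute is trusted, and a Calling_Station_ID that is not a textual IP address (for example a MAC address) yields no session rather than a wrong one.

```python
# Added illustration of a RADIUS accounting proxy for SSO (not Cisco CAS code).
# Shared secret, users, IPs, Class value and role map below are constructed.
import hashlib
import hmac
import ipaddress
import socket
import struct

SHARED_SECRET = b"constructed-secret"      # constructed; load from config in real use
ACCT_REQUEST = 4                           # RADIUS code for Accounting-Request
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_CLASS = 1, 8, 25
ATTR_CALLING_STATION_ID, ATTR_ACCT_STATUS_TYPE = 31, 40
ACCT_START, ACCT_STOP = 1, 2


def build_acct_request(identifier, attrs, secret):
    """Encode an Accounting-Request (RFC 2866). The Request Authenticator is
    MD5(Code | Identifier | Length | 16 zero octets | attributes | secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attrs(body):
    """Walk the type/length/value list, refusing truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def verify_acct_request(packet, secret):
    """Check framing and the Request Authenticator before trusting any attribute."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):   # strict: no trailing bytes
        raise ValueError("not a well-formed Accounting-Request")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Request Authenticator: wrong shared secret or altered packet")
    return identifier, parse_attrs(body)


def client_ip_from_attrs(attrs):
    """Prefer Framed-IP-Address (what the VPN concentrator sends); otherwise accept
    Calling-Station-Id only when it is a textual IP address (what the guide requires
    of the WLC). A MAC address or any other string yields None."""
    by_type = dict(attrs)
    framed = by_type.get(ATTR_FRAMED_IP)
    if framed is not None and len(framed) == 4:
        return socket.inet_ntoa(framed)
    csid = by_type.get(ATTR_CALLING_STATION_ID, b"")
    try:
        return str(ipaddress.ip_address(csid.decode("ascii")))
    except (UnicodeDecodeError, ValueError):
        return None


class SsoSessionTable:
    """Maps client IP -> (user, role), driven only by accounting Start/Stop records."""

    def __init__(self, role_map):
        self.role_map = role_map      # Class attribute value -> Clean Access role (constructed)
        self.sessions = {}

    def handle(self, packet, secret):
        _, attrs = verify_acct_request(packet, secret)
        by_type = dict(attrs)
        status = struct.unpack("!I", by_type.get(ATTR_ACCT_STATUS_TYPE, b"\0\0\0\0"))[0]
        ip = client_ip_from_attrs(attrs)
        if ip is None:
            return ("no-client-ip", None)          # cannot map a user to a role without an IP
        if status == ACCT_START:
            user = by_type.get(ATTR_USER_NAME, b"").decode("ascii", "replace")
            group = by_type.get(ATTR_CLASS, b"").decode("ascii", "replace")
            role = self.role_map.get(group, "default")
            self.sessions[ip] = (user, role)
            return ("login", ip, user, role)
        if status == ACCT_STOP:
            return ("logout", ip, self.sessions.pop(ip, None))
        return ("ignored", ip)


def sample_packets(secret=SHARED_SECRET):
    """Constructed packets: a VPN concentrator Start/Stop pair (Framed-IP-Address),
    a WLC Start with a textual IP in Calling-Station-Id, and a WLC Start with a MAC."""
    start, stop = struct.pack("!I", ACCT_START), struct.pack("!I", ACCT_STOP)
    return {
        "vpn_start": build_acct_request(1, [(ATTR_USER_NAME, b"alice"), (ATTR_ACCT_STATUS_TYPE, start),
                                            (ATTR_FRAMED_IP, socket.inet_aton("10.1.1.5")),
                                            (ATTR_CLASS, b"vpn-engineering")], secret),
        "wlc_start": build_acct_request(2, [(ATTR_USER_NAME, b"bob"), (ATTR_ACCT_STATUS_TYPE, start),
                                            (ATTR_CALLING_STATION_ID, b"10.2.2.7")], secret),
        "wlc_mac": build_acct_request(3, [(ATTR_USER_NAME, b"carol"), (ATTR_ACCT_STATUS_TYPE, start),
                                          (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")], secret),
        "vpn_stop": build_acct_request(4, [(ATTR_USER_NAME, b"alice"), (ATTR_ACCT_STATUS_TYPE, stop),
                                           (ATTR_FRAMED_IP, socket.inet_aton("10.1.1.5"))], secret),
    }


def run_demo():
    table = SsoSessionTable({"vpn-engineering": "engineer"})
    pk = sample_packets()
    events = [table.handle(pk[k], SHARED_SECRET)
              for k in ("vpn_start", "wlc_start", "wlc_mac", "vpn_stop")]
    # A record whose Framed-IP-Address was altered in transit fails the authenticator check.
    forged = pk["vpn_start"].replace(socket.inet_aton("10.1.1.5"), socket.inet_aton("10.1.1.6"))
    try:
        table.handle(forged, SHARED_SECRET)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return events, forged_rejected


if __name__ == "__main__":
    for event in run_demo()[0]:
        print(event)
```

The session table here is keyed by client IP, which is exactly why the guide insists the CAS be the sole accounting server and the WLC put the client's IP address in Calling_Station_ID: without a trustworthy IP in the Start record there is nothing to attach the VPN login and role to, and the example returns no session rather than guessing.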
See