Cisco Clean Access 3.5
Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 4 Clean Access Server Managed Domain
Network IP Settings for the CAS
VPN/L3 Access for Clean Access Agent
Releases 3.5(3) and above of the CAM/CAS/Agent introduce support for in-band multi-hop L3
deployment. VPN/L3 access from the Clean Access Agent is only supported with the 3.5.3+ Agent.
Starting with release 3.5(3)+ of the CAM/CAS/Agent, the Agent will:
1. Check the client network for the Clean Access Server (L2 deployments), and if not found,
2. Attempt to discover the CAS by sending discovery packets to the CAM. This causes the discovery
   packets to go through the CAS even if the CAS is multiple hops away (multi-hop deployment) so
   that the CAS will intercept these packets and respond to the Agent.
In order for clients to discover the CAS when they are one or more L3 hops away, clients must initially
download the 3.5.3+ Agent from the CAS (via download web page or auto-upgrade). Either method
allows the Agent to acquire the IP address of the CAM in order to send traffic to the CAM/CAS over the
L3 network. Once installed in this way, the Agent can be used for both L3/VPN concentrator
deployments or regular L2 deployments.
Acquiring and installing the 3.5.3+ Agent on the client by means other than direct download from the
CAS (e.g. from Cisco Downloads) will not provide the necessary CAM information to the Agent and
will not allow those Agent installations to operate in a multi-hop Layer 3 deployment.
To support VPN/L3 Access, you must:
• Be running 3.5(3) or above CAM/CAS/Agent.
• For 3.5(5) or above CAM/CAS, you must check the option for “Enable L3 Support for Clean Access
  Agent” and perform an Update and Reboot under Device Management > CCA Servers > Manage
  [CAS_IP] > Network > IP.
  Note: 3.5.5+ Agents only support multi-hop L3 operation with 3.5(5)+ CAM/CAS. L3 discovery will
  not work with older CAM/CAS versions.
• There must be a valid Discovery Host under Device Management > Clean Access > Clean Access
  Agent > Distribution (set by default to the trusted IP address of the CAM).
• Clients must initially download the 3.5.3+ Agent from the CAS, in one of two ways:
  – “Download Clean Access Agent” web page (i.e. via web login)
  – Auto-Upgrade to 3.5.3 or above Agent. You must be running 3.5(3) or above CAM/CAS, and
    clients must have 3.5.1 or above Agent already installed.
• SSO is only supported when integrating Cisco Clean Access with Cisco VPN Concentrators.
Note:
• Uninstalling a 3.5.3+ Agent while still on the VPN connection does not terminate the connection.
• For VPN-concentrator SSO deployments, if the 3.5.3+ Agent is not downloaded from the CAS and
  is instead downloaded by other methods (e.g. Cisco Downloads), the Agent will not be able to get
  the runtime IP information of the CAM and will not pop up automatically nor scan the client.
3. If a 3.5.0 or prior version of the Agent is already installed, or if the 3.5.3+ Agent is installed through
   non-CAS means (e.g. Cisco Downloads), you must perform web login to download the 3.5.3+ Agent
   setup files from the CAS directly and reinstall the Agent to get the L3 capability.
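
The version and installation-source requirements above can be checked across a client inventory before enabling a multi-hop L3 deployment. The following Python is an added example, not part of the Cisco guide or product; the function names, the source labels (cas-web, cas-auto-upgrade, other), the sample inventory and the address 10.0.0.10 are assumptions made for illustration.

```python
import re

CAS_SOURCES = ("cas-web", "cas-auto-upgrade")  # labels are this example's own

def parse_version(text):
    """Parse '3.5(3)' (CAM/CAS style) or '3.5.3' (Agent style) into a tuple."""
    parts = re.findall(r"\d+", text)
    if len(parts) != 3:
        raise ValueError(f"unrecognized version: {text!r}")
    return tuple(int(p) for p in parts)

def agent_remedy(agent, source, cam_cas):
    """How a client gets an L3-capable Agent: 'none', 'auto-upgrade' or 'web-login'."""
    client, server = parse_version(agent), parse_version(cam_cas)
    if client >= (3, 5, 3):
        # A 3.5.3+ Agent only knows the CAM address if it came from the CAS.
        return "none" if source in CAS_SOURCES else "web-login"
    if client >= (3, 5, 1) and server >= (3, 5, 3):
        return "auto-upgrade"
    return "web-login"  # 3.5.0 or prior: reinstall from the CAS

def l3_problems(cam_cas, agent, source, l3_option_enabled, discovery_host):
    """Return unmet prerequisites for multi-hop L3; an empty list means none found."""
    client, server = parse_version(agent), parse_version(cam_cas)
    problems = []
    if server < (3, 5, 3):
        problems.append("CAM/CAS below 3.5(3)")
    if server >= (3, 5, 5) and not l3_option_enabled:
        problems.append("'Enable L3 Support for Clean Access Agent' not checked")
    if client >= (3, 5, 5) and server < (3, 5, 5):
        problems.append("3.5.5+ Agent with CAM/CAS older than 3.5(5)")
    if not discovery_host:  # assumption: any non-empty value counts as set
        problems.append("no Discovery Host configured")
    remedy = agent_remedy(agent, source, cam_cas)
    if remedy != "none":
        problems.append(f"Agent lacks L3 capability: {remedy}")
    return problems

# Constructed sample inventory: (client, Agent version, how it was installed)
INVENTORY = [
    ("laptop-a", "3.5.5", "cas-web"),
    ("laptop-b", "3.5.3", "other"),  # e.g. installed from Cisco Downloads
    ("laptop-c", "3.5.1", "cas-web"),
    ("laptop-d", "3.5.0", "cas-web"),
]

if __name__ == "__main__":
    for name, agent, source in INVENTORY:
        issues = l3_problems("3.5(5)", agent, source, True, "10.0.0.10")
        print(name, "OK" if not issues else "; ".join(issues))
```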