Cisco Clean Access 3.5
Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 7 Integrating with Cisco VPN Concentrators
Mapping rules are configured in the CAM web admin console under User Management > Auth Servers
> Mapping Rules. For complete configuration details, see “User Management: Auth Servers” in the
Cisco Clean Access Manager Installation and Administration Guide.
Clean Access Agent with VPN Concentrator and SSO
Versions 3.5.3 and above of the Clean Access Agent incorporate support for the multi-hop L3
deployment feature. VPN/L3 access from the Clean Access Agent is only supported with the 3.5.3 or
above Agent.
Starting with release 3.5(3)+ of the CAM/CAS/Agent, the Agent will:
1. Check the client network for the Clean Access Server (L2 deployments), and if not found,
2. Attempt to discover the CAS by sending discovery packets to the CAM. This causes the discovery
packets to go through the CAS even if the CAS is multiple hops away (multi-hop deployment) so
that the CAS will intercept these packets and respond to the Agent.
In order for clients to discover the CAS when they are one or more L3 hops away, clients must initially
download the 3.5.3+ Agent from the CAS. This can be done in two ways:
• From the Download Clean Access Agent web page (i.e. via web login)
• By client auto-upgrade to the 3.5.3 or above Agent. For this to work, you must be running 3.5(3) or
above on your CAM and CAS, and clients must have the 3.5.2 or 3.5.1 Agent already installed.
Either method allows the Agent to acquire the IP address of the CAM in order to send traffic to the
CAM/CAS over the L3 network. Once installed in this way, the Agent can be used for both L3/VPN
concentrator deployments and regular L2 deployments. See
for details
Note
For VPN-concentrator SSO deployments, if the 3.5.3+ Agent is not downloaded from the CAS and is
instead downloaded by other methods (e.g. Cisco Secure Downloads), the Agent will not be able to get
the runtime IP information of the CAM and will not pop up automatically nor scan the client.
Note that:
• Uninstalling the Agent while still on the VPN connection does not terminate the connection.
• If a 3.5.0 or prior version of the Clean Access Agent is already installed, or if the 3.5.3+ Agent is
installed through non-CAS means, such as Cisco Secure Downloads, you must perform web login
to download the 3.5.3 or above Agent setup files from the CAS directly and reinstall the Agent to
get the L3 capability.
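
The version and install-source rules above can be applied to a client inventory to find hosts whose Agent will not discover the CAS over L3/VPN. This is an added example, not Cisco code; the function names, verdict strings and inventory records are constructed for illustration, and treating a pre-3.5(3) CAM/CAS as a blocker for every path is this example's assumption.

```python
import re

L3_MIN = (3, 5, 3)  # first release with multi-hop L3 discovery, per the guide

def parse_version(text):
    """Turn '3.5.3' or Cisco's '3.5(3)' notation into a comparable tuple."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    if len(nums) < 2:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(nums + [0] * (3 - len(nums)))

def assess(agent_version, from_cas, server_version):
    """Classify one client (hypothetical helper).

    agent_version  -- installed Agent version, or None if no Agent is installed
    from_cas       -- True if the Agent came from the CAS (web login or auto-upgrade)
    server_version -- release running on the CAM and CAS
    """
    if parse_version(server_version) < L3_MIN:
        # Assumption: the guide states this requirement for auto-upgrade;
        # this example applies it to every path.
        return "upgrade-cam-cas-first"
    if agent_version is None:
        return "web-login-install"
    agent = parse_version(agent_version)
    if agent >= L3_MIN:
        # A 3.5.3+ Agent from a non-CAS source lacks the CAM's runtime IP,
        # so it will not pop up automatically or scan the client.
        return "l3-ready" if from_cas else "web-login-reinstall"
    if agent in ((3, 5, 1), (3, 5, 2)):
        return "auto-upgrade"
    return "web-login-reinstall"  # 3.5.0 or prior

# Constructed sample inventory: (host, Agent version, from CAS?, CAM/CAS release)
INVENTORY = [
    ("vpn-pc-01", "3.5.3", True, "3.5(3)"),
    ("vpn-pc-02", "3.5.3", False, "3.5(3)"),  # e.g. installed from another download site
    ("vpn-pc-03", "3.5.2", True, "3.5(3)"),
    ("vpn-pc-04", "3.5.0", True, "3.5(3)"),
    ("vpn-pc-05", None, False, "3.5(3)"),
]

def audit(inventory):
    """Map each host to its verdict."""
    return {host: assess(a, c, s) for host, a, c, s in inventory}

if __name__ == "__main__":
    for host, verdict in audit(INVENTORY).items():
        print(f"{host:10} {verdict}")
```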