Cisco NAC Appliance 4.1.0
10-3
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 10 Clean Access Implementation Overview
Clean Access Overview
Clean Access Agent for VPN Users
Cisco NAC Appliance enables administrators to deploy the CAS in-band behind a VPN concentrator, a router, or multiple routers. Cisco NAC Appliance supports multi-hop Layer 3 in-band deployment by allowing the CAM and CAS to track user sessions by unique IP address when users are separated from the CAS by one or more routers. For Layer 2-connected users, the CAM/CAS continue to manage user sessions based on the user MAC addresses, as before.
Figure 10-2 illustrates the Clean Access Agent download and scanning process for a VPN concentrator user using the Clean Access Agent with Single Sign-On.
Figure 10-2 Clean Access Agent with SSO for VPN Concentrator Users
See
and “Integrating with Cisco VPN Concentrators” in the Cisco NAC
Appliance - Clean Access Server Installation and Administration Guide for further details.
Clean Access Agent for L3 OOB Users
Cisco NAC Appliance enables multi-hop L3 support for out-of-band (wired) deployments, enabling administrators to deploy the CAS out-of-band centrally (in the core or distribution layer) to support users behind L3 switches (e.g. routed access) and, in some cases, remote users behind WAN routers. With L3 OOB, users more than one L3 hop away from the CAS are supported, and their traffic only has to pass through Cisco NAC Appliance for authentication/posture assessment.
The MAC detection mechanism of the Clean Access Agent automatically acquires the client MAC address in L3 OOB deployments.
Users performing web login download and execute either an ActiveX control (for IE browsers) or a Java applet (for non-IE browsers) on the client machine prior to user login to determine the user machine's MAC address. This information is then reported to the CAS and the CAM to provide the IP address/MAC address mapping.
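The two tracking modes described on this page (MAC-keyed sessions for Layer 2 users, IP-keyed sessions for multi-hop L3 users) and the client-reported IP/MAC mapping from the MAC detection step can be modelled in a few lines. The following is an added illustration written for this page, not Cisco NAC Appliance code: the session table, the hop-count rule, the user and address values are all constructed, and the conflict checks on the reported mapping are an assumption about what a defender would want, not a description of how the CAM/CAS implement it. The point it makes is that beyond the first router the CAS never sees the client's real source MAC, so the MAC value for an L3 user is asserted by the endpoint and is worth cross-checking rather than trusting outright.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    ip: str
    mac: str
    mac_source: str  # "observed": learned from the L2 frame; "reported": sent by Agent/ActiveX/applet


@dataclass
class SessionTable:
    """Constructed model of the CAM/CAS session state (not the product's data structures)."""
    l2_by_mac: Dict[str, Session] = field(default_factory=dict)  # Layer 2 users, keyed by MAC
    l3_by_ip: Dict[str, Session] = field(default_factory=dict)   # multi-hop L3 users, keyed by IP
    reported_map: Dict[str, str] = field(default_factory=dict)   # IP -> MAC reported before login
    alerts: List[str] = field(default_factory=list)


def is_l3_user(hops_to_cas: int) -> bool:
    """One or more routers between the client and the CAS makes it an L3 user."""
    return hops_to_cas >= 1


def record_reported_mac(table: SessionTable, ip: str, reported_mac: str) -> bool:
    """Store the IP/MAC mapping the client-side MAC detection sends prior to login.
    The value is asserted by the endpoint rather than seen on the wire, so it is
    checked against what the table already knows (assumed policy); a conflicting
    report is logged and rejected instead of silently overwriting the mapping."""
    known = table.reported_map.get(ip)
    if known is not None and known != reported_mac:
        table.alerts.append(f"{ip}: previously reported {known}, now reports {reported_mac}")
        return False
    l2 = table.l2_by_mac.get(reported_mac)
    if l2 is not None and l2.ip != ip:
        table.alerts.append(f"{ip}: reported MAC {reported_mac} is an L2 user ({l2.user} at {l2.ip})")
        return False
    table.reported_map[ip] = reported_mac
    return True


def admit(table: SessionTable, user: str, ip: str, hops_to_cas: int,
          observed_mac: Optional[str] = None) -> Optional[Session]:
    """Create the session after a successful login.  L2 users are keyed by the MAC
    the CAS observed in the frame; L3 users are keyed by IP and take their MAC
    from the mapping reported by the Agent, ActiveX control or Java applet."""
    if is_l3_user(hops_to_cas):
        mac = table.reported_map.get(ip)
        if mac is None:
            table.alerts.append(f"{ip}: login without a reported MAC, not admitted")
            return None
        sess = Session(user, ip, mac, "reported")
        table.l3_by_ip[ip] = sess
    else:
        if observed_mac is None:
            return None
        sess = Session(user, ip, observed_mac, "observed")
        table.l2_by_mac[observed_mac] = sess
    return sess


def find_session(table: SessionTable, ip: str, src_mac: str, hops_to_cas: int) -> Optional[Session]:
    """Match a packet to its session.  Past the first hop the source MAC the CAS
    sees is the upstream router's, so only the IP identifies the user; at L2 the
    MAC is authoritative and survives an IP change such as a DHCP renewal."""
    if is_l3_user(hops_to_cas):
        return table.l3_by_ip.get(ip)
    return table.l2_by_mac.get(src_mac)


def demo() -> SessionTable:
    """Constructed scenario: one L2 user and one L3 user two router hops away."""
    t = SessionTable()
    admit(t, "alice", "10.1.1.5", 0, observed_mac="00:11:22:33:44:55")
    record_reported_mac(t, "10.20.0.7", "aa:bb:cc:dd:ee:ff")
    admit(t, "bob", "10.20.0.7", 2)
    return t


if __name__ == "__main__":
    table = demo()
    print(find_session(table, "10.1.1.99", "00:11:22:33:44:55", 0))   # alice, found by MAC
    print(find_session(table, "10.20.0.7", "00:00:5e:00:01:01", 2))  # bob, router MAC ignored
    print(record_reported_mac(table, "10.20.0.7", "cc:cc:cc:cc:cc:cc"), table.alerts)
```

Running the module shows the asymmetry directly: the L2 lookup still finds alice after her IP changed, the L3 lookup finds bob even though the frame carried a router's MAC, and a second, different MAC report for bob's IP is refused and logged rather than applied.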