Cisco Cisco NAC Appliance 4.1.0
11-9
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 11 Distributing the Clean Access Agent
Enable Network Access (L3 or L2)
The Agent always sends the MAC/IP address pair of the client at login request regardless of the CAS
configuration. The CAS then determines what to read or discard. If the CAS is enabled for L3
deployment, the CAS takes the MAC/IP address of the Agent at UDP discovery and at login request.
If the CAS is configured for L2 Strict mode, the CAS discards all IP addresses, because they are not
needed (see also
configuration. The CAS then determines what to read or discard. If the CAS is enabled for L3
deployment, the CAS takes the MAC/IP address of the Agent at UDP discovery and at login request.
If the CAS is configured for L2 Strict mode, the CAS discards all IP addresses, because they are not
needed (see also
).
For additional information on L3 OOB, see “Configuring Layer 3 Out-of Band (L3 OOB) in the
Cisco NAC Appliance - Cisco Clean Access Server Installation and Administration Guide.
Cisco NAC Appliance - Cisco Clean Access Server Installation and Administration Guide.
VPN/L3 Access for Clean Access Agent
The Clean Access Manager, Server, and Agent support multi-hop L3 deployment. The Agent:
1.
Checks the client network for the Clean Access Server (L2 deployments), and if not found,
2.
Attempts to discover the CAS by sending discovery packets to the CAM. This causes the discovery
packets to go through the CAS even if the CAS is multiple hops away (multi-hop deployment) so
that the CAS will intercept these packets and respond to the Agent.
packets to go through the CAS even if the CAS is multiple hops away (multi-hop deployment) so
that the CAS will intercept these packets and respond to the Agent.
In order for clients to discover the CAS when they are one or more L3 hops away, clients must initially
download the Agent from the CAS through the Download Clean Access Agent page after web login or
through auto-upgrade. Either method allows the Agent to acquire the IP address of the Discovery Host
(by default, the CAM) in order to send traffic to the CAM/CAS over the L3 network. Once installed in
this way, the Agent can be used for L3/VPN concentrator deployments or regular L2 deployments.
download the Agent from the CAS through the Download Clean Access Agent page after web login or
through auto-upgrade. Either method allows the Agent to acquire the IP address of the Discovery Host
(by default, the CAM) in order to send traffic to the CAM/CAS over the L3 network. Once installed in
this way, the Agent can be used for L3/VPN concentrator deployments or regular L2 deployments.
Acquiring and installing the Agent on the client by means other than direct download from the CAS (e.g.
from Cisco Secure Downloads) will not provide the necessary Discovery information to the Agent and
will not allow those Agent installations to operate in a multi-hop Layer 3 deployment.
from Cisco Secure Downloads) will not provide the necessary Discovery information to the Agent and
will not allow those Agent installations to operate in a multi-hop Layer 3 deployment.
To support VPN/L3 Access, you must:
1.
Check the option for “
” and perform an Update and Reboot of the
CAS under Device Management > CCA Servers > Manage [CAS_IP] > Network > IP.
2.
Specify a valid Discovery Host under Device Management > Clean Access > Clean Access Agent
> Installation (set by default to the trusted IP address of the CAM).
> Installation (set by default to the trusted IP address of the CAM).
3.
Clients must initially download the Agent from the CAS, in one of two ways:
–
“Download Clean Access Agent” web page (i.e. via web login)
–
Auto-Upgrade to 4.1.0.0 or above Agent.
4.
SSO is only supported when integrating Cisco NAC Appliance with Cisco VPN Concentrators.
Note
•
Uninstalling the Agent while still on the VPN connection does not terminate the connection.
•
For VPN-concentrator SSO deployments, if the Agent is not downloaded from the CAS and is
instead downloaded by other methods (e.g. Cisco Secure Downloads), the Agent will not be able to
get the runtime IP information of the CAM and will not pop up automatically nor scan the client.
instead downloaded by other methods (e.g. Cisco Secure Downloads), the Agent will not be able to
get the runtime IP information of the CAM and will not pop up automatically nor scan the client.
•
If a 3.5.0 or prior version of the Agent is already installed, or if the Agent is installed through
non-CAS means (e.g. Cisco Secure Downloads), you must perform web login to download the Agent
setup files from the CAS directly and reinstall the Agent to get the L3 capability.
non-CAS means (e.g. Cisco Secure Downloads), you must perform web login to download the Agent
setup files from the CAS directly and reinstall the Agent to get the L3 capability.