Cisco Cisco NAC Appliance 4.1.0
8-2
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide
OL-12213-01
Chapter 8 Integrating with Cisco VPN Concentrators
Overview
Note that when the Single Sign-On (SSO) feature is configured for multi-hop L3 VPN concentrator
integration, if the user’s session on the CAS times out but the user is still logged in on the VPN
concentrator, the user session will be restored without providing a username/password.
integration, if the user’s session on the CAS times out but the user is still logged in on the VPN
concentrator, the user session will be restored without providing a username/password.
•
The Heartbeat Timer will not function in L3 deployments, and does not apply to Out-of-Band
deployments.
deployments.
Note that the HeartBeat Timer will work if the CAS is the first hop behind the VPN concentrator.
This is because the VPN concentrator responds to the ARP queries for the IP addresses of its current
tunnel clients.
This is because the VPN concentrator responds to the ARP queries for the IP addresses of its current
tunnel clients.
The topology and configuration required is fairly straightforward.
illustrates a Cisco NAC
illustrates the VPN concentrator
configuration “before” and
illustrates the configuration “after” integration with Cisco NAC
Appliance when multiple accounting servers are being used. The Clean Access Server needs to be
configured as the sole RADIUS accounting server for the VPN concentrator. If the VPN concentrator is
already configured for one or more RADIUS accounting server(s), the configuration for these needs to
be transferred from the concentrator to the CAS.
configured as the sole RADIUS accounting server for the VPN concentrator. If the VPN concentrator is
already configured for one or more RADIUS accounting server(s), the configuration for these needs to
be transferred from the concentrator to the CAS.
Note
If using Split Tunneling on the VPN concentrator, make sure that the split tunnel allows access to the
network being used for the Discovery Host. If the Discovery Host is the same as the CAM IP address, it
should allow the CAM.
network being used for the Discovery Host. If the Discovery Host is the same as the CAM IP address, it
should allow the CAM.
Single Sign-On (SSO)
In addition to being deployable with VPN concentrators, Cisco NAC Appliance provides the best user
experience possible for Cisco VPN concentrator users through Single Sign-On (SSO). Users logging in
through the VPN Client do not have to login again to Cisco NAC Appliance. Cisco NAC Appliance
leverages the VPN login and any VPN user group/class attributes to map the user to a particular role.
experience possible for Cisco VPN concentrator users through Single Sign-On (SSO). Users logging in
through the VPN Client do not have to login again to Cisco NAC Appliance. Cisco NAC Appliance
leverages the VPN login and any VPN user group/class attributes to map the user to a particular role.
This level of integration is achieved using RADIUS Accounting with the Clean Access Server acting as
a RADIUS accounting proxy. Cisco NAC Appliance supports Single Sign-On (SSO) for the following:
a RADIUS accounting proxy. Cisco NAC Appliance supports Single Sign-On (SSO) for the following:
•
Cisco VPN Concentrators
•
Cisco ASA 5500 Series Adaptive Security Appliances
•
Cisco Airespace Wireless LAN Controllers
•
Cisco SSL VPN Client (Full Tunnel)
•
Cisco VPN Client (IPSec)
Note
The “Enable L3 support” option must be checked on the CAS (under Device Management > Clean
Access Servers > Manage[CAS_IP] > Network > IP) for the Clean Access Agent to work in VPN
tunnel mode.
Access Servers > Manage[CAS_IP] > Network > IP) for the Clean Access Agent to work in VPN
tunnel mode.
Note
The Clean Access Server can acquire the client's IP address from either Calling_Station_ID or
Framed_IP_address RADIUS attributes for SSO purposes. Cisco NAC Appliance RADIUS Accounting
support for Single Sign-On (SSO) includes the Cisco Airespace Wireless LAN Controller. For SSO to
work with Cisco NAC Appliance, the Cisco Airespace Wireless LAN Controller must send the
Calling_Station_IP attribute as the client's IP address (as opposed to the Framed_IP_address attribute
that the VPN concentrator uses). See also
Framed_IP_address RADIUS attributes for SSO purposes. Cisco NAC Appliance RADIUS Accounting
support for Single Sign-On (SSO) includes the Cisco Airespace Wireless LAN Controller. For SSO to
work with Cisco NAC Appliance, the Cisco Airespace Wireless LAN Controller must send the
Calling_Station_IP attribute as the client's IP address (as opposed to the Framed_IP_address attribute
that the VPN concentrator uses). See also
.