Cisco Cisco NAC Appliance 4.1.0
8-12
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide
OL-12213-01
Chapter 8 Integrating with Cisco VPN Concentrators
Clean Access Agent with VPN Concentrator and SSO
Mapping rules are configured in the CAM web admin console under User Management > Auth Servers
> Mapping Rules. For complete configuration details, see “User Management: Configuring Auth
Servers” in the Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide.
> Mapping Rules. For complete configuration details, see “User Management: Configuring Auth
Servers” in the Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide.
Clean Access Agent with VPN Concentrator and SSO
The Clean Access Agent supports multi-hop L3 deployment and VPN/L3 access from the Agent. The
Agent will:
Agent will:
1.
Check the client network for the Clean Access Server (L2 deployments), and if not found,
2.
Attempt to discover the CAS by sending discovery packets to the CAM. This causes the discovery
packets to go through the CAS even if the CAS is multiple hops away (multi-hop deployment) so
that the CAS will intercept these packets and respond to the Agent.
packets to go through the CAS even if the CAS is multiple hops away (multi-hop deployment) so
that the CAS will intercept these packets and respond to the Agent.
In order for clients to discover the CAS when they are one or more L3 hops away, clients must initially
download the Agent from the CAS. This can be done in two ways:
download the Agent from the CAS. This can be done in two ways:
•
From the Download Clean Access Agent web page (i.e. via web login)
•
By client auto-upgrade to the 4.1.0.0 or above Agent. For this work, clients must have the 3.5.1 or
above Agent already installed.
above Agent already installed.
Either method allows the Agent to acquire the IP address of the CAM in order to send traffic to the
CAM/CAS over the L3 network. Once installed in this way, the Agent can be used for both L3/VPN
concentrator deployments or regular L2 deployments. See
CAM/CAS over the L3 network. Once installed in this way, the Agent can be used for both L3/VPN
concentrator deployments or regular L2 deployments. See
for details
Note
For VPN-concentrator SSO deployments, if the Agent is not downloaded from the CAS and is instead
downloaded by other methods (e.g. Cisco Secure Downloads), the Agent will not be able to get the
runtime IP information of the CAM and will not pop up automatically nor scan the client.
downloaded by other methods (e.g. Cisco Secure Downloads), the Agent will not be able to get the
runtime IP information of the CAM and will not pop up automatically nor scan the client.
Note that:
•
Uninstalling the Agent while still on the VPN connection does not terminate the connection.
•
If a 3.5.0 or prior version of the Agent is already installed, or if the Agent is installed through
non-CAS means, such as Cisco Secure Downloads, you must perform web login to download the
latest Agent setup files from the CAS directly and reinstall the Agent to get the L3 capability.
non-CAS means, such as Cisco Secure Downloads, you must perform web login to download the
latest Agent setup files from the CAS directly and reinstall the Agent to get the L3 capability.
Clean Access Agent L3 VPN Concentrator User Experience
1.
From the VPN Client, double-click the VPN connection entry for the VPN Concentrator configured
for Cisco NAC Appliance.
for Cisco NAC Appliance.
2.
Login as a user to the VPN Client | User Authentication dialog
3.
Once logged in, open a browser and attempt to go to an intranet or extranet site.
illustrates the Clean Access process for a VPN user using the Clean Access Agent with
Single Sign-On. Note that the initial download of the Clean Access Agent must be performed via the
VPN connection.
VPN connection.