Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide
OL-12213-01
Chapter 5 Clean Access Server Managed Domain
Configure Network Settings for the CAS
Note
For Clean Access Agent users, the Discovery Host field (under Device Management > Clean Access > Clean Access Agent > Installation) automatically populates with the IP address of the CAM by default after a new install or upgrade.
To Disable L3 Capability:
To disable L3 discovery of the Clean Access Server at the CAS level for web login and Clean Access Agent users:
1. Go to Device Management > CCA Servers > Manage [CAS_IP] > Network and uncheck the option for “Enable L3 support” (see ).
2. Click Update.
3. Click Reboot.
VPN/L3 Access for Clean Access Agent
The CAM/CAS/Agent support in-band multi-hop L3 deployment and VPN/L3 access from the Clean Access Agent. The Agent will:
1. Check the client network for the Clean Access Server (L2 deployments), and if not found,
2. Attempt to discover the CAS by sending discovery packets to the CAM. This causes the discovery packets to go through the CAS even if the CAS is multiple hops away (multi-hop deployment) so that the CAS will intercept these packets and respond to the Agent.
In order for clients to discover the CAS when they are one or more L3 hops away, clients must initially download the Agent from the CAS (via download web page or auto-upgrade). Either method allows the Agent to acquire the IP address of the CAM in order to send traffic to the CAM/CAS over the L3 network. Once installed in this way, the Agent can be used for both L3/VPN concentrator deployments and regular L2 deployments.
Acquiring and installing the Agent on the client by means other than direct download from the CAS (e.g. from Cisco Downloads) will not provide the necessary CAM information to the Agent and will not allow those Agent installations to operate in a multi-hop Layer 3 deployment.
To support VPN/L3 Access, you must:
• Check the option for “Enable L3 support” and perform an Update and Reboot under Device Management > CCA Servers > Manage [CAS_IP] > Network > IP.
• There must be a valid Discovery Host under Device Management > Clean Access > Clean Access Agent > Installation (set by default to the trusted IP address of the CAM).
• Clients must initially download the Agent from the CAS, in one of two ways:
  – “Download Clean Access Agent” web page (i.e. via web login)
  – Auto-Upgrade to 4.1.0.0 Agent (3.5.1+ Agent is required for auto-upgrade).
• SSO is only supported when integrating Cisco NAC Appliance with Cisco VPN Concentrators.
Note
• Uninstalling the Agent while still on the VPN connection does not terminate the connection.
• For VPN-concentrator SSO deployments, if the Agent is not downloaded from the CAS and is instead downloaded by other methods (e.g. Cisco Downloads), the Agent will not be able to get the runtime IP information of the CAM and will not pop up automatically nor scan the client.