For Cisco Clean Access 3.5
6-14
Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 6 User Management: Auth Servers
Configure an Authentication Provider
Cisco VPN Server
Note
Cisco Clean Access supports Single Sign-On (SSO) for the following:
• Cisco VPN Concentrators
• Cisco ASA 5500 Series Adaptive Security Appliances
• Cisco Airespace Wireless LAN Controllers (3.5.8+)
• Cisco SSL VPN Client (Full Tunnel)
• Cisco VPN Client (IPSec)
Cisco Clean Access (3.5.3 and above) provides integration with Cisco VPN concentrators and can enable
Single Sign-On capability for VPN users. This functionality is achieved using RADIUS Accounting. The
Clean Access Server can acquire the client's IP address from either Framed_IP_address or
Calling_Station_ID RADIUS attributes for SSO purposes.
• Single Sign-On (SSO) for Cisco VPN concentrator users—VPN users do not need to log in to the
web browser or the Clean Access Agent because the RADIUS accounting information sent to the
CAS/CAM by the VPN concentrator provides the user ID and IP address of users logging into the
VPN concentrator (RADIUS Accounting Start Message).
• Single Sign-On (SSO) for Cisco Airespace Wireless LAN Controller users (3.5.8 and above) —
Release 3.5(8) extends Cisco Clean Access support for SSO for Cisco Airespace WLC. For SSO to
work, the Cisco Airespace Wireless LAN Controller must send the Calling_Station_IP attribute as
the client's IP address (as opposed to the Framed_IP_address that the VPN concentrator uses).
• Accurate Session Timeout/Expiry—Due to the use of RADIUS accounting, the VPN concentrator
informs the Clean Access Server exactly when the user has logged out (RADIUS Accounting Stop
Message). See
for additional details.
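
The accounting-driven SSO flow described above, as an added example that is not Cisco's code: a receiver that accepts a RADIUS Accounting Start or Stop only after verifying the RFC 2866 Request Authenticator, then maps the client IP to the user ID. The function names, shared secret and sample addresses are hypothetical, and the page's Framed_IP_address and Calling_Station_ID are assumed to be the standard attributes 8 and 31.

```python
import hashlib, hmac, ipaddress, struct
# Codes and attribute types from RFC 2865/2866.
ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 8, 31, 40
START, STOP = 1, 2  # Acct-Status-Type values

def request_authenticator(packet: bytes, secret: bytes) -> bytes:
    # RFC 2866: MD5(code, id, length, 16 zero octets, attributes, shared secret)
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()

def parse_attributes(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(packet):
        length = packet[pos + 1] if pos + 1 < len(packet) else 0
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def handle_accounting(packet: bytes, secret: bytes, sessions: dict) -> str:
    """Update the session table {client_ip: user_id}; return the action taken."""
    if (len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST
            or struct.unpack("!H", packet[2:4])[0] != len(packet)):
        return "rejected"
    # Unauthenticated accounting data must never create or end a session.
    if not hmac.compare_digest(request_authenticator(packet, secret), packet[4:20]):
        return "rejected"
    try:
        a = parse_attributes(packet)
        # Prefer Framed-IP-Address; fall back to Calling-Station-Id if it is an IP.
        ip = str(ipaddress.IPv4Address(a[FRAMED_IP]) if FRAMED_IP in a
                 else ipaddress.ip_address(a[CALLING_STATION_ID].decode("ascii")))
    except (KeyError, ValueError):
        return "rejected"
    status = int.from_bytes(a.get(ACCT_STATUS_TYPE, b""), "big")
    if status == START and USER_NAME in a:
        sessions[ip] = a[USER_NAME].decode("utf-8", "replace")
        return "login"
    if status == STOP:
        return "logout" if sessions.pop(ip, None) is not None else "ignored"
    return "ignored"

def build_request(status: int, user: str, ip: str, secret: bytes) -> bytes:  # constructed sample
    attrs = ((USER_NAME, user.encode()), (FRAMED_IP, ipaddress.IPv4Address(ip).packed),
             (ACCT_STATUS_TYPE, struct.pack("!I", status)))
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body))
    return head + request_authenticator(head + bytes(16) + body, secret) + body
```

Because the session is created from the accounting message alone, the shared secret check and a restriction on which source addresses may send accounting traffic are what keep a spoofed Start from logging a user in.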
In order to enable the SSO feature for users, an authentication source of type Cisco VPN Server must be
added using the following steps.
Figure 6-9 Add Cisco VPN Auth Server
1. Go to User Management > Auth Servers > New Server.
2. Authentication Type — Choose Cisco VPN Server from the dropdown menu.