Integrating with Cisco VPN Concentrators
This chapter describes the configuration required to integrate the Clean Access Server with Cisco VPN Concentrators. Topics include:
•Configure Cisco NAC Appliance for VPN Concentrator Integration
•Cisco NAC Appliance Agent with VPN Concentrator and SSO
•View Active VPN Clients
Cisco NAC Appliance enables administrators to deploy the Clean Access Server (CAS) in-band behind a VPN concentrator, or router, or multiple routers. Multi-hop Layer 3 in-band deployment is supported by allowing the Clean Access Manager (CAM) and CAS to track user sessions by unique IP address when users are separated from the CAS by one or more routers. Note that you can have a CAS supporting both L2 and L3 users. With layer 2-connected users, the CAM/CAS continue to manage these user sessions based on the user MAC addresses, as before.
For users that are one or more L3 hops away, note the following considerations:
•User sessions are based on unique IP address rather than MAC address.
•If the user's IP address changes (for example, the user loses VPN connectivity), the client must go through the Nessus Scanning process again.
•In order for clients to discover the CAS when they are one or more L3 hops away, the Agent must be initially installed and downloaded via the CAS. This provides clients with the CAM information needed for subsequent logins when users are one or more L3 hops away from the CAS. Acquiring and installing the Agent by means other than direct download from the CAS will not provide the necessary CAM information to the Agent and will not allow those Agent installations to operate in a multi-hop Layer 3 deployment.
•The Certified List tracks both L2 and L3 VPN users by MAC address, and the Certified Devices Timer will apply to these users.
•All other user audit trails, such as network scanner and Agent logs, are maintained for multi-hop L3 users.
•The Session Timer will work the same way for multi-hop L3 In-Band deployments and L2 (In-Band or Out-of-Band) deployments.
Note that when the Single Sign-On (SSO) feature is configured for multi-hop L3 VPN concentrator integration, if the user's session on the CAS times out but the user is still logged in on the VPN concentrator, the user session will be restored without providing a username/password.
•The Heartbeat Timer will not function in L3 deployments, and does not apply to Out-of-Band deployments.
Note that the HeartBeat Timer will work if the CAS is the first hop behind the VPN concentrator. This is because the VPN concentrator responds to the ARP queries for the IP addresses of its current tunnel clients.
The topology and configuration required is fairly straightforward. Figure 7-1 illustrates a Cisco NAC Appliance network integrated with a VPN concentrator. Figure 7-2 illustrates the VPN concentrator configuration "before" and Figure 7-3 illustrates the configuration "after" integration with Cisco NAC Appliance when multiple accounting servers are being used. The Clean Access Server needs to be configured as the sole RADIUS accounting server for the VPN concentrator. If the VPN concentrator is already configured for one or more RADIUS accounting server(s), the configuration for these needs to be transferred from the concentrator to the CAS.
Note If using Split Tunneling on the VPN concentrator, make sure that the split tunnel allows access to the network being used for the Discovery Host. If the Discovery Host is the same as the CAM IP address, it should allow the CAM.
Single Sign-On (SSO)
In addition to being deployable with VPN concentrators, Cisco NAC Appliance provides the best user experience possible for Cisco VPN concentrator users through Single Sign-On (SSO). Users logging in through the VPN Client do not have to login again to Cisco NAC Appliance. Cisco NAC Appliance leverages the VPN login and any VPN user group/class attributes to map the user to a particular role.
This level of integration is achieved using RADIUS Accounting with the Clean Access Server acting as a RADIUS accounting proxy. Cisco NAC Appliance supports Single Sign-On (SSO) for the following:
•Cisco VPN Concentrators
•Cisco ASA 5500 Series Adaptive Security Appliances
•Cisco Airespace Wireless LAN Controllers
•Cisco SSL VPN Client (Full Tunnel)
•Cisco VPN Client (IPSec)
Note The Enable L3 support option must be checked on the CAS (under Device Management > Clean Access Servers > Manage [CAS_IP] > Network > IP) for the Agent to work in VPN tunnel mode.
Note The Clean Access Server can acquire the client's IP address from either Calling_Station_ID or Framed_IP_address RADIUS attributes for SSO purposes. Cisco NAC Appliance RADIUS Accounting support for Single Sign-On (SSO) includes the Cisco Airespace Wireless LAN Controller. For SSO to work with Cisco NAC Appliance, the Cisco Airespace Wireless LAN Controller must send the Calling_Station_IP attribute as the client's IP address (as opposed to the Framed_IP_address attribute that the VPN concentrator uses). See also View Active VPN Clients.
See Configure Single Sign-On (SSO) on the CAS/CAM for further details.
Figure 7-1 VPN Concentrator Integrated with Cisco NAC Appliance
Figure 7-2 VPN Concentrator Before Cisco NAC Appliance Integration
Figure 7-3 VPN Concentrator After Cisco NAC Appliance Integration
Configure Cisco NAC Appliance for VPN Concentrator Integration
The following steps are needed to configure Cisco NAC Appliance to work with a VPN concentrator.
Step 1 Add Default Login Page
Step 2 Configure User Roles and Requirements for your VPN users
Step 3 Enable L3 Support on the CAS
Step 4 Verify Discovery Host
Step 5 Add VPN Concentrator to Clean Access Server
Step 6 Make CAS the RADIUS Accounting Server for VPN Concentrator
Step 7 Add Accounting Servers to the CAS
Step 8 Map VPN Concentrator(s) to Accounting Server(s)
Step 9 Create (Optional) Auth Server Mapping Rules
Step 10 Add VPN Concentrator as a Floating Device
Step 11 Configure Single Sign-On (SSO) on the CAS/CAM
Step 12 Create (Optional) Auth Server Mapping Rules on the CAM for Cisco VPN SSO
Step 13 Test as Cisco NAC Appliance Agent with VPN Concentrator and SSO
Step 14 View Active VPN Clients (for troubleshooting)
Add Default Login Page
For both web login users and Agent users, a login page must be added and present in the system in order for the user to authenticate via the Agent. Go to Administration > User Pages > Login Page > Add | Add to quickly add the default user login page. See the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.6(1) for complete details on login page configuration options.
Configure User Roles and Requirements
User roles must be configured along with requirements to enforce client posture assessment on VPN users. See the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.6(1) for configuration details.
Enable L3 Support on the CAS
The Enable L3 support option must be checked on the IP form of the CAS for the Agent to work in VPN tunnel mode.
1. Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Network > IP.
Figure 7-4 CAS Network Tab — Enable L3 Support
2. The Clean Access Server Type, Trusted Interface, and Untrusted Interface settings should already be correctly configured (from when the CAS was added).
3. Click the checkbox for Enable L3 support.
4. Click Update.
5. Click Reboot.
Note•The enable/disable L3 feature is disabled by default, and ALWAYS requires an Update and Reboot of the CAS to take effect. Update causes the web console to retain the changed setting until the next reboot. Reboot causes the process to start in the CAS.
•L3 and L2 strict options are mutually exclusive; enabling one option disables the other.
See also Enable L3 Support, page 5-16.
Verify Discovery Host
There must be a Discovery Host enabled in order for the Agent to discover the CAS in VPN or L3 deployments. By default, the Discovery Host field is set to the IP address of the CAM. Because the VPN concentrator acts as a router between the user and the CAS, the Agent uses the Discovery Host to direct its UDP 8906 discovery packets to the network of the CAS. The CAS uses these packets to learn that an Agent is active, and discards the packets before they ever reach the CAM. (This function does not apply to the Cisco NAC Web Agent.) The Discovery Host field should be set in the CAM before the Agent is distributed and installed on client machines.
1. Go to Device Management > Clean Access > Clean Access Agent > Distribution.
2. Verify the IP address for the Discovery Host field is either the IP address of the CAM (default), or a trusted network IP address that requires traffic to be routed/forwarded via the CAS.
3. If changing the Discovery Host, click the Update button.
See VPN/L3 Access for Agents, page 5-17, and the "Configuring Agent Distribution/Installation" section of the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.6(1) for additional information.
Add VPN Concentrator to Clean Access Server
1. Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Authentication > VPN Auth > VPN Concentrators.
Figure 7-5 Add VPN Concentrator
2. Type a Name for the concentrator.
3. Type the Private IP Address of the concentrator.
4. Type a Shared Secret between the CAS and VPN concentrator. The same secret must be configured on the concentrator itself.
5. Retype the secret in the Confirm Shared Secret field.
6. Enter an optional Description.
7. Click Add VPN Concentrator.
Make CAS the RADIUS Accounting Server for VPN Concentrator
Make the CAS the RADIUS accounting server on the VPN concentrator (for example, on the VPN 3000 series, this is done under Configuration > System > Servers > Accounting). It is a good idea to record the settings for each accounting server to transfer to the CAS later. The CAS should be the only accounting server for the VPN concentrator, and the VPN concentrator should be configured with the trusted-side IP address of the CAS and have the same shared secret as the CAS.
For further details, refer to the appropriate product documentation, such as:
Add Accounting Servers to the CAS
If the VPN concentrator is configured to work with an accounting server, the information for the accounting server(s) needs to be transferred to the CAS. The CAS maintains these associations instead.
1. Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP]> Authentication > VPN Auth > Accounting Servers.
Figure 7-6 Add Accounting Server(s)
2. Type a Name for the accounting server.
3. Type the IP Address of the accounting server.
4. Type the Port of the accounting server (typically 1813)
5. Type the Retry number for the accounting server. This specifies the number of times to retry a request attempt if there is no response within the Timeout specified. For example, if the Retry is 2, and the Timeout is 3 (seconds), it will take 6 seconds for the CAS to send the request to the next accounting server on the list.
6. Type the Timeout of the accounting server (in seconds). This specifies how long the CAS should wait before retrying a request to the accounting server when there is no response.
7. Type a Shared Secret between the CAS and accounting server. You can transfer the settings from the VPN concentrator or create a new secret; however the same secret must be configured on the accounting server itself.
8. Retype the secret in the Confirm Shared Secret field.
9. Enter an optional Description.
10. Click Add Accounting Server.
Map VPN Concentrator(s) to Accounting Server(s)
If managing multiple VPN concentrators and multiple accounting servers, you can create mappings to associate the VPN concentrator(s) with sets of Accounting Servers. This allows the CAS to continue to the next server on the list in case an accounting server becomes unreachable.
1. Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Authentication > VPN Auth > Accounting Mapping.
Figure 7-7 Accounting Mapping
2. Choose a VPN Concentrator from the dropdown menu. The menu displays all VPN concentrators added to the CAS.
3. Choose an Accounting Server from the dropdown menu. The menu displays all accounting servers configured for the CAS.
4. Click the Add Entry button to add the mapping. The list below will display all the accounting servers associated per VPN concentrator by name, IP address, and port.
Add VPN Concentrator as a Floating Device
In general, if the Clean Access Server is not on the same subnet as clients, the CAS will not obtain client MAC information for IP addresses as clients log into the system. Where there is a VPN concentrator between users and the CAS (all Server Types), the CAS will see the MAC address of the VPN concentrator with each new client IP address because the VPN concentrator performs Proxy ARP for the client IP addresses. Unless the VPN concentrator is configured as a floating device, only the first user logging into Cisco NAC Appliance will be required to meet requirements. Therefore, administrators must add the MAC address of the router/VPN concentrator to the Floating Device list under Device Management > Clean Access > Certified Devices > Add Floating Device (example entry: 00:16:21:11:4D:67 1 vpn_concentrator). See "Add Floating Devices" in the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.6(1) for details.
Configure Single Sign-On (SSO) on the CAS/CAM
Single Sign-On (SSO) allows the user to login only once via the VPN client before being directed through the posture assessment process. To perform SSO, Cisco NAC Appliance takes the RADIUS accounting information from the VPN concentrator/wireless controller for the user authentication and uses it to map the user into a user role. This allows the user to go through posture assessment directly without having to also login on the Clean Access Server. SSO is configured on both the CAS and CAM as described below.
The most important attributes needed from RADIUS accounting packets are User_Name, Framed_IP_address, Calling_Station_ID. For a user to be qualified for SSO through the Clean Access Server, either the Framed_IP_address or Calling_Station_ID attribute (sent for the client's IP address) must be in the RADIUS accounting message.
Note RADIUS Accounting support for Single Sign-On (SSO) includes the Cisco Airespace Wireless LAN Controller. For SSO to work with Cisco NAC Appliance, the Cisco Airespace Wireless LAN Controller must send the Calling_Station_IP attribute as the client's IP address (as opposed to the Framed_IP_address attribute that the VPN concentrator uses).
Configure SSO on the CAS
Step 1 Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Authentication > VPN Auth > General.
Figure 7-8 General Settings (SSO / Logout / RADIUS Accounting Port)
Step 2 Click the checkbox for Single Sign-On to enable VPN SSO on the CAS.
Step 3 Enter a time period (in seconds) for the Agent VPN Detection Delay value. If the CAS has not received the required RADIUS accounting information before the Agent attempts VPN SSO, the Agent will prompt for user login. The Agent VPN Detection Delay field allows you to specify the amount of time the CAS should wait before prompting for authentication from the remote user's Agent that is transmitting SWISS UDP discovery packets.
This option ensures that the CAS has time to receive updates for users who are already connected via VPN before prompting them for login credentials that the CAS normally leverages from VPN login. If the CAS learns of the existing connection during the specified waiting period, it automatically yields to the VPN SSO function. Otherwise, once the specified waiting period has passed with no indication that the user connection is already established via VPN, the CAS prompts the user to enter their login credentials.
Note The Agent VPN Detection Delay applies to all VPN SSO users until the delay expires.
When this value is 0, the CAS requests the Agent to perform VPN SSO immediately. Set this value to 0 if the first RADIUS accounting packet received by the CAS has enough information to perform VPN SSO when the VPN is connected.
When this value is any number other than 0, the CAS informs the Agent in the SWISS packet to wait for the specified delay before attempting VPN SSO login. Set this field to a non-zero value if:
•The Agent is prompting for user authentication because the first RADIUS accounting packet is delayed.
•The VPN concentrator requires a second accounting packet to update the VPN IP address sent in the first accounting packet. In this case, the CAS will not see this VPN connection as valid after the first accounting packet, and the Agent will prompt for user login if the Agent VPN Detection Delay is set to 0.
Step 4 Click the checkbox for Auto-Logout to automatically terminate the VPN session for users when they log out.
Step 5 Leave the default port (1813) or configure a new one for RADIUS Accounting Port.
Note A CAS deployed as a Real-IP gateway supporting VPN SSO opens the Accounting port only on the trusted (eth0) interface.
Step 6 Click Update.
Configure SSO on the CAM
To support SSO when configuring Cisco NAC Appliance VPN Concentrator integration, a Cisco VPN SSO authentication source must be added to the CAM.
1. Go to User Management > Auth Servers > New.
Figure 7-9 Add New Auth Server (in CAM)
2. Choose Cisco VPN SSO from the Authentication Type dropdown menu.
3. The Provider Name is set by default to Cisco VPN.
4. From the Default Role dropdown, choose the user role you want VPN client users to be assigned to for the posture assessment process.
5. Enter an optional Description to identify the VPN concentrator in the list of auth servers.
6. Click Add Server.
The new Cisco VPN SSO auth server appears under User Management > Auth Servers > List of Servers.
•Click the Edit button next to the auth server to modify settings.
•Click the Mapping button next to the auth server to configure RADIUS attribute-based mapping rules for Cisco VPN SSO.
See the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.6(1) for further details.
Create (Optional) Auth Server Mapping Rules
For the Cisco VPN SSO type, you can create mapping rules based on the RADIUS Auth Server attributes that are passed from the VPN Concentrator to map users into roles. The following RADIUS attributes can be used to configure Cisco VPN SSO mapping rules:
Mapping rules are configured in the CAM web admin console under User Management > Auth Servers > Mapping Rules. For complete configuration details, see "User Management: Configuring Auth Servers" in the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.6(1).
Cisco NAC Appliance Agent with VPN Concentrator and SSO
The Agent supports multi-hop L3 deployment and VPN/L3 access from the Agent. The Agent:
1. Checks the client network for the Clean Access Server (L2 deployments), and if not found,
2. Attempts to discover the CAS by sending discovery packets to the CAM. This causes the discovery packets to go through the CAS even if the CAS is multiple hops away (multi-hop deployment) so that the CAS will intercept these packets and respond to the Agent.
In order for clients to discover the CAS when they are one or more L3 hops away, clients must initially download the Agent from the CAS. This can be done in two ways:
•From the Agent download web page (i.e. via web login)
•By client upgrade to the latest Cisco NAC Agent or auto-upgrade to Clean Access Agent version 18.104.22.168 or later. For the Clean Access Agent auto-upgrade process to work, clients must have an earlier version of the Clean Access Agent already installed.
Either method allows the Agent to acquire the IP address of the CAM in order to send traffic to the CAM/CAS over the L3 network. Once installed in this way, the Agent can be used for both L3/VPN concentrator deployments or regular L2 deployments. See Enable L3 Support, page 5-16 for details.
Note For VPN-concentrator SSO deployments, if the Clean Access Agent is not downloaded from the CAS, but is instead downloaded by other means, the Agent is not able to determine the runtime IP information of the CAM and does not automatically pop up, nor does it scan the client machine.
For Ciso NAC Agent users, you can work around this issue by specifying a DiscoveryHost setting in the Agent configuration XML file.
Note•Uninstalling the Agent while still on the VPN connection does not terminate the VPN connection, although the (if configured) the client machine is removed from the Certified Devices List and the user is removed from the Online Users List.
•If a 3.5.0 or earlier version of the Clean Access Agent is already installed, or if the Agent is installed through non-CAS means, you must perform web login to download the latest Agent setup files from the CAS directly and reinstall the Agent to get the L3 capability.
Cisco NAC Appliance Agent Layer 3 VPN Concentrator User Experience
1. Launch the VPN connection application configured to work with Cisco NAC Appliance.
2. Once logged in, open a browser and attempt to go to an intranet or extranet site.
Cisco NAC Appliance enables administrators to deploy the CAS in-band behind a VPN concentrator, or router, or multiple routers. Cisco NAC Appliance supports multi-hop Layer 3 in-band deployment by allowing the CAM and CAS to track user sessions by unique IP address when users are separated from the CAS by one or more routers. With Layer 2-connected users, the CAM/CAS continue to manage these user sessions based on the user MAC addresses, as before. Figure 7-10 illustrates the login and posture assessment process for a VPN user using the Agent with Single Sign-On. Note that the initial download of the Agent must be performed via the VPN connection.
Figure 7-10 Agent with SSO for VPN Users
With Single Sign-On, the Agent performs automatic login and scanning as shown Figure 7-11.
Figure 7-11 Agent Auto-Login Screen (User View)
Note Web login always works in Layer 2 or Layer 3 mode, and Layer 3 capability cannot be disabled.
View Active VPN Clients
The Active VPN Clients page lists IP addresses known to the CAS through VPN Single Sign-On (SSO) This page is intended for troubleshooting and is available in both the CAS management pages and CAS direct access console. The Active VPN Clients page shows a list of all users for which the CAS has received valid Radius accounting START packets.
Anytime the CAS receives a valid Radius Accounting START packet for a particular client machine, the CAS adds it to the Active VPN Clients list:
•If a client appears in this list, the client is able to perform SSO.
•If the client does not appear in this list, then most likely the START packet did not make it to the CAS or it was in an incorrect format.
The key things the packet format must include are:
•Account-Status-type = 1 (indicating it is a START packet)
•Calling-station-Id (showing end machine's IP address)
When the user tries to browse, or runs the Agent, the CAM/CAS compares the Active VPN Client information to its mapping rules to determine what role to put the user in.
To view active VPN clients:
1. Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Authentication > VPN Auth > Active Clients.
Figure 7-12 Active Clients (VPN Concentrator)
2. Click the Show All button to List All VPN Clients or perform a Search. The Active Clients page remains blank until you perform one of these two actions:
a. Click Show All to display all current IP/user information from the system Single Sign-On (SSO) table.
b. Alternatively, type an IP address in the Search IP Address text field, select an operator from the dropdown menu (equals, starts with, ends with, contains), and click the Search button to display results.
3. The table at the bottom of the page is populated with the following information. Entries are sorted by Client IP address.
–Total Active VPN Clients—Displays the current number of active VPN clients in the SSO table.
–Client IP—The client IP address received from the RADIUS accounting packet.
–Client Name—The client name received from the RADIUS accounting packet.
–VPN Server IP—The IP address of the Cisco VPN SSO auth server being used for Single Sign-On.
–Login Time—The date/time that the active VPN client session was established.
Note Clicking Show All or performing a new search refreshes the page with the latest SSO table information.
4. To remove entries from the Active Client page, either:
a. Click the Clear button to Clear All Active VPN Client entries from the SSO table. For example, if VPN users lose their sessions due to a VPN server crash, the RADIUS accounting stop message will not be sent to the CAS, and those users will remain in the system SSO table until manually removed. Removing all entries from the Active VPN Clients page allows the system to restart from a fresh SSO table.
b. Click the checkbox for an individual entry and click the Delete button at the top of the column to remove that entry from the SSO table.
Note Clicking the Clear or Delete button only removes the user(s) from the system's current SSO client table; it does not remove the user(s) from the Online Users list.
Tip You can also view active VPN clients from the direct console of the CAS (https://<CAS_eth0_IP_address>/admin), from the Monitoring > Active VPN Clients page (Figure 7-13).
Figure 7-13 CAS Direct Access Console—Monitoring Active VPN Clients