Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.7(5)
Integrating with Cisco VPN Concentrators

Integrating with Cisco VPN Concentrators

Table Of Contents

Integrating with Cisco VPN Concentrators

Overview

Single Sign-On (SSO)

Configure Cisco NAC Appliance for VPN Concentrator Integration

Add Default Login Page

Configure User Roles and Requirements

Enable L3 Support on the CAS

Verify Discovery Host

Add VPN Concentrator to Clean Access Server

Make CAS the RADIUS Accounting Server for VPN Concentrator

Add Accounting Servers to the CAS

Map VPN Concentrator(s) to Accounting Server(s)

Add VPN Concentrator as a Floating Device

Configure Single Sign-On (SSO) on the CAS/CAM

Configure SSO on the CAS

Configure SSO on the CAM

Configure VPN SSO in a FIPS 140-2 Compliant Deployment

Import a Trusted CA

Set up Identity certificate

Create a Site-to-Site VPN to CAS

Create (Optional) Auth Server Mapping Rules

Cisco NAC Appliance Agent with VPN Concentrator and SSO

Cisco NAC Appliance Agent Layer 3 VPN Concentrator User Experience

View Active VPN Clients


Integrating with Cisco VPN Concentrators


This chapter describes the configuration required to integrate the Clean Access Server with Cisco VPN Concentrators. Topics include:

Overview

Configure Cisco NAC Appliance for VPN Concentrator Integration

Cisco NAC Appliance Agent with VPN Concentrator and SSO

View Active VPN Clients

Overview

Cisco NAC Appliance enables administrators to deploy the Clean Access Server (CAS) in-band behind a VPN concentrator, or router, or multiple routers. Multi-hop Layer 3 in-band deployment is supported by allowing the Clean Access Manager (CAM) and CAS to track user sessions by unique IP address when users are separated from the CAS by one or more routers. Note that you can have a CAS supporting both L2 and L3 users. With layer 2-connected users, the CAM/CAS continue to manage these user sessions based on the user MAC addresses, as before.

For users that are one or more L3 hops away, note the following considerations:

User sessions are based on unique IP address rather than MAC address.

If the user's IP address changes (for example, the user loses VPN connectivity), the client must go through the Nessus Scanning process again.

In order for clients to discover the CAS when they are one or more L3 hops away, the Agent must be initially installed and downloaded via the CAS. This provides clients with the CAM information needed for subsequent logins when users are one or more L3 hops away from the CAS. Acquiring and installing the Agent by means other than direct download from the CAS will not provide the necessary CAM information to the Agent and will not allow those Agent installations to operate in a multi-hop Layer 3 deployment.

The Certified List tracks both L2 and L3 VPN users by MAC address, and the Certified Devices Timer will apply to these users.

All other user audit trails, such as network scanner and Agent logs, are maintained for multi-hop L3 users.

The Session Timer will work the same way for multi-hop L3 In-Band deployments and L2 (In-Band or Out-of-Band) deployments.

Note that when the Single Sign-On (SSO) feature is configured for multi-hop L3 VPN concentrator integration, if the user's session on the CAS times out but the user is still logged in on the VPN concentrator, the user session will be restored without providing a username/password.

The topology and configuration required is fairly straightforward. Figure 6-1 illustrates a Cisco NAC Appliance network integrated with a VPN concentrator. Figure 6-2 illustrates the VPN concentrator configuration "before" and Figure 6-3 illustrates the configuration "after" integration with Cisco NAC Appliance when multiple accounting servers are being used. The Clean Access Server needs to be configured as the sole RADIUS accounting server for the VPN concentrator. If the VPN concentrator is already configured for one or more RADIUS accounting server(s), the configuration for these needs to be transferred from the concentrator to the CAS.


Note If using Split Tunneling on the VPN concentrator, make sure that the split tunnel allows access to the network being used for the Discovery Host. If the Discovery Host is the same as the CAM IP address, it should allow the CAM.

Single Sign-On (SSO)

In addition to being deployable with VPN concentrators, Cisco NAC Appliance provides the best user experience possible for Cisco VPN concentrator users through Single Sign-On (SSO). Users logging in through the VPN Client do not have to log in again to Cisco NAC Appliance. Cisco NAC Appliance leverages the VPN login and any VPN user group/class attributes to map the user to a particular role.

This level of integration is achieved using RADIUS Accounting with the Clean Access Server acting as a RADIUS accounting proxy. Cisco NAC Appliance supports Single Sign-On (SSO) for the following:

Cisco VPN Concentrators

Cisco ASA 5500 Series Adaptive Security Appliances

Cisco Airespace Wireless LAN Controllers

Cisco SSL VPN Client (Full Tunnel)

Cisco VPN Client (IPSec)


Note The Enable L3 support option must be checked on the CAS (under Device Management > Clean Access Servers > Manage [CAS_IP] > Network > IP) for the Agent to work in VPN tunnel mode.

Note The Clean Access Server can acquire the client's IP address from either the Calling_Station_ID or the Framed_IP_address RADIUS attribute for SSO purposes. Cisco NAC Appliance RADIUS Accounting support for Single Sign-On (SSO) includes the Cisco Airespace Wireless LAN Controller. For SSO to work with Cisco NAC Appliance, the Cisco Airespace Wireless LAN Controller must send the Calling_Station_ID attribute as the client's IP address (as opposed to the Framed_IP_address attribute that the VPN concentrator uses). See also View Active VPN Clients.

See Configure Single Sign-On (SSO) on the CAS/CAM for further details.

Figure 6-1 VPN Concentrator Integrated with Cisco NAC Appliance

Figure 6-2 VPN Concentrator Before Cisco NAC Appliance Integration

Figure 6-3 VPN Concentrator After Cisco NAC Appliance Integration

Configure Cisco NAC Appliance for VPN Concentrator Integration

The following steps are needed to configure Cisco NAC Appliance to work with a VPN concentrator.


Step 1 Add Default Login Page

Step 2 Configure User Roles and Requirements for your VPN users

Step 3 Enable L3 Support on the CAS

Step 4 Verify Discovery Host

Step 5 Add VPN Concentrator to Clean Access Server

Step 6 Make CAS the RADIUS Accounting Server for VPN Concentrator

Step 7 Add Accounting Servers to the CAS

Step 8 Map VPN Concentrator(s) to Accounting Server(s)

Step 9 Create (Optional) Auth Server Mapping Rules

Step 10 Add VPN Concentrator as a Floating Device

Step 11 Configure Single Sign-On (SSO) on the CAS/CAM

Step 12 Configure VPN SSO in a FIPS 140-2 Compliant Deployment (if FIPS 140-2 compliant deployment)

Step 13 Create (Optional) Auth Server Mapping Rules on the CAM for Cisco VPN SSO

Step 14 Test as Cisco NAC Appliance Agent with VPN Concentrator and SSO

Step 15 View Active VPN Clients (for troubleshooting)


Add Default Login Page

For both web login users and Agent users, a login page must be added and present in the system in order for the user to authenticate via the Agent. Go to Administration > User Pages > Login Page > Add | Add to quickly add the default user login page. See the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.7(5) for complete details on login page configuration options.

Configure User Roles and Requirements

User roles must be configured along with requirements to enforce client posture assessment on VPN users. See the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.7(5) for configuration details.

Enable L3 Support on the CAS

The Enable L3 support option must be checked on the IP form of the CAS for the Agent to work in VPN tunnel mode.

1. Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Network > IP.

Figure 6-4 CAS Network Tab — Enable L3 Support

2. The Clean Access Server Type, Trusted Interface, and Untrusted Interface settings should already be correctly configured (from when the CAS was added).

3. Click the checkbox for Enable L3 support.

4. Click Update.

5. Click Reboot.


Note The enable/disable L3 feature is disabled by default, and ALWAYS requires an Update and Reboot of the CAS to take effect. Update causes the web console to retain the changed setting until the next reboot. Reboot causes the process to start in the CAS.

L3 and L2 strict options are mutually exclusive; enabling one option disables the other.


See also Enable L3 Support.

Verify Discovery Host

There must be a Discovery Host enabled in order for the Agent to discover the CAS in VPN or L3 deployments. By default, the Discovery Host field is set to the IP address of the CAM. Because the VPN concentrator acts as a router between the user and the CAS, the Agent uses the Discovery Host to direct its UDP 8906 discovery packets to the network of the CAS. The CAS uses these packets to learn that an Agent is active, and discards the packets before they ever reach the CAM. (This function does not apply to the Cisco NAC Web Agent.) The Discovery Host field should be set in the CAM before the Agent is distributed and installed on client machines.

1. Go to Device Management > Clean Access > Clean Access Agent > Distribution.

2. Verify the IP address for the Discovery Host field is either the IP address of the CAM (default), or a trusted network IP address that requires traffic to be routed/forwarded via the CAS.

3. If changing the Discovery Host, click the Update button.

See VPN/L3 Access for Agents, and the "Configuring Agent Distribution/Installation" section of the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.7(5) for additional information.

Add VPN Concentrator to Clean Access Server

1. Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Authentication > VPN Auth > VPN Concentrators.

Figure 6-5 Add VPN Concentrator

2. Type a Name for the concentrator.

3. Type the Private IP Address of the concentrator.

4. Type a Shared Secret between the CAS and VPN concentrator. The same secret must be configured on the concentrator itself.

5. Retype the secret in the Confirm Shared Secret field.

6. Enter an optional Description.

7. For a FIPS 140-2 compliant deployment, activate the Enable IPsec checkbox to ensure you can establish a secure IPSec tunnel for authentication traffic. See also, Configure VPN SSO in a FIPS 140-2 Compliant Deployment.

8. Click Add VPN Concentrator.

Make CAS the RADIUS Accounting Server for VPN Concentrator

Make the CAS the RADIUS accounting server on the VPN concentrator (for example, on the VPN 3000 series, this is done under Configuration > System > Servers > Accounting). It is a good idea to record the settings for each accounting server to transfer to the CAS later. The CAS should be the only accounting server for the VPN concentrator, and the VPN concentrator should be configured with the trusted-side IP address of the CAS and have the same shared secret as the CAS.

For further details, refer to the appropriate product documentation, such as:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/tsd_products_support_eol_series_home.html

http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html

Add Accounting Servers to the CAS

If the VPN concentrator is configured to work with an accounting server, the information for the accounting server(s) needs to be transferred to the CAS. The CAS maintains these associations instead.

1. Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP]> Authentication > VPN Auth > Accounting Servers.

Figure 6-6 Add Accounting Server(s)

2. Type a Name for the accounting server.

3. Type the IP Address of the accounting server.

4. Type the Port of the accounting server (typically 1813)

5. Type the Retry number for the accounting server. This specifies the number of times to retry a request attempt if there is no response within the Timeout specified. For example, if the Retry is 2, and the Timeout is 3 (seconds), it will take 6 seconds for the CAS to send the request to the next accounting server on the list.

6. Type the Timeout of the accounting server (in seconds). This specifies how long the CAS should wait before retrying a request to the accounting server when there is no response.

7. Type a Shared Secret between the CAS and accounting server. You can transfer the settings from the VPN concentrator or create a new secret; however the same secret must be configured on the accounting server itself.

8. Retype the secret in the Confirm Shared Secret field.

9. Enter an optional Description.

10. For a FIPS 140-2 compliant deployment, activate the Enable IPsec checkbox to ensure you can establish a secure IPSec tunnel for authentication traffic.

11. Click Add Accounting Server.

Map VPN Concentrator(s) to Accounting Server(s)

If managing multiple VPN concentrators and multiple accounting servers, you can create mappings to associate the VPN concentrator(s) with sets of Accounting Servers. This allows the CAS to continue to the next server on the list in case an accounting server becomes unreachable.

1. Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Authentication > VPN Auth > Accounting Mapping.

Figure 6-7 Accounting Mapping

2. Choose a VPN Concentrator from the dropdown menu. The menu displays all VPN concentrators added to the CAS.

3. Choose an Accounting Server from the dropdown menu. The menu displays all accounting servers configured for the CAS.

4. Click the Add Entry button to add the mapping. The list below will display all the accounting servers associated per VPN concentrator by name, IP address, and port.

Add VPN Concentrator as a Floating Device

In general, if the Clean Access Server is not on the same subnet as clients, the CAS will not obtain client MAC information for IP addresses as clients log into the system. Where there is a VPN concentrator between users and the CAS (all Server Types), the CAS will see the MAC address of the VPN concentrator with each new client IP address because the VPN concentrator performs Proxy ARP for the client IP addresses. Unless the VPN concentrator is configured as a floating device, only the first user logging into Cisco NAC Appliance will be required to meet requirements. Therefore, administrators must add the MAC address of the router/VPN concentrator to the Floating Device list under Device Management > Clean Access > Certified Devices > Add Floating Device (example entry: 00:16:21:11:4D:67 1 vpn_concentrator). See "Add Floating Devices" in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.7(5) for details.

Configure Single Sign-On (SSO) on the CAS/CAM

Single Sign-On (SSO) allows the user to log in only once via the VPN client before being directed through the posture assessment process. To perform SSO, Cisco NAC Appliance takes the RADIUS accounting information from the VPN concentrator/wireless controller for the user authentication and uses it to map the user into a user role. This allows the user to go through posture assessment directly without having to also log in on the Clean Access Server. SSO is configured on both the CAS and CAM as described below.

The most important attributes needed from RADIUS accounting packets are User_Name, Framed_IP_address, Calling_Station_ID. For a user to be qualified for SSO through the Clean Access Server, either the Framed_IP_address or Calling_Station_ID attribute (sent for the client's IP address) must be in the RADIUS accounting message.


Note RADIUS Accounting support for Single Sign-On (SSO) includes the Cisco Airespace Wireless LAN Controller. For SSO to work with Cisco NAC Appliance, the Cisco Airespace Wireless LAN Controller must send the Calling_Station_ID attribute as the client's IP address (as opposed to the Framed_IP_address attribute that the VPN concentrator uses).

Configure SSO on the CAS


Step 1 Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Authentication > VPN Auth > General.

Figure 6-8 General Settings (SSO / Logout / RADIUS Accounting Port)

Step 2 Click the checkbox for Single Sign-On to enable VPN SSO on the CAS.

Step 3 Enter a time period (in seconds) for the Agent VPN Detection Delay value. If the CAS has not received the required RADIUS accounting information before the Agent attempts VPN SSO, the Agent will prompt for user login. The Agent VPN Detection Delay field allows you to specify the amount of time the CAS should wait before prompting for authentication from the remote user's Agent that is transmitting SWISS UDP discovery packets.

This option ensures that the CAS has time to receive updates for users who are already connected via VPN before prompting them for login credentials that the CAS normally leverages from VPN login. If the CAS learns of the existing connection during the specified waiting period, it automatically yields to the VPN SSO function. Otherwise, once the specified waiting period has passed with no indication that the user connection is already established via VPN, the CAS prompts the user to enter their login credentials.


Note The Agent VPN Detection Delay applies to all VPN SSO users until the delay expires.

When this value is 0, the CAS requests the Agent to perform VPN SSO immediately. Set this value to 0 if the first RADIUS accounting packet received by the CAS has enough information to perform VPN SSO when the VPN is connected.

When this value is any number other than 0, the CAS informs the Agent in the SWISS packet to wait for the specified delay before attempting VPN SSO login. Set this field to a non-zero value if:

The Agent is prompting for user authentication because the first RADIUS accounting packet is delayed.

The VPN concentrator requires a second accounting packet to update the VPN IP address sent in the first accounting packet. In this case, the CAS will not see this VPN connection as valid after the first accounting packet, and the Agent will prompt for user login if the Agent VPN Detection Delay is set to 0.

Step 4 Click the checkbox for Auto-Logout to automatically terminate the VPN session for users when they log out.

Step 5 Leave the default port (1813) or configure a new one for RADIUS Accounting Port.


Note A CAS deployed as a Real-IP gateway supporting VPN SSO opens the Accounting port only on the trusted (eth0) interface.

Step 6 Click Update.


Configure SSO on the CAM

To support SSO when configuring Cisco NAC Appliance VPN Concentrator integration, a Cisco VPN SSO authentication source must be added to the CAM.

1. Go to User Management > Auth Servers > New.

Figure 6-9 Add New Auth Server (in CAM)

2. Choose Cisco VPN SSO from the Authentication Type dropdown menu.

3. The Provider Name is set by default to Cisco VPN.

4. From the Default Role dropdown, choose the user role you want VPN client users to be assigned to for the posture assessment process.

5. Enter an optional Description to identify the VPN concentrator in the list of auth servers.

6. Click Add Server.

The new Cisco VPN SSO auth server appears under User Management > Auth Servers > List of Servers.

Click the Edit button next to the auth server to modify settings.

Click the Mapping button next to the auth server to configure RADIUS attribute-based mapping rules for Cisco VPN SSO.

See the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.7(5) for further details.

Configure VPN SSO in a FIPS 140-2 Compliant Deployment

Setting up IPSec communication between your FIPS compliant Cisco NAC Appliance system and Cisco ASA covers three primary phases:

Import a Trusted CA

Set up Identity certificate

Create a Site-to-Site VPN to CAS

Import a Trusted CA

To import your trusted Certificate Authority (CA) into the ASA VPN concentrator:


Step 1 In ASDM, click the Configuration toolbar button.

Step 2 Select the Site-to-Site VPN tab.

Step 3 Go to Panel Certificate Management > CA Certificates (Figure 6-10).

Figure 6-10 Import CA Certificate

Step 4 Click Add and enter a trustpoint name for your CA.

Step 5 Click Browse and select your CA certificate file.

Step 6 Click Install Certificate.


Set up Identity certificate

To set up an Identity Certificate on the ASA VPN concentrator:


Step 1 Go to Certificate Management > Identity Certificates.

Step 2 Specify a trustpoint name.

Step 3 Choose the Import the identity certificate from a file option (Figure 6-11).

Figure 6-11 Import Identity Certificate

Step 4 Enter the Decryption Passphrase for your certificate (which is the password you specified when you exported the trusted CA certificate).

Step 5 Click Browse and select the identity certificate.

This certificate/key pair should be in pkcs12 format. If not, you can use the following OpenSSL command to convert separate key/certificate files into one single pkcs12 format:

openssl pkcs12 -export -in cert.pem -inkey key.pem -out ASACert.p12

Step 6 Specify the Identity Certificate password (which is the same as the Decryption Passphrase for your certificate).

Step 7 Click Add Certificate.


Create a Site-to-Site VPN to CAS


Note Use ASDM version 6.2(1) (asdm-621.bin) for the following procedure.

Step 1 Select Wizards > IPsec VPN Wizard (Figure 6-12).

Figure 6-12 VPN Wizard

Step 2 Specify the following tunnel attributes:

VPN Tunnel Type: Site-to-Site

VPN Tunnel Interface: inside

Step 3 Check the "Enable inbound IPsec sessions..." option and click Next.

Step 4 Specify the following attributes:

Peer IP Address: <CAS trusted IP address>

Authentication method: Certificate

Certificate Name: <trustpoint name you entered when importing identity certificate>

Tunnel Group Name: <CAS IP address> (default setting)

Step 5 Click Next.

Step 6 Specify the following IKE Policy attributes:

Encryption: AES-128

Authentication: SHA

Diffie-Hellman Group: 2

Step 7 Click Next.

Step 8 Specify the following IPsec Rule attributes:

Encryption: AES-128

Authentication: SHA

Check the Enable Perfect Forward Secrecy option

Diffie-Hellman Group: 2

Step 9 Click Next.

Step 10 Specify the following Hosts and Networks attributes:

Action: Protect

Local Networks: <inside IP address of ASA>

Remote Networks: <CAS IP address>

Step 11 Check the Exempt ASA side host/network option and click Next.

Step 12 Verify the configuration summary and click Finish.

Step 13 Go to Configuration > Site-to-Site VPN > Advanced > IPSec Transform Sets (Figure 6-13).

Figure 6-13 Add IPSec Transform Set

Step 14 Click Add.

Step 15 Specify the following attributes:

Set Name: NAC-AES-128-SHA

Mode: Transport

ESP Encryption: AES-128

ESP Authentication: SHA

Step 16 Click OK.

Step 17 Go to Configuration > Site-to-Site VPN > Connection Profiles.

Step 18 Select the IPSec connection you created and click Edit.

Step 19 Under Encryption Algorithms, click Manage (next to IKE Proposal).

Step 20 In the Configure IKE Proposals dialog box, click Edit.

Step 21 Select the aes-128/sha/2/rsa-sig proposal and edit it so that the Lifetime attribute is set to 8 hours.

Step 22 Click OK.

Step 23 Specify the IPSec Proposal to be NAC-AES-128-SHA and click OK.

Step 24 Click Apply.

Step 25 Select Tools > Command Line Interface and enter ping <CAS IP address>.

Be sure to verify the ping output.


Create (Optional) Auth Server Mapping Rules

For the Cisco VPN SSO type, you can create mapping rules based on the RADIUS Auth Server attributes that are passed from the VPN Concentrator to map users into roles. The following RADIUS attributes can be used to configure Cisco VPN SSO mapping rules:

Class

Framed_IP_Address

NAS_IP_Address

NAS_Port

NAS_Port_Type

User_Name

Tunnel_Client_Endpoint

Service_Type

Framed_Protocol

Acct_Authentic

Mapping rules are configured in the CAM web admin console under User Management > Auth Servers > Mapping Rules. For complete configuration details, see "User Management: Configuring Auth Servers" in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.7(5).

Cisco NAC Appliance Agent with VPN Concentrator and SSO

The Agent supports multi-hop L3 deployment and VPN/L3 access from the Agent. The Agent:

1. Checks the client network for the Clean Access Server (L2 deployments), and if not found,

2. Attempts to discover the CAS by sending discovery packets to the CAM. This causes the discovery packets to go through the CAS even if the CAS is multiple hops away (multi-hop deployment) so that the CAS will intercept these packets and respond to the Agent.

In order for clients to discover the CAS when they are one or more L3 hops away, clients must initially download the Agent from the CAS. This can be done in two ways:

From the Agent download web page (i.e. via web login)

By client upgrade to the latest Cisco NAC Agent or auto-upgrade to Agent version 4.6.2.113 or later. For the Agent auto-upgrade process to work, clients must have an earlier version of the Agent already installed.

Either method allows the Agent to acquire the IP address of the CAM in order to send traffic to the CAM/CAS over the L3 network. Once installed in this way, the Agent can be used for both L3/VPN concentrator deployments or regular L2 deployments. See Enable L3 Support for details.


Note For VPN SSO deployments, if the Agent is not downloaded from the CAS, but is instead downloaded by other means, the Agent is not able to determine the runtime IP information of the CAM and does not automatically pop up, nor does it scan the client machine. For Cisco NAC Agent users, you can work around this issue by specifying a DiscoveryHost setting in the Agent configuration XML file.

Note Uninstalling the Agent while still on the VPN connection does not terminate the VPN connection, although (if configured) the client machine is removed from the Certified Devices List and the user is removed from the Online Users List.

If a 3.5.0 or earlier version of the Clean Access Agent is already installed, or if the Agent is installed through non-CAS means, you must perform web login to download the latest Agent setup files from the CAS directly and reinstall the Agent to get the L3 capability.


Cisco NAC Appliance Agent Layer 3 VPN Concentrator User Experience

1. Launch the VPN connection application configured to work with Cisco NAC Appliance.

2. Once logged in, open a browser and attempt to go to an intranet or extranet site.

Cisco NAC Appliance enables administrators to deploy the CAS in-band behind a VPN concentrator, or router, or multiple routers. Cisco NAC Appliance supports multi-hop Layer 3 in-band deployment by allowing the CAM and CAS to track user sessions by unique IP address when users are separated from the CAS by one or more routers. With Layer 2-connected users, the CAM/CAS continue to manage these user sessions based on the user MAC addresses, as before. Figure 6-14 illustrates the login and posture assessment process for a VPN user using the Agent with Single Sign-On. Note that the initial download of the Agent must be performed via the VPN connection.

Figure 6-14 Agent with SSO for VPN Users

With Single Sign-On, the Agent performs automatic login and scanning as shown Figure 6-15.

Figure 6-15 Agent Auto-Login Screen (User View)


Note Web login always works in Layer 2 or Layer 3 mode, and Layer 3 capability cannot be disabled.

View Active VPN Clients

The Active VPN Clients page lists IP addresses known to the CAS through VPN Single Sign-On (SSO). This page is intended for troubleshooting and is available in both the CAS management pages and the CAS direct access console. The Active VPN Clients page shows a list of all users for which the CAS has received valid RADIUS accounting START packets.

Anytime the CAS receives a valid Radius Accounting START packet for a particular client machine, the CAS adds it to the Active VPN Clients list:

If a client appears in this list, the client is able to perform SSO.

If the client does not appear in this list, then most likely the START packet did not make it to the CAS or it was in an incorrect format.

The key things the packet format must include are:

Acct-Status-Type = 1 (indicating it is a START packet)

Calling-Station-Id (showing the end machine's IP address)

When the user tries to browse, or runs the Agent, the CAM/CAS compares the Active VPN Client information to its mapping rules to determine what role to put the user in.
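The accounting-packet handling described here, together with the SSO attribute requirements (Configure Single Sign-On (SSO) on the CAS/CAM) and the attribute-based mapping rules (Create (Optional) Auth Server Mapping Rules), as an added Python example that is not Cisco's code: it builds and parses RFC 2866 Accounting-Request packets, verifies the Request Authenticator against the shared secret, applies the START plus Framed-IP-Address/Calling-Station-Id qualification rule, and maintains a simulated Active VPN Clients table. The shared secret, packet contents and mapping rule set are constructed for the example.

```python
# Added example (not Cisco's code): RADIUS Accounting-Request handling as the
# chapter describes the CAS consuming it. All sample values are constructed.
import hashlib
import ipaddress
import struct

ACCT_REQUEST = 4                      # RADIUS Code for Accounting-Request (RFC 2866)
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Framed-IP-Address": 8,
        "Class": 25, "Calling-Station-Id": 31, "Acct-Status-Type": 40}
NAME = {v: k for k, v in ATTR.items()}
ACCT_START, ACCT_STOP = 1, 2          # Acct-Status-Type values Start / Stop
FIXED32 = ("NAS-IP-Address", "Framed-IP-Address", "Acct-Status-Type")


def build_accounting_request(ident, secret, attrs):
    """Encode an Accounting-Request. attrs is a list of (name, value) pairs;
    IP attributes take a dotted string, Acct-Status-Type an int, others str."""
    body = b""
    for name, value in attrs:
        if name in ("NAS-IP-Address", "Framed-IP-Address"):
            v = ipaddress.IPv4Address(value).packed
        elif name == "Acct-Status-Type":
            v = struct.pack("!I", value)
        else:
            v = value.encode()
        body += struct.pack("!BB", ATTR[name], len(v) + 2) + v
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    # RFC 2866: Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body


def parse_accounting_request(packet, secret):
    """Return decoded attributes, or None if the packet is malformed or the
    Request Authenticator does not verify against the shared secret."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None
    auth, body = packet[4:20], packet[20:]
    if auth != hashlib.md5(packet[:4] + bytes(16) + body + secret).digest():
        return None                   # wrong shared secret or tampered packet
    attrs, pos = {}, 0
    while pos + 2 <= len(body):
        t, ln = body[pos], body[pos + 1]
        if ln < 2 or pos + ln > len(body):
            return None               # attribute length runs past the packet
        raw = body[pos + 2:pos + ln]
        pos += ln
        name = NAME.get(t)
        if name is None:
            continue                  # attribute the CAS does not use for SSO
        if name in FIXED32:
            if len(raw) != 4:
                return None           # malformed fixed-width attribute
            attrs[name] = (struct.unpack("!I", raw)[0] if name == "Acct-Status-Type"
                           else str(ipaddress.IPv4Address(raw)))
        else:
            attrs[name] = raw.decode(errors="replace")
    return attrs


def sso_client_ip(attrs):
    """The chapter's qualification rule: a START packet carrying the client IP in
    Framed-IP-Address (VPN concentrator) or Calling-Station-Id (Airespace WLC)."""
    if attrs is None or attrs.get("Acct-Status-Type") != ACCT_START:
        return None
    for name in ("Framed-IP-Address", "Calling-Station-Id"):
        try:
            return str(ipaddress.IPv4Address(attrs[name]))
        except (KeyError, ValueError):
            continue                  # absent, or a MAC rather than an IP
    return None


def apply_mapping_rules(attrs, rules, default_role):
    """Rules are (attribute, expected value, role); first match wins, otherwise
    the auth server's Default Role applies. Rule semantics are assumed here."""
    for attr, value, role in rules:
        if attrs.get(attr) == value:
            return role
    return default_role


def update_active_vpn_clients(table, packet, secret, rules, default_role):
    """Simulated Active VPN Clients table: add on a valid START, drop on STOP."""
    attrs = parse_accounting_request(packet, secret)
    if attrs is None:
        return table                  # not a valid packet: client cannot SSO
    ip = sso_client_ip(attrs)
    if ip:
        table[ip] = (attrs.get("User-Name", ""),
                     apply_mapping_rules(attrs, rules, default_role))
    elif attrs.get("Acct-Status-Type") == ACCT_STOP:
        for name in ("Framed-IP-Address", "Calling-Station-Id"):
            table.pop(attrs.get(name), None)
    return table
```

A packet that fails the authenticator check or lacks the client IP never enters the table, which is the condition the page describes for a client not appearing in Active VPN Clients.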

To view active VPN clients:

1. Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Authentication > VPN Auth > Active Clients.

Figure 6-16 Active Clients (VPN Concentrator)

2. Click the Show All button to List All VPN Clients or perform a Search. The Active Clients page remains blank until you perform one of these two actions:

a. Click Show All to display all current IP/user information from the system Single Sign-On (SSO) table.

b. Alternatively, type an IP address in the Search IP Address text field, select an operator from the dropdown menu (equals, starts with, ends with, contains), and click the Search button to display results.

3. The table at the bottom of the page is populated with the following information. Entries are sorted by Client IP address.

Total Active VPN Clients—Displays the current number of active VPN clients in the SSO table.

Client IP—The client IP address received from the RADIUS accounting packet.

Client Name—The client name received from the RADIUS accounting packet.

VPN Server IP—The IP address of the Cisco VPN SSO auth server being used for Single Sign-On.

Login Time—The date/time that the active VPN client session was established.


Note Clicking Show All or performing a new search refreshes the page with the latest SSO table information.

4. To remove entries from the Active Client page, either:

a. Click the Clear button to Clear All Active VPN Client entries from the SSO table. For example, if VPN users lose their sessions due to a VPN server crash, the RADIUS accounting stop message will not be sent to the CAS, and those users will remain in the system SSO table until manually removed. Removing all entries from the Active VPN Clients page allows the system to restart from a fresh SSO table.

b. Click the checkbox for an individual entry and click the Delete button at the top of the column to remove that entry from the SSO table.


Note Clicking the Clear or Delete button only removes the user(s) from the system's current SSO client table; it does not remove the user(s) from the Online Users list.

Tip You can also view active VPN clients from the direct console of the CAS (https://<CAS_eth0_IP_address>/admin), from the Monitoring > Active VPN Clients page (Figure 6-17).

Figure 6-17 CAS Direct Access Console—Monitoring Active VPN Clients