CLEANACCESS Archives

September 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Flagg, Martin D." <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Tue, 6 Sep 2005 16:44:21 -0400

Yes, that is my point, that my access points will continue to work. If
the students bring in a switch or AP they will still have to go through
Clean Access; if they bring a router it will not work. This is assuming
the default setup of Clean Access with L3 disabled. Sounds great until I
wish to deploy Clean Access through my VPN :)


Martin D. Flagg
Network Engineer/Administrator


 


-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Ryan Dorman
Sent: Tuesday, September 06, 2005 4:27 PM
To: [log in to unmask]
Subject: Re: Agent 3.5.6

In the case of a true access point you are correct: it is a
bridge/repeater and the MAC addresses of the wireless clients would be
visible to the server. In the case of a NAT/router it would be an
L3 hop and MACs would not come along for the ride.

Ryan Dorman, CCNP
Network Communications Specialist
Millersville University
717.871.5883
[log in to unmask]


On Sep 6, 2005, at 4:21 PM, Flagg, Martin D. wrote:

> Don't wireless access points actually bridge the traffic in most
> installations?  We have Clean Access deployed on our wireless network
> and it is the MAC address of the client getting recorded, not the
> access point.  It is not an L3 hop; instead it is an L2 hop (bridged).
>
>
> Martin D. Flagg
> Network Engineer/Administrator
>
>
>
>
>
> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List 
> [mailto:[log in to unmask]] On Behalf Of Simon Bell
> Sent: Tuesday, September 06, 2005 3:46 PM
> To: [log in to unmask]
> Subject: Re: Agent 3.5.6
>
> Yes, it must be enabled. Upgrading by default disables it. "L3
> capability will be disabled by default after upgrade or new install of
> 3.5(5), and enabling the feature will require an update and reboot of
> the Clean Access Server." Having L3 enabled by default opens a
> tremendous security hole with users of routers. Due to the nature of
> NAT, only 1 user has to validate behind the router thus any other
> devices are allowed out. This problem is compounded when users bring
> wireless NAT routers up.
>
> Simon
>
>
>
>>>> [log in to unmask] 9/6/2005 1:41 PM >>>
>>>>
> We are also having trouble with Agent 3.5.6 and the use of routers.
> When the user behind a wired or wireless router updates to v3.5.5, the
> "login" remains greyed out, and they are unable to do the automatic
> upgrade to v3.5.6 and cannot log in afterwards.  They were fine under
> version 3.5.4!
>
> This may be due to the new default stance for v3.5.5 servers is that 
> support for multi-hop L3 is off by default.  Does anyone know if this 
> must be specifically enabled to allow the use of wireless or wired 
> routers on a managed network?
>
> -Bill
> Network Security Administrator
> Housing Technology
> Colorado State University
>
