CLEANACCESS Archives

May 2008

CLEANACCESS@LISTSERV.MIAMIOH.EDU

From: "Osborne, Bruce W. (NS)" <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Wed, 21 May 2008 14:22:39 -0400
Content-Type: text/plain

I beg to differ about the CCA version. I have been running SSO on 4.1.1
for a year and currently have 4.1.2.1 working IB & OOB Virtual Gateway.
You do not necessarily need the latest release & associated bugs.

Bruce Osborne
Liberty University

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Daniel Sichel
Sent: Wednesday, May 21, 2008 2:07 PM
To: [log in to unmask]
Subject: Re: [CLEANACCESS] CLEANACCESS Digest - 20 May 2008 (#2008-92)

> SSO Has anyone else beaten this beast and care to share your
> experiences?

I am not sure if I have exactly beaten it, but I have it working, kind
of. First off, are your clients and servers on the same IP LAN segment?
If so, make SURE you are using the LATEST Clean Access release. It
contains a vital fix to the click router if you are using OOB Virtual
gateway in this mode. Otherwise authentication and redirection to the
client install page won't work.

Second, try opening ALL ports for the unauthenticated role to the auth
server farm for testing. This eliminates the question of whether it is
SSO or not. 

When doing the ktpass thing and setting up your SSO ID for the ldap
search, FOLLOW THE INSTRUCTIONS EXACTLY ON ALL AUTH SERVERS. If you foul
it up, even once, and the ID is locked out or fails, start AGAIN with a
TOTALLY NEW USER ID. Also, use the Microsoft LDAP utility (lde.exe or
something like that, I forget which) to check your LDAP name and get the
OU, CN, and other LDAP stuff correct character for character. Pay CLOSE
attention to the Cisco instructions on where all upper case and where
correct case are used. The details really matter here.

Make sure the SNMP stuff is working for sets and gets on the test
switch. This was a pain for me, because on my old, dumb 2950 which
supports (allegedly) SNMP v1 and v2c, it works with V1, but SSO did NOT
work with V2c, at least on the IOS version I was using. Oops. So try
back-revving if the port is not switching vlan after authentication. You
can put the switch itself on some type of management vlan and trunk it
just fine so that your unencrypted SNMP strings aren't visible to end
users or hackers who can't do vlan hopping. Just make sure that your
management vlan on the trunk to the switch is not the same default vlan
that you use for the clean access server if you are doing the OOB
virtual gateway. Cisco says the Clean Access servers need a default vlan
that goes nowhere and they are specific about when to plug in the
untrusted interface. Believe them on this, they mean it. These things
are doing weird stuff with layer 2 and wreak havoc on spanning tree and
everything else if they become visible at layer 3. Trust me, don't go
there; on a 4506 it takes 3-7 minutes for them to block IP
traffic on your LAN if they become visible. Don't ask how I know.

Finally, put wireshark on the test workstation in non-promiscuous mode
when trying the login. That will tell you what is really being seen no
matter what you think is being seen. The SWISS packets are, I think, on
port 8995 and 8996 or something like that. Wireshark doesn't know what
they are, but they do show up.

Hope this helps a bit. 

Daniel Sichel, CCNP, MCSE, MCSA, MCTS (Windows 2008)
Network Engineer
Ponderosa Telephone (559) 868-6367
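
The "sets and gets on the test switch" check that Daniel describes, written
out as a small stand-alone probe. This is an added example for the archive
page, not code from either poster and not Cisco or Clean Access code, and it
uses only the Python standard library so it can be run from any admin box
with no MIB files installed. Two things in it are assumptions rather than
facts stated in the thread: that the object the NAC manager reads and writes
when it moves a port is CISCO-VLAN-MEMBERSHIP-MIB::vmVlan
(1.3.6.1.4.1.9.9.68.1.2.2.1.2.<ifIndex>), and that the switch answers on
UDP/161. The request id 1234 and the script name are arbitrary.

```python
import socket
import sys

VM_VLAN = "1.3.6.1.4.1.9.9.68.1.2.2.1.2"   # CISCO-VLAN-MEMBERSHIP-MIB::vmVlan (assumed target OID)
VERSIONS = {"v1": 0, "v2c": 1}             # version field at the head of every SNMP message
GET_REQUEST, SET_REQUEST = 0xA0, 0xA3      # PDU tags; the switch answers with GetResponse 0xA2
EXCEPTIONS = {0x80: "noSuchObject", 0x81: "noSuchInstance", 0x82: "endOfMibView"}  # v2c only

def _len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def enc_int(v):
    """INTEGER: shortest two's-complement form (a 0x00 pad byte when the top bit is set)."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def enc_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_request(version, community, oid, request_id, value=None):
    """GetRequest when value is None, otherwise SetRequest carrying an INTEGER (the new VLAN)."""
    val = enc_int(value) if value is not None else b"\x05\x00"         # NULL placeholder for GET
    varbinds = _tlv(0x30, _tlv(0x30, enc_oid(oid) + val))
    body = enc_int(request_id) + enc_int(0) + enc_int(0) + varbinds    # request-id, error-status, error-index
    pdu = _tlv(SET_REQUEST if value is not None else GET_REQUEST, body)
    return _tlv(0x30, enc_int(VERSIONS[version]) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _dec_oid(body):
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def parse_message(msg):
    """Decode a single-varbind SNMP message (request or response) into a dict."""
    _, seq, _ = _read_tlv(msg, 0)
    _, ver, pos = _read_tlv(seq, 0)
    _, _community, pos = _read_tlv(seq, pos)
    pdu_tag, pdu, _ = _read_tlv(seq, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _idx, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    _, vb, _ = _read_tlv(vbl, 0)
    _, oid, pos = _read_tlv(vb, 0)
    vtag, val, _ = _read_tlv(vb, pos)
    if vtag == 0x02:
        value = int.from_bytes(val, "big", signed=True)
    else:
        value = EXCEPTIONS.get(vtag, None if vtag == 0x05 else val)
    return {"version": int.from_bytes(ver, "big"), "pdu": pdu_tag,
            "request_id": int.from_bytes(rid, "big"), "error_status": int.from_bytes(err, "big"),
            "oid": _dec_oid(oid), "value": value}

def probe(host, community, ifindex, version, vlan=None, timeout=2.0):
    """One GET (vlan None) or SET of vmVlan.<ifindex>; None on timeout. A SET really moves the port."""
    req = build_request(version, community, f"{VM_VLAN}.{ifindex}", 1234, vlan)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_message(data)

def versions_that_answer(host, community, ifindex):
    """The thread's check: does a vmVlan GET get a reply over v1, over v2c, or both?"""
    return {v: probe(host, community, ifindex, v) is not None for v in VERSIONS}

if __name__ == "__main__":   # usage: python snmp_vlan_probe.py <switch-ip> <community> <ifIndex>
    print(versions_that_answer(sys.argv[1], sys.argv[2], int(sys.argv[3])))
```

Run the GET against a lab switch first; only try a SET (probe(..., vlan=N))
on a throwaway port, because a successful SET moves that port just as the
manager would. Besides a plain timeout, watch error_status in the reply: a
v1 agent reports a missing instance as error-status 2 (noSuchName), while a
v2c agent returns a noSuchInstance exception in the varbind, which is one of
the places an old image's v2c handling can differ from its v1 handling. The
community string is sent in clear text in both versions, which is the reason
for Daniel's advice to keep the switch management traffic on its own VLAN.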
