CLEANACCESS Archives

September 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU

From: Simon Bell <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Tue, 6 Sep 2005 16:52:54 -0400
From the release notes (http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca35/35rn.htm#wp313647):
New Enable/Disable L3 Option on CAS

Release 3.5(3) introduced support for multi-hop L3 in-band deployments, and with release 3.5(3) and 3.5(4), this feature was enabled by default. With release 3.5(5), the administrator has the option of enabling or disabling the L3 feature at the CAS level. L3 capability will be disabled by default after upgrade or new install of 3.5(5), and enabling the feature will require an update and reboot of the Clean Access Server.

To Enable L3 Capability:

1. Go to Device Management > CCA Servers > Manage [IP address] > Network and click the checkbox for "Enable L3 support for Clean Access Agent."

2. Click Update.

3. Click Reboot.

Note The CAS Discovery Host field still automatically populates with the IP address of the CAM by default after new install or upgrade to 3.5(5).

To Disable L3 Capability:

To disable L3 discovery of the Clean Access Server at the CAS level for all Clean Access Agents:

1. Go to Device Management > CCA Servers > Manage [IP address] > Network and make sure the checkbox for "Enable L3 support for Clean Access Agent" is NOT checked.

2. Click Update.

3. Click Reboot.

To disable L3 discovery of the Clean Access Server for NEW installs of the Clean Access Agent (3.5.3+):

1. Go to Device Management > Clean Access > Clean Access Agent > Distribution.

2. Change the CAS Discovery Host field from your CAM's IP address to 127.0.0.1.

3. Click Update. 

>>> [log in to unmask] 9/6/2005 4:25 PM >>>
Forgive me for not knowing this, but how does one "enable" L3 capability?
Here at UCI we do not NAT; however, a bunch of our residents still insist on
plugging in wireless routers and wonder why they have problems.

Thanks in advance,

Ted Roberge
Manager, Residential Network Services
University of California, Irvine

-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Hague, Jeff
Sent: Tuesday, September 06, 2005 1:16 PM
To: [log in to unmask] 
Subject: Re: Agent 3.5.6

So, are you saying that users cannot "hide" behind a NAT router if L3 is
disabled? It seems to me that they would be able to hide because all the
Clean Access server will see is the MAC and IP of the "WAN"
interface of the router, and it will pass all traffic from that MAC.
Wouldn't that be true either way?

Jeff

-----Original Message-----
From: Simon Bell [mailto:[log in to unmask]] 
Sent: Tuesday, September 06, 2005 3:46 PM
To: [log in to unmask] 
Subject: Re: [PERFIGO] Agent 3.5.6

yes, it must be enabled. Upgrading by default disables it. "L3 capability
will be disabled by default after upgrade or new install of 3.5(5), and
enabling the feature will require an update and reboot of the Clean Access
Server." Having L3 enabled by default opens a tremendous security hole with
users of routers. Due to the nature of NAT, only 1 user has to validate
behind the router thus any other devices are allowed out. This problem is
compounded when users bring wireless nat routers up.

Simon

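The pass-through Simon describes above, as an added illustration that is not part of the list discussion and not Cisco's or Perfigo's code: a toy in-band enforcement point that keys authorization on the source MAC/IP it observes, fed frames that have passed through a NAT router. Every MAC, IP and host name is constructed for the demo. The second half adds the check a defender would want: a heuristic that flags a single MAC whose traffic carries several TTL values, or TTLs one below a common initial value, which is what an extra forwarding hop produces. That heuristic is a general detection idea assumed here, not a Clean Access feature.

```python
from collections import defaultdict
from dataclasses import dataclass

# Initial TTLs used by common operating systems (Linux/macOS 64, Windows 128,
# much network gear 255). A frame arriving with one of these values has not
# crossed a forwarding hop on the way to the enforcement point.
COMMON_INITIAL_TTLS = {64, 128, 255}


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str
    ttl: int
    inner_host: str  # constructed label for the demo; the enforcer never sees it


class MacIpEnforcer:
    """Toy model of an in-band enforcement point that authorizes by source MAC/IP."""

    def __init__(self):
        self.authorized = set()

    def login(self, mac, ip):
        # A successful agent login records the MAC/IP the enforcer observed.
        self.authorized.add((mac, ip))

    def permits(self, frame):
        return (frame.src_mac, frame.src_ip) in self.authorized


def nat_frames(router_mac, router_wan_ip, inner_hosts):
    """Frames as seen upstream of a NAT router: source IP rewritten to the WAN
    address, the router's MAC on the wire, TTL decremented once by the hop.
    inner_hosts is a list of (label, initial_ttl) pairs."""
    return [Frame(router_mac, router_wan_ip, ttl - 1, host) for host, ttl in inner_hosts]


def simulate_nat_passthrough():
    """One login behind the router ends up authorizing every host behind it."""
    enforcer = MacIpEnforcer()
    # Constructed sample: a Linux PC, a Windows PC and a phone share one router.
    frames = nat_frames("aa:bb:cc:dd:ee:01", "10.0.0.20",
                        [("pc-a", 64), ("pc-b", 128), ("phone-c", 64)])
    # Only pc-a's user logs in, but the enforcer can only record the WAN identity.
    enforcer.login(frames[0].src_mac, frames[0].src_ip)
    return {f.inner_host: enforcer.permits(f) for f in frames}


def suspect_nat_routers(frames):
    """Heuristic: a MAC whose traffic shows more than one TTL, or a TTL one below
    a common initial value, is probably fronting additional hosts."""
    ttls_by_mac = defaultdict(set)
    for f in frames:
        ttls_by_mac[f.src_mac].add(f.ttl)
    flagged = set()
    for mac, ttls in ttls_by_mac.items():
        decremented = any(t not in COMMON_INITIAL_TTLS and t + 1 in COMMON_INITIAL_TTLS
                          for t in ttls)
        if len(ttls) > 1 or decremented:
            flagged.add(mac)
    return flagged


if __name__ == "__main__":
    print(simulate_nat_passthrough())
    sample = nat_frames("aa:bb:cc:dd:ee:01", "10.0.0.20", [("pc-a", 64), ("pc-b", 128)])
    sample.append(Frame("00:11:22:33:44:55", "10.0.0.10", 64, "direct-laptop"))
    print(suspect_nat_routers(sample))
```

The simulation returns True for all three inner hosts after a single login, which is the hole the thread is about. The TTL heuristic is only a lead for an operator to follow up, since hosts with non-default TTLs or bridged VMs will produce false positives and a router configured not to decrement TTL will evade it; it is a detection aid, not a substitute for disabling L3 support where the deployment does not need it.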

>>> [log in to unmask] 9/6/2005 1:41 PM >>>
We are also having trouble with Agent 3.5.6 and the use of routers. When
the user behind a wired or wireless router updates to v3.5.5, the "login"
remains greyed out, and they are unable to do the automatic upgrade to
v3.5.6 and cannot log in afterwards. They were fine under version 3.5.4!

This may be due to the new default stance for v3.5.5 servers, which is that support
for multi-hop L3 is off by default. Does anyone know if this must be
specifically enabled to allow the use of wireless or wired routers on a
managed network?

-Bill
Network Security Administrator
Housing Technology
Colorado State University
