CLEANACCESS Archives

February 2009

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Alok Agrawal (alagrawa)" <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Thu, 19 Feb 2009 21:45:37 -0800
Content-Type: text/plain
Hey Michael,
I will get it changed. We should not count unauthenticated users against
the license. Doesn't make sense to me.

Thanks
-alok


-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Michael Grinnell
Sent: Thursday, February 19, 2009 3:29 PM
To: [log in to unmask]
Subject: Re: Session Timer

How exactly would you do that?  Turn off the wired port?  Disassociate
them from the AP?  I'm not sure this is a problem that CCA can solve.  I
think your best solution to prevent this is at the authentication
provider, where you can lock the account after a certain number of
attempts, or throttle repeat authentication attempts for the same
account.

Personally, I am more concerned that Cisco has said that unauthenticated
users will count against your license, so if you have an open AP, or
wired ports in an open area, you could be subjected to what is
effectively a denial of service attack of too many unauthenticated
computers at one time.  I haven't played with it yet, but it's possible
that an ARP spoofing program could also accomplish the same result, at
least for in-band.

Michael Grinnell
Information Security Engineer
The American University

Don Click wrote:
> Interesting. I don't think Clean Access would have helped much anyway
> - since it would have quarantined the user on wireless, not wired.
> 
> I agree that if a user is associated to an AP, but not attempting to
> authenticate, there should be some mechanism either in the APs (not
> likely) or in CCA that, after a period of time, drops/blocks/moves the
> user.
> 
> I'm actually going to have to think about this one, as I am about to
> start looking at configuring our CCA solution for OOB Wireless/Wired.
> (currently, we use in-band for VPN access only.)
> 
> From: Cisco Clean Access Users and Administrators
> [mailto:[log in to unmask]] On Behalf Of Speight, Howard
> Sent: Thursday, February 19, 2009 8:24 AM
> To: [log in to unmask]
> Subject: Re: Session Timer
> 
>> Question -  Are you using clean access for both WIRED and Wireless?
> Only in the Residence Halls
> 
>> If it's only on wireless, what security do you enforce on the wired
>> lan?
> Group policy and logon scripts for Domain machines, filters on router
> and switch interfaces.
> 
> 
> From: Cisco Clean Access Users and Administrators
> [mailto:[log in to unmask]] On Behalf Of Speight, Howard
> Sent: Wednesday, February 18, 2009 2:36 PM
> To: [log in to unmask]
> Subject: Re: Session Timer
> 
> That makes sense, then there is no reason to set that timer...
> 
> Food for thought...
> 
> We had an unauthenticated client machine on the wireless network,
> using wired, but associated with an AP and holding a DHCP IP address.
> For hours that machine was conducting little raids here and there trying
> to compromise user accounts. Once blocked in the Filters, activity
> ceased. What I was trying to accomplish was if the client machine was
> holding an IP but not authenticating, I wanted to send them to
> Quarantine or anywhere after ten minutes. How were they able to conduct
> the raids? The authentication ports are open to the AD controllers in
> the Unauthenticated Role...
> 
> From: Cisco Clean Access Users and Administrators
> [mailto:[log in to unmask]] On Behalf Of Jim Thomas
> Sent: Wednesday, February 18, 2009 14:20
> To: [log in to unmask]
> Subject: Re: Session Timer
> 
> 
> Unauthenticated Role, it's a loop and es no bueno.
> 
> 
> Thanks
> Jim
> 
> Jim Thomas
> Area Networks, Inc.
> CCIE Security #16674
> CCSP,CCNP,CCDP
> [log in to unmask]
> Office: 650-242-8050
> Cell: 916-342-2265
> 
> 
> 
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators
> [mailto:[log in to unmask]] On Behalf Of Speight, Howard
> Sent: Wednesday, February 18, 2009 1:38 PM
> To: [log in to unmask]
> Subject: Session Timer
> 
> 
> 
> Let's say the Session Timer is set for ten minutes on the
> Unauthenticated Role and the user does not authenticate within that
> ten-minute period, where does the user go?
> 
> 
> 
> Thanks, Howard
> 
