CLEANACCESS Archives

September 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Hague, Jeff" <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Tue, 6 Sep 2005 16:37:38 -0400
Content-Type: text/plain

That's assuming the agent is installed and someone tries to log in. If,
on the other hand, someone were to set up a NAT router and plug in OS X
or Linux (or even Windows and go through the Clean Access process), the
Clean Access Server would add the MAC of the router as a certified
device. Once that happens, any machine connecting to the NAT router
would be able to access the network with no challenge.

Jeff

-----Original Message-----
From: Ryan Dorman [mailto:[log in to unmask]] 
Sent: Tuesday, September 06, 2005 4:19 PM
To: [log in to unmask]
Subject: Re: [PERFIGO] Agent 3.5.6

I think that the deal is the Agent will not allow a login unless that
"proprietary UDP packet" is received from the router. Since it is
most likely being sent as a broadcast, it would not traverse the NAT
into the 1918 subnet and so the user would not be able to log in.

For us, this is a feature :)

Ryan Dorman, CCNP
Network Communications Specialist
Millersville University
717.871.5883
[log in to unmask]


On Sep 6, 2005, at 4:16 PM, Hague, Jeff wrote:

> So, are you saying that users can not "hide" behind a NAT router if L3
> is disabled? It seems to me that they would be able to hide because all
> the Clean Access Server will see is the MAC and IP of the "WAN"
> interface of the router and will pass all traffic from that MAC.
> Wouldn't it be true either way?
>
> Jeff
>
> -----Original Message-----
> From: Simon Bell [mailto:[log in to unmask]]
> Sent: Tuesday, September 06, 2005 3:46 PM
> To: [log in to unmask]
> Subject: Re: [PERFIGO] Agent 3.5.6
>
> Yes, it must be enabled. Upgrading by default disables it. "L3
> capability will be disabled by default after upgrade or new install of
> 3.5(5), and enabling the feature will require an update and reboot of
> the Clean Access Server." Having L3 enabled by default opens a
> tremendous security hole with users of routers. Due to the nature of
> NAT, only one user has to validate behind the router; thus any other
> devices are allowed out. This problem is compounded when users bring
> wireless NAT routers up.
>
> Simon
>
>
>
>>>> [log in to unmask] 9/6/2005 1:41 PM >>>
> We are also having trouble with Agent 3.5.6 and the use of routers. When
> the user behind a wired or wireless router updates to v3.5.5, the "login"
> remains greyed out, and they are unable to do the automatic upgrade to
> v3.5.6 and cannot log in afterwards.  They were fine under version 3.5.4!
>
> This may be due to the new default stance for v3.5.5 servers, which is
> that support for multi-hop L3 is off by default.  Does anyone know if this
> must be specifically enabled to allow the use of wireless or wired routers
> on a managed network?
>
> -Bill
> Network Security Administrator
> Housing Technology
> Colorado State University
>

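The thread describes two interacting behaviours: the Clean Access Server certifies a device by the MAC it sees, and a NAT router presents every inside host as one WAN MAC, so one successful login certifies the whole LAN behind it; meanwhile the agent's discovery packet is a subnet broadcast that a NAT router will not forward, so with L3 (multi-hop) support disabled an agent-only host behind NAT cannot log in at all. The following toy model, added here as an illustration and not Cisco/Perfigo code, plays both cases through. The `agentless_login` flag is an assumption standing in for the OS X/Linux path Jeff mentions, i.e. a login that does not depend on the broadcast; the MACs and host names are constructed.

```python
"""Toy model of the NAC bypass discussed in the thread: a Clean Access
Server (CAS) that certifies devices by MAC, and a NAT router that hides
every inside host behind a single WAN MAC.  Added example, not the
product's own code; all names and addresses are constructed."""

from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    mac: str
    has_agent: bool = True
    # Assumption: a login path (e.g. the browser login Jeff alludes to for
    # OS X / Linux) that does not depend on receiving the agent's
    # discovery broadcast.
    agentless_login: bool = False


@dataclass
class NatRouter:
    wan_mac: str
    inside: list = field(default_factory=list)

    def egress_mac(self, host: Host) -> str:
        # Whatever is plugged in behind the router, the CAS on the managed
        # subnet only ever sees the router's WAN interface MAC.
        return self.wan_mac


class CleanAccessServer:
    def __init__(self, l3_enabled: bool):
        self.l3_enabled = l3_enabled
        self.certified = set()  # certified device list, keyed on MAC

    def discovery_reaches(self, via_nat: bool) -> bool:
        """The agent's discovery packet is a broadcast on the managed
        subnet.  A NAT router does not forward it into the RFC 1918 LAN,
        so an agent behind NAT only sees it when multi-hop L3 is on."""
        return (not via_nat) or self.l3_enabled

    def login(self, host: Host, seen_mac: str, via_nat: bool) -> bool:
        if host.agentless_login:
            ok = True
        elif host.has_agent and self.discovery_reaches(via_nat):
            ok = True
        else:
            ok = False
        if ok:
            # The bypass: what gets certified is the MAC the CAS saw,
            # not the host that actually passed the check.
            self.certified.add(seen_mac)
        return ok

    def allows(self, seen_mac: str) -> bool:
        return seen_mac in self.certified


def run_scenario(l3_enabled: bool, first_uses_agentless_login: bool = False) -> dict:
    """One direct host, then two hosts behind a NAT router.  Only the first
    NAT host ever tries to log in; the second just sends traffic."""
    cas = CleanAccessServer(l3_enabled)
    router = NatRouter(wan_mac="00:11:22:33:44:55")
    direct = Host("direct-pc", "aa:aa:aa:aa:aa:01")
    first = Host("behind-nat-1", "bb:bb:bb:bb:bb:01",
                 agentless_login=first_uses_agentless_login)
    second = Host("behind-nat-2", "bb:bb:bb:bb:bb:02", has_agent=False)
    router.inside.extend([first, second])

    result = {}
    result["direct_login"] = cas.login(direct, direct.mac, via_nat=False)
    result["first_login"] = cas.login(first, router.egress_mac(first), via_nat=True)
    # No login attempt from the second host at all.
    result["second_passes"] = cas.allows(router.egress_mac(second))
    result["certified"] = sorted(cas.certified)
    return result


if __name__ == "__main__":
    for l3, agentless in ((False, False), (True, False), (False, True)):
        print(f"L3={l3} agentless_first={agentless}:",
              run_scenario(l3, agentless))
```

With L3 off and an agent-only host, the first NAT host never logs in and the router's MAC stays uncertified, which is the "feature" Ryan describes. Turn L3 on, or let the first host log in by a path that does not need the broadcast, and the router's WAN MAC lands on the certified list; from then on the second host, which never ran the agent or logged in, passes simply because its frames carry that MAC, which is the hole Simon and Jeff describe.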