CLEANACCESS Archives

September 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Bill Davis <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Fri, 16 Sep 2005 20:01:50 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (44 lines)

I just discovered a major hole in the way our configuration is set.  I am
not sure if this is just a mis-configuration on our part, so any suggestions
are appreciated.  I am on version 3.5.5, and agent 3.5.7.

Situation:

If a user logs on using the Guest Role via the Web interface and then uses
the Clean Access Agent (after already installing it) to log on a second time
with a different Role, the system is not subject to the Clean Access Agent
certification rules and gives access as the new role to the user without
being scanned as required by that new role.

Details:

The user at this point has two different entries in Clean Access.  There is
a CA Agent entry in the Certified Device list as Role Guest and the system's
MAC address.  The online user list shows an entry with the user's username
with the Role "Student", and the system's same MAC address.

Normally, when the "Guest" role logs out or times out, the entry in the CA
Agent certified devices list is removed.  However, if the user had logged
into the "Student" Role after logging in as Guest, and then logs out using
the Guest Web page button, the entry in the certified devices list is NOT
removed.  At that point, whenever the user logs in on the Student Role via
the CA Agent, the system is never scanned.

In summary, if a user logs in as Guest with limited access, then logs in
using another Role via the CA Agent, the system is then not subject to that
Role's rules, and is given access rights of that Role.

Question:
How do I keep the Guest Role logins from ever being put into the certified
devices list?

The Clean Access system does not appear to differentiate between Roles when
a device is certified.  Am I doing something wrong?

-Bill
William S. Davis
Network Security Administrator
Housing Technology Services
Colorado State University
[log in to unmask]
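
An audit for the condition described in the message above, added here as an example and not part of the original post or of Clean Access: it cross-references the Certified Device list against the online user list and flags sessions whose role differs from the role the device was certified under. The CSV layout, column names and sample rows are constructed assumptions, not the product's real export format.

```python
import csv
import io

# Constructed sample exports; the column names and CSV layout are assumptions,
# not the Clean Access Manager's real export format.
CERTIFIED_CSV = """mac,certified_role
00:11:22:33:44:55,Guest
00:11:22:33:44:66,Student
"""
ONLINE_CSV = """username,mac,role
jdoe,00:11:22:33:44:55,Student
asmith,00:11:22:33:44:66,Student
guest,00:11:22:33:44:77,Guest
"""

def normalize_mac(mac):
    """Reduce a MAC to 12 lowercase hex digits so differing notations compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def find_role_mismatches(certified_csv, online_csv):
    """Return (username, mac, online_role, certified_roles) for each online session
    whose device was certified under a different role than the session's role."""
    certified = {}
    for row in csv.DictReader(io.StringIO(certified_csv)):
        certified.setdefault(normalize_mac(row["mac"]), set()).add(row["certified_role"])
    findings = []
    for row in csv.DictReader(io.StringIO(online_csv)):
        roles = certified.get(normalize_mac(row["mac"]))
        if roles is None:
            continue  # no certified entry for this MAC, so nothing to compare
        if row["role"] not in roles:
            findings.append((row["username"], row["mac"], row["role"], ",".join(sorted(roles))))
    return findings

if __name__ == "__main__":
    for user, mac, online_role, cert_role in find_role_mismatches(CERTIFIED_CSV, ONLINE_CSV):
        print(f"{user} {mac}: online as {online_role}, certified as {cert_role}")
```
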
