CLEANACCESS Archives

September 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Hague, Jeff" <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Tue, 6 Sep 2005 16:16:19 -0400
So, are you saying that users cannot "hide" behind a NAT router if L3
is disabled? It seems to me that they would be able to hide because all
the Clean Access server will see is the MAC and IP of the "WAN"
interface of the router and will pass all traffic from that MAC.
Wouldn't that be true either way?

Jeff

-----Original Message-----
From: Simon Bell [mailto:[log in to unmask]] 
Sent: Tuesday, September 06, 2005 3:46 PM
To: [log in to unmask]
Subject: Re: [PERFIGO] Agent 3.5.6

Yes, it must be enabled. Upgrading by default disables it. "L3
capability will be disabled by default after upgrade or new install of
3.5(5), and enabling the feature will require an update and reboot of
the Clean Access Server." Having L3 enabled by default opens a
tremendous security hole with users of routers. Due to the nature of
NAT, only 1 user has to validate behind the router; thus any other
devices are allowed out. This problem is compounded when users bring
wireless NAT routers up.

Simon


>>> [log in to unmask] 9/6/2005 1:41 PM >>>
We are also having trouble with Agent 3.5.6 and the use of routers. When
the user behind a wired or wireless router updates to v3.5.5, the "login"
remains greyed out, and they are unable to do the automatic upgrade to
v3.5.6 and cannot log in afterwards.  They were fine under version 3.5.4!

This may be because the new default stance for v3.5.5 servers is that
support for multi-hop L3 is off by default.  Does anyone know if this must be
specifically enabled to allow the use of wireless or wired routers on a
managed network?

-Bill
Network Security Administrator
Housing Technology
Colorado State University
