CLEANACCESS Archives

September 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU

From: Ryan Dorman <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Tue, 6 Sep 2005 16:59:46 -0400

It does seem like something that would best be "per role"

Ryan Dorman, CCNP
Network Communications Specialist
Millersville University
717.871.5883
[log in to unmask]


On Sep 6, 2005, at 4:56 PM, Simon Bell wrote:

> It looks like you can enable it on a per CAS basis. While this still
> kinda sux, it's better than all or nothing. I'd expect this "feature"
> to mature over the coming months.
>
> Simon
>
>
>>>> [log in to unmask] 9/6/2005 4:44 PM >>>
>>>>
> Yes, that is my point that my Access points will continue to work. If
> the students bring in a Switch or AP they will still have to go thru
> Clean Access, if they bring a router it will not work. This is assuming
> the default setup of Clean Access with L3 disabled. Sounds Great until I
> wish to deploy Clean Access thru my VPN :)
>
>
> Martin D. Flagg
> Network Engineer/Administrator
>
>
>
>
>
> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List
> [mailto:[log in to unmask]] On Behalf Of Ryan Dorman
> Sent: Tuesday, September 06, 2005 4:27 PM
> To: [log in to unmask]
> Subject: Re: Agent 3.5.6
>
> In the case of a true access point you are correct it is a
> bridge/repeater and the MAC addresses of the wireless clients would be
> visible to the server. In the case of a NAT/Router it would be an
> L3 hop and MACs would not come along for the ride.
>
> Ryan Dorman, CCNP
> Network Communications Specialist
> Millersville University
> 717.871.5883
> [log in to unmask]
>
>
> On Sep 6, 2005, at 4:21 PM, Flagg, Martin D. wrote:
>
>
>> Don't wireless access points actually bridge the traffic in most
>> installations?  We have Clean Access deployed on our wireless network
>> and it is the MAC address of the client getting recorded not the
>> Access point.  It is not a L3 hop, instead it is an L2 hop (bridged).
>>
>>
>> Martin D. Flagg
>> Network Engineer/Administrator
>>
>>
>>
>>
>>
>> -----Original Message-----
>> From: Perfigo SecureSmart and CleanMachines Discussion List
>> [mailto:[log in to unmask]] On Behalf Of Simon Bell
>> Sent: Tuesday, September 06, 2005 3:46 PM
>> To: [log in to unmask]
>> Subject: Re: Agent 3.5.6
>>
>> Yes, it must be enabled. Upgrading by default disables it. "L3
>> capability will be disabled by default after upgrade or new install of
>> 3.5(5), and enabling the feature will require an update and reboot of
>> the Clean Access Server." Having L3 enabled by default opens a
>> tremendous security hole with users of routers. Due to the nature of
>> NAT, only 1 user has to validate behind the router thus any other
>> devices are allowed out. This problem is compounded when users bring
>> wireless NAT routers up.
>>
>> Simon
>>
>>
>>
>>
>>>>> [log in to unmask] 9/6/2005 1:41 PM >>>
>>>>>
>>>>>
>> We are also having trouble with Agent 3.5.6 and the use of routers.
>> When the user behind a wired or wireless router updates to v3.5.5, the
>> "login" remains greyed out, and they are unable to do the automatic
>> upgrade to v3.5.6 and cannot log in afterwards.  They were fine under
>> version 3.5.4!
>>
>> This may be due to the new default stance for v3.5.5 servers is that
>> support for multi-hop L3 is off by default.  Does anyone know if this
>> must be specifically enabled to allow the use of wireless or wired
>> routers on a managed network?
>>
>> -Bill
>> Network Security Administrator
>> Housing Technology
>> Colorado State University
>>
>
