CLEANACCESS Archives

October 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: WGA validation incomplete
From:
John Stauffacher <[log in to unmask]>
Reply To:
Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date:
Wed, 12 Oct 2005 18:17:05 -0700
Content-Type:
multipart/signed
Parts/Attachments:
text/plain (6 kB) , smime.p7s (4 kB) 
Rajesh,

Extending the cisco_api would be a good start. Currently I find its use 
very limited and only really useful for self-service applications (such 
as users registering their own Xbox's etc). I guess my dream would be 
that the cisco_api would expose more of the core administrative api. Not 
to digress, but the current admin interface is pretty disjointed and 
shows signs of alot of chiefs, but few indians. Answering the question 
of "Why is user X in the temporary/qtine role" requires at least 6 
clicks and 2 browser windows (1 of which is a popup) and 2 search fields 
to find out that user X failed a Microsoft Hotfix. It would be nice if 
cisco_api exposed enough of the admin core api that we could query 
cisco_api and get this information back in a clear and concise format 
(be it xml or csv) [i know our helpdesk would love it, i would love it]. 
At the high level, just getting raw metrics back such as that on the 
main "online users" page and the "stats" page:

Total # of users
Max # of users since last reset
For N in Roles
do
    # of users in Role N
done

would suffice.  later on, it would be nice to have a facility to query 
the api with a given username (or key) and have it return some indicator 
as to why user X is in Role N.

Rajesh Nair (rajnair) wrote:

>John,
>
>There has been a reluctance in general to open up any information via
>SNMP because the read/write permission feature request usually follow
>the read request, if you know what I mean.  And it would worry us to
>open up any kind of write through SNMP.  
>
>One other thing I am also worried about is that SNMP is good for smaller
>pieces of data but if we try pushing large pieces of data through it
>(e.g. user lists such as online user list, certified devices list,
>etc.), it may not be very reliable.  
>
>Thoughts? 
>
>I have an alternate suggestion - let me know what your thoughts are.  If
>we can extend the API (https://<cam-adress-or-name>/admin/cisco_api.jsp)
>with these additional data gathering functions, would that satisfy your
>needs?  Output this data as XML or CSV?
>
>-Rajesh.
>
>-----Original Message-----
>From: Perfigo SecureSmart and CleanMachines Discussion List
>[mailto:[log in to unmask]] On Behalf Of John Stauffacher
>Sent: Wednesday, October 12, 2005 5:15 PM
>To: [log in to unmask]
>Subject: Re: WGA validation incomplete
>
>Rajesh,
>
>Why not -- as a stop gap, open up more of the data via snmpd. Create
>some custom scripts to pull data out of the pgsql databases and feed
>back through snmpd so we can query with our own NMS systems and get
>stuff like "Users in Quarentine Role", "Users in Temporary Role". These
>are the most common things I look at on a daily basis and I just wish I
>could integrate into my NMS which I am already staring at far too long
>during the day. Obviously if your Temporary or Qtine roles are climbing
>exponentially over time, you can predict there might be an issue at
>hand, thats usually when I start calling users in their rooms and ask
>them if they are having issues (it spooks a few of them, but most like
>the 'proactive' approach).
>
>Rajesh Nair (rajnair) wrote:
>
>  
>
>>Mike,
>>
>>Yes, it would be good to have but at this point, it will not make it 
>>into the 3.6 release.  We have already begun the testing cycle and only
>>    
>>
>
>  
>
>>minor enhancements can be made at this stage...
>>
>>But yes, we are strongly considering reporting for the following 
>>release.  One approach we are thinking of taking is that of a set of 
>>canned reports.  While probably not as useful as a full-fledged 
>>reporting package, if we can hit the 80-20 rule, i.e. provide canned 
>>reports that satisfy 80% of the requirements, we would consider it a 
>>success.  It would be interesting to hear from people as to types of 
>>reports you would like to see.
>>
>>Regards,
>>-Rajesh.
>>
>>P.S. Please don't expect immediate turnaround though.  Please remember 
>>that this will not make it into 3.6 and I am requesting input for the 
>>following release.  Thanks.
>>
>>-----Original Message-----
>>From: Perfigo SecureSmart and CleanMachines Discussion List 
>>[mailto:[log in to unmask]] On Behalf Of King, Michael
>>Sent: Wednesday, October 12, 2005 4:38 PM
>>To: [log in to unmask]
>>Subject: Re: WGA validation incomplete
>>
>>Hey Bob,
>>
>>How'd you make the nifty graphic?  (High level overview, But I'm sure 
>>We'll want the nitty gritty later.)
>>
>>Hey Rajash, this would be a great feature to put into 3.6, Reports!
>>
>>________________________________
>>
>>From: Perfigo SecureSmart and CleanMachines Discussion List on behalf 
>>of Bob Black
>>Sent: Wed 10/12/2005 7:11 PM
>>To: [log in to unmask]
>>Subject: Re: WGA validation incomplete
>>
>>
>>
>>Hi Marilee,
>>
>>It looks like you picked a tough week to roll this out.
>>
>>We're having the same problem with the newest round of windows updates.
>>It appears to be a problem on their end. It's possible it's 
>>malware/borked-IE related. I'm sure that information will calm the 
>>frustrated student masses.
>>
>>I've attached a graphic of our "Quarantine role" since yesterday 
>>afternoon.
>>X-axis is time in hours. Y-Axis is the number of unique machines 
>>failing one or more CCA rules.
>>
>>If this is your first roll-out, you might want to consider setting the 
>>windows update rule you have to not enforce while MS fixes the issues 
>>on their end.
>>
>>Hope this helps,
>>
>>Bob
>>
>>
>>
>>
>> 
>>
>>    
>>
>>>-----Original Message-----
>>>From: Perfigo SecureSmart and CleanMachines Discussion List 
>>>[mailto:[log in to unmask]] On Behalf Of Marilee Collins
>>>Sent: Wednesday, October 12, 2005 3:47 PM
>>>To: [log in to unmask]
>>>Subject: WGA validation incomplete
>>>
>>>We're attempting to roll out the Clean Access agent, but many of the 
>>>students are unable to validate Windows.
>>>
>>>They get "Validation Incomplete: Unable to Perform Validation." We 
>>>have checked that the system time/zone is correct.They say they're 
>>>installing ActiveX, but the installation period reported to me is so 
>>>quick I wonder if it's really installed.
>>>
>>>I've got all the Microsoft hosts allowed from the lists that were 
>>>posted earlier this year.
>>>
>>>We're running CAS 3.5.3.1 with the 3.5.3 agent.
>>>
>>>Has anyone else seen this?  Anyone have some suggestions?
>>>
>>>Thanks!
>>>
>>>Marilee Collins
>>>Information Technology Services
>>>Northern Arizona University
>>>   
>>>
>>>      
>>>
>
>
>--
>John Stauffacher, CISSP
>Network Administrator
>Chapman University
>[log in to unmask]
>ph: 714.628.7249
>"It's amazing how much you take for granted when you already know what
>you are doing."
>"there is no /usr/local on my C:\ drive!"
>  
>


-- 
John Stauffacher, CISSP
Network Administrator
Chapman University
[log in to unmask]
ph: 714.628.7249
"It's amazing how much you take for granted when you already know what you are doing."
"there is no /usr/local on my C:\ drive!"

ATOM RSS1 RSS2