CLEANACCESS Archives

February 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From:
Ryan Dorman <[log in to unmask]>
Reply To:
Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date:
Mon, 27 Feb 2006 17:50:47 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (71 lines)
I'm gonna take a shot at this... Rajesh, tell me if I'm nuts....

If both are unchecked and there is a NAT router between the user and the CAS
the flow will work like this.

1.  User fires up PC, gets NAT'd IP
2.  NAT router gets "external" IP from CAS
3.  User attempts to web out and is forced through authentication/remediate
4.  External IP of NAT and external MAC are added to the Certified Devices
list
5.  User #2 plugs into NAT router, gets NAT'd IP
6.  User #2 "piggybacks" on the original user's certified device entry and is
not required to authenticate or be remediated. To the CAS all the traffic is
coming from the original user.

On 2/27/06 5:29 PM, "Jason Richardson" <[log in to unmask]> wrote:

> OK, here's what I suppose might be a stupid question, but after reading the
> doc, my associate and I are equally unenlightened.  Assuming that one is
> running CCA ver. 3.6.x (we're running 3.6.1.1 on our shiny new test
> environment :)), what is the difference between disabling L3 and enabling L2
> strict mode?  The release notes for 3.6(1) state:
> 
> "Enhanced L2 Strict Mode User Support (Agent Only)
> With release 3.6(0) CAM/CAS and 3.6.0.0 Agent, administrators can restrict
> Clean Access Agent clients to be connected to the Clean Access Server directly
> as their only gateway using the "Enable L2 strict mode for Clean Access
> Agent." 
> 
> When this feature is enabled, the Clean Access Agent will send the MAC
> addresses for all interfaces on the client machine with the login request to
> the CAS. The CAS then checks this information to ensure no NAT exists between
> the CAS and the client. The CAS verifies and compares MAC addresses to ensure
> that the MAC address seen by the CAS is the MAC address of the Agent client
> machine only. If user home-based wireless routers or NAT devices are detected
> between the client device and the CAS, the user is not allowed to log in. With
> release 3.6(0), administrators have the following options:
> 
> *Enable L3 support for Clean Access Agent *The CAS allows all users from any
> hops away. 
> 
> *Enable L2 strict mode for Clean Access Agent * The CAS does not allow users
> who are more than one hop away from the CAS. The user will be forced to remove
> any router between the CAS and the user's client machine to gain access to the
> network. 
> 
> *Both options left unchecked (Default setting)* The CAS performs in L2 mode
> and expects that all clients are one hop away. The CAS will not be able to
> distinguish if a router is between the CAS and the client and will allow the
> MAC address of router as the machine of the first user who logs in and any
> subsequent users. Checks will not be performed on the actual client machines
> passing through the router as a result, as their MAC addresses will not be
> seen."
> 
> We've read the last part over several times, and we just can't make sense of
> it.  Would anyone care to take a shot at explaining it to us?
> 
> TIA,
> 
> ---
> Jason Richardson
> Manager, Security Systems
> Enterprise Systems Support
> Northern Illinois University
> 
> P.S. We are happy to report that the TCP finger printing feature is working
> quite well to stop the user-agent work-around
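As an added illustration of the two configurations the thread compares (default L2 mode versus L2 strict mode), here is a small Python model of the Certified Devices check. This is not Cisco/Perfigo code and not from either poster; the class names (Client, LoginRequest, Decision, Cas) and MAC addresses are constructed, and the rules follow only the release-note text quoted above: default mode certifies whatever MAC the CAS sees on the wire, while strict mode compares the Agent-reported interface MACs against that wire MAC.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Client:
    name: str
    interface_macs: frozenset  # what the Agent reports with the login request

@dataclass(frozen=True)
class LoginRequest:
    """The login as the CAS sees it: source MAC on the wire plus Agent payload."""
    user: str
    wire_mac: str
    agent_macs: frozenset

@dataclass(frozen=True)
class Decision:
    allowed: bool
    authenticated: bool  # False means the user rode an existing certified entry
    reason: str

def direct(client: Client) -> LoginRequest:
    # One hop: the CAS sees the client's own NIC as the frame source.
    return LoginRequest(client.name, min(client.interface_macs), client.interface_macs)

def via_nat(client: Client, router_mac: str) -> LoginRequest:
    # A NAT router between client and CAS: the CAS sees the router's MAC,
    # but the Agent payload still carries the client's real interface MACs.
    return LoginRequest(client.name, router_mac, client.interface_macs)

class Cas:
    def __init__(self, l2_strict: bool):
        self.l2_strict = l2_strict
        self.certified = {}  # Certified Devices list: wire MAC -> first user

    def login(self, req: LoginRequest) -> Decision:
        owner = self.certified.get(req.wire_mac)
        if owner is not None:  # steps 5-6: same wire MAC, no new checks
            return Decision(True, False, f"piggybacks on {owner}'s certified entry")
        if self.l2_strict and req.wire_mac not in req.agent_macs:
            return Decision(False, False, "NAT device detected between client and CAS")
        self.certified[req.wire_mac] = req.user  # step 4: wire MAC certified
        return Decision(True, True, "authenticated and remediated")

def replay_thread_flow(l2_strict: bool) -> list:
    """Steps 1-6 from the reply: two users behind one NAT router (constructed MACs)."""
    cas = Cas(l2_strict)
    router_mac = "00:11:22:33:44:55"
    users = [Client("user1", frozenset({"aa:bb:cc:00:00:01"})),
             Client("user2", frozenset({"aa:bb:cc:00:00:02"}))]
    return [cas.login(via_nat(u, router_mac)) for u in users]
```

In default mode the second user is admitted on the router's certified entry without authentication or remediation; in strict mode both logins are refused because the router's MAC is not among the MACs the Agent reported, while a directly connected client still authenticates normally.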
