CLEANACCESS Archives

June 2007

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Dennis Xu <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Tue, 5 Jun 2007 10:44:56 -0400

Thank you for all the feedback!

I agree that we need SSO for encryption SSIDs such as WPA/WPA2. But it is still possible not to use SSO for the web auth SSID. The SSO is configured per SSID, not per WiSM, correct?

During my tests with SSO, I have seen one problem just once. After I logged in using the WiSM web auth page, I was directed to the CCA download page directly, which means SSO worked. But after I downloaded and installed the agent, the agent popped up for credentials!! It was not automatically performing posture checks as expected. It looks like after downloading and installing the agent, CCA lost the user authentication state somehow. I just saw this problem once, and was not able to duplicate it again. Has anyone ever seen this problem when doing SSO?

Thanks!

Dennis Xu
Network Analyst(CCS)
University of Guelph
5198244120 x 56217

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[log in to unmask]] On Behalf Of Jamie Sanbower
Sent: June-04-07 4:32 PM
To: [log in to unmask]
Subject: Re: Wireless & CCA SSO

Dennis,

To add onto David's statement. I have been a part of many wireless SSO
deployments. One of the biggest reasons to keep Authentication on the
wireless side and use SSO for CCA is so that you can utilize 802.11i or
other secure authen/encryption for current and future SSIDs that require
data encryption. An example would be a Staff SSID that would have data that
you wouldn't want students being able to intercept. This allows your staff
to have profiles that use "Windows Credentials" to sign into wireless and
CCA perform SSO, with an end-result of seamless login to wireless after an
authorized user logs into windows. Make sense?

I am assuming your last question about failure is referring to CCA SSO
adding another layer of complexity. The risk is very minimal as long as
the configuration is not modified after getting it to work successfully. As
a side note, if you have redundant CASs, ensure that you are sending the
radius accounting packet to the CAS Trusted Service IP Address in order
for SSO to work with either CAS. As far as troubleshooting is concerned, once
the Wireless system is successfully set up to send radius accounting packets
to the CAS and the CAS is receiving them correctly, there truly isn't any
further troubleshooting.

HTH,

Jamie



>From: David Stempien <[log in to unmask]>
>Reply-To: Cisco Clean Access Users and Administrators              
><[log in to unmask]>
>To: [log in to unmask]
>Subject: Re: Wireless & CCA SSO
>Date: Mon, 4 Jun 2007 15:29:22 -0400
>
>We are testing SSO and will be deploying it soon.  It's pretty easy to setup
>and seems to work fine.  Just create the VPN SSO auth type in the CAM and
>point your RADIUS accounting packets to the CAS.
>
>The only problem we had was in the configuration of our WiSM (acting as a
>RADIUS proxy) not sending RADIUS accounting stop packets to the CAS when a
>client disassociated with a WAP.  The side effect was that the user was
>never purged from the VPN clients list of the CAS and was able to reconnect
>to any SSID on the WAP without having to reauthenticate...
>
>Without diving into the details, it had to do with the WiSM configuration as
>the WiSM supports both global and per-SSID RADIUS configurations.
>
>--
>Dave Stempien, Network Security Engineer
>University of Rochester Medical Center
>Information Systems Division
>585-784-2427
>
>
>
>On 6/4/07 1:13 PM, "Dennis Xu" <[log in to unmask]> wrote:
>
> > We want to use CCA with our existing wireless web auth system. We have two
> > options: one is to keep the current wireless authentication system and do SSO
> > between wireless and CCA; the 2nd option is to change the current wlan to be
> > open authentication and move the web auth page to CCA, so CCA does
> > authentication.
> >
> > I feel the SSO option will introduce another failure point and make
> > troubleshooting more difficult. How do you deal with wireless and CCA
> > authentication? Is anyone using SSO?
> >
> > Many Thanks!
> >
> > Dennis Xu
> > Network Analyst(CCS)
> > University of Guelph
> > 5198244120 x 56217
> >
>
>

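Added example, not part of the original thread and not Cisco Clean Access code: the thread describes sessions that stay authorized on the CAS because a RADIUS accounting Stop never arrives after a client disassociates. The Python below parses Accounting-Request packets (RFC 2866 layout) and lists sessions that have a Start but no Stop; the packets, user names and session ids are constructed, and the Request Authenticator is not verified.

```python
import struct

# Codes and attribute types from RFC 2865/2866.
ACCOUNTING_REQUEST = 4
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44
START, STOP = 1, 2

def build_acct(ident, user, session, status):
    """Constructed Accounting-Request for the sample (authenticator zeroed)."""
    pairs = [(USER_NAME, user.encode()), (ACCT_SESSION_ID, session.encode()),
             (ACCT_STATUS_TYPE, struct.pack("!I", status))]
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)
    return struct.pack("!BBH16s", ACCOUNTING_REQUEST, ident, 20 + len(attrs), bytes(16)) + attrs

def parse_acct(pkt):
    """Return (user, session_id, status), or None for anything malformed."""
    if len(pkt) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(pkt):
        return None
    fields, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            return None
        fields[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    try:
        status = struct.unpack("!I", fields[ACCT_STATUS_TYPE])[0]
        return fields[USER_NAME].decode(), fields[ACCT_SESSION_ID].decode(), status
    except (KeyError, struct.error, UnicodeDecodeError):
        return None

def stale_sessions(packets):
    """Map session id -> user for every Start that was never followed by a Stop."""
    open_sessions = {}
    for user, sid, status in filter(None, map(parse_acct, packets)):
        if status == START:
            open_sessions[sid] = user
        elif status == STOP:
            open_sessions.pop(sid, None)
    return open_sessions

# Constructed capture: bob's session never sends a Stop; the last datagram is truncated.
SAMPLE = [build_acct(1, "alice", "s-01", START), build_acct(2, "bob", "s-02", START),
          build_acct(3, "alice", "s-01", STOP), b"\x04\x04\x00\x10junk"]
```

Running `stale_sessions` over accounting traffic captured toward the receiver, after clients have disassociated, shows which sessions would still be listed as authenticated.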