Thank you for all the feedback!
I agree that we need SSO for encrypted SSIDs such as WPA/WPA2. But it is still possible not to use SSO for a web auth SSID. The SSO is configured per SSID, not per WiSM, correct?
During my tests with SSO, I have seen one problem just once. After I logged in using the WiSM web auth page, I was directed to the CCA download page directly, which means SSO worked. But after I downloaded and installed the agent, the agent popped up for credentials!! It did not automatically perform posture checks as expected. It looks like after downloading and installing the agent, CCA lost the user authentication state somehow. I only saw this problem once, and was not able to duplicate it again. Has anyone ever seen this problem when doing SSO?
Thanks!
Dennis Xu
Network Analyst(CCS)
University of Guelph
5198244120 x 56217
-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[log in to unmask]] On Behalf Of Jamie Sanbower
Sent: June-04-07 4:32 PM
To: [log in to unmask]
Subject: Re: Wireless & CCA SSO
Dennis,
To add onto David's statement: I have been a part of many wireless SSO deployments. One of the biggest reasons to keep authentication on the wireless side and use SSO for CCA is so that you can utilize 802.11i or other secure authentication/encryption for current and future SSIDs that require data encryption. An example would be a Staff SSID that would carry data you wouldn't want students being able to intercept. This allows your staff to have profiles that use "Windows Credentials" to sign into wireless and have CCA perform SSO, with an end result of seamless login to wireless after an authorized user logs into Windows. Make sense?
I am assuming your last question about failure is referring to CCA SSO adding another layer of complexity. The risk is very minimal as long as the configuration is not modified after getting it to work successfully. As a side note, if you have redundant CASs, ensure that you are sending the RADIUS accounting packets to the CAS Trusted Service IP Address in order for SSO to work with either CAS. As far as troubleshooting is concerned, once the wireless system is successfully set up to send RADIUS accounting packets to the CAS and the CAS is receiving them correctly, there truly isn't any further troubleshooting.
HTH,
Jamie
>From: David Stempien <[log in to unmask]>
>Reply-To: Cisco Clean Access Users and Administrators
><[log in to unmask]>
>To: [log in to unmask]
>Subject: Re: Wireless & CCA SSO
>Date: Mon, 4 Jun 2007 15:29:22 -0400
>
>We are testing SSO and will be deploying it soon. It's pretty easy to set up
>and seems to work fine. Just create the VPN SSO auth type in the CAM and
>point your RADIUS accounting packets to the CAS.
>
>The only problem we had was in the configuration of our WiSM (acting as a
>RADIUS proxy) not sending RADIUS accounting stop packets to the CAS when a
>client disassociated with a WAP. The side effect was that the user was
>never purged from the VPN clients list of the CAS and was able to reconnect
>to any SSID on the WAP without having to reauthenticate...
>
>Without diving into the details, it had to do with the WiSM configuration,
>as the WiSM supports both global and per-SSID RADIUS configurations.
>
>--
>Dave Stempien, Network Security Engineer
>University of Rochester Medical Center
>Information Systems Division
>585-784-2427
>
>On 6/4/07 1:13 PM, "Dennis Xu" <[log in to unmask]> wrote:
>
> > We want to use CCA with our existing wireless web auth system. We have
> > two options: one is to keep the current wireless authentication system
> > and do SSO between wireless and CCA; the 2nd option is to change the
> > current WLAN to open authentication and move the web auth page to CCA,
> > so CCA does the authentication.
> >
> > I feel the SSO option will introduce another failure point and make
> > troubleshooting more difficult. How do you deal with wireless and CCA
> > authentication? Is anyone using SSO?
> >
> > Many Thanks!
> >
> > Dennis Xu
> > Network Analyst(CCS)
> > University of Guelph
> > 5198244120 x 56217
> >
>
>
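The thread above turns on one mechanism: the WiSM/WLC sends RADIUS accounting packets to the CAS, an Accounting-Request with Acct-Status-Type Start adds the user to the CAS "VPN clients" list (so CCA does not ask for credentials again), and a Stop is what purges them. David's failure mode is a controller that never sends the Stop. The following is an added example, not code from this mailing list, Cisco Clean Access, or any WiSM; it builds and parses RFC 2866 Accounting-Request packets (with the Request Authenticator check a receiver would do), keeps a session table that behaves the way the thread describes the CAS list, and then reports sessions that got a Start but never a Stop. The shared secret, user names, IP addresses and session IDs are constructed placeholders, and `SsoSessionTable` is a hypothetical stand-in for the CAS, not its real implementation.

```python
"""Added example: RADIUS accounting Start/Stop handling for SSO, and a
check for sessions that were started but never stopped (the stale-user
condition described in the thread). Not vendor code; all values constructed."""
import hashlib
import socket
import struct

ACCOUNTING_REQUEST = 4          # RADIUS code for Accounting-Request (RFC 2866)
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_START, ACCT_STOP = 1, 2    # Acct-Status-Type values


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (incl. header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_acct_request(identifier: int, secret: bytes, user: str,
                       framed_ip: str, session_id: str, status: int) -> bytes:
    """Build an Accounting-Request the way a NAS/controller would."""
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip))
             + _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _attr(ATTR_ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_acct_request(packet: bytes, secret: bytes) -> dict:
    """Validate and decode an Accounting-Request as the receiving server would.
    A wrong shared secret shows up here as an authenticator mismatch, which is
    the first thing to check when the CAS appears to 'not receive' accounting."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    authenticator, attrs = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if authenticator != expected:
        raise ValueError("bad Request Authenticator (wrong shared secret?)")
    record = {"id": identifier}
    pos = 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype == ATTR_USER_NAME:
            record["user"] = value.decode()
        elif atype == ATTR_FRAMED_IP_ADDRESS:
            record["ip"] = socket.inet_ntoa(value)
        elif atype == ATTR_ACCT_STATUS_TYPE:
            record["status"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_ACCT_SESSION_ID:
            record["session"] = value.decode()
    return record


class SsoSessionTable:
    """Hypothetical stand-in for the CAS VPN-clients list: Start adds a user,
    Stop removes them. Anything left over is a user who would keep SSO access
    without re-authenticating, exactly the symptom reported in the thread."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.active = {}  # Acct-Session-Id -> (user, framed IP)

    def ingest(self, packet: bytes) -> dict:
        record = parse_acct_request(packet, self.secret)
        if record.get("status") == ACCT_START:
            self.active[record["session"]] = (record["user"], record["ip"])
        elif record.get("status") == ACCT_STOP:
            self.active.pop(record["session"], None)
        return record

    def stale_sessions(self) -> dict:
        """Sessions with a Start but no Stop: candidates for a controller that
        is not sending accounting Stop packets (global vs per-SSID RADIUS config)."""
        return dict(self.active)


def simulate() -> dict:
    """Constructed exchange: one clean Start/Stop pair, one Start with no Stop."""
    secret = b"constructed-shared-secret"
    table = SsoSessionTable(secret)
    table.ingest(build_acct_request(1, secret, "alice", "10.20.0.5", "a1", ACCT_START))
    table.ingest(build_acct_request(2, secret, "alice", "10.20.0.5", "a1", ACCT_STOP))
    table.ingest(build_acct_request(3, secret, "bob", "10.20.0.9", "b7", ACCT_START))
    return table.stale_sessions()


if __name__ == "__main__":
    for sid, (user, ip) in simulate().items():
        print(f"stale SSO session {sid}: {user} at {ip} (Start seen, no Stop)")
```

Running it lists only bob's session, since alice's Stop purged hers. In practice the equivalent check is a periodic comparison of the controller's associated-client table against the CAS online-user list; a user present on the CAS but long gone from the controller points at the missing-Stop configuration problem rather than at SSO itself.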