CLEANACCESS Archives

May 2009

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Daniel Sichel <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Fri, 1 May 2009 09:04:54 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (33 lines)

> Learned this one the hard way back when Welchia was a going concern for
> a virus.
>
> Windows Login process pings all DC's that it knows about. The round trip
> time of the ICMP packet is part of the selection process for DC
> selection.
> Windows logon process assumption is no ping, no logon server available.


I had observed the ping and did not know why it was doing that; thanks
for the additional info. Having said that, there is still an issue
either with Clean Access or AD, because just allowing pings to the
server isn't enough: you have to allow ALL ICMP for Clean Access to
work. I don't know if that's because Clean Access is broken in the way
it handles ICMP or if some other weird ICMP-based process is taking
place for AD. If you have more details about this process, I would be
grateful to hear them. Of course, allowing unproxied full ICMP access to
your DCs kind of begs the question of what NAC is for... but that's
another topic altogether.

Thanks again,

Dan S.


PS: Is anyone out there doing device filtering with MAC address/IP
address combinations? Mine ignores IP addresses completely, and Cisco is
telling me that, despite the documentation, which says it can be done
based on IP AND MAC (even on the setup screen!), this is "by design". I
desperately need help on this one.