As a matter of helping the client we do NOT restrict the client from updating their machine with Windows update or the supported AV (Symantec) we provide for free. That's a good thing for them and us. So in the unauthenticated role I have checked the following, see attached file.

A client emails me that he can connect to http://www.witn.com without first authenticating through the CCA login page. I say to myself, no way that site is not allowed, but I tell the client I will check it out. Guess what he was right, it works without authenticating. Why, Both Symantec and WITN use a DNS proxy and the same IP address is returned for both sites. This is just one example and is by no means limited to this site only.

I'm using CCA version 4.1.8, I suspect this is true for all versions of CCA? What about other NAC offerings, anyone care to test a version other than Cisco Clean Access?

Yes, I opened a TAC case, jury is still out...

Thoughts, results?

Thanks, Howard