Date: Thu, 5 Jul 2007 14:46:25 -0700
Hi Walt,

CCA Agent does not currently support having multiple active NICs on a
single PC and what you're seeing is the expected behavior with multiple
NICs. Last I heard, this was being considered for inclusion in an
upcoming release. This is documented as feature request #CSCpe00141.

-Russ

Howd, Walt wrote:
>
> We are adding Clean Access to our wireless network and have noticed
> some issues with Clean Access when dealing with multi-homed systems.
> On many systems when the system is dual homed and concurrently
> connected to both the wired and wireless networks, Clean Access will
> continually prompt for authentication even if authentication was
> successful.
>
> We have Clean Access deployed as inband Real-IP Gateways, with one
> high availability pair for the wired network and one high availability
> pair for the wireless network. We are currently running 4.0.4 with the
> 4.0.5.1 agent.
>
> When a system is connected to a wired network protected by Clean
> Access and a wireless network protected by Clean Access the Clean
> Access Agent only sends out a CAS Agent Discovery (SWISS) UDP packet
> on the first active network interface listed by adapter order.
>
> You can view the adapter binding order by performing the following
> steps <http://support.microsoft.com/kb/894564>:
>
> 1. Click *Start*, click *Run*, type ncpa.cpl, and then click *OK*.
>
> 2. On the *Advanced* menu, click *Advanced Settings*, and then click
> the *Adapters and Bindings* tab.
>
> We notice issues when the wireless interface is listed *before* the
> wired interface as it appears to be by default on many systems.
>
> When the wireless CAS answers the SWISS packet, the Agent Login Screen
> appears. After the user enters their credentials a TLS session is
> opened to the CAM but it routes through the *wired connection* because
> the CAM is not in the same subnet as the wireless or wired interface
> and the wired interface has a lower routing metric
> <http://www.microsoft.com/technet/community/columns/cableguy/cg0405.mspx>.
> It also shows an SSL cert error, as it appears to be expecting the
> wireless CAS cert but instead sees the wired CAS cert.
>
> If authentication succeeds, the system will be logged in via the
> wired CAS with the wired MAC address. However, the agent will continue
> to prompt for logon <http://www2.truman.edu/%7Ewhowd/cca-reprompts/>
> as it is still sending out SWISS packets to the wireless CAS and the
> wireless CAS reports the wireless MAC is not logged in. At this point
> the user must either close the agent or turn off the “Popup Login
> Window”. To the user it appears logon did not work, when in fact they
> are authenticated.
>
> The best fix I have found is to ensure that the wired interface is
> listed first in the adapter order. If this is the case, everything
> works as expected. You can login to CCA when you are dual homed to the
> wired CAS, and when you disconnect the wire you are prompted for login
> to the wireless CAS.
>
> However we have a large number of unmanaged student systems and making
> sure this setting is in place on each one is a rather onerous task.
> The other solution is to tell users to disable their wireless card
> when they are connected to the wired network.
>
> Is there another solution or settings for the Agent to have it send
> out SWISS packets based on the routing metric rather than the adapter
> order?
>
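
The mismatch described in this thread, modelled as an added example (not code from Cisco or from either poster): it compares the NIC chosen for SWISS discovery (first active adapter in binding order, as reported above) with the NIC the OS would route the TLS login to the CAM through. The `Nic` fields, addresses and metrics are constructed, and the route model (on-link longest prefix, else lowest-metric default route) is an assumed simplification of Windows route selection.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Nic:
    name: str
    binding_pos: int   # position on the Adapters and Bindings tab, 0 = first
    address: str       # interface address in CIDR form
    metric: int        # metric of this NIC's default route
    active: bool = True

def discovery_nic(nics):
    """NIC the Agent sends SWISS discovery on, per the thread:
    the first active interface in adapter order."""
    active = [n for n in nics if n.active]
    return min(active, key=lambda n: n.binding_pos) if active else None

def egress_nic(nics, dest):
    """NIC the OS routes dest through (simplified model): an on-link
    subnet wins by longest prefix, else the lowest-metric default route."""
    dest = ipaddress.ip_address(dest)
    active = [n for n in nics if n.active]
    nets = [(ipaddress.ip_interface(n.address).network, n) for n in active]
    on_link = [(net.prefixlen, n) for net, n in nets if dest in net]
    if on_link:
        return max(on_link, key=lambda t: t[0])[1]
    return min(active, key=lambda n: n.metric) if active else None

def reprompt_risk(nics, cam_ip):
    """True when discovery and the TLS login to the CAM leave on different NICs."""
    d, e = discovery_nic(nics), egress_nic(nics, cam_ip)
    return d is not None and e is not None and d.name != e.name

# Constructed sample: CAM outside both client subnets, wired has the lower metric.
CAM_IP = "10.0.0.10"
WIRELESS_FIRST = [Nic("wireless", 0, "192.168.20.31/24", 25),
                  Nic("wired", 1, "192.168.10.25/24", 20)]
WIRED_FIRST = [Nic("wireless", 1, "192.168.20.31/24", 25),
               Nic("wired", 0, "192.168.10.25/24", 20)]

if __name__ == "__main__":
    for label, nics in (("wireless first", WIRELESS_FIRST), ("wired first", WIRED_FIRST)):
        print(label, discovery_nic(nics).name, egress_nic(nics, CAM_IP).name,
              reprompt_risk(nics, CAM_IP))
```

With the wired NIC marked inactive (cable unplugged), discovery and egress both fall to the wireless NIC and the check reports no risk, matching the behavior described for the wired-first workaround.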