CLEANACCESS Archives

July 2007

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Russ Hearn <[log in to unmask]>
Reply-To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Thu, 5 Jul 2007 14:46:25 -0700
Content-Type: text/plain
Hi Walt,

CCA Agent does not currently support having multiple active NICs on a 
single PC and what you're seeing is the expected behavior with multiple 
NICs. Last I heard, this was being considered for inclusion in an 
upcoming release. This is documented as feature request #CSCpe00141.

-Russ

Howd, Walt wrote:
>
> We are adding Clean Access to our wireless network and have noticed 
> some issues with Clean Access when dealing with multi-homed systems. 
> On many systems when the system is dual homed and concurrently 
> connected to both the wired and wireless networks, Clean Access will 
> continually prompt for authentication even if authentication was 
> successful.
>
> We have Clean Access deployed as inband Real-IP Gateways, with one 
> high availability pair for the wired network and one high availability 
> pair for the wireless network. We are currently running 4.0.4 with the 
> 4.0.5.1 agent.
>
> When a system is connected to a wired network protected by Clean 
> Access and a wireless network protected by Clean Access the Clean 
> Access Agent only sends out a CAS Agent Discovery (SWISS) UDP packet 
> on the first active network interface listed by adapter order.
>
> You can view the adapter binding order by performing the following 
> steps <http://support.microsoft.com/kb/894564>:
>
> 1. Click *Start*, click *Run*, type ncpa.cpl, and then click *OK*.
>
> 2. On the *Advanced* menu, click *Advanced Settings*, and then click 
> the *Adapters and Bindings* tab.
>
> We notice issues when the wireless interface is listed *before* the 
> wired interface as it appears to be by default on many systems.
>
> When the wireless CAS answers the SWISS packet, the Agent Login Screen 
> appears. After the user enters their credentials a TLS session is 
> opened to the CAM but it routes through the *wired connection* because 
> the CAM is not in the same subnet as the wireless or wired interface 
> and the wired interface has a lower routing metric 
> <http://www.microsoft.com/technet/community/columns/cableguy/cg0405.mspx>. 
> It also shows an SSL cert error, as it appears to be expecting the 
> wireless CAS cert but instead sees the wired CAS cert.
>
> If authentication succeeds, the system will be logged into via the 
> wired CAS with the wired MAC address. However, the agent will continue 
> to prompt for logon <http://www2.truman.edu/%7Ewhowd/cca-reprompts/> 
> as it is still sending out SWISS packets to the wireless CAS and the 
> wireless CAS reports the wireless MAC is not logged in. At this point 
> the user must either close the agent or turn off the "Popup Login 
> Window". To the user it appears logon did not work, when in fact they 
> are authenticated.
>
> The best fix I have found is to ensure that the wired interface is 
> listed first in the adapter order. If this is the case, everything 
> works as expected. You can login to CCA when you are dual homed to the 
> wired CAS, and when you disconnect the wire you are prompted for login 
> to the wireless CAS.
>
> However we have a large number of unmanaged student systems and making 
> sure this setting is in place on each one is a rather onerous task. 
> The other solution is to tell users to disable their wireless card 
> when they are connected to the wired network.
>
> Is there another solution or setting for the Agent to have it send 
> out SWISS packets based on the routing metric rather than the adapter 
> order?
>
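One way to check a Windows host for the mismatch Walt describes, as an added example that is not part of the thread and is not a Cisco or Microsoft tool: it reads the TCP/IP binding order from the registry location documented in KB 894564 (the same order the *Adapters and Bindings* tab shows), then compares the first bound adapter with the interface that holds the lowest-metric default route, which is the path an off-subnet CAM would actually be reached over. It assumes a Windows 8 / Server 2012 or newer host with the NetTCPIP cmdlets, which the 2007 thread predates; the function names are my own.

```powershell
# Added example: flag a dual-homed Windows host where the first adapter in
# binding order (where the Agent sends discovery, per the thread) differs from
# the interface holding the best default route (where login traffic is routed).
# Assumes NetTCPIP cmdlets (Windows 8 / Server 2012+), not available in 2007.

function Get-BindingOrder {
    # TCP/IP binding order as shown on the "Adapters and Bindings" tab.
    # Entries look like \Device\{GUID}; location per KB 894564.
    $bind = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind
    foreach ($entry in $bind) {
        $guid = $entry -replace '^\\Device\\', ''
        # Non-adapter bindings (e.g. WAN miniports) have no matching NetAdapter and are skipped.
        $adapter = Get-NetAdapter | Where-Object { $_.InterfaceGuid -eq $guid }
        if ($adapter) { $adapter }
    }
}

function Get-DefaultRouteCandidates {
    # All IPv4 default routes. Windows selects the one with the lowest
    # InterfaceMetric + RouteMetric, which is the "routing metric" in the thread.
    Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        Select-Object InterfaceIndex, InterfaceAlias, InterfaceMetric, RouteMetric,
            @{ Name = 'EffectiveMetric'; Expression = { $_.InterfaceMetric + $_.RouteMetric } } |
        Sort-Object EffectiveMetric
}

# Only adapters that are actually up matter for discovery.
$order  = @(Get-BindingOrder | Where-Object { $_.Status -eq 'Up' })
$routes = @(Get-DefaultRouteCandidates)

if ($order.Count -lt 2 -or $routes.Count -lt 2) {
    Write-Output 'Host is not dual-homed (fewer than two active interfaces with default routes).'
    return
}

$discoveryIf = $order[0]    # first in binding order: where SWISS discovery goes
$routeIf     = $routes[0]   # lowest effective metric: where traffic to an off-subnet CAM goes

Write-Output "First adapter in binding order: $($discoveryIf.Name) (ifIndex $($discoveryIf.InterfaceIndex))"
Write-Output "Best default route            : $($routeIf.InterfaceAlias) (ifIndex $($routeIf.InterfaceIndex), metric $($routeIf.EffectiveMetric))"

if ($discoveryIf.InterfaceIndex -ne $routeIf.InterfaceIndex) {
    Write-Warning 'Mismatch: discovery and login traffic would leave on different interfaces; expect the repeated login prompts described in the thread.'
} else {
    Write-Output 'Binding order and routing agree; no mismatch on this host.'
}
```

Run it from an elevated PowerShell prompt on the dual-homed machine. A warning means the wired adapter needs to be moved above the wireless one on the *Adapters and Bindings* tab (or the wireless adapter disabled while wired), which is exactly the workaround Walt arrived at; the script only reports, it changes nothing.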
