CLEANACCESS Archives

August 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From:
"King, Michael" <[log in to unmask]>
Reply To:
Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date:
Wed, 16 Aug 2006 12:46:26 -0400
Cal,

CASs are restricted by MACs. Only CAMs

> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List 
> [mailto:[log in to unmask]] On Behalf Of Cal Frye
> Sent: Wednesday, August 16, 2006 10:49 AM
> To: [log in to unmask]
> Subject: Re: LDAP has broken
> 
> Bad night. Here's where it came down.
> The upgrade from 3.5.4 to 3.5.11 scrambled the password for 
> the proxy user who is authorized to make LDAP lookups for 
> Clean Access. I called Cisco TAC, and the engineer ALSO 
> altered the Search Filter for me, which was incorrect. This 
> morning, when our LDAP administrator returned, we were able 
> to correct both errors and restore service. The certificate 
> came through properly.
> 
> The major issue was one of our CASs failed altogether, 
> disconnecting our main campus subnet for several hours. Few 
> were affected, but still...
> We changed our routing setup and removed the CAS altogether 
> to restore service. The CAS remains in contact with the CAM, 
> but directly connecting a laptop (with a crossover or direct 
> cable!) to the untrusted interface still produces no results. 
> The laptop cannot ping the CAS interface, and the CAS cannot 
> ping the laptop. Both interfaces show links and speed 
> negotiation was proper, but no traffic passes. Sounds like 
> hardware to me, complicated by the fact that replacing the 
> CAS requires a new license, since the MAC addresses of the 
> interfaces will change. I know why that's done, but it's 
> stupid, especially so at 11:00 pm...
> 
> Sorry, I'm short on sleep this morning; I'll stop ranting.
> 
>  Rajesh Nair (rajnair) ventured to comment, at 8/15/06 8:55 PM:
> > Cal,
> > 
> > What does Auth Test do?  Same thing? 
> > If you are using LDAP over SSL, can you re-import your LDAP server's
> > SSL cert (although this should have been preserved)?  Is it possible
> > that your LDAP server's cert may have expired?
> > 
> > -Rajesh. 
> > 
> > -----Original Message-----
> > From: Perfigo SecureSmart and CleanMachines Discussion List 
> > [mailto:[log in to unmask]] On Behalf Of Cal Frye
> > Sent: Tuesday, August 15, 2006 4:23 PM
> > To: [log in to unmask]
> > Subject: LDAP has broken
> > 
> > Anybody here?
> > 
> > As part of our upgrade to 4.0.2, I just took our NAC Appliances ;-) up to
> > 3.5.11 from 3.5.4. Now my LDAP authentication has broken. All the LDAP
> > server settings survived the update, everything looks as before,
> > except for the "Authentication failed" message. Did I forget
> > something? I'm scanning the archives, but not seeing much of anything
> > right at the moment...
> 
> 
> --
> -- Cal Frye, Network Administrator, Oberlin College
>     www.ouuf.org,  www.calfrye.com,  www.pitalabs.com
> 
> "The life of the nation is secure only while the nation is 
> honest, truthful, and virtuous." --Frederick Douglass.
> 
