Cal,
CASs are restricted by MACs. Only CAMs
> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List
> [mailto:[log in to unmask]] On Behalf Of Cal Frye
> Sent: Wednesday, August 16, 2006 10:49 AM
> To: [log in to unmask]
> Subject: Re: LDAP has broken
>
> Bad night. Here's where it came down.
> The upgrade from 3.5.4 to 3.5.11 scrambled the password for
> the proxy user who is authorized to make LDAP lookups for
> Clean Access. I called Cisco TAC, and the engineer ALSO
> altered the Search Filter for me, which was incorrect. This
> morning, when our LDAP administrator returned, we were able
> to correct both errors and restore service. The certificate
> came through properly.
>
> The major issue was one of our CASs failed altogether,
> disconnecting our main campus subnet for several hours. Few
> were affected, but still...
> We changed our routing setup and removed the CAS altogether
> to restore service. The CAS remains in contact with the CAM,
> but directly connecting a laptop (with a crossover or direct
> cable!) to the untrusted interface still produces no results.
> The laptop cannot ping the CAS interface, and the CAS cannot
> ping the laptop. Both interfaces show links and speed
> negotiation was proper, but no traffic passes. Sounds like
> hardware to me, complicated by the fact that replacing the
> CAS requires a new license, since the MAC addresses of the
> interfaces will change. I know why that's done, but it's
> stupid, especially so at 11:00 pm...
>
> Sorry, I'm short on sleep this morning; I'll stop ranting.
>
> Rajesh Nair (rajnair) ventured to comment, at 8/15/06 8:55 PM:
> > Cal,
> >
> > What does Auth Test do? Same thing?
> > If you are using LDAP over SSL, can you re-import your LDAP server's
> > SSL cert (although this should have been preserved)? Is it possible
> > that your LDAP server's cert may have expired?
> >
> > -Rajesh.
> >
> > -----Original Message-----
> > From: Perfigo SecureSmart and CleanMachines Discussion List
> > [mailto:[log in to unmask]] On Behalf Of Cal Frye
> > Sent: Tuesday, August 15, 2006 4:23 PM
> > To: [log in to unmask]
> > Subject: LDAP has broken
> >
> > Anybody here?
> >
> > As part of our upgrade to 4.0.2, I just took our NAC Appliances ;-) up
> > to 3.5.11 from 3.5.4. Now my LDAP authentication has broken. All the
> > LDAP server settings survived the update, everything looks as before,
> > except for the "Authentication failed" message. Did I forget
> > something? I'm scanning the archives, but not seeing much of anything
> > right at the moment...
>
>
> --
> -- Cal Frye, Network Administrator, Oberlin College
> www.ouuf.org, www.calfrye.com, www.pitalabs.com
>
> "The life of the nation is secure only while the nation is
> honest, truthful, and virtuous." --Frederick Douglass.
>
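Two of the three things that went wrong in Cal's thread were config values that a quick check would have caught before the appliance was trusted with them: a scrambled bind password and a search filter that had been altered and was incorrect. The following is an added example, not code from the original posts, from Cisco Clean Access, or from its Auth Test; it checks that an LDAP search filter is complete and well-formed per RFC 4515 and escapes a login name into it so that a name containing `*`, `(` or `)` cannot widen what the filter matches. The `%s` placeholder convention, the sample filters and the user names are constructed for the example, not taken from the thread.

```python
"""Sanity-check an LDAP search filter before it goes into an appliance config.

Added example (not Clean Access code): validates RFC 4515 filter syntax and
escapes a login name into a filter template so that characters such as
'*', '(' and ')' in the name cannot change what the filter matches.
"""
import re

# Attribute description: a descriptor like "uid" or "userCertificate;binary",
# or a numeric OID like "2.5.4.3".
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*|\d+(\.\d+)*")
_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


class FilterError(ValueError):
    """Raised with the offset at which the filter stops being well-formed."""


def escape_filter_value(value: str) -> str:
    """Escape an assertion value as RFC 4515 section 3 requires (\\XX hex form)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def _parse(s: str, i: int) -> int:
    """Parse one complete filter starting at s[i]; return the index just past it."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("filter ends after '('")
    c = s[i]
    if c in "&|":                      # AND / OR: one or more sub-filters
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
            count += 1
        if count == 0:
            raise FilterError(f"'{c}' at offset {i - 1} has no sub-filter")
    elif c == "!":                     # NOT: exactly one sub-filter
        i = _parse(s, i + 1)
    else:                              # simple item: attr filtertype value
        j = i
        while j < len(s) and s[j] not in "=<>~()":
            j += 1
        attr = s[i:j]
        if not _ATTR.fullmatch(attr):
            raise FilterError(f"bad attribute description {attr!r} at offset {i}")
        if s.startswith((">=", "<=", "~="), j):
            j += 2
        elif s.startswith("=", j):
            j += 1
        else:
            raise FilterError(f"expected '=' after {attr!r} at offset {j}")
        while j < len(s) and s[j] != ")":
            if s[j] == "(":
                raise FilterError(f"unescaped '(' inside value at offset {j}")
            if s[j] == "\\":           # an escape must be exactly two hex digits
                if not _HEX2.fullmatch(s[j + 1:j + 3]):
                    raise FilterError(f"bad escape at offset {j}")
                j += 3
            else:
                j += 1
        i = j
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return i + 1


def validate_filter(f: str) -> str:
    """Return f unchanged if it is one complete, well-formed filter; raise FilterError otherwise."""
    end = _parse(f, 0)
    if end != len(f):
        raise FilterError(f"trailing text after filter at offset {end}")
    return f


def check_filter(f: str):
    """Non-raising form: (True, 'ok') or (False, reason), handy for linting a config."""
    try:
        validate_filter(f)
        return True, "ok"
    except FilterError as e:
        return False, str(e)


def build_user_filter(template: str, username: str) -> str:
    """Substitute the login name into a '%s' template (assumed convention) with escaping."""
    return validate_filter(template.replace("%s", escape_filter_value(username)))


if __name__ == "__main__":
    # Constructed samples; the second one is missing its closing parenthesis.
    for f in ("(&(objectClass=person)(uid=%s))",
              "(&(objectClass=person)(uid=%s)",
              "(|(uid=%s)(mail=%s@example.edu))"):
        print(f"{f!r:45} -> {check_filter(f.replace('%s', 'jdoe'))}")
    # A hostile login name is neutralised instead of widening the match.
    print(build_user_filter("(&(objectClass=person)(uid=%s))", "*)(uid=*"))
```

Run it against the filter string from the appliance's LDAP settings before saving; a `(False, "expected ')' at offset ...")` result points at exactly where a hand edit went wrong. It does not replace testing the bind itself: a filter can be perfectly well-formed while the proxy user's password is wrong, which is the other half of what bit Cal.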