Excellent news considering how many of our student users are using this little trick to avoid the checks.

---
Jason Richardson
Enterprise Systems Support
Northern Illinois University

>>> [log in to unmask] 12/09/05 2:08 PM >>>
Atif/Rajesh-


That¹s great news... Saw that the release is up, will the release notes be
posted today as well?

-- 
Ryan Dorman, CCNP
Network Engineering Specialist
Millersville University
717.871.5883

On 12/9/05 2:43 PM, "Atif Azim (atif)" <[log in to unmask]> wrote:

> Just an FYI.
>  
> In the new CCA release (ver 3.6) there is a feature that has been added to
> combat this particular problem.
> This release will be available shortly.
>  
> From the new release notes:
>  
> ---------------->>>
>  
> New Feature:  OS Detection
>  
> By default, the system uses the User-Agent string from the HTTP header to
> determine the client OS. Release 3.6.0 provides additional detection options
> to include using the platform information from JavaScript, or OS
> fingerprinting from the TCP/IP handshake to determine the client OS. This
> feature is intended to prevent users from changing identification of their
> client operating systems through manipulation HTTP information.
> This affects the following web console pages:
> 
> €There is a new update entry for "Current Version of OS Detection Fingerprint"
> under Device Management > Clean Access > Clean Access Agent > Updates.
> 
> €There is a new OS Detection link and page under Device Management > CCA
> Servers > Manage [CAS_IP] > Authentication > OS Detection "
> 
> ----------------->>>
>  
> Regards,
> Atif
> 
> 
> From: Perfigo SecureSmart and CleanMachines Discussion List
> [mailto:[log in to unmask]] On Behalf Of King, Michael
> Sent: Thursday, December 08, 2005 8:00 AM
> To: [log in to unmask] 
> Subject: Re: New problem
> 
> True,
>  
> But what if your device doesn't have Java installed?  What if the workaround
> is to disable/remove java now?
>  
> They might be better off using the Host Fingerprinting from NMAP
> 
>>  
>>  
>> 
>>  From: Perfigo SecureSmart and CleanMachines  Discussion List
>> [mailto:[log in to unmask]] On Behalf Of Mike  Binns
>> Sent: Thursday, December 08, 2005 10:34 AM
>> To:  [log in to unmask] 
>> Subject: Re: New  problem
>> 
>>  
>>  
>> Students on our campus figured this out immediately  during our pilot on
>> campus Its the User Agent they change, and its really  easy. I plan to combat
>> it by looking for "linux" machines and verifying they  really are using some
>> other method. there are only one or two people actually  running linux on
>> campus. If i find people doing this i will probably clear  them from the auth
>> list and if they do it again, is just refer them to the  network director for
>> a nice chat :).
>>  
>>  
>>  
>> What CCA should have is a way to verify the system OS  using java, which is
>> much harder to forge. Basically any computer that shows  to be not windows
>> should have to run an applet that could verify the OS is  truly not windows.
>>  
>>  
>>  
>> 
>> -Mike Binns
>> Internet Manager
>> Gordon  College
>> [log in to unmask] 
>>  
>>  
>> 
>>  
>>  
>> 
>>  From: Perfigo SecureSmart and CleanMachines  Discussion List
>> [mailto:[log in to unmask]] On Behalf Of  Joyce, Todd N
>> Sent: Thursday, December 08, 2005 10:28  AM
>> To: [log in to unmask] 
>> Subject: New  problem
>> 
>>  
>>  
>>  
>> 
>> I had a student this morning tell  me they had fairly easily found a
>> workaround to Clean Access.  They  modified the Information / Authentication
>> string that Internet Explorer sends  to indicate that the computer was a
>> Linux machine and therefore since Clean  Access thinks their machine is a
>> Linux machine and there are no requirements  in place on the network for
>> Linux boxes, they were able to access the network  without installing Clean
>> Access.
>>  
>>  
>>  
>>  
>>  
>> Todd Joyce
>> Network Services
>> Radford University - The Smart Choice
>> [log in to unmask] 
>> (540)  831-7777
>>  
>>  
>>  
>> I would rather be a lonely genius than a popular  idiot.
>>  
>>  
>