Thanks everyone for the responses, you guys pointed me in the right direction. I dug through the logs and found clock skew errors. Turns out clients were pointed to the domain controllers for NTP, clean access wasn't. Pointed clean access to our servers and immediately most users started SSO'ing. I've got a few strays that still aren't, I'm going to check their system times to see if that's what is amiss.
Justin

________________________________
From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On Behalf Of Paul Sedy
Sent: Tuesday, July 15, 2008 9:20 AM
To: [email protected]
Subject: Re: SSO Working Intermittently?

We have seen SSO behave somewhat sporadically in the past; particularly over wireless. Initially, the system was configured with only one domain controller for authentication. After adding a couple more domain controllers, things seemed to improve significantly.

R. Paul Sedy, MCSE
Network Manager
Computer Services
The Master's College
[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>
661.362.2340

From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On Behalf Of Hennessey, Sean
Sent: Tuesday, July 15, 2008 8:54 AM
To: [email protected]
Subject: Re: SSO Working Intermittently?

That's been the same experience here. SSO is actually one of the few functions (praying I don't put a kuna hura on myself with this statement) of CCA that I haven't had to fight major battles with. Are you using a decent NST set up or are most of the clients managing their time settings themselves?

- Sean
----
Sean Hennessey
Networking and Information Security Systems Administrator
The University of Portland

From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Evans
Sent: Tuesday, July 15, 2008 5:54 AM
To: [email protected]
Subject: Re: SSO Working Intermittently?

Sometimes we have machines that don't do SSO properly. I think 100% of the time it has been due to the time on the machine being more than 5 minutes out of sync with the domain controller. Kerberos requires the time to be within 5 minutes in order to work properly.

Jeremy Wood wrote:

Hey Justin,

I have seen that too on our setup. We have 3 AD Controllers and use SSO for all of our faculty and staff members.
Initially I used only a single controller to handle SSO requests, but when this problem started to become more frequent I moved to a domain level SSO. This seems to have fixed most of the problems, but every so often we have someone fall back to LDAP. The only thing that seems to be constant for us, in this regard, is inconsistency. I'm hoping that with the next release there are a number of little bug fixes like this that really hinder a seamless CCA experience.

Jeremy Wood
Norwich University
