Yes, everything went pretty smoothly. That said, we use a very vanilla installation so there's not a lot that could go wrong. We are entirely inband (wireless and wired) and do not use VPN SSO. We do have Windows SSO running, and that's been fine. We're having some issues with the web front end redirecting systems to the capture portal, but that's legacy from before we updated. We'd hoped updating it would solve that problem but so far no...

- Sean

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sean Hennessey, Network Engineer
Network and Information Security Systems Administrator
Office of Technical Support
University of Portland
w: (503) 943 7877, c: (503) 710 6347

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Eric Kenny
Sent: Wednesday, March 11, 2009 1:30 PM
To: [email protected]
Subject: Re: About to upgrade from 4.1.3 to 4.5.1

Thanks Sean,

The upgrade process converted all of your DB schema without any problems? All of your settings remained intact? We are OOB for the wired network and use IB for the wireless with SSO. In particular, I am most worried about the following open caveat:

- VPN SSO login does not work with VPN in managed subnet after upgrade to Cisco NAC Appliance release 4.5

Prior to release 4.5, the Clean Access Server associates the client with the VPN IP address and VPN Concentrator's MAC address after the first login. From there, the SWISS protocol only checks the IP address from the Agent and reports back to the Agent that the client is logged in (regardless of whether the client is connected via Layer 2 or Layer 3). In release 4.5, the SWISS protocol checks the MAC address for Layer 2 clients, but the MAC address reported by the Agent (which is the real client MAC address) is different from the one the CAS gets for the client (the VPN concentrator MAC address). As a result, the SWISS protocol tells the Agent that the client machine is not logged in (due to the different MAC addresses recorded) and the Agent launches the login dialog repeatedly, never able to complete login.

Workaround

Remove the subnet making up the client machine address pool from the collection of managed subnets and create a Layer 3 static route on the CAS untrusted interface (eth1) with the VPN concentrator's IP address as the gateway for the VPN subnet using the CAM web console Device Management > CCA Servers > Manage [CAS_IP] > Advanced > Static Routes page.

/Eric

From: "Hennessey, Sean" <[email protected]>
To: [email protected]
Date: 03/11/09 11:13 AM
Subject: Re: About to upgrade from 4.1.3 to 4.5.1

Hi Eric -

I just did this last Friday, from 4.1.3 to 4.5.1 just like you (though we are inband only), and it went smoothly and simply. Just remember that you have to do the upgrade through the Linux shell (via console or SSH) rather than through the web client and that's about it. The steps are cleanly illustrated in the release notes.

One thing to be aware of, just to save panic, is that you will get a red warning in the GUI when you first launch it after the upgrade warning you about the Perfigo certs. If you are using professionally signed certs, they are still intact; this is just because of a root cert entry in the manager (and on the servers) itself. Learned that from this here list not so long ago... :)

- Sean

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sean Hennessey, Network Engineer
Network and Information Security Systems Administrator
Office of Technical Support
University of Portland
w: (503) 943 7877, c: (503) 710 6347

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Eric Kenny
Sent: Wednesday, March 11, 2009 5:42 AM
To: [email protected]
Subject: About to upgrade from 4.1.3 to 4.5.1

We are about to take the plunge to 4.5.1 in order to resolve some open issues. Has anyone else done this? Have you run into any issues (besides it only running on the Cisco appliance hardware)?
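The VPN SSO caveat quoted in the thread comes down to an identity-binding mismatch: the CAS binds the session to the concentrator's MAC, while the Agent reports the client's real MAC. The model below is an added illustration, not Cisco's SWISS code or anything from the list; it assumes (inferred from the caveat title and the workaround) that a client in a managed subnet is treated as Layer 2 and MAC-checked from 4.5 on, and all addresses in it are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values: a VPN address pool, the concentrator's MAC as seen on
# the CAS untrusted interface, and one client behind the concentrator.
VPN_POOL = "10.20.0.0/24"
CONCENTRATOR_MAC = "00:1b:d4:aa:bb:cc"
CLIENT_IP, CLIENT_MAC = "10.20.0.15", "00:21:5d:11:22:33"


@dataclass
class CasSession:
    """What the CAS recorded at first login: VPN IP plus the MAC it saw (the concentrator's)."""
    ip: str
    mac: str


def swiss_logged_in(version, session, agent_ip, agent_mac, managed_subnets):
    """Model of the SWISS 'is this client logged in?' check answered to the Agent.

    Pre-4.5: IP match only. 4.5+: Layer 2 clients (assumed here to mean clients whose
    subnet is a managed subnet) must also match the MAC bound at login.
    """
    if agent_ip != session.ip:
        return False
    major_minor = tuple(int(x) for x in version.split(".")[:2])
    if major_minor < (4, 5):
        return True
    layer2 = any(ip_address(agent_ip) in ip_network(s) for s in managed_subnets)
    return agent_mac == session.mac if layer2 else True


def outcomes():
    """Same client and session under each release, with and without the workaround."""
    session = CasSession(CLIENT_IP, CONCENTRATOR_MAC)
    return {
        # 4.1.3: only the IP is compared, so the VPN client stays logged in.
        "4.1.3 managed subnet": swiss_logged_in("4.1.3", session, CLIENT_IP, CLIENT_MAC, [VPN_POOL]),
        # 4.5.1 with the pool still managed: MAC mismatch, Agent re-prompts for login.
        "4.5.1 managed subnet": swiss_logged_in("4.5.1", session, CLIENT_IP, CLIENT_MAC, [VPN_POOL]),
        # 4.5.1 after the workaround: pool removed from managed subnets (reached via the
        # static route), so the client is treated as Layer 3 and MAC is not compared.
        "4.5.1 static route": swiss_logged_in("4.5.1", session, CLIENT_IP, CLIENT_MAC, []),
    }


if __name__ == "__main__":
    for case, ok in outcomes().items():
        print(f"{case:22s} -> {'logged in' if ok else 'NOT logged in (login loop)'}")
```

Only the middle case fails, which is the login loop the caveat describes; an Agent still failing after the workaround points to the pool remaining in the managed-subnet list.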
