Bill and Dan,

This means that you're exempting all Macintosh devices, not just your iPhones and iPads and such, correct? If so, you're cool with that? Just wondering what the pros/cons of that would be.

-Aaron

On Tue, Aug 10, 2010 at 6:54 AM, Bill Eben <[email protected]> wrote:

> We're running inband 4.8. To help with iPhones/iPod touches, we exempt them
> (i.e. MAC_ALL) from web logins by having them automatically added to the MAC
> filter list. Because we clear certified devices every 7 days, iPhone users
> only need to log in once (per CCA server) per week.
>
> The exempt checkbox is under Device Management -> Clean Access -> General
> Setup -> Web Login
>
> Bill
> --
> Bill Eben
> Coordinator, Residential Computing
> Kutztown University
> 610.683.4974
> [email protected]
>
>
> On Aug 9, 2010, at 8:37 PM, Jeremy Wood wrote:
>
>> We had some of these same issues with our wireless IB clients.
>> Disabling the heartbeat timer solved the problem for us. Although
>> depending on how you're using NAC you might need this (but I honestly
>> don't know which situations the heartbeat timer solves that aren't
>> solved by another feature)
>>
>> --Jeremy
>>
>> On Mon, Aug 9, 2010 at 19:32, Aaron Abitia <[email protected]> wrote:
>>
>>> We are running inband 4.6.1 but have seen similar things and we have a
>>> case open with Cisco. It's related to the powersave modes of these small
>>> devices and/or the various nuances of how these PDA devices operate and
>>> manage connections...the devices disable the wireless card to save power
>>> if idle, for example, so when they do that, CCA sees that as a log off,
>>> and when they wake up, it makes them log in again. Cisco said it's really
>>> a client side issue, that is, the user shouldn't let the device go idle
>>> and disable the wifi in the process, so it's also a user behavior issue
>>> too. We are still pushing to see what else Cisco knows.
>>>
>>> We are looking at the various timers, and in particular under "User
>>> Management" --> "User Roles" --> "Schedule" --> "Heartbeat Timer".
>>> According to Cisco, there's 3 timers to work with: Session Timer,
>>> Heartbeat Timer, Certified Device Timer. In particular, configuring the
>>> Heartbeat Timer will boot the PDA user's connection for good at the 30
>>> min mark if you've got that set for 30 min, or whatever time you choose,
>>> but we're not sure if that means that if the user goes idle and CCA
>>> doesn't see them as logging off (for whatever reason), then it actually
>>> preserves that session, which is what we'd want, thus keeping the users
>>> from having to log in over and over in a day because their device goes
>>> idle while they are doing something else.
>>>
>>> When it comes to session issues like this, you also have to consider what
>>> you have available in your DHCP pool...if you want to allow sessions to
>>> stay open, that could impact the number of DHCP leases you have available
>>> for other users.
>>>
>>> Don't know if this helps at all, but good luck.
>>>
>>> -Aaron
>>>
>>>
>>> On Mon, Aug 9, 2010 at 2:24 PM, Branden Kirk <[email protected]> wrote:
>>>
>>>> We just started using NAC 4.8 Out-of-band Virtual Gateway and applied
>>>> NAC to our encrypted SSID running on WCS/WLC 6.0 with 1142/1131 LWAPs.
>>>> This is our first use off NAC 4.1 and also deploying OOB. We seem to
>>>> have a problem, especially on mobile devices like the iPhone, where each
>>>> session is requiring the device to re-auth regardless of being on the
>>>> CDL. Creating a device filter as a workaround works. I'm having trouble
>>>> finding the root issue as it seems not all users of the same device type
>>>> have the issue. For instance, I have an iPhone 4 user who gets locked in
>>>> a Safari page titled "Log In" showing the apple.com site, but none of
>>>> that behavior on another iPhone 4. Re-auth and page re-direction seems
>>>> to happen more for some iPhone 3GS users than others. I've seen my
>>>> MacBook re-auth me after waking from sleep last week, but today none of
>>>> the behavior exists. We have had the OOB port profile option "Change to
>>>> Access VLAN if the device is certified but not in the out-of-band user
>>>> list" set this whole time but have still had this issue on wireless.
>>>> None of the disconnect options for port profile are enabled.
>>>>
>>>> Any ideas? Anyone encounter an issue similar to this experience or know
>>>> what the root cause/solution could be? I'm making a TAC case, but
>>>> thought I'd hit this list as well.
>>>>
>>>> Thanks in advance.
>>>>
>>>> --
>>>> Branden Kirk
>>>> Network Administrator, IT Operations
>>>> Biola University
>>>> (562)944-0351 x5032
>>>>
>>>
>>> --
>>> Aaron Abitia
>>> Network Analyst
>>> Network Administration, ITS
>>> Cal Poly State University
>>> Tel: 805.756.1295
>>>

--
Aaron Abitia
Network Analyst
Network Administration, ITS
Cal Poly State University
Tel: 805.756.1295
