Aaron,
Our setup under Clean Access >> General Setup >> Agent Login requires
the agent for MAC_OSX, but not for MAC_ALL. Then under Clean Access >>
General Setup >> Web Login is where we determine that the MAC_ALL will
add their address to the filters list.
For our Mac OS X clients, we require that they have McAfee Security for
Mac installed and not any previous version of McAfee anti-virus software
(we previously supplied VirusScan and Virex, but both have been replaced
with Security for Mac).
Also, for our configuration I require that the "Network Scanner User
Agreement page" is shown for these web login devices so I can provide a
display of information after they are authenticated.
Dan
Dan Taube
Call Center Supervisor :: Associate IT Support
University Computer Help Desk :: Illinois State University
309-438-8985 [direct] :: 309-438-4357 [support]
[email protected]
On 8/10/2010 12:02 PM, Aaron Abitia wrote:
Bill and Dan,
This means that you're exempting all Macintosh devices, not just your
iPhones and iPads and such, correct? If so, you're cool with that?
Just wondering what the pros/cons of that would be.
-Aaron
On Tue, Aug 10, 2010 at 6:54 AM, Bill Eben <[email protected]> wrote:
We're running inband 4.8. To help with iPhones/iPod touches, we
exempt them (i.e. MAC_ALL) from web logins by having them
automatically added to the MAC filter list. Because we clear
certified devices every 7 days, iPhone users only need to log in
once (per CCA server) per week.
The exempt checkbox is under Device Management -> Clean Access ->
General Setup -> Web Login
Bill
--
Bill Eben
Coordinator, Residential Computing
Kutztown University
610.683.4974
[email protected]
On Aug 9, 2010, at 8:37 PM, Jeremy Wood wrote:
We had some of these same issues with our wireless IB clients.
Disabling the heartbeat timer solved the problem for us. Although
depending on how you're using NAC you might need this (but I honestly
don't know which situations the heartbeat timer solves that aren't
solved by another feature)
--Jeremy
On Mon, Aug 9, 2010 at 19:32, Aaron Abitia <[email protected]> wrote:
We are running inband 4.6.1 but have seen similar things and we have a
case open with Cisco. It's related to the powersave modes of these small
devices and/or the various nuances of how these PDA devices operate and
manage connections...the devices disable the wireless card to save power
if idle, for example, so when they do that, CCA sees that as a log off,
and when they wake up, it makes them log in again. Cisco said it's
really a client side issue, that is, the user shouldn't let the device
go idle and disable the wifi in the process, so it's also a user
behavior issue too. We are still pushing to see what else Cisco knows.
We are looking at the various timers, and in particular under "User
Management" --> "User Roles" --> "Schedule" --> "Heartbeat Timer".
According to Cisco, there's 3 timers to work with: Session Timer,
Heartbeat Timer, Certified Device Timer. In particular, configuring the
Heartbeat Timer will boot the PDA user's connection for good at the 30
min mark if you've got that set for 30 min, or whatever time you choose,
but we're not sure if that means that if the user goes idle and CCA
doesn't see them as logging off (for whatever reason), then it actually
preserves that session, which is what we'd want, thus keeping the users
from having to log in over and over in a day because their device goes
idle while they are doing something else.
When it comes to session issues like this, you also have to consider
what you have available in your DHCP pool...if you want to allow
sessions to stay open, that could impact the number of DHCP leases you
have available for other users.
Don't know if this helps at all, but good luck.
-Aaron
On Mon, Aug 9, 2010 at 2:24 PM, Branden Kirk <[email protected]> wrote:
We just started using NAC 4.8 Out-of-band Virtual Gateway and applied
NAC to our encrypted SSID running on WCS/WLC 6.0 with 1142/1131 LWAPs.
This is our first use off NAC 4.1 and also deploying OOB. We seem to
have a problem, especially on mobile devices like the iPhone, where each
session is requiring the device to re-auth regardless of being on the
CDL. Creating a device filter as a workaround works. I'm having trouble
finding the root issue as it seems not all users of the same device type
have the issue. For instance, I have an iPhone 4 user who gets locked in
a Safari page titled "Log In" showing the apple.com site, but none of
that behavior on another iPhone 4. Re-auth and page re-direction seems
to happen more for some iPhone 3GS users than others.
I've seen my MacBook re-auth me after waking from sleep last week, but
today none of the behavior exists. We have had the OOB port profile
option "Change to Access VLAN if the device is certified but not in the
out-of-band user list" set this whole time but have still had this issue
on wireless. None of the disconnect options for port profile are
enabled.
Any ideas? Anyone encounter an issue similar to this experience or know
what the root cause/solution could be? I'm making a TAC case, but
thought I'd hit this list as well.
Thanks in advance.
--
Branden Kirk
Network Administrator, IT Operations
Biola University
(562)944-0351 x5032
--
Aaron Abitia
Network Analyst
Network Administration, ITS
Cal Poly State University
Tel: 805.756.1295