Bill and Dan,
This means that you're exempting all Macintosh devices, not just
your iPhones and iPads and such, correct? If so, you're cool with
that? Just wondering what the pros/cons of that would be.
-Aaron
On Tue, Aug 10, 2010 at 6:54 AM, Bill Eben <[email protected]> wrote:
We're running inband 4.8. To help with iPhones/iPod touches, we
exempt them (i.e. MAC_ALL) from web logins by having them
automatically added to the MAC filter list. Because we clear
certified devices every 7 days, iPhone users only need to log in
once (per CCA server) per week.
The exempt checkbox is under Device Management -> Clean Access ->
General Setup -> Web Login
Bill
--
Bill Eben
Coordinator, Residential Computing
Kutztown University
610.683.4974
[email protected]
On Aug 9, 2010, at 8:37 PM, Jeremy Wood wrote:
We had some of these same issues with our wireless IB clients.
Disabling the heartbeat timer solved the problem for us. Although
depending on how you're using NAC you might need this (but I honestly
don't know which situations the heartbeat timer solves that aren't
solved by another feature).
--Jeremy
On Mon, Aug 9, 2010 at 19:32, Aaron Abitia <[email protected]> wrote:
We are running inband 4.6.1 but have seen similar things and we have a
case open with Cisco. It's related to the powersave modes of these
small devices and/or the various nuances of how these PDA devices
operate and manage connections...the devices disable the wireless card
to save power if idle, for example, so when they do that, CCA sees that
as a log off, and when they wake up, it makes them log in again. Cisco
said it's really a client side issue, that is, the user shouldn't let
the device go idle and disable the wifi in the process, so it's also a
user behavior issue too. We are still pushing to see what else Cisco
knows.
We are looking at the various timers, and in particular under "User
Management" --> "User Roles" --> "Schedule" --> "Heartbeat Timer".
According to Cisco, there's 3 timers to work with: Session Timer,
Heartbeat Timer, Certified Device Timer. In particular, configuring the
Heartbeat Timer will boot the PDA user's connection for good at the 30
min mark if you've got that set for 30 min, or whatever time you
choose, but we're not sure if that means that if the user goes idle and
CCA doesn't see them as logging off (for whatever reason), then it
actually preserves that session, which is what we'd want, thus keeping
the users from having to log in over and over in a day because their
device goes idle while they are doing something else.
When it comes to session issues like this, you also have to consider
what you have available in your DHCP pool...if you want to allow
sessions to stay open, that could impact the number of DHCP leases you
have available for other users.
Don't know if this helps at all, but good luck.
-Aaron
On Mon, Aug 9, 2010 at 2:24 PM, Branden Kirk <[email protected]> wrote:
We just started using NAC 4.8 Out-of-band Virtual Gateway and applied
NAC to our encrypted SSID running on WCS/WLC 6.0 with 1142/1131 LWAPs.
This is our first use off NAC 4.1 and also deploying OOB. We seem to
have a problem, especially on mobile devices like the iPhone, where
each session is requiring the device to re-auth regardless of being on
the CDL. Creating a device filter as a workaround works. I'm having
trouble finding the root issue as it seems not all users of the same
device type have the issue. For instance, I have an iPhone 4 user who
gets locked in a Safari page titled "Log In" showing the apple.com
site, but none of that behavior on another iPhone 4. Re-auth and page
re-direction seems to happen more for some iPhone 3GS users than
others.
I've seen my MacBook re-auth me after waking from sleep last week, but
today none of the behavior exists. We have had the OOB port profile
option "Change to Access VLAN if the device is certified but not in the
out-of-band user list" set this whole time but have still had this
issue on wireless. None of the disconnect options for port profile are
enabled.
Any ideas? Anyone encounter an issue similar to this experience or know
what the root cause/solution could be? I'm making a TAC case, but
thought I'd hit this list as well.
Thanks in advance.
--
Branden Kirk
Network Administrator, IT Operations
Biola University
(562)944-0351 x5032
--
Aaron Abitia
Network Analyst
Network Administration, ITS
Cal Poly State University
Tel: 805.756.1295