We just thought of something: won't we have a problem with DHCP renewals
once authentication is passed and the PROD vlan is set on the user port
without the use of the webclient on OSX?  We don't currently have a
widespread issue by not enabling the "Use web client to release and renew
IP address when necessary (OOB)" option, but from what we remember from our
tests, we may have shown that not using the webclient broke the user
experience b/c of the need to renew.  Unfortunately, we don't have a test
environment where we can try all this out before our live-fire change later
tonight.

What are other schools seeing on their OSX clients?

--Homer Manila, CISSP
Information Security Engineer
Office of Information Technology
American University
202-885-2209

* AU IT will never ask for your password via e-mail.
* Don't share your password with anyone!



From:   Homer Manila <[email protected]>
To:     [email protected]
Date:   08/13/2010 09:28 AM
Subject:        Re: OSX Java issues with weblogin
Sent by:        Cisco Clean Access Users and Administrators
            <[email protected]>



Yeah, that's what we're planning on doing tonight, Bob; we heard the same
advice from Cisco. We'll also be creating a MAC_OSX userpage to
specifically not use the Java webclient for logins on OSX machines, since
we don't use the agent currently and don't have any requirements beyond
authentication. We expect that these changes, along with the iPad patch,
should clear up most of our Java concerns on Apple devices for now.

--Homer Manila, CISSP
Information Security Engineer
Office of Information Technology
American University
202-885-2209



From: "Biddle, Rob" <[email protected]>
To: [email protected]
Date: 08/12/2010 12:00 PM
Subject: Re: OSX Java issues with weblogin
Sent by: Cisco Clean Access Users and Administrators
<[email protected]>



Homer,


Create a new Login Page, select MAC_ALL as the Operating System and uncheck
the “Use web client to detect client MAC address and Operating System”
checkbox.


Move the new Login Page up the list so that it is above the one that
applies to ALL.


As long as you set the Default Provider for the Login Page the same for
both pages then users will still be authenticated just as before. The only
difference will be that the Mac users will have their OS version determined
by browser agent detection instead of using the web agent detection.


_____________________________


Rob Biddle


Network Systems Engineer / Administrator


College of Mount St. Joseph


From: Cisco Clean Access Users and Administrators
[mailto:[email protected]] On Behalf Of Homer Manila
Sent: Thursday, August 12, 2010 11:46 AM
To: [email protected]
Subject: Re: OSX Java issues with weblogin


Dan,

We currently only have one user page for the whole user community, and yes,
the web client is enabled for it. Are you suggesting we turn off the web
client for problematic OSes? Doesn't that mean we'd have to disable the
login page for those devices, and preclude authentication?

--Homer Manila, CISSP
Information Security Engineer
Office of Information Technology
American University
202-885-2209



From: Dan Taube <[email protected]>
To: [email protected]
Date: 08/11/2010 04:13 PM
Subject: Re: OSX Java issues with weblogin
Sent by: Cisco Clean Access Users and Administrators
<[email protected]>








Homer,

Do you have the web client enabled for your user page?

For example, our users that are put into a web login path (iPhones, iPads,
BlackBerry & Android devices, etc.) do not have the web client enabled for
their user pages. This means when the NAC appliance is figuring out what OS
the user has it does not require the Java applet, but rather other means
(browser useragent).

Dan Taube
Call Center Supervisor :: Associate IT Support
University Computer Help Desk :: Illinois State University
309-438-8985 [direct] :: 309-438-4357 [support]
[email protected]

On 8/11/2010 12:50 PM, Homer Manila wrote:
                        We are experiencing random problems on OSX's
                        weblogin. In general, many of our OSX (and iPad)
                        users are unable to login successfully, even when
                        fully up-to-date, java and OSX-wise. We are forced
                        to grant exemptions.

                        We don't mandate any requirements for OSX users
                        except for authentication (through weblogin, we
                        don't push the agent yet), but users will
                        experience one or a combination of the following
                        errors when attempting to do so:
                        * weblogin will work in Firefox, but not in Safari
                        * weblogin will work in Safari, but not Firefox
                        * weblogin page will give out java applet error
                          messages (error that most get)


                        We're on 4.7.2.

                        Anybody else getting this problem?

                        --Homer Manila, CISSP
                        Information Security Engineer
                        Office of Information Technology
                        American University
                        202-885-2209

