> We are a medium commercial business, and currently trying to deploy NAC in our environment. We are running into various issues, mainly due to the fact that users do not want anything to interfere with the work. Things like having to wait until the CCA completes its validation checks before they can start any applications is causing a headache. Also the fact that users sometimes have their wireless enabled when they connect to their docks and the CCA cannot connect to the CAM causes an issue, and a reboot is required. (We don't want the user to see the icon, so we removed it, thus they cannot stop & start the agent themselves, thus the reboot.) There are other small issues, but to a user it is big. We are afraid that this will not go over well with the population, but at the same time we want the security of what NAC can provide. So if anyone in a similar situation has any ideas to make this go more smoothly, it would be helpful.
>
> Thank you
>
> David Maas
> Sr. Security Engineer
> Merkle Inc
The connectivity to the CAM should be resolvable if you configure your VLANs properly and have some type of routing device available. Clean Access does some weird stuff to Ethernet to work right, and a proper topology is critical. Check the click router tables on the Clean Access units; there used to be a bug that broke Clean Access (don't ask how I know, just trust me), but the current version resolves that. Connectivity, when properly set up, does work. Finding the proper topology for your environment to support it, however, can be a real journey of personal discovery.

For the wireless part, we are looking for a utility to sense a wired connection and turn off wireless when it is connected. My Toshiba Portege does this automatically; my Dell Inspirons don't.

As to your issue of starting applications, there is one answer, but IMHO it sucks and we WON'T do it here. You allow access, rather than deny it, during the Clean Access validation, thereafter removing any unqualified machines to quarantine. This gives hackers about two minutes or so of access each time they connect. Not OK. This is also the only way to have login scripts work normally.

We are using a script (compiled to EXE format) that runs from the Startup folder automatically to run the login script later in the process, after validation, allowing the first attempt to fail. The script also stops and then restarts file synchronization. This is only a so-so solution. I was going to have the stub agent launch the script as part of remediation, but Cisco nailed me there too. Everything the stub agent runs for non-admin users seems to run with the SYSTEM user's credentials. That means that drive mappings, or any other activity, are done for user SYSTEM, not the logged-in user. This leads to the curious situation where a user sees all network drives as disconnected, but they cannot be remapped by the user (error 53), and oddly, when you click on them in Windows, they work. However, any application or automation that references them will almost certainly fail, since they are reported as disconnected for the user (some guy named SYSTEM has already mapped those drives, so you can't). The Cisco solution for the moment is to use a fairly lame mechanism involving two scripts and allowing unvalidated machines access to the SYSVOL share. I have heard there are supposed to be some fixes in an upcoming release for this issue. BTW, the guys at TAC were incredibly patient and persistent in helping me ascertain this information.

It sounds like you can resolve your issues, but it may take some doing. The manual is incredibly unhelpful on the topology issue; it seems contradictory or, at best, muddled. I would suggest calling TAC, but you may need to be REALLY insistent that you are NOT going to reconfigure your entire network for this, you just need them to make it work for you. They are quite ingenious at getting it going. I also finally broke down and took the CANAC class. It was really helpful; I had a good instructor, and seeing the other people in the class have their labs blow up the way my test system at work did was most instructive. There are workarounds for most issues, and a class can really help you find them.

Sorry for the long post, but there are big issues with Clean Access in the corporate environment and I wanted to let you know you are not alone, and that the issues are resolvable.

Cheers,

Daniel Sichel, CCNP, MCSE, MCSA, MCTS (Windows 2008)
Network Engineer
Ponderosa Telephone
(559) 868-6367
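Editor's note, added example (not Daniel's script and not anything Cisco ships): the "utility to sense a wired connection and turn off wireless" he is looking for can be done with the NetAdapter cmdlets on Windows 8 / Server 2012 and later. The script below polls link state, disables every physical 802.11 adapter while an Ethernet adapter reports an Up link, and re-enables it once the cable is unplugged, so the Clean Access Agent only ever has the wired path to the CAM. It needs an elevated session; the poll interval is an assumed value.

```powershell
# Added example: keep Wi-Fi off while a wired link is up, bring it back when the link drops.
# Assumes Windows 8 / Server 2012 or later (NetAdapter module) and an elevated session.
#Requires -RunAsAdministrator

$PollSeconds = 10   # assumption: how often to re-check link state

function Get-WiredLinkUp {
    # Physical Ethernet adapters (802.3) that currently report a connected link
    Get-NetAdapter -Physical | Where-Object {
        $_.PhysicalMediaType -eq '802.3' -and $_.Status -eq 'Up'
    }
}

function Get-WirelessAdapter {
    # Physical 802.11 adapters, whatever their current state (Up, Disconnected, Disabled)
    Get-NetAdapter -Physical | Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' }
}

function Sync-WirelessState {
    # Disable Wi-Fi when any wired link is up; re-enable it when no wired link remains.
    $wired = @(Get-WiredLinkUp)
    foreach ($wifi in Get-WirelessAdapter) {
        if ($wired.Count -gt 0 -and $wifi.Status -ne 'Disabled') {
            Write-Host "Wired link on $($wired[0].Name); disabling $($wifi.Name)"
            Disable-NetAdapter -Name $wifi.Name -Confirm:$false
        }
        elseif ($wired.Count -eq 0 -and $wifi.Status -eq 'Disabled') {
            Write-Host "No wired link; re-enabling $($wifi.Name)"
            Enable-NetAdapter -Name $wifi.Name -Confirm:$false
        }
    }
}

# Run forever, e.g. from a scheduled task triggered at startup; Ctrl-C stops it when run by hand.
while ($true) {
    Sync-WirelessState
    Start-Sleep -Seconds $PollSeconds
}
```

Run it as a scheduled task with "Run whether user is logged on or not" under an account that has local admin, since Disable-NetAdapter and Enable-NetAdapter need it; if users must never see the agent icon, this is also the place to log the adapter switches so the helpdesk can tell a NAC stall from a dead dock.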
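Editor's note, a second added example (again not the poster's compiled EXE, and not Cisco's two-script SYSVOL workaround): the "run the login script later, after validation, and let the first attempt fail" approach from the reply, written as a PowerShell script for the user's Startup folder. It refuses to run as SYSTEM, which is exactly the trap described with the stub agent (drives mapped by SYSTEM show as disconnected and cannot be remapped by the user), waits until the domain's SYSVOL share answers, which it cannot do while the machine is still unvalidated or quarantined, and only then runs the logon script in the interactive user's own context. The logon script path, the timeout and the poll interval are placeholders.

```powershell
# Added example: re-run the domain logon script only after Clean Access validation has completed,
# and only as the interactive user (never as SYSTEM).
# Assumed: a domain-joined Windows client; $LogonScript, timeout and poll interval are placeholders.
param(
    [string]$Domain         = $env:USERDNSDOMAIN,
    [string]$LogonScript    = "\\$env:USERDNSDOMAIN\NETLOGON\logon.bat",  # assumption
    [int]   $TimeoutSeconds = 300,                                          # assumption
    [int]   $PollSeconds    = 5                                             # assumption
)

function Test-InteractiveUser {
    # Anything mapped by SYSTEM belongs to SYSTEM, so the script must run as the logged-in user.
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    return ($me -ne 'NT AUTHORITY\SYSTEM')
}

function Wait-ForDomain {
    param([string]$Domain, [int]$TimeoutSeconds, [int]$PollSeconds)
    # SYSVOL is unreachable until the client has been validated and moved to its access VLAN,
    # so poll it instead of guessing how long the agent's checks will take.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (Test-Path "\\$Domain\SYSVOL") { return $true }
        Start-Sleep -Seconds $PollSeconds
    }
    return $false
}

function Invoke-LogonScript {
    param([string]$Path)
    # Run through cmd.exe so a .bat/.cmd logon script behaves exactly as it does at a normal logon;
    # drive mappings it creates land in this (interactive) user's session.
    $p = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$Path`"" `
                       -Wait -PassThru -WindowStyle Hidden
    return $p.ExitCode
}

if (-not (Test-InteractiveUser)) {
    Write-Warning 'Running as SYSTEM; drive mappings would belong to SYSTEM, not the user. Aborting.'
    exit 1
}
if (-not (Wait-ForDomain -Domain $Domain -TimeoutSeconds $TimeoutSeconds -PollSeconds $PollSeconds)) {
    Write-Warning "Domain $Domain not reachable after $TimeoutSeconds s; validation may have failed."
    exit 2
}
$rc = Invoke-LogonScript -Path $LogonScript
Write-Host "Logon script finished with exit code $rc"
exit $rc
```

Because it runs from the Startup folder rather than from the agent's remediation step, it carries the interactive user's token, which is the whole point; if you ever move it into the agent, re-check the identity it reports before trusting the drive mappings.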
