How exactly would you do that? Turn off the wired port? Disassociate
them from the AP? I'm not sure this is a problem that CCA can solve. I
think your best solution to prevent this is at the authentication
provider, where you can lock the account after a certain number of
attempts, or throttle repeat authentication attempts for the same account.
Personally, I am more concerned that Cisco has said that unauthenticated
users will count against your license, so if you have an open AP, or
wired ports in an open area, you could be subjected to what is
effectively a denial of service attack of too many unauthenticated
computers at one time. I haven't played with it yet, but it's possible
that an ARP spoofing program could also accomplish the same result, at
least for in-band.
Michael Grinnell
Information Security Engineer
The American University
Don Click wrote:
Interesting. I don't think Clean Access would have helped much anyway - since
it would have quarantined the user on wireless, not wired.
I agree that if a user is associated to an AP, but not attempting to
authenticate, there should be some mechanism either in the APs (not likely) or
in CCA that, after a period of time, drops/blocks/moves the user.
I'm actually going to have to think about this one, as I am about to start
looking at configuring our CCA solution for OOB Wireless/Wired. (Currently, we
use in-band for VPN access only.)
From: Cisco Clean Access Users and Administrators
[mailto:[email protected]] On Behalf Of Speight, Howard
Sent: Thursday, February 19, 2009 8:24 AM
To: [email protected]
Subject: Re: Session Timer
Question - Are you using clean access for both WIRED and Wireless?
Only in the Residence Halls
If it's only on wireless, what security do you enforce on the wired LAN?
Group policy and logon scripts for Domain machines, filters on router and
switch interfaces.
From: Cisco Clean Access Users and Administrators
[mailto:[email protected]] On Behalf Of Speight, Howard
Sent: Wednesday, February 18, 2009 2:36 PM
To: [email protected]
Subject: Re: Session Timer
That makes sense, then there is no reason to set that timer...
Food for thought...
We had an unauthenticated client machine on the wireless network, using wired,
but associated with an AP and holding a DHCP IP address. For hours that machine
was conducting little raids here and there trying to compromise user accounts.
Once blocked in the Filters, activity ceased. What I was trying to accomplish
was if the client machine was holding an IP but not authenticating, I wanted to
send them to Quarantine or anywhere after ten minutes. How were they able to
conduct the raids, the authentication ports are open to the AD controllers in
the Unauthenticated Role...
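The pattern Howard describes (one host holding a DHCP lease in the Unauthenticated Role and working through many user accounts against the AD controllers that the role leaves reachable) is easy to spot on the authentication side, which is where the thread suggests the control belongs. The following is an added example, not code from the thread or from Cisco Clean Access: it reads constructed failed-logon records and flags any source in an assumed unauthenticated DHCP scope whose failures span many distinct accounts inside a short window, while ignoring a single user mistyping one password.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of failed domain logons as (time, source IP, account).
# All addresses and account names here are made up for this example.
SAMPLE_FAILURES = [
    ("2009-02-18 09:00:05", "10.50.1.23", "jsmith"),
    ("2009-02-18 09:00:09", "10.50.1.23", "mjones"),
    ("2009-02-18 09:00:14", "10.50.1.23", "abrown"),
    ("2009-02-18 09:00:20", "10.50.1.23", "kwhite"),
    ("2009-02-18 09:00:31", "10.50.1.23", "rgreen"),
    ("2009-02-18 09:03:00", "10.50.1.23", "tblack"),
    ("2009-02-18 09:02:10", "10.20.5.7", "jsmith"),  # one staff host, one account
    ("2009-02-18 09:02:40", "10.20.5.7", "jsmith"),
]

# Assumed: the DHCP scope CCA hands to hosts still sitting in the Unauthenticated Role.
UNAUTH_SCOPE = ip_network("10.50.0.0/16")


def flag_unauth_sprayers(failures, scope=UNAUTH_SCOPE,
                         window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted account list} for hosts inside `scope` whose
    failed logons cover at least `min_accounts` distinct accounts within any
    `window`.  Repeated failures against one account are not flagged here;
    that case is what per-account lockout or throttling already handles."""
    by_src = defaultdict(list)
    for ts, src, acct in failures:
        if ip_address(src) in scope:
            by_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct accounts hit in the window that opens at this event.
            accts = {a for t, a in events[i:] if t - start <= window}
            if len(accts) >= min_accounts:
                flagged[src] = sorted(accts)
                break
    return flagged


if __name__ == "__main__":
    for src, accts in flag_unauth_sprayers(SAMPLE_FAILURES).items():
        print(f"{src}: {len(accts)} accounts in window -> candidate for the CCA filter block")
```

The flagged address is the one to add to the Filters, as was done in the thread; the example only reports, it does not change any CCA configuration.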
From: Cisco Clean Access Users and Administrators
[mailto:[email protected]] On Behalf Of Jim Thomas
Sent: Wednesday, February 18, 2009 14:20
To: [email protected]
Subject: Re: Session Timer
Unauthenticated Role, it's a loop and es no bueno.
Thanks
Jim
Jim Thomas
Area Networks, Inc.
CCIE Security #16674
CCSP,CCNP,CCDP
[email protected]
Office: 650-242-8050
Cell: 916-342-2265
-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[email protected]] On Behalf Of Speight, Howard
Sent: Wednesday, February 18, 2009 1:38 PM
To: [email protected]
Subject: Session Timer
Let's say the Session Timer is set for ten minutes on the Unauthenticated Role
and the user does not authenticate within that ten minute period, where does
the user go?
Thanks, Howard