> Learned this one the hard way back when Welchia was a going concern for a virus.
> Windows login process pings all DCs that it knows about. The round trip time of the ICMP packet is part of the selection process for DC selection. Windows logon process assumption is no ping, no logon server available.

I had observed the ping and did not know why it was doing that, thanks for the additional info. Having said that, there is still an issue either with Clean Access or AD, because just allowing pings to the server isn't enough, you have to allow ALL ICMP for Clean Access to work. I don't know if that's because Clean Access is broken in the way it handles ICMP or if some other weird ICMP based process is taking place for AD. If you have more details about this process, I would be grateful to hear them. Of course allowing unproxied full ICMP access to your DCs kind of begs the question of what NAC is for... but that's another topic altogether.

Thanks again,
Dan S.

PS Is anyone out there doing device filtering with MAC address/IP address combinations? Mine ignores IP addresses completely and Cisco is telling me that despite the documentation, which says it can be done based on IP AND MAC (even on the setup screen!), this is "by design". I desperately need help on this one.
