Cisco Clean Access Woes

In August, we implemented Cisco Clean Access (also known as Network Access Control) in order to limit the school wireless network to known users and to scan desktop computers for a running antivirus product and the latest OS patches. Unfortunately, our implementation has hit a few snags, to the point where most of our user population is pretty cynical about the impact of Clean Access on their ability to work and about the supposed benefits it brings.

We currently have the following concerns about our implementation of Clean Access.

  • It’s mid-December and Cisco has not yet released a Leopard-compatible agent.
  • CCA login times vary from a few seconds to several minutes.
  • The current agent is not dual-NIC aware, trying to authenticate users against the secondary connection.
  • The Windows client often crashes, requiring a reboot before the user may log in.
  • One or two users per day end up in the temporary role for reasons unknown.
  • The agent often becomes unresponsive when a user switches VLANs.
  • A new patch that came out in September was incompatible with Ad-Aware 2007 and booted half our user base from the network.

How has Clean Access been for you? Are these typical problems, or do we have a unique situation?

Update 1/8/2008: We successfully installed a secure certificate and upgraded the server and agent to new versions (4.1.3.0 on the Mac). First tests show improvement in client behavior. We are looking forward to further testing with real users to see how many of our issues the new client software solves.

Update 1/10/2008: I have the new CCAAgent 4.1.3.0 running on Leopard. We noticed right away a processor utilization issue — CCAAgent was using 100% of the processor every few seconds, not good for laptops trying to conserve battery power during a long school day. Cisco sent the following fix.

First, create a preference.plist file for yourself: in the Finder, select CCAAgent in Applications, choose Show Package Contents, and copy Resources/setting.plist to ~/Library/Application Support/Cisco Systems/CCAAgent/, renaming the copy preference.plist. Create these folders if they don't exist.

Run the following command in Terminal (all on one line; the quotes must be plain straight quotes, not the curly quotes a web page or word processor may substitute):
osascript -e 'tell application "System Events"' -e 'set thePListPath to "~/Library/Application Support/Cisco Systems/CCAAgent/preference.plist"' -e 'tell property list file thePListPath' -e 'tell contents' -e 'set previousValue to value' -e 'set value to ({|VlanDetectInterval|:"0"} & previousValue)' -e 'end tell' -e 'end tell' -e 'end tell'

This turns off automatic VLAN detection in the Clean Access agent, which solves the processor utilization problem.
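The same two steps (copy the bundled setting.plist to the per-user preference.plist, then force VlanDetectInterval to the string "0") can be done in one script without AppleScript. The following is an added example, not Cisco's fix and not code from the original post; it uses Python's standard-library plistlib. The bundle and preference paths are the ones the post names (the bundle path assumes the usual Contents/Resources layout), the sample setting.plist content and the DiscoveryHost key in it are constructed for the demo, and the real file's other keys are not documented in the post. Keep in mind that the whole point of the change is that the agent stops polling for VLAN changes, so a move to a new VLAN is no longer noticed automatically.

```python
"""Create ~/Library/Application Support/Cisco Systems/CCAAgent/preference.plist
from the agent's bundled setting.plist, with VlanDetectInterval forced to "0".

Added example, not Cisco's script. It reproduces the two manual steps from the
post (copy setting.plist to preference.plist, then prepend VlanDetectInterval:"0")
with plistlib instead of osascript.
"""
import plistlib
import tempfile
from pathlib import Path

# Paths from the post. The per-user preference path is the post's; the bundle
# path assumes the usual Contents/Resources layout of a .app package.
BUNDLED_SETTINGS = Path("/Applications/CCAAgent.app/Contents/Resources/setting.plist")
USER_PREFERENCE = (
    Path.home() / "Library" / "Application Support" / "Cisco Systems" / "CCAAgent" / "preference.plist"
)


def disable_vlan_detection(settings: dict) -> dict:
    """Return a copy of the agent settings with VlanDetectInterval set to "0".

    The AppleScript in the post builds {VlanDetectInterval:"0"} & previousValue;
    in AppleScript record concatenation the left-hand record wins on duplicate
    keys, so the net effect is "set the key to the string "0", keep everything
    else". The value is the string "0", not the integer 0, matching the post.
    """
    updated = dict(settings)
    updated["VlanDetectInterval"] = "0"
    return updated


def write_preference(src: Path = BUNDLED_SETTINGS, dst: Path = USER_PREFERENCE) -> dict:
    """Copy src to dst (creating parent folders) with VLAN detection disabled.

    Returns the dictionary that was written so callers can verify it.
    """
    with src.open("rb") as fp:
        settings = plistlib.load(fp)
    if not isinstance(settings, dict):
        raise ValueError(f"{src} is not a dictionary plist")
    updated = disable_vlan_detection(settings)
    dst.parent.mkdir(parents=True, exist_ok=True)
    with dst.open("wb") as fp:
        plistlib.dump(updated, fp)
    return updated


# Constructed sample of what setting.plist might contain. DiscoveryHost is a
# made-up key for the demo; only VlanDetectInterval is named in the post.
SAMPLE_SETTINGS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>VlanDetectInterval</key>
    <string>5</string>
    <key>DiscoveryHost</key>
    <string>cca.example.edu</string>
</dict>
</plist>
"""


def demo() -> dict:
    """Run the conversion on the constructed sample in a scratch directory
    and return what ended up on disk in preference.plist."""
    with tempfile.TemporaryDirectory() as d:
        tmpdir = Path(d)
        src = tmpdir / "setting.plist"
        dst = tmpdir / "Cisco Systems" / "CCAAgent" / "preference.plist"
        src.write_bytes(SAMPLE_SETTINGS_XML)
        write_preference(src, dst)
        with dst.open("rb") as fp:
            return plistlib.load(fp)


if __name__ == "__main__":
    # demo() exercises the logic on the sample; calling write_preference()
    # with no arguments does the real thing on a Mac with the agent installed.
    print(demo())
```

On a machine with the agent installed, `write_preference()` with its defaults performs the actual copy; `demo()` only proves the key rewrite on the constructed sample.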

Update 3/27/2008: You can package the above into an executable AppleScript. Look closely — the shell command above is just osascript executing AppleScript!

3 comments

  1. cca says:

    Please check the new 4.1.3 version released on Friday. It has Leopard support and is multi-NIC aware. The other issues seem like bugs, possibly resolved in 4.1.3. Would recommend opening a TAC case.

  2. Trevor says:

    So does this mean you guys will be installing the server-side of 4.1.3 soon?

  3. rkassissieh says:

    Yes, tomorrow afternoon.

    Richard