Re: Windows Updates and Cisco Clean Access

[Charlie Prothero <Charlie.Prothero () KEYSTONE EDU>]

Martin,

We have the same product, and I think we got around this by allowing 8
minutes of network access for machines that fail scanning.  This gives
enough time to download OS & AV updates before the system kills the
connection, necessitating a reboot or re-login (sorry, I can't recall
the specifics).

- Charlie.

-----Original Message-----
From: Flagg, Martin D. [mailto:FlaggMD () HIRAM EDU] 
Sent: Thursday, July 14, 2005 2:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Windows Updates and Cisco Clean Access

 
We are implementing Cisco Clean Access (formally Perfigo).  It has gone
really well but we keep coming up with problems with Windows Update, it
fails because CCA is blocking the IP.  When this happens, I use a
sniffer and add the new IP address that Microsoft is using and then it
works, until they change address's again.  Cisco says use the Host
setting allowing requests that end in "update.microsoft.com".  This does
not always work.

I am really at a loss because it works for 95% of the machines but I can
not afford to have 5% of the students in my office when they get back
from the summer.

Any Ideas?

Martin Flagg
Hiram College