Re: Windows Updates and Cisco Clean Access

[Michael Grinnell <grinnell () AMERICAN EDU>]

We are currently implementing it at American, but we have not
experienced problems (yet) with the windows updates settings, though
we have experienced problems with several AV vendors that are on the
default allowed list.  Good resources to check with would be the
ResNet forum (RESNET-L () LISTSERV ND EDU) and the Perfigo and
CleanMachines discussion list (PERFIGO () LISTSERV MUOHIO EDU).  If I
remember correctly, there has been some discussion of windows update
problems in the past few days on one or both of those lists.

If you can, please file a bug report with Cisco (I've filed at least
4 in the past two weeks) as their out of the box reliability and
documentation need some serious work.

Michael Grinnell
Network Security Administrator
The American University
e-mail: grinnell () american edu


On Jul 14, 2005, at 2:13 PM, Flagg, Martin D. wrote:

> We are implementing Cisco Clean Access (formally Perfigo).  It has
> gone
> really well but we keep coming up with problems with Windows
> Update, it
> fails because CCA is blocking the IP.  When this happens, I use a
> sniffer and add the new IP address that Microsoft is using and then it
> works, until they change address's again.  Cisco says use the Host
> setting allowing requests that end in "update.microsoft.com".  This
> does
> not always work.
>
> I am really at a loss because it works for 95% of the machines but
> I can
> not afford to have 5% of the students in my office when they get back
> from the summer.
>
> Any Ideas?
>
> Martin Flagg
> Hiram College