07-08-2014 02:44 PM
I'm using CPPM with Aruba 3400 controllers running 6.3.
I've got ClearPass set up to authenticate computers that are domain members.
If a user is not logged into the computer, an access list on the role allows the computer to talk to the DC.
That way a user can login to the computer, even if they have not logged in before, or if they have changed their password since last time.
The problem is that logins take quite a while. For nearly two minutes, we get to watch the Windows Welcome message with the spinning ball (vs. a few seconds with a wired connection).
Is there any way to speed this up?
07-08-2014 02:48 PM
07-08-2014 02:54 PM
Once again, you pegged it!
I put an
any any any permit
at the beginning of the ACL, and the login was speedy.
(I previously only had all traffic allowed to/from DCs).
Any idea what else needs to be allowed?
07-08-2014 03:15 PM
Here's what I usually allow:
Any file shares where login scripts or share drives live
WSUS (update server)
Inbound access from management IP space for remote management
Here's my sample ACL:
If you want to add more security, you can block things like RDP, SSH, VNC to those destinations at the top of the ACL.
07-08-2014 05:26 PM
Thanks again for the info.
I opened up access to just about every subnet I can think of that a domain computer should need to reach when logging in, and the login time is about 7 seconds. Not bad.
But when I do an "any any any permit" the login time is super-zippy, about 2 seconds.
I'll leave it wide open for now, until I've got time to run Wireshark on that VLAN to see what's going on.
Or have I seen somewhere, on some GUI screen, the ability to capture traffic on an AP?
07-08-2014 05:29 PM
show datapath session table
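
Added example, not part of the original thread: one way to turn saved output of the command above into a list of destinations the pre-logon ACL is still denying, so the role can be tightened again instead of staying at "any any any permit". The column layout, the meaning of the `D` flag, the sample rows, and the names `SAMPLE`, `ROW` and `denied_flows` are assumptions made for this sketch; compare them with the header and flag legend your controller prints.

```python
import re
from collections import Counter

# Constructed sample, not captured from a real controller. Assumed layout:
# src IP, dst IP, IP protocol number, src port, dst port, ..., flags last,
# with "D" in the flags column marking a session the ACL denied.
SAMPLE = """\
Source IP    Destination IP  Prot  SPort  DPort  Cntr  Prio  ToS  Age  Destination  Flags
-----------  --------------  ----  -----  -----  ----  ----  ---  ---  -----------  -----
10.20.0.15   10.1.0.10       6     49210  445    0/0   0     0    1    tunnel 9     C
10.20.0.15   10.1.0.10       17    51022  53     0/0   0     0    0    tunnel 9     FC
10.20.0.15   10.1.5.20       6     49233  8530   0/0   0     0    2    tunnel 9     FDYC
10.20.0.15   10.1.7.30       6     49240  445    0/0   0     0    2    tunnel 9     FDYC
10.20.0.15   10.1.7.30       6     49241  445    0/0   0     0    3    tunnel 9     FDYC
10.1.7.30    10.20.0.15      6     445    49240  0/0   0     0    2    tunnel 9     FY
"""

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
IP = r"(\d+\.\d+\.\d+\.\d+)"
# First five columns, then anything, then the last whitespace-separated token (flags).
ROW = re.compile(rf"^{IP}\s+{IP}\s+(\d+)\s+(\d+)\s+(\d+)\s+.*\s(\S+)$")

def denied_flows(text, client_ip):
    """Count denied sessions opened by client_ip, keyed by (dst, proto, dport)."""
    hits = Counter()
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if not m:
            continue  # header, separator, flag legend or blank line
        src, dst, proto, _sport, dport, flags = m.groups()
        if src == client_ip and "D" in flags:
            hits[(dst, PROTO.get(int(proto), proto), int(dport))] += 1
    return hits

if __name__ == "__main__":
    # Most frequently denied destinations first: candidates for explicit permits.
    for (dst, proto, dport), n in denied_flows(SAMPLE, "10.20.0.15").most_common():
        print(f"{n:3d} denied  {proto:<4} {dst}:{dport}")
```

Run it against output captured while the machine sits at the Welcome screen under the restrictive ACL, since the denied entries only appear while the client is retrying.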