CSSC fixed some stuff but broke a big thing

Unanswered Question
Mar 25th, 2008

Hi All,

We use Cisco Secure Services Client; we are currently using 4.2, 4.051 and 4.2.1. We found that going from 4.051 to 4.2 really fixed a lot of issues, but it broke one major option.

Going from 4.051 to 4.2 or 4.2.1, the client does not allow the computer to access the guest or auth-fail vlans prelogin. This is an issue in an environment that runs updates while the computer sits at the login screen. With 4.051, after a few seconds the computer would pop onto the guest vlan; if a user logged in, it would pop them off the guest vlan and then onto the vlan they should be on.

So the question is: can 4.2 and 4.2.1 be configured to allow access to the guest or auth-fail vlans prior to login, or is this a hard-coded issue?

I have already tried setting the login to machine/user thinking the machine would attempt login and knock it onto the auth fail vlan, which seems but now the regular user login doesn't work.


blittrell Tue, 03/25/2008 - 08:28

Hi All,

If I set the switchport access vlan to the guest network, that seems to get the prelogin network access to work. 802.1x still changes the vlan when a user logs in to their appropriate vlan.

So the next question is whether this is a good idea. Is there more of a security risk in adding the "switchport access vlan" command than there is in having the guest vlan and auth-fail vlan? I am setting the switchport access vlan to the guest net, so I am guessing there are no extra security risks than there already are when dealing with vlans.


blittrell Tue, 03/25/2008 - 08:44

Sorry, I may have spoken too soon; this did not work. It seems the act of adding the switchport access vlan command while the computer was at the login caused the CSSC client to allow access to the network, but when I restarted the computer it is still not allowing access to the guest vlan, even though the show vlan shows that interface on the guest net and the sho int shows the interface is up and connected.

So it looks like I am up for any ideas again :(


