NAC: How to reduce login time of Windows Client Machines in Authentication VLAN

Answered Question
May 24th, 2010

Hi All,

I am trying to reduce the login time the client machines take when they are in the authentication vlan.  The login time increases from 5 minutes to 7 minutes when machines are managed by the NAC.

We need the NAC Agent to perform AD SSO and posture assessment before login scripts or other processes execute.  It is critical for us to delay other processes from executing until after NAC places client machines on the access vlan, because those processes would hang & fail while they are in the authentication vlan. One of the processes that hung & failed is the mapping of different network drives when login scripts are executed.

We ran a test script and discovered that the NAC Agent will not execute until it inserts itself into Windows' system tray, which requires the execution of Windows' iExplorer process.  However, executing Windows' iExplorer process also means executing many other processes that should not be executed (since they will hang & fail) until after NAC moves those client machines into the access vlan.

I need to know if it is possible to execute the NAC Agent w/o it inserting itself into the system tray.  If possible, how is this achieved?

Any help is appreciated.

Thank you 

Correct Answer
Faisal Sehbai Mon, 05/24/2010 - 22:46

David,

Currently not possible. NAC agent runs as a program and has to run under user credentials for it to be able to identify the user correctly that is being NAC'd. In later versions there's a service component of the agent, but the SSO functionality still relies on the Agent being loaded correctly. Your option is to run a delay script (detailed here: http://tinyurl.com/25d2aua ) and once that passes, then call your other scripts which do the mapping.

Also if you're having such inordinate delays in the initial SSO process, ensure you have all the ports open that need to be open, including the IP FRAGMENTS and ICMP to all your DCs in the Unauthenticated Role.

HTH,

Faisal
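The delay-then-map approach above, as an added example (not the script behind the tinyurl link and not Cisco code): it polls a resource that is only reachable once NAC has moved the client to the access VLAN, then hands off to the existing mapping script. `\\fileserver\share` and `mapdrives.cmd` are placeholder names; adjust the probe to a host your Unauthenticated Role does not permit.

```powershell
# Added example: delay login script for clients that start in the NAC authentication VLAN.
# Assumptions (placeholders): $Probe is a share reachable only from the access VLAN,
# $MapScript is the existing drive-mapping login script in NETLOGON.
param(
    [string]$Probe       = '\\fileserver\share',
    [string]$MapScript   = "$env:LOGONSERVER\netlogon\mapdrives.cmd",
    [int]$TimeoutSec     = 300,   # give up after 5 minutes so a stuck client does not hang forever
    [int]$IntervalSec    = 5
)

function Wait-ForAccessVlan {
    param([string]$Path, [int]$Timeout, [int]$Interval)
    $deadline = (Get-Date).AddSeconds($Timeout)
    while ((Get-Date) -lt $deadline) {
        # Test-Path against a UNC share fails quickly while the host is still
        # in the authentication VLAN and succeeds once NAC has moved it.
        if (Test-Path -LiteralPath $Path) { return $true }
        Start-Sleep -Seconds $Interval
    }
    return $false
}

$log = Join-Path $env:TEMP 'nac-delay.log'
if (Wait-ForAccessVlan -Path $Probe -Timeout $TimeoutSec -Interval $IntervalSec) {
    Add-Content -Path $log -Value "$(Get-Date -Format s) access VLAN reached, running $MapScript"
    # Only now run the mapping script, so the net use calls do not hang and fail.
    & cmd.exe /c $MapScript
    exit $LASTEXITCODE
} else {
    # Record the failure for the helpdesk instead of leaving a half-mapped session.
    Add-Content -Path $log -Value "$(Get-Date -Format s) $Probe unreachable after $TimeoutSec s; mapping skipped"
    exit 1
}
```

Run it as the user logon script in place of the mapping script, and review `%TEMP%\nac-delay.log` on clients that report missing drives to tell a NAC delay apart from a mapping error.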

yuchenglai Thu, 05/27/2010 - 11:10

Faisal,

We also have another client form factor that needs to be NAC'd as well.

It appears to me that the issue lies in that NAC requires the iexplore.exe to be the user shell. Whenever a user logs in with an alternative shell such as CMD.exe, NAC fails and throws the error message "it is unable to place itself in the taskbar". We have other Windows client form factors that have alternative shells, and we still want their access to be controlled by the NAC.  We are hoping that there is an alternative method to authenticate or a workaround to this issue. Please advise.

Faisal Sehbai Thu, 05/27/2010 - 11:22

David,

That might be problematic too. The Agent is supported on certain OSes, and the agent actually does a lot of communication using the IE engine with the CAS using HTTPS, so if that particular mode of communication isn't available to the agent, it won't work.

Your best bet then is to filter those alternate devices, or if they support any sort of browsing, to do web-login with them.

HTH,

Faisal

yuchenglai Fri, 05/28/2010 - 09:44

Faisal,

If we do web-login, can AD-SSO be used as the provider instead of the NAC's Local Database?