Shut it down
After three weeks of random errors, I had to shut down the Cisco NAC installation. I hated to do it but it had to be done. The errors were so inconsistent that it made fixing them almost impossible. Here’s a quick rundown of some of the problems:
- Users that worked fine one day would stop having access the next day even though the Clean Access Agent showed them logged on and in the proper role.
- Printers would randomly drop off the network but still show up in their role/VLAN.
- Moving a laptop from a docked, wired network connection to an undocked, wireless connection was hit or miss. If the user just undocked, they definitely would lose network connection. If the user clicked Start and then Undock Computer, they would get network connection about 60% of the time.
- Logon scripts would randomly fail to run.
The last issue was (somewhat) fixed by doing two things. One, changing the script so that it would ping multiple servers and only initiate the script when a ping was successful (i.e. the user was placed into the proper user role). Two, pushing out a registry change for Windows XP that would introduce a group policy timeout (GpNetworkStartTimeoutPolicyValue). The timeout made it so that the group policy would keep trying to run the logon script for up to 60 seconds, trying to contact the server every two seconds, before failing.
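The ping gate described above, written as a Windows batch logon wrapper. This is an added example, not the author's script; the server names, the use of the same 60-second/2-second timing for the loop, and the `logon_main.cmd` file name are assumptions.

```batch
@echo off
rem Added example: hold the logon script until NAC has moved the client
rem into a role that can reach at least one of the listed servers.
setlocal

rem Hypothetical server names; replace with hosts only reachable from the user role.
set SERVERS=fileserver01.example.local dc01.example.local
set MAX_WAIT=60
set INTERVAL=2
set /a ELAPSED=0

:retry
for %%S in (%SERVERS%) do (
    rem Match on "TTL=" instead of trusting ping's exit code: ping can
    rem return 0 when a router answers "Destination host unreachable".
    ping -n 1 -w 1000 %%S | find "TTL=" >nul
    if not errorlevel 1 goto ready
)

if %ELAPSED% GEQ %MAX_WAIT% goto giveup

rem Windows XP has no timeout.exe; three pings to loopback take about 2 seconds.
ping -n 3 127.0.0.1 >nul
set /a ELAPSED+=INTERVAL
goto retry

:ready
rem A server answered, so run the real logon script (hypothetical file name).
call "%~dp0logon_main.cmd"
exit /b %ERRORLEVEL%

:giveup
rem No server answered within MAX_WAIT seconds. Exit non-zero so the
rem failure is visible instead of mapping drives against a dead network.
echo Logon script skipped: no server reachable after %MAX_WAIT% seconds.
exit /b 1
```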
The company we purchased the equipment from is supposed to send some of their technicians out next week in order to try and fix the problems. They are also supposed to send out a Cisco technician. I hope they can get it to work. If they don’t, this is going to look really bad on the IT department because of all of the issues the users are having to deal with during the installation.
There is no failure except in no longer trying. – Elbert Hubbard
18.Sep.08
Networking, Security