Cisco Trust Agent

Release Notes for Cisco Trust Agent, Release 2.1, With Bundled Supplicant

Released for Use with Network Admission Control Framework 2.1

Revised: May 23, 2008

Contents

These release notes are for use with Cisco Trust Agent (CTA), Release 2.1, With Bundled Supplicant. The following information is provided:

Cisco Trust Agent 2.1 Release

Qualified Deployments of CTA 2.1

Obtaining the CTA 2.1 Release

Product Versioning

CTA 2.1 Product Limitations

CTA 802.1x Wired Client Service Fails to Start Following Upgrade from CTA 2.0 to CTA 2.1

New Authentication Profiles Required with Upgrade from CTA 2.0 to CTA 2.1

Configuring Machine Authentication

Windows NT is Not Supported

CTA is No Longer Bundled with CSA

New Features Introduced in CTA 2.1

New Product Versioning Methodology

Documentation Title Changes

Single RPM Installation File for Linux Installations

Support for CTA on Mac OS X Operating Systems

Microsoft Windows Installer (MSI) Installation Files

New Configuration Options in CTA

New Posture Plugin Features

New Features Introduced in CTA 802.1x Wired Client

New Features Introduced in CTA 2.0.1

CTA 802.1x Wired Client System Report Tool

CTA 802.1x Wired Client Technical Log

Machine Authentication Methods

Configurable Outer Tunnel Identity for EAP-FAST

System Requirements

System Requirements for Installations on Linux

System Requirements for Installations on Mac OS X

System Requirements for Installation on Windows

Installation Notes

Obtaining the Latest Release of CTA

Upgrade Support

Upgrading CTA 2.0 to CTA 2.1

Upgrading from Selective Availability and Beta Releases to CTA 2.1

Known Defects in CTA 2.1 Posture Agent

Known Defects in CTA 802.1x Wired Client

Closed and Resolved Defects in CTA

Defects Closed or Resolved in CTA 2.1 Posture Agent

Defects Closed or Resolved in CTA 802.1x Wired Client

All Defects Closed or Resolved by CTA Release 2.0.1

Obtaining Documentation, Obtaining Support, and Security Guidelines

Cisco Trust Agent 2.1 Release

The goals of Cisco Trust Agent, Release 2.1.103.0 (CTA 2.1) are to improve on the CTA 2.1.18.0 selective availability release by resolving outstanding product defects and to provide new functionality from that offered in the CTA 2.0.0.30 release. Cisco Trust Agent release 2.1 is an integral component of the Network Admission Control Framework 2.1 solution.

The CTA 802.1x Wired Client supplicant is bundled with this offering of CTA 2.1.103.0. The CTA 802.1x Wired Client is available for use on Windows operating systems.

Qualified Deployments of CTA 2.1

Cisco Trust Agent 2.1.103.0 will be distributed to existing customers of CTA and those customers evaluating the NAC Framework 2.1 programs.

CTA 2.1 is not intended for distribution to new customers of CTA nor new customers of the NAC 2.1 Framework solution. New customers to CTA and NAC should work with their Cisco Account Team representative to evaluate their NAC Framework-qualified infrastructure and use-case scenarios.

We are making an extra effort to qualify our customers' infrastructure and goals to ensure that the components in their network are compatible with the NAC Framework, that their goals will be met by the NAC Framework, and that the deployment of the NAC Framework will be successful.

Obtaining the CTA 2.1 Release

CTA 2.1.103.0 is available for download in this location:

http://www.cisco.com/pcgi-bin/tablebuild.pl/cta

You must agree to the following terms before downloading Cisco Trust Agent Software Update (the "Software"):

In as much as this release of Cisco Trust Agent is intended for existing deployments, by clicking "Accept" below, in addition to any other license terms provided by Cisco with this Software, you on behalf of yourself and the organization you represent (collectively "You") agree to each of the following:

That You on behalf of yourself and the entity You represent already have Cisco Trust Agent installed and You will use this Cisco Trust Agent download (the "Software") only for the purpose of upgrading Your previously installed version of Cisco Trust Agent (which You are using in accordance with the Cisco license terms governing the previously installed version of Cisco Trust Agent).

You will keep this Software image confidential and will not provide it to any third party.

If you are unable to agree to the above terms of use, do not download the Software. Please contact your Cisco account team for further assistance.

Product Versioning

The full version number of this release is CTA 2.1.103.0. The full release number is used in installation file names and in the text of the Administrator Guide for Cisco Trust Agent, Release 2.1 and the Release Notes for Cisco Trust Agent, Release 2.1 when it is important to distinguish the version of CTA being discussed. Any references in the documentation to CTA 2.1 are referring to CTA 2.1.103.0 unless otherwise noted.

CTA 2.1 Product Limitations

Review these limitations of CTA 2.1 before installing or upgrading to the new release.

CTA 802.1x Wired Client Service Fails to Start Following Upgrade from CTA 2.0 to CTA 2.1

The CTA 802.1x Wired Client fails to start after an upgrade attempt from CTA 2.0.0.30 (CTA 2.0) to CTA 2.1.103.0 (CTA 2.1). In order to upgrade from CTA 2.0 with the CTA 802.1x Wired Client to CTA 2.1 with the CTA 802.1x Wired Client, you will need to uninstall CTA 2.0, delete leftover directories, and then install CTA 2.1 from scratch. See the "Upgrading CTA 2.0 to CTA 2.1" section for this upgrade procedure.

New Authentication Profiles Required with Upgrade from CTA 2.0 to CTA 2.1

The user and machine authentication profiles that were created for use with CTA 2.0 are not compatible with CTA 2.1. During an upgrade from CTA 2.0 to CTA 2.1, the authentication profile files are deleted. New authentication profile files will need to be created after upgrading to CTA 2.1 to perform 802.1x authentication with CTA 2.1.

Configuring Machine Authentication

Cisco Trust Agent 2.1 supports machine authentication. However, you should be aware of these caveats when planning the deployment of machine authentication in your NAC environment:

Some applications may not be appropriate choices to provide posture credentials during machine authentication. Such applications may be slow to start, for example, and they will not be ready to provide posture credentials immediately for machine authentication.

In this case, machine authentication could fail, not because of a security problem but because the application was not available to provide its posture credentials in time.

In order to perform machine authentication, the EAP-FAST Configuration in ACS must allow machine authentication.

Machine authentication can be performed on networks where Windows Active Directory is in use.

Windows NT is Not Supported

CTA 2.1 does not support Windows NT 4.0 Server or Windows NT 4.0 Workstation.

CTA is No Longer Bundled with CSA

In the past, CTA installation files have been distributed along with Cisco Security Agent (CSA). This allowed CTA to be distributed in Agent Kits produced and managed by the Cisco Security Agent Management Center. Though CTA may still be incorporated in an Agent Kit and distributed through CSA MC, the CTA installation files are no longer included in CSA distributions.

The CSA 5.1.0.88 and 5.0.0.205 hotfixes have removed all CTA installation files.

Customers who want to distribute CTA through an Agent Kit may do so by downloading the CTA software separately and following the instructions in Appendix B of the Administrator's Guide for Cisco Trust Agent, Release 2.1.

New Features Introduced in CTA 2.1

The following sections describe the new features available in Cisco Trust Agent, Release 2.1.

New Product Versioning Methodology

In previous releases of CTA, including the beta delivery of CTA 2.1, CTA product versions were expressed using a four field number; for example, CTA 2.1.0.10 was the product version of a beta release of CTA 2.1. The fields in the version number represent this information:

[Major Version].[Minor Version].[Maintenance Version].[Build Version].

Microsoft Installer (.msi) files are now used to install CTA on Windows operating systems. The Microsoft Installer expects a three field product version number and ignores the fourth field. This would prevent an upgrade of CTA from a release numbered CTA 2.1.0.10 to CTA 2.1.0.103. Microsoft Installer would see these two product builds as identical.

To accommodate the Microsoft Installer files, the product's version number is now represented by a four field number where the first three fields are significant and the last is populated with a zero.

[Major Version].[Minor Version].[Build Version].[0]

Using this new system, CTA can be upgraded from releases CTA 2.1.0.10, CTA 2.1.18.0, or CTA 2.1.100.0, to CTA 2.1.103.0 without uninstalling the previous release.

This number is used in the file naming conventions for the installation files of CTA on all operating systems.
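The comparison described above can be modelled in a few lines. This is an added example, not Cisco or Windows Installer code; the function names are hypothetical, and the version strings are the ones quoted in this section.

```python
# Added illustration: models the three-field comparison described above.
# Function names are hypothetical; nothing here is CTA or Windows Installer code.
from collections import defaultdict


def parse_version(text):
    """Split a dotted four-field product version into a tuple of integers."""
    fields = tuple(int(part) for part in text.split("."))
    if len(fields) != 4:
        raise ValueError(f"expected four fields, got {text!r}")
    return fields


def installer_key(text):
    """Return the three fields the installer compares; the fourth is ignored."""
    return parse_version(text)[:3]


def classify_upgrade(installed, target):
    """Describe how the installer would see target relative to installed."""
    old, new = installer_key(installed), installer_key(target)
    if new > old:
        return "upgrade"
    if new == old:
        return "identical"
    return "downgrade"


def indistinguishable_builds(versions):
    """Group distinct version strings that share one installer key."""
    groups = defaultdict(set)
    for version in versions:
        groups[installer_key(version)].add(version)
    return {key: sorted(group) for key, group in groups.items() if len(group) > 1}


def plan_fleet(installed_versions, target):
    """Map every installed version to its classification against target."""
    return {v: classify_upgrade(v, target) for v in installed_versions}


if __name__ == "__main__":
    # Old scheme: the build number sat in the ignored fourth field.
    print(classify_upgrade("2.1.0.10", "2.1.0.103"))
    # New scheme: the upgrade paths named in these release notes.
    print(plan_fleet(["2.1.0.10", "2.1.18.0", "2.1.100.0"], "2.1.103.0"))
    # Builds an inventory tool should flag as indistinguishable to the installer.
    print(indistinguishable_builds(["2.1.0.10", "2.1.0.103", "2.1.103.0"]))
```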

Documentation Title Changes

This release note document, part number OL-11311-01, was previously entitled Release Notes for Cisco Trust Agent, Release 2.1. It is now entitled Release Notes for Cisco Trust Agent, Release 2.1, With Bundled Supplicant.

The administrator guide, part number OL-11310-01, was previously entitled Administrator Guide for Cisco Trust Agent, Release 2.1. It is now entitled Administrator Guide for Cisco Trust Agent, Release 2.1, With Bundled Supplicant.

These changes are made to distinguish this CTA 2.1.103.0 product offering, which includes the CTA 802.1x Wired Supplicant, from the latest CTA 2.1.103.0 product offering, which does not include the CTA 802.1x Wired Client. The latest offering of CTA 2.1.103.0 removes the bundled supplicant and recommends the use of Cisco Secure Services Client as the supplicant to be used in a NAC environment.

Single RPM Installation File for Linux Installations

The installation files for CTA for Linux are contained in the ctaadminex-linux-2.1.103-0.tar.gz file, which can be downloaded from Cisco.com. After downloading the ctaadminex-linux-2.1.103-0.tar.gz file, the administrator uncompresses the file and runs the ctaadminex-linux-2.1.103-0.sh file to accept the license agreement and extract the cta-linux-2.1.103-0.i386.rpm. The cta-linux-2.1.103-0.i386.rpm file is then used to install CTA for Linux using standard RPM commands.

The CTA Scripting Interface feature is now installed by default on Linux platforms. There is no CTA 802.1x Wired Client for use with Linux platforms.

Support for CTA on Mac OS X Operating Systems

Cisco Trust Agent, with its standard features and the optional Scripting Interface feature, is now available for installation on Mac OS X operating systems. There is no CTA 802.1x Wired Client for use with Mac OS X platforms.

Microsoft Windows Installer (MSI) Installation Files

There are now two files which you can download and use to install CTA on Windows operating systems:

CtaAdminEx-win-2.1.103.0.exe

CtaAdminEx-supplicant-win-2.1.103.0.exe

CtaAdminEx-win-2.1.103.0.exe contains the CTA end-user license agreement (EULA) and the ctasetup-win-2.1.103.0.msi installation file.

After running the CtaAdminEx-win-2.1.103.0.exe file, the administrator accepts the EULA for all users and the ctasetup-win-2.1.103.0.msi is extracted to the same directory as the CtaAdminEx-win-2.1.103.0.exe file. You use the ctasetup-win-2.1.103.0.msi file to install CTA using standard MSI commands.

You can use the ctasetup-win-2.1.103.0.msi file to install the CTA Scripting Interface feature; however, you cannot use the file to install the 802.1x Wired Client feature.

CtaAdminEx-supplicant-win-2.1.103.0.exe contains the EULA and the ctasetup-supplicant-win-2.1.103.0.msi installation file. By running the CtaAdminEx-supplicant-win-2.1.103.0.exe file, you accept the EULA for all users and extract the ctasetup-supplicant-win-2.1.103.0.msi installation file. By default, the ctasetup-supplicant-win-2.1.103.0.msi file installs Cisco Trust Agent with the CTA 802.1x Wired Client and provides an option to install the Scripting Interface feature. If you do not intend to install the CTA 802.1x Wired Client on some end-points, that feature may also be suppressed using standard MSI commands.


Note: Previously, the CTA features could be enabled using the "/si" argument to install the scripting interface and the "/ls" argument for the CTA 802.1x Wired Client. Now that the installation files use standard MSI commands, the /si and /ls arguments are no longer used. See the Administrator Guide for Cisco Trust Agent, Release 2.1, Chapter 4, "Installing Optional Features During CTA Installation" for the new commands used to install these features.


New Configuration Options in CTA

Standardized Naming Convention for ctad.ini Template Files

The names of the template files used to create ctad.ini files have been standardized across all platforms. The new name for the file is ctad-temp.ini on all operating systems.

Table 1 ctad-temp.ini Naming Convention and File Location

| New Template Name (Standard for All Operating Systems) | Old Template Names Used for Different Operating Systems | Location of New Template File |
| --- | --- | --- |
| ctad-temp.ini | ctad.ini.windows | \Program Files\Cisco Systems\CiscoTrustAgent\ |
| ctad-temp.ini | ctad.ini.linux | /etc/opt/CiscoTrustAgent/ |
| ctad-temp.ini | ctad.ini.macosx | /etc/opt/CiscoTrustAgent/ |


New Naming Convention for ctalogd.ini Template File

The name of the template file used to create the ctalogd.ini file has been changed to reflect a new file-naming convention in configuration files. The new name of the template file used to create the ctalogd.ini file is ctalogd-temp.ini.

Table 2 ctalogd-temp.ini Naming Convention and File Location

| New Template Name for All Operating Systems | Old Template Names Used for All Operating Systems | Location of New Template File |
| --- | --- | --- |
| ctalogd-temp.ini | ctalogd.tmp | Location on Windows: \Program Files\Cisco Systems\CiscoTrustAgent\Logging\ |
| ctalogd-temp.ini | ctalogd.tmp | Location on Linux: /etc/opt/CiscoTrustAgent/ |
| ctalogd-temp.ini | ctalogd.tmp | Location on Mac OS X: /etc/opt/CiscoTrustAgent/ |


Configuring User Notifications

The user notification parameters are configured in the ctad.ini file. See the Administrator Guide for Cisco Trust Agent, Release 2.1, Chapter 5, "Configuring User Notifications" for more information about these and other notification parameters.

UserActionDelayTimeout

The UserActionDelayTimeout parameter allows you to delay the launch of the browser window so that the host has more time to obtain an IP address. This parameter was added to the ctad.ini file because, if the browser that displays the posture message is launched before the host obtains an IP address, the browser will fail to open the URL contained in the posture message. This feature is available on Linux, Mac OS X, and Windows operating systems.

EnableLogonNotifies

The behavior of the EnableLogonNotifies parameter is now the same on all operating systems. The parameter enables or disables user notification received before the user is logged on. User notifications received before the user is logged on can be saved or discarded.

LogonMsgTimeout

The behavior of the LogonMsgTimeout parameter is now the same on all operating systems. The default value of the parameter on all operating systems is 86,400 seconds. The parameter specifies how long, in seconds, a message is saved when no user is logged on and EnableLogonNotifies is enabled.

Configuring CTA and Posture Plugin Interaction

CTA and the posture plugins interact for the transfer of posture data, posture notifications, and status updates. Two new parameters, PPInterfaceType and PPWaitTimeout, are used together to determine how CTA interacts with the plugins and how long the interaction with all plugins lasts.

See the Administrator Guide for Cisco Trust Agent, Release 2.1, Chapter 5, "Configuring CTA and Posture Plugin Interaction." for a complete explanation of these parameters and how to configure them.

This feature is available for Linux, Mac OS X, and Windows operating systems.

Configuring Posture Plugin Message Size

By default, plugins are permitted to provide 1024 bytes (1KB) of information to CTA. This number can be increased to allow all plug-ins to provide up to 6KB of information. PPMsgSize is the parameter in the ctad.ini file which you use to configure the plugin message size.

You can also create an application-specific posture plugin message size by adding the PluginName_PPMsgSize parameter to the ctad.ini file. This parameter allows you to define a posture message size for a specific plugin.


Note: If there is a Symantec posture plugin installed on the client, the ctad.ini file must be configured in one of two ways:

PPMsgSize must be set to 1024 bytes.

The Symantec posture plugin must use an application-specific posture plugin message size set to 1024 bytes.


See the Administrator Guide for Cisco Trust Agent, Release 2.1, Chapter 5, "Configuring the Posture Plugin Message Size" for a complete explanation of this parameter and how to configure it.

This feature is available for Linux, Mac OS X, and Windows operating systems.

Configuring CTA for Use with the Windows XP Firewall

The BootTimeUDPExemptions parameter alters the Windows XP Firewall policy and enables CTA to receive packets when the Windows XP SP2 or SP3-based computer is booting.

By enabling BootTimeUDPExemptions you alter the Windows XP Firewall setting by adding CTA's local EAPoUDP port to the Windows XP Firewall boot time UDP exemptions policy. This enables CTA to communicate with ACS over the network.


Note: Use of the BootTimeUDPExemptions parameter is relevant only in conjunction with Microsoft's hot fix for Windows XP (KB17730).


See Administrator Guide for Cisco Trust Agent, Release 2.1, Chapter 5, "ctad.ini Configuration Parameters" for more information about this parameter and how to configure it.

Configuring Logging for Large Deployments

A procedure has been added to the Administrator Guide for Cisco Trust Agent, Release 2.1 that describes how to configure CTA logging for a large deployment. A sample ctalogd-temp.ini file has also been provided.

See the Administrator Guide for Cisco Trust Agent, Release 2.1, Chapter 6, "Configuring CTA Logging for Large Deployments" for the procedure.

New Posture Plugin Features

The features in this section are described in the Administrator Guide for Cisco Trust Agent, Release 2.1, Chapter 7, "Posture Plugins."

Host Posture Plugin Now Returns MAC Address

The Host Posture Plugin reports basic information about the client running CTA to the ACS. With the release of CTA 2.1, the Host Posture Plugin can now return the MAC address of the client running CTA, provided that the MacAddress attribute has been added to the Posture-Validation Attribute Definition File employed by the ACS CSUtil database utility. (For more information about the ACS CSUtil database utility and the Posture-Validation Attribute Definition File, see the User Guide for Cisco Secure ACS for Windows Server.)

The attribute information for MacAddress is below.

[attr#n]
vendor-id=9
vendor-name=Cisco
application-id=2
application-name=Host
attribute-id=00009
attribute-name=MacAddress
attribute-profile=in
attribute-type=string

The plugin will return all the MAC addresses available on the client running CTA and combine them into one string; the MAC addresses will be separated by pipes ( | ). For example, a wireless network card and a wired network card will each return a MAC address.

If you are defining a posture validation rule in ACS based on only one of these MAC addresses, the posture attribute should "contain" the MAC address you are verifying rather than "equal" or "start with" the MAC address you are verifying.

This feature is available for Linux, Mac OS X, and Windows operating systems.
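The following added example (not Cisco code) models why a rule on a single MAC address needs the "contain" operator. The MAC address notation, the sample addresses and the function names are assumptions made for illustration; the page does not state the order in which adapters appear in the string, so the example checks every order.

```python
# Added illustration: evaluates the three rule operators named above against
# the pipe-separated string the Host Posture Plugin returns.
# Assumptions: colon-separated MAC notation, no spaces around the pipe,
# exact (case-sensitive) string comparison. Sample addresses are constructed.
from itertools import permutations

OPERATORS = {
    "equal": lambda value, expected: value == expected,
    "start with": lambda value, expected: value.startswith(expected),
    "contain": lambda value, expected: expected in value,
}

WIRED = "00:11:22:33:44:55"      # constructed sample
WIRELESS = "66:77:88:99:AA:BB"   # constructed sample


def reported_value(macs, separator="|"):
    """Combine every adapter's MAC address into the single reported string."""
    return separator.join(macs)


def operators_matching(macs, expected):
    """List the operators under which a rule for `expected` would match."""
    value = reported_value(macs)
    return [name for name, test in OPERATORS.items() if test(value, expected)]


def order_independent_operators(macs, expected):
    """Operators that match regardless of the order the adapters are listed in."""
    surviving = set(OPERATORS)
    for ordering in permutations(macs):
        surviving &= set(operators_matching(ordering, expected))
    return sorted(surviving)


if __name__ == "__main__":
    # Two adapters, rule written for the wireless card.
    print(operators_matching([WIRED, WIRELESS], WIRELESS))
    print(operators_matching([WIRELESS, WIRED], WIRELESS))
    print(order_independent_operators([WIRED, WIRELESS], WIRELESS))
    # A host with one adapter matches under every operator.
    print(order_independent_operators([WIRED], WIRED))
```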

Package Information Returned by Host Posture Plugin For Mac OS X

For Mac OS X, there are two types of applications that are of concern to CTA: system applications, which have receipts in /Library/Receipts/, and user applications, which are installed in the /Applications directory.

System applications are identified by the first-level folder name under /Library/Receipts, such as "Danish.pkg" or "X11SDK.pkg". User applications are identified by the application name under the /Applications directory as displayed in Finder. For example, "Firefox", "DVD\ Player".

The applications located in the subfolders of the /Applications directory can also be queried; in these cases the package name is the path relative to /Applications. For example, "Utilities/Disk\ Utility", "Zinio/Zinio\ Reader".


Note: White spaces in package names must be escaped with a backslash ("\").


The version information of system applications is parsed out of the Contents/version.plist file in the package's directory under the /Library/Receipts directory. Version information is in the form "a.b.c.d". The first three fields of the version are from the CFBundleShortVersionString key, and the fourth field is from the SourceVersion key. For user application packages, the version information is retrieved from the Info.plist file under the Contents/ directory in the application's directory. We first look for the value of the CFBundleShortVersionString key. If this key is not present, we return the value of the CFBundleVersion key. If both keys are missing, no information is returned for the package.
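To predict what the plugin will report for a given package when writing posture rules, the naming and version lookup described above can be reproduced with Python's plistlib. This is an added example, not Cisco code: the function names and sample property lists are constructed, and the handling of missing or short receipt versions is an assumption the page does not cover.

```python
# Added illustration of the package name and version rules described above.
# Function names are hypothetical and the property lists are constructed samples.
import plistlib
import posixpath
import re


def package_name(app_path, root="/Applications"):
    """Path relative to root, Finder display name (no .app suffix),
    with white space escaped by a backslash."""
    relative = posixpath.relpath(app_path, root)
    if relative.endswith(".app"):
        relative = relative[: -len(".app")]
    return re.sub(r"(\s)", r"\\\1", relative)


def system_package_version(version_plist):
    """Receipt package: a.b.c from CFBundleShortVersionString, d from SourceVersion."""
    data = plistlib.loads(version_plist)
    short = data.get("CFBundleShortVersionString")
    source = data.get("SourceVersion")
    if short is None or source is None:
        return None  # assumption: the page does not describe this case
    fields = str(short).split(".")[:3]
    fields += ["0"] * (3 - len(fields))  # assumption: pad short versions with zeros
    return ".".join(fields + [str(source)])


def user_application_version(info_plist):
    """User application: CFBundleShortVersionString, else CFBundleVersion, else nothing."""
    data = plistlib.loads(info_plist)
    for key in ("CFBundleShortVersionString", "CFBundleVersion"):
        if key in data:
            return str(data[key])
    return None


# Constructed sample property lists (not taken from real packages).
RECEIPT = plistlib.dumps({"CFBundleShortVersionString": "10.4.3", "SourceVersion": "57"})
APP_BOTH_KEYS = plistlib.dumps({"CFBundleShortVersionString": "1.5.0.7", "CFBundleVersion": "1507"})
APP_BUILD_ONLY = plistlib.dumps({"CFBundleVersion": "312"})
APP_NO_VERSION = plistlib.dumps({"CFBundleName": "Example"})

if __name__ == "__main__":
    print(package_name("/Applications/Utilities/Disk Utility.app"))
    print(system_package_version(RECEIPT))
    print(user_application_version(APP_BOTH_KEYS))
    print(user_application_version(APP_BUILD_ONLY))
    print(user_application_version(APP_NO_VERSION))
```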

New Features Introduced in CTA 802.1x Wired Client

The user interface for the Cisco Trust Agent 802.1x Wired Client was changed significantly between CTA 2.0 and CTA 2.0.1, and then revised further for the CTA 2.1 release. The procedures for configuring user and machine authentication have also changed to reflect the new user interface. See the Administrator Guide for Cisco Trust Agent, Release 2.1, Chapter 9, "Cisco Trust Agent 802.1x Wired Client."

Differentiating Connected States

In previous versions of the CTA 802.1x Wired Client, the connection state of "Connected" included both authenticated connections and unauthenticated connections. Unauthenticated connections were those where authentication was not required.

The client now differentiates between "connected and authenticated" and "connected and unauthenticated", both in the displayed status text and the coloring pattern of the network/access icons in the CTA 802.1x Wired Client main window and the system tray icon.

A green icon indicates that the network adapter is connected and authenticated. The new blue colored icon indicates that the network adapter is connected but unauthenticated or does not require authentication.

Realtime Information on Connection Process

The main window of the CTA 802.1x Wired Client now contains a hotspot labeled "Details." Clicking Details displays the Information window, which provides real-time feedback on the individual steps of any (manual or automatic) connection or disconnection process. See the Administrator Guide for Cisco Trust Agent, Release 2.1, Chapter 9, "802.1x Wired Client Window" for an illustration and explanation of the Details hotspot.

Connection Status Dialog Enhancements

Several new aspects to the Connection Status informational dialog were added.

Client (network adapter) MAC address is now displayed.

Dynamic parameters are now updated in real time.

See the Administrator Guide for Cisco Trust Agent, Release 2.1, Chapter 9, "Viewing Access Device Status" for more information about the status window.

Authentication Retries Enhancement

This feature prevents the CTA 802.1x Wired Client from failing users' authentication attempts before they can be re-routed to a special VLAN. This is also referred to as the "Auth-fail VLAN feature" in the NAC environment.

Some more intelligent access devices support special features, for example the ability, on a failed connection attempt, to open the port but switch the user into a special VLAN. To support these access devices, the client lets the administrator adjust, on a deployed end-user client, the number of connection retries before disconnecting, which allows the access device to make intelligent decisions based on multiple authentication failures.

This functionality is available to the user in the Station Policy window in the Authentication Retries Wired /Ethernet Settings area. See the Administrator Guide for Cisco Trust Agent, Release 2.1, Chapter 9, "Authentication Retries Wired / Ethernet Settings" for an explanation of this new functionality and a description of the related GUI area.

New "User Identity Protection" Area on Station Policy Window

The Authentication Method area and associated radio buttons have been renamed to better describe the functions represented in the interface. The area is now named the User Identity Protection area. The area has these radio buttons:

Send 'anonymous' in clear

Send Username in clear.


Note: The Send Username in Clear radio button choice is compatible with ACS 4.1 and later versions.


See the Administrator Guide for Cisco Trust Agent, Release 2.1, Chapter 9, "User Credentials Area" for an explanation of the function of these radio buttons.

New "Allow Unprotected Client Cert" Area on Station Policy Window

The Use Client Certificate area and associated check boxes on the Station Policy window have been renamed to better describe the functions represented in the interface. The area is now named the Allow Unprotected Client Cert area and has these checkboxes:

Machine Auth (Boot-time)

User Auth (Logon-time)

See the Administrator Guide for Cisco Trust Agent, Release 2.1, Chapter 9, "Allow Unprotected Client Cert Area" for an explanation of the function of these check boxes.

Global Enable Client Control Enhancements

In previous versions of the client, the global control for managing all the adapters was available on the popup menu off of the system tray icon and was labeled "Active" control.

This control has been relabeled "Enable Client". A checked Enable Client is equivalent to the previous checked Active control, and an unchecked Enable Client is equivalent to the previous unchecked Active control. The new control is also available from an associated drop-down menu. Additionally, this control has been added to the main screen menu bar as part of the 802.1x Wired Client drop-down choices. Otherwise there are no functional changes.

See the Administrator Guide for Cisco Trust Agent, Release 2.1, Chapter 9, "802.1x Wired Client System Tray Shortcut Menu" for more information about this control.

Popup Notifications

The system tray icon autonomous popup "bubble" notification messages have been removed to reduce impact on the user. All useful information is still available via the icon status color and the icon mouse rollover statuses.

New Features Introduced in CTA 2.0.1

The following sections describe the new features that were introduced in Cisco Trust Agent, Release 2.0.1.

CTA 2.0.1 was released only for Windows XP operating systems. The changes and features delivered in CTA 2.0.1 are available in Cisco Trust Agent 2.1.

CTA 802.1x Wired Client System Report Tool

The System Report utility provides end users a simple way to automatically gather data needed by support personnel to troubleshoot any problems. It captures the following information:

Current end-user technical log contents.

Current internal application activity log.

Information on the machine's hardware and software environment.

The System Report utility is packaged with the CTA 802.1x Wired Client and automatically installed with it; however, it is a separate utility and it operates whether the CTA 802.1x Wired Client is active or not.

The System Report utility creates a single compressed file, the System Report, that contains information about the end station's hardware and software environment, the CTA 802.1x Wired Client, as well as the gathered technical and developer logs.

You can launch the System Report Tool by navigating Start > Programs > Cisco Systems, Inc. > Cisco Trust Agent 802.1x Wired Client > Cisco Trust Agent 802.1x Wired Client System Report.

CTA 802.1x Wired Client Technical Log

The technical log file is a time-stamped Unicode text file that receives log messages and can be viewed with Microsoft Notepad (or equivalent) on Windows 2000 and Windows XP. See the Administrator Guide for Cisco Trust Agent, Release 2.1, Chapter 10, "Cisco Trust Agent Wired Client Logging" for more information.

Machine Authentication Methods

Authentication Using Machine Password

Starting in Cisco Trust Agent Release 2.0.1, machine authentication can occur during the boot up process. This is controlled by whether the "use machine credentials" button in the Station Policy dialog box is checked or unchecked. If the "use machine credentials" button is checked, then machine authentication is performed in place of user context authentication and one of the three machine credential types is passed.

There are different types of machine credentials:

Machine certificate (This is an existing feature.)

Machine PAC (This is an existing feature.)

Machine Password (This is a new feature.)

CTA 2.1 supports using the machine password whenever machine context authentication is done. A benefit of this method is that a certificate infrastructure is not needed.

See "Deploying End User 802.1x Wired Clients" in Chapter 11 of the Administrator Guide for Cisco Trust Agent, Release 2.1 for more information.

Machine Authentication Only

Either of these machine credentials can be used for machine authentication only:

Machine certificate

Machine password

See "Deploying End User 802.1x Wired Clients" in Chapter 11 of the Administrator Guide for Cisco Trust Agent, Release 2.1 for more information.

Configurable Outer Tunnel Identity for EAP-FAST

The construction of the encrypted tunnel through which the 802.1x Wired Client passes authentication credentials to the Cisco Secure Access Control Server (ACS) is initiated in the case of machine or user authentication.

During user authentication, UserName@FullyQualifiedDomainName, anonymous@FullyQualifiedDomainName, or UserName are the credentials passed to ACS.

During machine authentication, HostName/FullyQualifiedDomainName is the credential passed to ACS.

System Requirements

CTA may be installed on Linux, Mac OS X, and Windows operating systems. The following sections describe the system requirements for each type of operating system.

System Requirements for Installations on Linux

Before installing Cisco Trust Agent on a Linux operating system, verify that the target system meets the requirements in the following table.

Table 3 CTA System Requirements for Linux

System Component
Requirement

System

Pentium class processor or better

Network connection

Operating System and Language Support

All available internationalized versions of these Linux operating systems support CTA 2.1:

Red Hat Linux 9

Red Hat Enterprise Linux v3 (Enterprise, Advanced Server, and Workstation)

Red Hat Enterprise Linux v4 (Enterprise, Advanced Server, and Workstation)

Note Support for a localized operating system is different from a localized version of CTA. The CTA interface and messages are presented in English.

Linux Installers

Red Hat Package Management (RPM) v4.2 or greater.

Hard Disk Space

20 MB

Memory

256 MB Red Hat Enterprise Linux v3 (Enterprise, Advanced, Workstation)

256 MB Red Hat Enterprise Linux v4 (Enterprise, Advanced, Workstation)

Listening Port

By default, Cisco Trust Agent listens on UDP port 21862.


System Requirements for Installations on Mac OS X

Before installing Cisco Trust Agent on a Mac OS X operating system, verify that the target system meets the requirements in the following table.

Table 4 CTA System Requirements for Mac OS X

System Component
Requirement

System

G3 processor and later

Network connection

Free Hard Disk Space

20 MB minimum

Memory

256 MB RAM

Listening Port

By default, Cisco Trust Agent listens on UDP port 21862.

Operating System and Language Support

All available internationalized versions of Mac OS X 10.3.9 and 10.4 operating systems support CTA 2.1.

Note Support for a localized operating system is different from a localized version of CTA. The CTA interface and messages are presented in English.


System Requirements for Installation on Windows

Before installing Cisco Trust Agent on a Windows operating system, verify that the target system meets the requirements in the following table.


Note CTA 2.1 does not support Windows NT 4.0 Server or Windows NT 4.0 Workstation. CTA 2.0 was the last release to support Windows NT 4.0.

Table 5 CTA System Requirements for Windows 

System Component
Requirement

System

Pentium II class processor or better

Network connection

Windows Installer (MSI)

Version 2.0 or later.

Free Hard Disk Space

20 MB minimum

Memory

256 MB of RAM

Listening Port

By default, Cisco Trust Agent listens on UDP port 21862.

Windows Operating Systems on which CTA 2.1 and the CTA 802.1x Wired Client Run

Windows 2000 Professional and Advanced Server, SP4 and Update Rollup 1

Windows XP Professional, SP1, SP2, and SP3

Windows 2003 Standard, SP1 and R2

Additional Windows operating systems on which CTA 2.1 runs but that do not support CTA 802.1x Wired Client

Windows XP Home, SP1, SP2, and SP3

Language Support for localized operating systems

All available localized versions of these operating systems support this release of CTA.

Note Support for a localized operating system is different from a localized version of CTA. The CTA interface and messages are presented in English.

Windows 2000 Professional and Advanced Server, SP4 and Update Rollup 1

Windows XP Professional, SP1, SP2, and SP3

Windows XP Home, SP1, SP2, and SP3

Windows 2003 Standard, SP1 and R2



Installation Notes

Chapter 2, Chapter 3, and Chapter 4 of the Administrator Guide for Cisco Trust Agent, Release Version 2.1 discuss installing Cisco Trust Agent on Linux, Mac OS X, and Windows platforms. These chapters refer to installation files such as cta-linux-2.1.x-0.i386.rpm, cta-darwin-2.1.x.0.dmg, and ctasetup-supplicant-win-2.1.x.0.msi. Any installation file name in this format refers to the CTA release 2.1.103.0 installation files.

Obtaining the Latest Release of CTA

The latest release of Cisco Trust Agent 2.1 is version 2.1.103.0.

Table 6 lists the files used to install CTA 2.1 on the supported operating systems. See the Administrator Guide for Cisco Trust Agent, Release 2.1 for a complete description of content of the files and how they can be used in a CTA installation.

Table 6 CTA 2.1.103.0 Files 

Downloadable File
Description of the Content of the File

cta21ag.pdf

Administrator Guide for Cisco Trust Agent, Release 2.1.

cta21rn.pdf

Release Notes for Cisco Trust Agent, Release 2.1.

ctaadminex-linux-2.1.103-0.tar.gz

This is the installation package for Linux operating system. It contains the ctaadminex-linux-2.1.103-0.sh script which allows administrators to accept the end user license agreement and extract the cta-linux-2.1.103-0.i386.rpm file used to install CTA.

ctaadminex-darwin-2.1.103.0.tar.gz

This is the installation package for Mac OS X operating systems. It contains the ctaadminex.sh script which allows administrators to accept the end user license agreement and extract the cta-darwin-2.1.103.0.dmg file used to install CTA.

CtaAdminEx-win-2.1.103.0.exe

This is an installation package for Windows operating systems. It contains the ctasetup-win-2.1.103.0.msi file which allows administrators to accept the end user license agreement and install CTA. The file does not contain the CTA 802.1X Wired Client.

CtaAdminex-supplicant-win-2.1.103.0.exe

This is an installation package for Windows operating systems. It contains the ctasetup-supplicant-win-2.1.103.0.msi file which allows administrators to accept the end user license agreement and install CTA. The file does contain the CTA 802.1X Wired Client.


Upgrade Support

Cisco Trust Agent supports upgrade installations from versions 1.0, 2.0, 2.0.1, selective availability, and beta 2.1 releases to CTA 2.1.103.0.

The behavior of an upgrade reflects the kind of installation being used. If the upgrade is performed using an installation wizard, CTA 2.1.103.0 recognizes the previous installation of CTA and prompts users to upgrade. In the case of a silent installation, it is assumed that the user intends to perform an upgrade and the installation proceeds without prompting the user.


Note When upgrading a version of CTA along with the CTA 802.1x Wired Client, to CTA 2.1 with the CTA 802.1x Wired Client, the computer is disconnected from the network at the end of the software upgrade process. The final step of the upgrade procedure is to reboot the computer; rebooting restores the network connection and it is a required step in the upgrade process.

In the case of a silent upgrade, administrators should use MSI commands which limit interruptions to users but still prompt users to reboot their computers at the end of the software upgrade.


There are different methods of upgrading CTA from version 1.0, 2.0, 2.0.1, and selective availability and beta versions to CTA 2.1.103.0. See Chapter 2 and Chapter 4 of the Administrator Guide for Cisco Trust Agent, Release 2.1, for information about upgrading previous versions of CTA for Linux and Windows to CTA 2.1.

Upgrading CTA 2.0 to CTA 2.1

This section describes upgrading CTA 2.0.0.30 to CTA 2.1.103.0.

Upgrading CTA without the CTA 802.1x Wired Client

Both Linux and Windows versions of CTA 2.0 without the CTA 802.1x Wired Client can be upgraded to CTA 2.1.

Upgrading CTA with the CTA 802.1x Wired Client

In order to upgrade from CTA 2.0 with the CTA 802.1x Wired Client to CTA 2.1 with the CTA 802.1x Wired Client, you need to uninstall CTA 2.0, delete the CTA 802.1x Wired Client directory, and then install CTA 2.1 from scratch.

If you attempt to directly upgrade CTA 2.0 with the CTA 802.1x Wired Client to CTA 2.1 with the CTA 802.1x Wired Client, the CTA 802.1x Wired Client service fails to start and you will not be able to start the service manually.

To upgrade from CTA 2.0 with the CTA 802.1x Wired Client to CTA 2.1 with the CTA 802.1x Wired Client, follow this procedure:


Step 1 Uninstall CTA 2.0 using the procedure in "Uninstalling Cisco Trust Agent on Windows" in Chapter 4 of the Administrator Guide for Cisco Trust Agent, Release 2.1.

Step 2 Reboot the PC when prompted.

Step 3 Delete this directory and its contents:

\Program Files\Cisco Systems\Cisco Trust Agent 802_1x Wired Client

Step 4 Install CTA 2.1 from scratch using the methodology described in Chapter 4, "Installing the Cisco Trust Agent on Windows" in the Administrator Guide for Cisco Trust Agent, Release 2.1.

Step 5 Reboot the computer when prompted.


Note The computer remains disconnected from the network until the computer is rebooted.


Upgrading from Selective Availability and Beta Releases to CTA 2.1

Some customers of Cisco's Network Admission Control program participated in testing "selective availability" releases and beta releases of CTA 2.1 to test its functionality in their NAC environments.

CTA builds numbered 2.1.18.0, 2.1.100.0, 2.1.101.0, and 2.1.102.0 may be upgraded to CTA 2.1.103.0 without being uninstalled first. The certificates, third-party posture plugins, ctad.ini, ctalogd.ini, log files, and the deployment profile files remain in the directories in which they were installed and they are used by CTA 2.1.103.0.

Upgrading CTA without the CTA 802.1x Wired Client

You can upgrade from any of the CTA 2.1 selective availability or beta releases without the CTA 802.1x Wired Client to CTA 2.1.103.0 without the 802.1x Wired Client without having to uninstall CTA 2.1.x. Use the upgrade procedures in Chapter 2 or Chapter 4 of the Administrator Guide for Cisco Trust Agent, Release 2.1, to upgrade a Linux or Windows installation.

Upgrading CTA with the CTA 802.1x Wired Client

To upgrade from any of the CTA 2.1 selective availability or beta releases with the CTA 802.1x Wired Client to CTA 2.1.103.0 with the 802.1x Wired Client, you can run the installation for the new version of CTA while the old version is still installed. At the end of the upgrade process, you must reboot the computer.

If you are upgrading from CTA 2.1.x with the CTA 802.1x Wired Client to CTA 2.1.103.0 with the CTA 802.1x Wired Client, the authentication profiles installed on the client used in CTA 2.1.x are compatible with CTA 2.1.103.0 and will remain in their directories through the upgrade process.


Note At the end of the upgrade process the computer is disconnected from the network until the computer is rebooted.


Use any of the installation procedures in Chapter 4 of the Administrator Guide for Cisco Trust Agent, Release 2.1, to upgrade a Windows installation.

Known Defects in CTA 2.1 Posture Agent

This section describes problems known to exist in the posture agent of Cisco Trust Agent, Release 2.1. This section excludes defects of the 802.1x Wired Client component of CTA 2.1.


Note A "—" in the Explanation column indicates that no information was available at the time of publication. You should check the Cisco Software Bug Toolkit for current information. To access the Cisco Software Bug Toolkit, go to http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl. (You will be prompted to log in to Cisco.com.)

Table 7 Known Defects in the CTA 2.1 Posture Agent Client 

Defect ID
Headline
Explanation

CSCsc18885

Erroneous log entry, claiming "Failed to read Registry Key" in CTA log.

Symptom    When a user performs a fresh installation, upgrade, or reinstallation of Cisco Trust Agent with logging enabled, an erroneous log message is generated. This message is similar to this message:

2 12:00:00.000 11/11/2005 Sev=Critical/1 
PSDaemon/0xE3C0001A Failed to Read Registry 
Key, error code 2

Conditions   This erroneous log message is generated when Cisco Trust Agent Version 2.0.0.30 is installed, reinstalled, or upgraded with logging enabled. This erroneous log message was observed on the following platforms: Windows NT 4.0, Windows 2000, and Windows XP.

Workaround   No workarounds are available. Note that this log message is erroneous and does not affect the running of Cisco Trust Agent.

CSCse27741

CTA uses wrong root certificate when an expired certificate exists along with working certificate.

Symptom    Existing customer certificates work with some authentication protocols but not EAP over UDP (NAC-L3-IP or NAC-L2-IP). The certificates are valid and are stored in the correct locations.

This message is in the ACS Failed Attempts log: "EAP-TLS or PEAP authentication failed during SSL handshake."

Conditions   The existing certificate is part of a certificate chain in which the root certificate is expired. The expired root certificate has the same subject name as the valid certificate and both certificates coexist in CTA client's certificate store.

Workaround   Remove this expired root certificate from the user certificate store.

CSCsg08764

CTAstat incorrectly reports operational status for plugin

Symptom    ctastat reports that a posture plugin is working correctly when some other system behavior, such as a failed authentication, indicates that a plugin might not be working correctly.

Conditions   Any condition where the plugin is not working correctly or is missing; for example, a corrupted or missing .dll or .so file, a missing .inf file, a plugin installed in the wrong directory, or a corrupted plugin.

Workaround   Enable logging on the client in order to capture information about the failed plugin.

CSCsg15684

ctapsd crash after 5 hours with SAV PP and 1K buffer

Symptom    Cisco Trust Agent Posture Server Daemon crashes after running approximately 5 hours with a Symantec posture plugin installed on the client machine and when PPMsgSize is set to 1024.

Conditions   CTA 2.1.14.0 is running and PPMsgSize is set to 1024 in ctad.ini. The problem occurs on Windows operating systems.

Workaround   There is no workaround.

Note This problem is NOT reproducible with CTA 2.1.18.0 or later versions.

CSCsg26209

CTA does not support downgrade of posture plugins

Symptom    A posture plugin for a third-party application does not respond at all or does not respond with values for all posture attributes. In the CTA log files you may see messages such as "client not installed," "client is running the wrong version," or "client communication error."

Conditions   The third-party client application has been downgraded, and though the corresponding downgraded plugin has been dropped into the Cisco Trust Agent plugins/install directory, CTA has not installed it because the previous plugin has a higher version number.

Workaround   Uninstall the higher revision of the plugin, then install the version of the plugin that corresponds to the downgraded application's version.

Note You can verify the version numbers of the plugin and application by viewing their properties.

CSCsi49862

CTA should set BootTimeUDPExemptions as String Value

Symptom    In its default state, CTA creates the Windows registry key "BootTimeUDPExemptions" as a DWORD and sets it to 0x00005566. However, this value is incompatible with the Windows specification. CTA should set BootTimeUDPExemptions as a String Value.

Conditions   BootTimeUDPExemptions is set to 1 in ctad.ini. This is the default setting.

Workaround   Set BootTimeUDPExemptions in ctad.ini to 0, and set BootTimeUDPExemptions in registry by hand. This is documented by Microsoft at this location: http://support.microsoft.com/kb/917730/en-us

CSCsi91317

HostPP truncates MAC addresses if there are 2 or more

Symptom    If the Mac OS X host being postured has more than two active IPv4 interfaces (not including loopback interfaces), and the host is postured for the HostPP MacAddress, the MAC address of the second interface will be incomplete, and the MAC addresses of the third and later interfaces will be missing.

Conditions   The host machine has more than one active IPv4 interface, and the host is postured for the HostPP MacAddress.

Workaround   None.

CSCsi91358

Linux-Truncated addresses with 2 MAC address requested through HostPP

Symptom    If the Linux host being postured has more than two active IPv4 interfaces (not including loopback interfaces), and the host is postured for the HostPP MacAddress, the MAC address of the second interface will be incomplete, and the MAC addresses of the third and later interfaces will be missing.

Conditions   The host machine has more than one active IPv4 interface, and the host is postured for the HostPP MacAddress.

Workaround   None.

CSCsi98520

Creating a Custom Installation Package procedure for Mac OS X is incorrect.

Symptom    The "Creating a Custom Installation Package" procedures in Chapter 3 of the "Administrator Guide for Cisco Trust Agent, Release 2.1, with Bundled Supplicant" and in Chapter 3 of the "Administrator Guide for Cisco Trust Agent, Release 2.1 Without Bundled Supplicant" require that you rename the disk image before customizing the CiscoTrustAgent volume. This is unnecessary.

Conditions   All.

Workaround   Do not perform step 3, 4, or 5 of the procedure.

Step 6 should be written, "Double-click the CiscoTrustAgent volume on the desktop." The rest of the step should be deleted.

CSCsj76891

CTACERT.exe throws application exception

Symptom    Running CTACERT.EXE to import a certificate into the root store in Windows XP results in an error, a Dr. Watson log (if enabled), and a minidump file. The CTACERT.EXE program crashes.

Conditions   This error was observed on Windows XP SP2 and using CTA 2.1.103. The command used when the error occurred was: "C:\Program Files\Cisco Systems\CiscoTrustAgent\ctacert.exe" /ui 2 /add "C:\Program Files\Cisco Systems\CiscoTrustAgent\rocselfcert.cer" /store "root"

Workaround   The certificate should be installed in the root store, even though the error occurs. The certificate can also be manually imported using the certificate MMC, Group policy, etc.

CSCsk70794

Parameters in the User Notifies section of the ctad.ini file do not parse correctly. This occurs only in Danish versions of Windows operating systems.

Symptom    Two symptoms present themselves as a result of this defect. The parameters named in the symptoms are in the [User Notifies] section of the ctad.ini file.

After the user receives a posture notification message, the user has to click OK in the message box before launching another program from the start menu even when SysModal=0 in the ctad.ini file.

The default value of UserActionDelayTimeout is 25 seconds. When the value of this parameter is decreased dramatically, it still takes 25 seconds for the browser to open the URL contained in the posture message.

Conditions   This occurs in all versions of Danish Windows operating systems.

Workaround   None
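One way to check a client for the condition behind CSCse27741 before removing anything, as an added example that is not Cisco code: it lists expired certificates that share a subject name with a currently valid certificate in the same store. The function name and the default store paths are assumptions; pass the store your deployment actually uses.

```powershell
# Added example (not Cisco code): report-only audit for the CSCse27741 condition,
# an expired certificate coexisting with a valid one under the same subject name.
# Assumption: the default store paths below are common Windows root stores,
# not locations taken from the CTA documentation.
function Find-ExpiredSubjectTwin {
    [CmdletBinding()]
    param(
        [string[]]$StorePath = @('Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'),
        [datetime]$AsOf = (Get-Date)
    )

    foreach ($path in $StorePath) {
        if (-not (Test-Path -Path $path)) {
            Write-Warning "Store not found: $path"
            continue
        }

        # The defect needs at least two certificates with an identical subject.
        $groups = Get-ChildItem -Path $path |
            Group-Object -Property Subject |
            Where-Object { $_.Count -gt 1 }

        foreach ($group in $groups) {
            $expired = @($group.Group | Where-Object { $_.NotAfter -lt $AsOf })
            $valid   = @($group.Group | Where-Object {
                $_.NotBefore -le $AsOf -and $_.NotAfter -ge $AsOf
            })

            # Only the mixed case matters: an expired copy next to a usable one.
            if ($expired.Count -eq 0 -or $valid.Count -eq 0) { continue }

            $validPrints = ($valid | ForEach-Object { $_.Thumbprint }) -join ', '
            foreach ($cert in $expired) {
                [pscustomobject]@{
                    Store             = $path
                    Subject           = $cert.Subject
                    ExpiredThumbprint = $cert.Thumbprint
                    ExpiredOn         = $cert.NotAfter
                    SelfSigned        = ($cert.Subject -eq $cert.Issuer)
                    ValidThumbprints  = $validPrints
                }
            }
        }
    }
}

# Nothing is deleted; review the output, then remove the expired entry by hand.
Find-ExpiredSubjectTwin | Format-List
```

An empty result means no store in the list holds an expired certificate alongside a valid one with the same subject.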



Known Defects in CTA 802.1x Wired Client

These are the defects in the CTA 802.1x Wired Client that was released with CTA 2.1.103.0. The CTA 802.1x Wired Client may also be referred to as the "light supplicant" or "supplicant."

Table 8 Known Defects in the CTA 2.1 802.1x Wired Client 

Defect ID
Headline
Explanation

CSCsb47789

TLS alert bad_certificate(42) should be unknown_ca(48)

Symptom    The CTA 802.1X Wired Client sends an incorrect error code to the ACS. The 802.1X Wired Client sends bad_certificate(42) when it should send unknown_ca(48). This error gets logged on the ACS and might mislead ACS administrators.

The result is an incorrect log on the ACS, but it does not affect the functionality of the 802.1X Wired Client nor ACS.

Conditions   A valid certificate chain or a partial chain was received, but the certificate was not accepted because the CA certificate could not be located or could not be matched with a known, trusted CA.

Workaround   There is no workaround.

CSCsb88110

The 802.1X Wired Client pop up box is hidden during bootup with multiple interfaces.

Symptom    When booting up a PC with multiple interfaces (four), with the 802.1X Wired Client installed, a user enters his username on the first popup box and then his password. However, the second popup box does not appear. The 802.1X Wired Client is waiting for the password to be entered for the second popup box. Then the third popup box appears. The fourth popup box does not appear but the 802.1X Wired Client waits for the password to be entered.

Conditions   This occurs with multiple interfaces that are all getting authenticated.

Workaround   Set the EnableLogonNotifies attribute to 0 in the ctad.ini for CTA.

CSCsc31219

User credentials dialog does not close upon failure to connect.

Symptom    If the network client fails to provide a posture at Layer 2, and ACS fails to set a policy for the network client, and if the user enters incorrect credentials, the user credentials dialog box is not automatically removed from the screen.

Workaround   Users need to manually close the user credentials dialog box.

CSCsc39374

RSA 5.2 new pin mode does not work with CTA 802.1x Wired Client

Symptom    User authentication fails.

Conditions   RSA 5.2 is used for authentication. This is the behavior the user experiences:

1. User is prompted for username.

2. User is prompted for password. User enters RSA tokencode here.

3. User responds with "y" at the prompt to create a new PIN.

4. The user is then prompted for username two times, until the connection fails.

Workaround   There is no workaround.

CSCsd60058

802.1x, EAP-GTC password change fails when password complexity requirement is enforced.

Symptom    Password change fails with EAP-GTC.

Conditions   ACS is configured for EAP-GTC and the password complexity rule is enabled on Active Directory.

Workaround   Disable password complexity rule on Active Directory.

CSCse35094

Password entered in supplicant Credentials popup is not used.

Symptom    Password entered in supplicant Credentials popup is not used for authentication.

Conditions   With machine and user authentication enabled, the password entered in supplicant Credentials popup is not used for authentication.

Workaround   There is no workaround.

CSCse35113

CTA 802.1x Wired Client can indicate that the ethernet interface is authenticated and connected when it is not.

Symptom    With IEEE 802.1x authentication configured, the CTA 802.1x Wired Client status shows that the client is authenticated and connected to the network when it is not.

Conditions   This error can happen when you try to reconnect after a failed authentication.

Workaround   The incorrect connection status will time out in about one minute.

CSCse54397

CTA 802.1x Wired Client delays 802.1x authentication after returning from hibernation.

Symptom    While the client is coming out of the hibernation state, the supplicant needs to initiate an IEEE 802.1x connection for either machine or user authentication. The time it takes for the supplicant to initiate IEEE 802.1x authentication may vary from 15 to 80 seconds.

Conditions   The CTA 802.1x Wired Client eventually initiates IEEE 802.1x authentication, but the time it takes varies between 15 and 80 seconds after the network interface comes up. This delay depends on various factors such as the operating system, the PC hardware configuration, and the context of the machine, for example, whether the user is logged in to the desktop.

Workaround   Wait for the CTA 802.1x Wired Client to initiate IEEE 802.1x authentication after the interface comes up or open the CTA 802.1x Wired Client main window, select the network adapter you use to connect to the network, click Disconnect, and then click Connect.

CSCse77264

CTA 802.1x Wired Client fails to launch after a reboot