Stan...
Since we've touched on Aruba and Syslog, I have a question...
We too are an Aruba shop, and do push info to a syslog server. In previous code
2.x, as you mentioned, an authentication log would include username, mac, IP,
and AP, but since we've upgraded to 3.x, it seems the username and mac/IP
have been separated and are no longer tied together. I do get username
authentications, and mac/IP info, but I have no way of tying them together...
What ver code are you running and/or do you have the same issue?
Ken Connell
Intermediate Network Engineer
Computer Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709
- Original Message -
From: Brooks, Stan [EMAIL PROTECTED]
Date: Thursday, July 3, 2008 5:39 pm
Subject: Re: [WIRELESS-LAN] NAT in large scale wireless networks
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Greg,
Depending on the code version, you can set the logging levels to
capture user associations and authentications to a syslog server. The
data logged includes the location name/group of the AP the user
connected to, the SSID, along with the user's MAC, IP and user ID.
- Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: [EMAIL PROTECTED]
GoogleTalk: [EMAIL PROTECTED]
-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Scholz, Greg
Sent: Thursday, July 03, 2008 8:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] NAT in large scale wireless networks
Stan,
Can you tell me what type of location information you get and from what
log? 802.1x/WPA-Enterprise, so we have usernames and locations in our
logs
We are trying to figure out if there is a way to determine what APs users
are/have been on but all we have seen in the radius logs is the
controller as the NAS.
Thanks,
Greg
-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Brooks, Stan
Sent: Wednesday, July 02, 2008 6:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] NAT in large scale wireless networks
Mike,
We, too, are an Aruba shop, and have been doing NAT on our academic and
ResNet wireless networks for about a year now. Two years ago, we ran
out of IP addresses on our wireless network on Move-In Weekend and had
to scramble to add additional subnets - a scarce commodity here at
Emory. To prevent that from happening last year, we implemented NAT for
our wireless clients and now have plenty of address space for our
growing user base.
We let the Aruba controllers perform the NAT function (very easy to set
up - just a firewall rule in the user role in the Aruba config). We've
not had any complaints from users regarding NAT issues; we were
concerned that it might break some apps, but no problems have been
observed or reported. We've even got our homegrown NAC (NetReg/CAT)
working over the wireless, too - NetReg DHCP traffic is not NAT'ed, but
all other traffic is. This all works great, thanks to the Aruba
capabilities.
The only issues we've had with NAT have been voiced by Philippe - DMCA
notices are hard to isolate. Our wired network has some protection in
place to identify and reduce peer-to-peer traffic (Tipping Points), so
we don't generally get a lot of notices. User tracking and RF location
still work well as those are functions of the radio and authentication
subsystems. Our academic users log on using 802.1x/WPA-Enterprise, so
we have usernames and locations in our logs. Connecting those usernames
to the NAT pool IP addresses is the hard part.
I'd be happy to share some basic configuration tips and tricks regarding
NAT with you off-list, or on-list if others are interested.
BTW - We've been NAT'ing our guest access users since day one on the
Aruba equipment. Guests log in through the captive portal and are
given limited access - bandwidth limited web access and VPN access back
to their home organizations.
- Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: [EMAIL PROTECTED]
GoogleTalk: [EMAIL PROTECTED]
-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Dickson
Sent: Tuesday, July 01, 2008 9:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] NAT in large scale wireless networks
Though we currently have enough available routed IP space for our
wireless clients we are looking toward the future and wondering if
NAT-ing the wireless network makes sense.