RE: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-23 Thread Edward Ip
We just got our 25K ClearPass server, so I still have a lot to learn about it. 
I appreciate all the help I can get. Thank you Bruce.

Edward Ip
Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | K2G 
1V8 | Canada
algonquincollege.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Tuesday, November 22, 2016 8:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Feel free to ping me off-list if I can help further.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Edward Ip [mailto:i...@algonquincollege.com]
Sent: Monday, November 21, 2016 9:02 AM
Subject: Re: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Thank You Bruce!

Edward Ip
Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | K2G 
1V8 | Canada
algonquincollege.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Monday, November 21, 2016 7:39 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Edward,

The best way to get the IP address information from ClearPass is by having it 
forward the RADIUS Accounting data.

You can have ClearPass generate Syslog from the Accounting data, but there are 
currently issues with missing data. We have a case open with Aruba to resolve 
this.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Edward Ip [mailto:i...@algonquincollege.com]
Sent: Thursday, November 17, 2016 2:38 PM
Subject: Re: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

We have been using Microsoft NPS in a cluster as Radius for 802.1X for a while 
now. Our normal concurrent client load is about 12,000 users.

Monitoring is now done via Airwave, specifically using the Clarity feature. In 
the past, we used Solarwinds to query our Aruba controllers for the statistics 
and then graphing it in Solarwinds.

We are not doing anything fancy with the NPS servers. My network architect 
wants to be able to query the AD network and set up network policies (like 
bandwidth control and app control) using Bluecoat PacketShaper and the 
Authentication and Authorization Agent (BCAAA) with User Awareness feature. 
However, the NPS servers do not update our AD directory with regards to what IP 
address the wireless client is currently using. So this feature is not useable 
on our wireless client (works great on wired domain clients). Investigating if 
we can use ClearPass to give the bluecoat the required information.

Edward Ip
Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | K2G 
1V8 | Canada
algonquincollege.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, November 16, 2016 9:40 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We've used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN's 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We're weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more "feature rich". For 
major vendors, RADIUS is just a slice of NAC now, and since everybody "is a 
software company!" licensing can be ugly. I'm not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can't help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn't 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Informat

Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-23 Thread Frans Panken
Guess what’s under the hood of many commercial RADIUS platforms (e.g., 
Clearpass)… indeed: FreeRadius 1.0 …
-Frans


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Lee H Badman 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Thursday, 17 November 2016 at 01:37
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?


Yeah- thanks, Philippe. I knew I wasn't phrasing that quite right, typed it as 
I was flying out the door earlier.



-Lee






From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Philippe Hanset 

Sent: Wednesday, November 16, 2016 5:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Lee,

Radiator is not open source (you can buy support) but it works more smoothly on 
Unix (you can operate it on Windows).

Philippe


On Nov 16, 2016, at 4:34 PM, Lee H Badman <lhbad...@syr.edu> wrote:
Thanks, Philippe. For a number of reasons we’re trying to steer away from open 
source on this.

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w 
its.syr.edu<http://its.syr.edu>
SYRACUSE UNIVERSITY
syr.edu<http://syr.edu>

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Philippe Hanset
Sent: Wednesday, November 16, 2016 12:58 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Lee,

Not speaking from using NPS but from having to help Institutions using NPS:

It is a very “stiff” environment, and Microsoft does not want to listen to the 
eduroam community’s requests (not just US, but worldwide)

No REALM stripping
No Server Status (that one is killing us. We have to implement all kinds of 
timers to make sure that servers are responding…when the standard has a built 
in mechanism)
No support for RadSec ever mentioned.

If I were a large University with in house expertise I would do FreeRADIUS 3.0 
or Radiator (or more NAC oriented solutions if you need that)

Philippe

Philippe Hanset, CEO
www.anyroam.net<http://www.anyroam.net>
www.eduroam.us<http://www.eduroam.us>
GPG key id: 0xF2636F9C







** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.


RE: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-22 Thread Osborne, Bruce W (Network Operations)
Feel free to ping me off-list if I can help further.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971


RE: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-21 Thread Edward Ip
Thank You Bruce!

Edward Ip
Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | K2G 
1V8 | Canada
algonquincollege.com




RE: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-21 Thread Osborne, Bruce W (Network Operations)
Edward,

The best way to get the IP address information from ClearPass is by having it 
forward the RADIUS Accounting data.

You can have ClearPass generate Syslog from the Accounting data, but there are 
currently issues with missing data. We have a case open with Aruba to resolve 
this.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971
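
As an added example, not code from any poster in this thread: a receiver of forwarded RADIUS Accounting-Requests checks the RFC 2866 Request Authenticator and then builds the user-to-IP table discussed above. The shared secret, user name, MAC and IP are constructed sample values, and it assumes the controller includes Framed-IP-Address in an accounting update once the client holds a DHCP lease.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS constants from RFC 2865 / RFC 2866.
ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 8, 31
ACCT_STATUS_TYPE = 40
START, STOP, INTERIM_UPDATE = 1, 2, 3


def build_accounting_request(identifier, secret, attrs):
    """Build a constructed Accounting-Request so the example runs offline."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # RFC 2866: MD5(code + id + length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_accounting_request(packet, secret):
    """Return {attr_type: value} after checking length, code and authenticator."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]  # octets past Length are padding and are ignored
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        # Unauthenticated accounting could plant a false user-to-IP binding.
        raise ValueError("Request Authenticator mismatch")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute overruns packet")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


class SessionTable:
    """IP -> (user, MAC) bindings learned from accounting records."""

    def __init__(self):
        self.by_ip = {}

    def update(self, attrs):
        """Apply one parsed record; return the IP it changed, or None."""
        status_raw = attrs.get(ACCT_STATUS_TYPE)
        if status_raw is None or len(status_raw) != 4:
            raise ValueError("missing Acct-Status-Type")
        status_value = int.from_bytes(status_raw, "big")
        raw_ip = attrs.get(FRAMED_IP_ADDRESS)
        if raw_ip is None or len(raw_ip) != 4:
            # 802.1X completes before DHCP, so a Start record may carry no
            # address yet; wait for an update that does.
            return None
        ip = str(ipaddress.IPv4Address(raw_ip))
        if status_value == STOP:
            self.by_ip.pop(ip, None)
        elif status_value in (START, INTERIM_UPDATE):
            user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
            mac = attrs.get(CALLING_STATION_ID, b"").decode("ascii", "replace")
            self.by_ip[ip] = (user, mac)
        else:
            return None
        return ip


# Constructed sample values (not taken from the thread).
SECRET = b"constructed-shared-secret"
WHO = [(USER_NAME, b"jdoe@example.edu"), (CALLING_STATION_ID, b"AA-BB-CC-00-11-22")]
ADDR = (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed)


def status(value):
    """Encode an Acct-Status-Type attribute."""
    return (ACCT_STATUS_TYPE, struct.pack("!I", value))


def demo():
    """Feed a Start without an IP, then an Interim-Update that carries one."""
    table = SessionTable()
    records = [WHO + [status(START)], WHO + [status(INTERIM_UPDATE), ADDR]]
    for ident, attrs in enumerate(records):
        pkt = build_accounting_request(ident, SECRET, attrs)
        table.update(parse_accounting_request(pkt, SECRET))
    return table.by_ip


if __name__ == "__main__":
    print(demo())
```
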




RE: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-18 Thread Edward Ip
Great. Chris, thank you for the information. I will take a look.

Edward Ip
Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | K2G 
1V8 | Canada
algonquincollege.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chris Adams (IT)
Sent: Friday, November 18, 2016 10:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Edward,

Take a look and see if the BlueCoats can receive RADIUS accounting messages. 
I've been able to perform EAP-PEAP client identification with Fortigate units 
by forwarding accounting radius messages from NPS to the firewalls.


Thanks,

Chris Adams, CISSP

Director, Network & Telecom Services
Division of Information Technology
University of North Georgia
E-Mail: chris.ad...@ung.edu<mailto:chris.ad...@ung.edu> | Office: (706) 867-2891

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Edward Ip
Sent: Friday, November 18, 2016 10:46 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Very true. I should have explained it a bit better, my bad. Let me give it a 
second try.

Bluecoat has a plugin (BCAAA) installed on the AD domain servers that allows it 
to retrieve user ID details from our AD Domain for IP addresses generating 
requests to applications and web servers (this works well for wired domain 
clients) which then allows Bluecoat to apply the relevant policies to the 
traffic. Since we are using the Microsoft NPS for radius authentication on 
wireless clients, Bluecoat is not able to retrieve that information from our 
wireless clients as it isn't on the domain.

Bluecoat does not currently have a plugin or API to query the Aruba controllers 
for the same information as it does on our AD domain.

Regards,
Edward Ip
Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | K2G 
1V8 | Canada
algonquincollege.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wang, Yu
Sent: Friday, November 18, 2016 8:48 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Edward,

NPS servers (radius) do not have clients' IP information as the whole 802.1X 
authentication process happens before a client can have an IP address. Once a 
client is successfully authenticated, radius' job is done. The client is then 
assigned to a network and acquires an IP through DHCP. You can get a client's 
IP from Aruba controllers or DHCP servers (client's MAC address from NPS).

Yu


RE: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-18 Thread Chris Adams (IT)
Edward,

Take a look and see if the BlueCoats can receive RADIUS accounting messages.
I've been able to perform EAP-PEAP client identification with Fortigate
units by forwarding accounting radius messages from NPS to the firewalls.

Thanks,

Chris Adams, CISSP
Director, Network & Telecom Services
Division of Information Technology
University of North Georgia
E-Mail: chris.ad...@ung.edu | Office: (706) 867-2891

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Edward Ip
Sent: Friday, November 18, 2016 10:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

 

Very true. I should have explained it a bit better, my bad. Let me give it a
second try.

 

Bluecoat has a plugin (BCAAA) installed on the AD domain servers that allows
it to retrieve a user id details from our AD Domain for IP addresses
generating requests to applications and web servers (this works well for
wired domain clients) which then allows Bluecoat to apply the relevant
policies to the traffic. Since we are using the Microsoft NPS for radius
authentication on wireless clients, Bluecoat is not able to retrieve that
information from our wireless clients as it isn't on the domain.

 

Bluecoat does not current have a plugin or api to query the Aruba
controllers for the same information as it does on our AD domain.

 

Regards,

Edward Ip

Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario |
K2G 1V8 | Canada

algonquincollege.com

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wang, Yu
Sent: Friday, November 18, 2016 8:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

 

Edward,

 

NPS servers (radius) do not have clients' IP information as the whole 802.1X
authentication process happens before a client can have an IP address. Once
a client is successfully authenticated, radius' job is done. The client is
then assigned to a network and acquires an IP through DHCP. You can get a
client's IP from Aruba controllers or DHCP servers (client's MAC address
from NPS).

 

Yu

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [
<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Edward Ip
Sent: Thursday, November 17, 2016 2:38 PM
To:  <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

 

We have being using Microsoft NPS in a cluster as Radius for 80.21X for a
while now. Our normal concurrent client load is about 12,000 users.

 

Monitoring is now done via Airwave, specifically using the Clarity feature.
In the past, we used Solarwinds to query our Aruba controllers for the
statistics and then graphing it in Solarwinds.

 

We are not doing anything fancy with the NPS servers. My network architect
wants to be able to query the AD network and set up network policies (like
bandwidth control and app control) using Bluecoat PacketShaper and the
Authentication and Authorization Agent (BCAAA) with User Awareness feature.
However, the NPS servers do not update our AD directory with regard to what
IP address the wireless client is currently using. So this feature is not
useable on our wireless client (works great on wired domain clients).
Investigating if we can use ClearPass to give the bluecoat the required
information.

 

Edward Ip

Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario |
K2G 1V8 | Canada

algonquincollege.com

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, November 16, 2016 9:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

 

Hello to the awesome group.

 

We've used Cisco ACS with general satisfaction for many years as the RADIUS
solution for our very, very large WLAN's 802.1X authentication. We also have
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a
bit. We're weighing replacing our aging ACS environment, but as many of you
know times are changing. When you shop for RADIUS, you have to wade through
the fog of NAC systems because everything is getting ever more "feature
rich". For major vendors, RADIUS is just a slice of NAC now, and since
everybody "is a software company!" licensing can be ugly. I'm not slamming
those who find value in the many interesting features that the 

RE: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-18 Thread Edward Ip
Very true. I should have explained it a bit better, my bad. Let me give it a 
second try.

Bluecoat has a plugin (BCAAA) installed on the AD domain servers that allows it 
to retrieve a user's ID details from our AD Domain for IP addresses generating
requests to applications and web servers (this works well for wired domain 
clients) which then allows Bluecoat to apply the relevant policies to the 
traffic. Since we are using the Microsoft NPS for radius authentication on 
wireless clients, Bluecoat is not able to retrieve that information from our 
wireless clients as it isn't on the domain.

Bluecoat does not currently have a plugin or API to query the Aruba controllers
for the same information as it does on our AD domain.

Regards,
Edward Ip
Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | K2G 
1V8 | Canada
algonquincollege.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wang, Yu
Sent: Friday, November 18, 2016 8:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Edward,

NPS servers (radius) do not have clients' IP information as the whole 802.1X 
authentication process happens before a client can have an IP address. Once a 
client is successfully authenticated, radius' job is done. The client is then 
assigned to a network and acquires an IP through DHCP. You can get a client's 
IP from Aruba controllers or DHCP servers (client's MAC address from NPS).

Yu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Edward Ip
Sent: Thursday, November 17, 2016 2:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

We have been using Microsoft NPS in a cluster as Radius for 802.1X for a while
now. Our normal concurrent client load is about 12,000 users.

Monitoring is now done via Airwave, specifically using the Clarity feature. In 
the past, we used Solarwinds to query our Aruba controllers for the statistics
and then graphing it in Solarwinds.

We are not doing anything fancy with the NPS servers. My network architect 
wants to be able to query the AD network and set up network policies (like 
bandwidth control and app control) using Bluecoat PacketShaper and the 
Authentication and Authorization Agent (BCAAA) with User Awareness feature. 
However, the NPS servers do not update our AD directory with regard to what IP
address the wireless client is currently using. So this feature is not useable 
on our wireless client (works great on wired domain clients). Investigating if 
we can use ClearPass to give the bluecoat the required information.

Edward Ip
Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | K2G 
1V8 | Canada
algonquincollege.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, November 16, 2016 9:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We've used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN's 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We're weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more "feature rich". For 
major vendors, RADIUS is just a slice of NAC now, and since everybody "is a 
software company!" licensing can be ugly. I'm not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can't help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn't 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443

Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-18 Thread Trenton Hurt
For IPv4, the client’s IP address is available via the Framed-IP-Address
attribute in Interim-Update Accounting-Request packets. For IPv6, client IP
addresses are instead available via Framed-IPv6-Address attributes. They
are made available by NASes that implement DHCP snooping functionality.

On Fri, Nov 18, 2016 at 8:48 AM Wang, Yu wrote:

> Edward,
>
>
>
> NPS servers (radius) do not have clients’ IP information as the whole
> 802.1X authentication process happens before a client can have an IP
> address. Once a client is successfully authenticated, radius’ job is done.
> The client is then assigned to a network and acquires an IP through DHCP.
> You can get a client’s IP from Aruba controllers or DHCP servers (client’s
> MAC address from NPS).
>
>
>
> Yu
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Edward Ip
>
>
> *Sent:* Thursday, November 17, 2016 2:38 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>
> *Subject:* Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?
>
>
>
> We have been using Microsoft NPS in a cluster as Radius for 802.1X for a
> while now. Our normal concurrent client load is about 12,000 users.
>
>
>
> Monitoring is now done via Airwave, specifically using the Clarity
> feature. In the past, we used Solarwinds to query our Aruba controllers for
> the statistics and then graphing it in Solarwinds.
>
>
>
> We are not doing anything fancy with the NPS servers. My network architect
> wants to be able to query the AD network and set up network policies (like
> bandwidth control and app control) using Bluecoat PacketShaper and the
> Authentication and Authorization Agent (BCAAA) with User Awareness feature.
> However, the NPS servers do not update our AD directory with regard to
> what IP address the wireless client is currently using. So this feature is
> not useable on our wireless client (works great on wired domain clients).
> Investigating if we can use ClearPass to give the bluecoat the required
> information.
>
>
>
> *Edward Ip*
>
> *Algonquin College* | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario
> | K2G 1V8 | Canada
>
> algonquincollege.com
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> ] *On Behalf Of *Lee H Badman
> *Sent:* Wednesday, November 16, 2016 9:40 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?
>
>
>
> Hello to the awesome group.
>
>
>
> We’ve used Cisco ACS with general satisfaction for many years as the
> RADIUS solution for our very, very large WLAN’s 802.1X authentication. We
> also have Aruba Clearpass in-house for guest wireless, and have poked
> around at ISE a bit. We’re weighing replacing our aging ACS environment,
> but as many of you know times are changing. When you shop for RADIUS, you
> have to wade through the fog of NAC systems because everything is getting
> ever more “feature rich”. For major vendors, RADIUS is just a slice of NAC
> now, and since everybody “is a software company!” licensing can be ugly.
> I’m not slamming those who find value in the many interesting features that
> the likes of ISE and Clearpass offer, but I also can’t help but be drawn to
> Microsoft NPS when I think about going forward with simple RADIUS.
>
>
>
> Way back when, we avoided Microsoft in this role as the reporting wasn’t
> particularly strong when it came time to troubleshoot clients. We **may**
> have found relief to this through Splunk, and also enjoy a robust Windows
> server environment staffed by absolutely brilliant MS-minded veteran
> admins.
>
>
>
> All that being said- is anyone using NPS as their RADIUS solution for a
> large secure WLAN environment? Can you share likes, dislikes, regrets,
> endorsements, horror stories, tales of success, etc?
>
>
>
>
>
> (Any vendor reps lurking- no, I’m not open to hearing about other RADIUS
> solutions. Please, no calls or emails)
>
>
>
>
>
> Kind regards-
>
>
>
> *Lee Badman* | CWNE #200 | Network Architect
>
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
>
> *t* 315.443.3003  * f* 315.443.4325   *e* lhbad...@syr.edu *w* its.syr.edu
>
>
> *SYRACUSE UNIVERSITY *syr.edu
>
>
>
>
>
>
>
> ** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
>
>
>

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
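
The Framed-IP-Address and Framed-IPv6-Address attributes mentioned in the message above can be read directly from the accounting stream. The Python sketch below is an added example, not code from the thread or from any vendor: it verifies the Accounting-Request authenticator (RFC 2866) before trusting a packet, then maintains an IP-to-user table from Start, Interim-Update and Stop records. The shared secret, user name, MAC address, session ID and IP addresses are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
# Attribute types from RFC 2865/2866; Framed-IPv6-Address is RFC 6911.
USER_NAME, FRAMED_IP, CALLING_STATION_ID = 1, 8, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID, FRAMED_IPV6 = 40, 44, 168
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
SECRET = b"constructed-shared-secret"  # constructed sample value


def _authenticator(header4, attrs, secret):
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header4 + b"\x00" * 16 + attrs + secret).digest()


def build_accounting_request(ident, attrs, secret):
    """Encode a packet as a NAS would; used here only to construct sample input."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header4 = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header4 + _authenticator(header4, body, secret) + body


def parse_accounting_request(packet, secret):
    """Validate and decode one Accounting-Request; ValueError means do not trust it."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]  # octets beyond Length are padding
    expected = _authenticator(packet[:4], packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch")
    record, pos = {"ips": []}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == USER_NAME:
            record["user"] = value.decode("utf-8", "replace")
        elif atype == CALLING_STATION_ID:
            record["mac"] = value.decode("ascii", "replace")
        elif atype == ACCT_SESSION_ID:
            record["session"] = value.decode("ascii", "replace")
        elif atype == ACCT_STATUS_TYPE and len(value) == 4:
            record["status"] = STATUS.get(struct.unpack("!I", value)[0], "Other")
        elif atype == FRAMED_IP and len(value) == 4:
            record["ips"].append(str(ipaddress.IPv4Address(value)))
        elif atype == FRAMED_IPV6 and len(value) == 16:
            record["ips"].append(str(ipaddress.IPv6Address(value)))
        pos += alen
    return record


def apply_record(sessions, record):
    """Update the session table: Stop removes the entry, other records refresh it."""
    key = record.get("session")
    if key is None or record.get("status") not in STATUS.values():
        return
    if record["status"] == "Stop":
        sessions.pop(key, None)
        return
    entry = sessions.setdefault(key, {"user": None, "mac": None, "ips": set()})
    entry["user"] = record.get("user", entry["user"])
    entry["mac"] = record.get("mac", entry["mac"])
    if record["ips"]:  # a record without addresses keeps the last known ones
        entry["ips"] = set(record["ips"])


def user_for_ip(sessions, ip):
    """Answer the question a policy device asks: who currently holds this IP?"""
    for entry in sessions.values():
        if ip in entry["ips"]:
            return entry["user"]
    return None


def sample_packets():
    """Constructed Start / Interim-Update / Stop records for one wireless session."""
    common = [(USER_NAME, b"jdoe"), (CALLING_STATION_ID, b"02-00-00-AA-BB-CC"),
              (ACCT_SESSION_ID, b"S-0001")]
    addrs = [(FRAMED_IP, ipaddress.IPv4Address("192.0.2.45").packed),
             (FRAMED_IPV6, ipaddress.IPv6Address("2001:db8::45").packed)]

    def status(n):
        return [(ACCT_STATUS_TYPE, struct.pack("!I", n))]

    return [build_accounting_request(1, common + status(1), SECRET),
            build_accounting_request(2, common + status(3) + addrs, SECRET),
            build_accounting_request(3, common + status(2), SECRET)]


if __name__ == "__main__":
    table = {}
    for pkt in sample_packets():
        rec = parse_accounting_request(pkt, SECRET)
        apply_record(table, rec)
        print(rec["status"], rec["ips"], "->", user_for_ip(table, "192.0.2.45"))
```

In the sample, the Start record carries no address because the client has not yet completed DHCP, so the lookup only succeeds once the Interim-Update arrives.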



RE: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-18 Thread Wang, Yu
Edward,

NPS servers (radius) do not have clients' IP information as the whole 802.1X 
authentication process happens before a client can have an IP address. Once a 
client is successfully authenticated, radius' job is done. The client is then 
assigned to a network and acquires an IP through DHCP. You can get a client's 
IP from Aruba controllers or DHCP servers (client's MAC address from NPS).

Yu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Edward Ip
Sent: Thursday, November 17, 2016 2:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

We have been using Microsoft NPS in a cluster as Radius for 802.1X for a while
now. Our normal concurrent client load is about 12,000 users.

Monitoring is now done via Airwave, specifically using the Clarity feature. In 
the past, we used Solarwinds to query our Aruba controllers for the statistics
and then graphing it in Solarwinds.

We are not doing anything fancy with the NPS servers. My network architect 
wants to be able to query the AD network and set up network policies (like 
bandwidth control and app control) using Bluecoat PacketShaper and the 
Authentication and Authorization Agent (BCAAA) with User Awareness feature. 
However, the NPS servers do not update our AD directory with regard to what IP
address the wireless client is currently using. So this feature is not useable 
on our wireless client (works great on wired domain clients). Investigating if 
we can use ClearPass to give the bluecoat the required information.

Edward Ip
Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | K2G 
1V8 | Canada
algonquincollege.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, November 16, 2016 9:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We've used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN's 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We're weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more "feature rich". For 
major vendors, RADIUS is just a slice of NAC now, and since everybody "is a 
software company!" licensing can be ugly. I'm not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can't help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn't 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






RE: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-18 Thread Lee H Badman
Thanks, Edward.

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Edward Ip
Sent: Thursday, November 17, 2016 2:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

We have been using Microsoft NPS in a cluster as Radius for 802.1X for a while
now. Our normal concurrent client load is about 12,000 users.

Monitoring is now done via Airwave, specifically using the Clarity feature. In 
the past, we used Solarwinds to query our Aruba controllers for the statistics
and then graphing it in Solarwinds.

We are not doing anything fancy with the NPS servers. My network architect 
wants to be able to query the AD network and set up network policies (like 
bandwidth control and app control) using Bluecoat PacketShaper and the 
Authentication and Authorization Agent (BCAAA) with User Awareness feature. 
However, the NPS servers do not update our AD directory with regard to what IP
address the wireless client is currently using. So this feature is not useable 
on our wireless client (works great on wired domain clients). Investigating if 
we can use ClearPass to give the bluecoat the required information.

Edward Ip
Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | K2G 
1V8 | Canada
algonquincollege.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, November 16, 2016 9:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We've used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN's 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We're weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more "feature rich". For 
major vendors, RADIUS is just a slice of NAC now, and since everybody "is a 
software company!" licensing can be ugly. I'm not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can't help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn't 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






RE: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-17 Thread Edward Ip
We have been using Microsoft NPS in a cluster as Radius for 802.1X for a while
now. Our normal concurrent client load is about 12,000 users.

Monitoring is now done via Airwave, specifically using the Clarity feature. In 
the past, we used Solarwinds to query our Aruba controllers for the statistics
and then graphing it in Solarwinds.

We are not doing anything fancy with the NPS servers. My network architect 
wants to be able to query the AD network and set up network policies (like 
bandwidth control and app control) using Bluecoat PacketShaper and the 
Authentication and Authorization Agent (BCAAA) with User Awareness feature. 
However, the NPS servers do not update our AD directory with regard to what IP
address the wireless client is currently using. So this feature is not useable 
on our wireless client (works great on wired domain clients). Investigating if 
we can use ClearPass to give the bluecoat the required information.

Edward Ip
Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | K2G 
1V8 | Canada
algonquincollege.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, November 16, 2016 9:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We've used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN's 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We're weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more "feature rich". For 
major vendors, RADIUS is just a slice of NAC now, and since everybody "is a 
software company!" licensing can be ugly. I'm not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can't help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn't 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






Re: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-17 Thread Lee H Badman
Thanks, Jen.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Jennifer Francis Wilson 

Sent: Thursday, November 17, 2016 8:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Been using IAS and now NPS for several years for our wireless auth.

We are a reasonable size institution (13,000 peak concurrent wireless devices 
connected) and have not had any issues with it.

We run 2 main servers and 1 eduroam server sitting on the outside that decides 
where to send eduroam auth requests, internally or externally. (all VMs, 1 Xeon 
E5-2670 v3 core, 4GB ram on each)

Having said that, we don't do any kind of performance monitoring or get stats 
on the servers (I guess mainly because they have just worked).
We don't do any realm stripping.
Logs are left on the servers on a compressed drive (last six months worth is 
around 20GB size (5GB on the drive))
We use glogg to look at the log files if we are investigating issues.

We are starting to set up clearpass, but only for guests currently, though the 
boxes should be big enough to handle our full radius load too, eventually.

Regards,

Jen.

Jennifer Wilson
Senior IT Network Analyst
University of Central Lancashire
01772 89 2116

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: 16 November 2016 14:40
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We've used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN's 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We're weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more "feature rich". For 
major vendors, RADIUS is just a slice of NAC now, and since everybody "is a 
software company!" licensing can be ugly. I'm not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can't help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn't 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






RE: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-17 Thread Jennifer Francis Wilson
Been using IAS and now NPS for several years for our wireless auth.

We are a reasonable size institution (13,000 peak concurrent wireless devices 
connected) and have not had any issues with it.

We run 2 main servers and 1 eduroam server sitting on the outside that decides 
where to send eduroam auth requests, internally or externally. (all VMs, 1 Xeon 
E5-2670 v3 core, 4GB ram on each)

Having said that, we don't do any kind of performance monitoring or get stats 
on the servers (I guess mainly because they have just worked).
We don't do any realm stripping.
Logs are left on the servers on a compressed drive (last six months worth is 
around 20GB size (5GB on the drive))
We use glogg to look at the log files if we are investigating issues.

We are starting to set up clearpass, but only for guests currently, though the 
boxes should be big enough to handle our full radius load too, eventually.

Regards,

Jen.

Jennifer Wilson
Senior IT Network Analyst
University of Central Lancashire
01772 89 2116

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: 16 November 2016 14:40
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We've used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN's 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We're weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more "feature rich". For 
major vendors, RADIUS is just a slice of NAC now, and since everybody "is a 
software company!" licensing can be ugly. I'm not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can't help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn't 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






RE: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-17 Thread Lee H Badman
Thanks, Bruce. We are piloting ClearPass as well, and all of your points have 
merit. At the same time, trying to be complete in regards to our own particular 
circumstances. Thanks for the reply.


-  Lee

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Thursday, November 17, 2016 8:07 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Lee,

We actually started 802.1X Wi-Fi with NPS and then moved to FreeRADIUS-based 
ClearPass. Since you already have ClearPass, it may be worth investigating. We 
are using it for RADIUS & Guest, but not as NAC. The NAC (OnGuard) licenses are 
a separate item.

I believe the needed Policy Manager licenses come with the appliance or VM so 
you may already have all the necessary pieces for testing. Each server comes 
with 25 Enterprise licenses, so at least you could start a small test.

Feel free to reach out to me or TJ with any additional questions. Our team email 
is w...@liberty.edu


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Wednesday, November 16, 2016 9:40 AM
Subject: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We've used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN's 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We're weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more "feature rich". For 
major vendors, RADIUS is just a slice of NAC now, and since everybody "is a 
software company!" licensing can be ugly. I'm not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can't help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn't 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






RE: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-17 Thread Osborne, Bruce W (Network Operations)
Lee,

We actually started 802.1X Wi-Fi with NPS and then moved to FreeRADIUS-based 
ClearPass. Since you already have ClearPass, it may be worth investigating. We 
are using it for RADIUS & Guest, but not as NAC. The NAC (OnGuard) licenses are 
a separate item.

I believe the needed Policy Manager licenses come with the appliance or VM so 
you may already have all the necessary pieces for testing. Each server comes 
with 25 Enterprise licenses, so at least you could start a small test.

Feel free to reach out to me or TJ with any additional questions. Our team email 
is w...@liberty.edu


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Wednesday, November 16, 2016 9:40 AM
Subject: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We've used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN's 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We're weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more "feature rich". For 
major vendors, RADIUS is just a slice of NAC now, and since everybody "is a 
software company!" licensing can be ugly. I'm not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can't help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn't 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Lee H Badman
Yeah- thanks, Philippe. I knew I wasn't phrasing that quite right, typed it as 
I was flying out the door earlier.


-Lee




From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of 
Philippe Hanset
Sent: Wednesday, November 16, 2016 5:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Lee,

Radiator is not open source (you can buy support) but it works more smoothly on 
Unix (you can operate it on Windows).

Philippe


On Nov 16, 2016, at 4:34 PM, Lee H Badman <lhbad...@syr.edu> wrote:

Thanks, Philippe. For a number of reasons we're trying to steer away from open 
source on this.

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Philippe Hanset
Sent: Wednesday, November 16, 2016 12:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Lee,

Not speaking from using NPS but from having to help Institutions using NPS:

It is a very "stiff" environment, and Microsoft does not want to listen to the 
eduroam community's requests (not just US, but worldwide)

No REALM stripping
No Server Status (that one is killing us. We have to implement all kinds of 
timers to make sure that servers are responding...when the standard has a built 
in mechanism)
No support for RadSec ever mentioned.

If I were a large University with in house expertise I would do FreeRADIUS 3.0 
or Radiator (or more NAC oriented solutions if you need that)

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
GPG key id: 0xF2636F9C





On Nov 16, 2016, at 9:40 AM, Lee H Badman <lhbad...@syr.edu> wrote:

Hello to the awesome group.

We've used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN's 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We're weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more "feature rich". For 
major vendors, RADIUS is just a slice of NAC now, and since everybody "is a 
software company!" licensing can be ugly. I'm not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can't help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn't 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Philippe Hanset
Lee,

Radiator is not open source (you can buy support) but it works more smoothly on 
Unix (you can operate it on Windows).

Philippe


> On Nov 16, 2016, at 4:34 PM, Lee H Badman  wrote:
> 
> Thanks, Philippe. For a number of reasons we’re trying to steer away from 
> open source on this.
>  
> Lee Badman | CWNE #200 | Network Architect 
> 
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
> 
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Philippe Hanset
> Sent: Wednesday, November 16, 2016 12:58 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?
>  
> Lee,
>  
> Not speaking from using NPS but from having to help Institutions using NPS:
>  
> It is a very “stiff” environment, and Microsoft does not want to listen to 
> the eduroam community’s requests (not just US, but worldwide)
>  
> No REALM stripping
> No Server Status (that one is killing us. We have to implement all kinds of 
> timers to make sure that servers are responding…when the standard has a built 
> in mechanism)
> No support for RadSec ever mentioned.
>  
> If I were a large University with in house expertise I would do FreeRADIUS 
> 3.0 or Radiator (or more NAC oriented solutions if you need that)
>  
> Philippe
>  
> Philippe Hanset, CEO
> www.anyroam.net
> www.eduroam.us
> GPG key id: 0xF2636F9C
> 
> 
> 
> 
> 
>  
> On Nov 16, 2016, at 9:40 AM, Lee H Badman  wrote:
>  
> Hello to the awesome group.
>  
> We’ve used Cisco ACS with general satisfaction for many years as the RADIUS 
> solution for our very, very large WLAN’s 802.1X authentication. We also have 
> Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
> bit. We’re weighing replacing our aging ACS environment, but as many of you 
> know times are changing. When you shop for RADIUS, you have to wade through 
> the fog of NAC systems because everything is getting ever more “feature 
> rich”. For major vendors, RADIUS is just a slice of NAC now, and since 
> everybody “is a software company!” licensing can be ugly. I’m not slamming 
> those who find value in the many interesting features that the likes of ISE 
> and Clearpass offer, but I also can’t help but be drawn to Microsoft NPS when 
> I think about going forward with simple RADIUS.
>  
> Way back when, we avoided Microsoft in this role as the reporting wasn’t 
> particularly strong when it came time to troubleshoot clients. We *may* have 
> found relief to this through Splunk, and also enjoy a robust Windows server 
> environment staffed by absolutely brilliant MS-minded veteran admins. 
>  
> All that being said- is anyone using NPS as their RADIUS solution for a large 
> secure WLAN environment? Can you share likes, dislikes, regrets, 
> endorsements, horror stories, tales of success, etc? 
>  
>  
> (Any vendor reps lurking- no, I’m not open to hearing about other RADIUS 
> solutions. Please, no calls or emails)
>  
>  
> Kind regards-
>  
> Lee Badman | CWNE #200 | Network Architect 
> 
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
>  
>  
>  
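Added example (not part of any post in this thread, and not code from NPS, FreeRADIUS or Radiator): the built-in liveness mechanism mentioned in the message above is Status-Server (RFC 5997). The Python below builds a signed probe, validates it as a server would, and checks the reply, all in memory; the shared secrets and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12           # RFC 5997 packet code
ACCESS_ACCEPT = 2            # what an authentication port answers a probe with
MESSAGE_AUTHENTICATOR = 80   # RFC 3579 attribute, required in Status-Server
HEADER_LEN = 20              # code(1) id(1) length(2) authenticator(16)


def build_status_server(secret, identifier, request_auth=None):
    """Client side: Status-Server request carrying a Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attr = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # value zeroed for the HMAC
    header = struct.pack("!BBH", STATUS_SERVER, identifier, HEADER_LEN + len(attr))
    header += request_auth
    mac = hmac.new(secret, header + attr, hashlib.md5).digest()
    return header + attr[:2] + mac


def find_message_authenticator(packet):
    """Return the offset of the attribute's 16-byte value, or None if absent."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            return pos + 2
        pos += attr_len
    if pos != len(packet):
        raise ValueError("trailing bytes after last attribute")
    return None


def request_is_authentic(secret, packet):
    """Server side: accept only a well-formed, correctly signed Status-Server."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != STATUS_SERVER or length != len(packet):
        return False
    try:
        off = find_message_authenticator(packet)
    except ValueError:
        return False
    if off is None:          # unsigned probes are not answered
        return False
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])


def build_reply(secret, request):
    """Server side: minimal Access-Accept answering the probe (no attributes)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], HEADER_LEN)
    return head + hashlib.md5(head + request[4:20] + secret).digest()


def reply_is_authentic(secret, request, reply):
    """Client side: match the identifier, recompute the Response Authenticator."""
    if len(reply) < HEADER_LEN or reply[1] != request[1]:
        return False
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    if code != ACCESS_ACCEPT or length != len(reply):
        return False
    expected = hashlib.md5(
        reply[:4] + request[4:20] + reply[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def probe(client_secret, server_secret, identifier=1):
    """Run one exchange in memory: 'alive', 'dropped' or 'bad-reply'."""
    request = build_status_server(client_secret, identifier)
    if not request_is_authentic(server_secret, request):
        return "dropped"     # the server stays silent; the client sees a timeout
    reply = build_reply(server_secret, request)
    if reply_is_authentic(client_secret, request, reply):
        return "alive"
    return "bad-reply"


if __name__ == "__main__":
    print(probe(b"constructed-secret", b"constructed-secret"))
    print(probe(b"constructed-secret", b"different-secret"))
```

Without this exchange a proxy can only infer that a server is down from unanswered Access-Requests, which is the timer workaround the message describes.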



RE: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Dexter Caldwell
We've used NPS since before it was called NPS.  We rarely have any issues.  
Sorta like DHCP- just runs.   We do almost everything as 802.1x.   It really 
depends what you're trying to do.   Microsoft Event Logs can be used to 
troubleshoot, but they can be like event logs always are- not fun.   Log 
aggregation systems help, but when you really need to troubleshoot, I find it 
easier just to start with a client and track that client through the logs.  
Once I profile what's happening to a relevant, I can easily see how often the 
pattern is happening for other users.  That doesn't make the logs any more fun 
though.

If you're doing really fancy things with Radius, you need to be sure it has 
everything you want.  Most of it is there, but getting started will likely be 
your biggest roadblock, not because it's not heavily documented.  Usually 
though your product vendor will have instructions for it if you don't know what 
they require.

For us, it's been one of my least problematic core network services.  I'd just be 
sure you have enough servers and disk space to store your logs and that you 
either archive them or set them to roll since they can eat disk space if you 
don't set the logs properly.   For larger schools you may experience 
scalability issues, but so far we have not.  If you use radius for a lot of 
different products you may find issues we haven't run into.  If you want good 
stats, or trending,  etc, it's probably not the best platform at all for 
getting that without some effort.

Dexter
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, November 16, 2016 9:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We've used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN's 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We're weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more "feature rich". For 
major vendors, RADIUS is just a slice of NAC now, and since everybody "is a 
software company!" licensing can be ugly. I'm not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can't help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn't 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu



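Added example, not from the thread: the approach described in the message above (profile one client's failures, then see how widely the same pattern occurs) written out in Python. The flattened CSV layout, MAC addresses, AP names and user names are constructed; 6272 and 6273 are the Windows Security event IDs NPS logs for granted and denied access, and reason codes are treated as opaque numbers.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime
from typing import NamedTuple

GRANTED, DENIED = 6272, 6273   # Windows Security event IDs logged by NPS

# Constructed sample. Assumed columns: time, event ID, user, client MAC, AP, reason code.
SAMPLE = """\
2016-11-16T14:02:11,6272,user1@example.edu,02-00-00-00-00-01,ap-a,0
2016-11-16T14:05:40,6273,user1@example.edu,02-00-00-00-00-01,ap-a,22
2016-11-16T14:05:52,6273,user1@example.edu,02-00-00-00-00-01,ap-a,22
2016-11-16T14:06:03,6273,user2@example.edu,02-00-00-00-00-02,ap-a,22
2016-11-16T14:06:30,6273,user3@example.edu,02-00-00-00-00-03,ap-b,16
2016-11-16T14:09:15,6273,user4@example.edu,02-00-00-00-00-04,ap-c,22
2016-11-16T14:09:20,6272,user2@example.edu,02-00-00-00-00-02,ap-a,0
"""


class Event(NamedTuple):
    when: datetime
    event_id: int
    user: str
    mac: str
    ap: str
    reason: int


def parse(text):
    """Turn the flattened export into Event records, skipping short rows."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) != 6:
            continue   # blank or truncated line: skip rather than guess
        when, event_id, user, mac, ap, reason = row
        events.append(Event(datetime.fromisoformat(when), int(event_id),
                            user, mac.upper(), ap, int(reason)))
    return events


def profile_client(events, mac):
    """Step 1: the dominant (event ID, reason code) among one client's denials."""
    fails = Counter((e.event_id, e.reason) for e in events
                    if e.mac == mac.upper() and e.event_id == DENIED)
    return fails.most_common(1)[0][0] if fails else None


def spread(events, pattern):
    """Step 2: how far the same pattern reaches across clients, APs and minutes."""
    per_client = Counter()
    per_ap = defaultdict(set)
    per_minute = defaultdict(set)
    for e in events:
        if (e.event_id, e.reason) != pattern:
            continue
        per_client[e.mac] += 1
        per_ap[e.ap].add(e.mac)
        per_minute[e.when.strftime("%H:%M")].add(e.mac)
    return {
        "clients": dict(per_client),                           # MAC -> matching events
        "aps": {ap: len(m) for ap, m in per_ap.items()},       # AP -> distinct clients
        "minutes": {t: len(m) for t, m in per_minute.items()}  # minute -> distinct clients
    }


if __name__ == "__main__":
    evts = parse(SAMPLE)
    pattern = profile_client(evts, "02-00-00-00-00-01")
    print(pattern, spread(evts, pattern))
```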



RE: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Lee H Badman
Thanks, Philippe. For a number of reasons we’re trying to steer away from open 
source on this.

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Philippe Hanset
Sent: Wednesday, November 16, 2016 12:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Lee,

Not speaking from using NPS but from having to help Institutions using NPS:

It is a very “stiff” environment, and Microsoft does not want to listen to the 
eduroam community’s requests (not just US, but worldwide)

No REALM stripping
No Server Status (that one is killing us. We have to implement all kinds of 
timers to make sure that servers are responding…when the standard has a built 
in mechanism)
No support for RadSec ever mentioned.

If I were a large University with in house expertise I would do FreeRADIUS 3.0 
or Radiator (or more NAC oriented solutions if you need that)

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
GPG key id: 0xF2636F9C





On Nov 16, 2016, at 9:40 AM, Lee H Badman <lhbad...@syr.edu> wrote:

Hello to the awesome group.

We’ve used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN’s 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We’re weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more “feature rich”. For 
major vendors, RADIUS is just a slice of NAC now, and since everybody “is a 
software company!” licensing can be ugly. I’m not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can’t help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn’t 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I’m not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Jeremy Gibbs
I only use NPS for Cisco RADIUS auth.  Otherwise, all of our authentication
hits Extreme NAC (uses FreeRADIUS as a backend).  I dislike NPS very much.




*--Jeremy L. Gibbs*
Sr. Network Engineer
Utica College IITS

On Wed, Nov 16, 2016 at 3:29 PM, Mike Atkins  wrote:

> Bruce,
>
> We are using Microsoft Event log view for NPS/security and are also
> exporting security logs daily to another system that we built to massage
> the information in order to get stats and summarize errors.  We have
> Microsoft System Center that I believe can be expanded to do additional
> reporting and alerting but we have been unsuccessful in getting the other
> groups to implement it.
>
>
>
> I used perfmon for a very short period when I was initially looking at a way
> to graph rates over a 24 hour period and was quickly discouraged.  I did
> not have a working baseline to compare to and I could not find a published
> spec.  Our identity group opened a ticket with Microsoft and never got a
> solid # on rates.  I believe the response was “depends on your server
> resources.”  I was looking at success and failure rates but the problem at
> the time was NPS just stopped responding to the supplicant.  I did not see
> a counter for something like that.  Maybe I did not look hard enough and
> there is a way to calculate it.  I should probably take another look if you
> find it useful.
>
>
>
> A typical troubleshooting scenario was “everyone in this room was
> disconnected!”  I ask the typical question, “did everyone get disconnected
> at the same time.”  Response is “yes!”  I ask “so everyone got disconnected
> at the very same minute?”  Response, “well no, but during the meeting most
> of us got disconnected.”  I reply “most not everyone?.?.?…..”  :)  You
> know how it goes.  In the end I had to look at information far enough back
> that it is/was very difficult to use perfmon.
>
>
>
>
>
>
>
> *Mike Atkins *
>
> Network Engineer
>
> Office of Information Technology
>
> University of Notre Dame
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Bruce Boardman
> *Sent:* Wednesday, November 16, 2016 2:49 PM
>
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?
>
>
>
> Mike
>
> Regarding the Troubleshooting and debug challenges with NPS are you
> exporting the MS events to a log collector or using the server's native
> event viewer? How useful have you found the PerfMon RADIUS metrics?
>
>
>
>
>
> |Bruce Boardman, Network Engineer, Syracuse University -  315 412-4156
>
> --
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Mike Atkins <
> matk...@nd.edu>
> *Sent:* Wednesday, November 16, 2016 2:44 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?
>
>
>
> Lee,
>
> We use Microsoft NPS for radius on dot1x wireless (ND-secure & eduroam.)
> Troubleshooting and getting debug information has been very difficult.
> Finding a deployment guide on expected performance/load is also impossible
> to find.  I think configuration is absolutely key.  My impression is either
> it works great or it does not.
>
>
>
> Dennis,
>
> I think we are doing the realm stripping you are talking about using NPS.
> Our identity management group has two policies configured for eduroam.  The
> first policy says identity @nd.edu authenticate PEAP requests on the
> local server.  The second policy says “@” forward to the two eduroam.us
> “servers.”  There are a couple other policies for off campus users that get
> forwarded from eduroam.us servers.  Maybe not what you are talking about
> but just thought I would chime in just in case.
>
>
>
>
>
>
>
>
>
>
>
> *Mike Atkins *
>
> Network Engineer
>
> Office of Information Technology
>
> University of Notre Dame
>
> Phone: 574-631-7210
>
>
>
>
>
>    .__o
>
>- _-\_<,
>
>---  (*)/'(*)
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Lee H Badman
> *Sent:* Wednesday, November 16, 2016 9:40 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?
>
>
>
> Hello to the awesome group.
>
>
>
> We’ve used Cisco ACS with general satisfaction for many years as the
> RADIUS solution for our very, ve

RE: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Mike Atkins
Bruce,

We are using Microsoft Event log view for NPS/security and are also
exporting security logs daily to another system that we built to massage
the information in order to get stats and summarize errors.  We have
Microsoft System Center that I believe can be expanded to do additional
reporting and alerting but we have been unsuccessful in getting the other
groups to implement it.



I used perfmon for a very short period when I was initially looking at a way
to graph rates over a 24 hour period and was quickly discouraged.  I did
not have a working baseline to compare to and I could not find a published
spec.  Our identity group opened a ticket with Microsoft and never got a
solid # on rates.  I believe the response was “depends on your server
resources.”  I was looking at success and failure rates but the problem at
the time was NPS just stopped responding to the supplicant.  I did not see
a counter for something like that.  Maybe I did not look hard enough and
there is a way to calculate it.  I should probably take another look if you
find it useful.



A typical troubleshooting scenario was “everyone in this room was
disconnected!”  I ask the typical question, “did everyone get disconnected
at the same time.”  Response is “yes!”  I ask “so everyone got disconnected
at the very same minute?”  Response, “well no, but during the meeting most
of us got disconnected.”  I reply “most not everyone?.?.?…..”  :)  You know
how it goes.  In the end I had to look at information far enough back that
it is/was very difficult to use perfmon.







*Mike Atkins *

Network Engineer

Office of Information Technology

University of Notre Dame



*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Bruce Boardman
*Sent:* Wednesday, November 16, 2016 2:49 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?



Mike

Regarding the Troubleshooting and debug challenges with NPS are you
exporting the MS events to a log collector or using the server's native
event viewer? How useful have you found the PerfMon RADIUS metrics?





|Bruce Boardman, Network Engineer, Syracuse University -  315 412-4156

--

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv <
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Mike Atkins 
*Sent:* Wednesday, November 16, 2016 2:44 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?



Lee,

We use Microsoft NPS for radius on dot1x wireless (ND-secure & eduroam.)
Troubleshooting and getting debug information has been very difficult.
Finding a deployment guide on expected performance/load is also impossible
to find.  I think configuration is absolutely key.  My impression is either
it works great or it does not.



Dennis,

I think we are doing the realm stripping you are talking about using NPS.
Our identity management group has two policies configured for eduroam.  The
first policy says identity @nd.edu authenticate PEAP requests on the local
server.  The second policy says “@” forward to the two eduroam.us
“servers.”  There are a couple other policies for off campus users that get
forwarded from eduroam.us servers.  Maybe not what you are talking about
but just thought I would chime in just in case.











*Mike Atkins *

Network Engineer

Office of Information Technology

University of Notre Dame

Phone: 574-631-7210





   .__o

   - _-\_<,

   ---  (*)/'(*)



*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Lee H Badman
*Sent:* Wednesday, November 16, 2016 9:40 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?



Hello to the awesome group.



We’ve used Cisco ACS with general satisfaction for many years as the RADIUS
solution for our very, very large WLAN’s 802.1X authentication. We also
have Aruba Clearpass in-house for guest wireless, and have poked around at
ISE a bit. We’re weighing replacing our aging ACS environment, but as many
of you know times are changing. When you shop for RADIUS, you have to wade
through the fog of NAC systems because everything is getting ever more
“feature rich”. For major vendors, RADIUS is just a slice of NAC now, and
since everybody “is a software company!” licensing can be ugly. I’m not
slamming those who find value in the many interesting features that the
likes of ISE and Clearpass offer, but I also can’t help but be drawn to
Microsoft NPS when I think about going forward with simple RADIUS.



Way back when, we avoided Microsoft in this role as the reporting wasn’t
particularly strong when it came time to troubleshoot clients. We **may**
have found relief to this through Splunk, and also enjoy a robust Windows
server environment staffed by 

Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Bruce Boardman
Mike,

Regarding the troubleshooting and debug challenges with NPS, are you exporting 
the MS events to a log collector or using the server's native event viewer? How 
useful have you found the PerfMon RADIUS metrics?



|Bruce Boardman, Network Engineer, Syracuse University -  315 412-4156

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Mike Atkins 
Sent: Wednesday, November 16, 2016 2:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Lee,
We use Microsoft NPS for RADIUS on dot1x wireless (ND-secure & eduroam.) 
Troubleshooting and getting debug information has been very difficult.  A 
deployment guide on expected performance/load is also impossible to find.  I 
think configuration is absolutely key.  My impression is either it works great 
or it does not.

Dennis,
I think we are doing the realm stripping you are talking about using NPS.  Our 
identity management group has two policies configured for eduroam.  The first 
policy says identity @nd.edu authenticate PEAP requests on the local server.  
The second policy says "@" forward to the two eduroam.us "servers."  There are 
a couple other policies for off campus users that get forwarded from eduroam.us 
servers.  Maybe not what you are talking about but just thought I would chime 
in just in case.





Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame
Phone: 574-631-7210


   .__o
   - _-\_<,
   ---  (*)/'(*)

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, November 16, 2016 9:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We've used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN's 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We're weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more "feature rich". For 
major vendors, RADIUS is just a slice of NAC now, and since everybody "is a 
software company!" licensing can be ugly. I'm not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can't help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn't 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.



RE: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Mike Atkins
Lee,

We use Microsoft NPS for RADIUS on dot1x wireless (ND-secure & eduroam.)
Troubleshooting and getting debug information has been very difficult.
A deployment guide on expected performance/load is also impossible
to find.  I think configuration is absolutely key.  My impression is either
it works great or it does not.



Dennis,

I think we are doing the realm stripping you are talking about using NPS.
Our identity management group has two policies configured for eduroam.  The
first policy says identity @nd.edu authenticate PEAP requests on the local
server.  The second policy says “@” forward to the two eduroam.us
“servers.”  There are a couple other policies for off campus users that get
forwarded from eduroam.us servers.  Maybe not what you are talking about
but just thought I would chime in just in case.











*Mike Atkins*
Network Engineer
Office of Information Technology
University of Notre Dame
Phone: 574-631-7210

   .__o
   - _-\_<,
   ---  (*)/'(*)



*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Lee H Badman
*Sent:* Wednesday, November 16, 2016 9:40 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?



Hello to the awesome group.



We’ve used Cisco ACS with general satisfaction for many years as the RADIUS
solution for our very, very large WLAN’s 802.1X authentication. We also
have Aruba Clearpass in-house for guest wireless, and have poked around at
ISE a bit. We’re weighing replacing our aging ACS environment, but as many
of you know times are changing. When you shop for RADIUS, you have to wade
through the fog of NAC systems because everything is getting ever more
“feature rich”. For major vendors, RADIUS is just a slice of NAC now, and
since everybody “is a software company!” licensing can be ugly. I’m not
slamming those who find value in the many interesting features that the
likes of ISE and Clearpass offer, but I also can’t help but be drawn to
Microsoft NPS when I think about going forward with simple RADIUS.



Way back when, we avoided Microsoft in this role as the reporting wasn’t
particularly strong when it came time to troubleshoot clients. We **may**
have found relief to this through Splunk, and also enjoy a robust Windows
server environment staffed by absolutely brilliant MS-minded veteran
admins.



All that being said- is anyone using NPS as their RADIUS solution for a
large secure WLAN environment? Can you share likes, dislikes, regrets,
endorsements, horror stories, tales of success, etc?





(Any vendor reps lurking- no, I’m not open to hearing about other RADIUS
solutions. Please, no calls or emails)





Kind regards-



*Lee Badman* | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

*t* 315.443.3003   *f* 315.443.4325   *e* lhbad...@syr.edu   *w* its.syr.edu

*SYRACUSE UNIVERSITY*
syr.edu










Re: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Curtis K. Larsen
Ditto.  But technically we use PacketFence which uses FreeRADIUS under the 
hood.  We had the same realm stripping problem with ISE 2-3 yrs. ago.  We use 
realm stripping internally as well as when proxying externally.  I understand 
the external realm stripping was fixed long ago.  Not sure if internal realm 
stripping is still an issue.


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Dennis Xu 
Sent: Wednesday, November 16, 2016 10:50 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

We have migrated our ACS servers to FreeRADIUS with success. We looked into NPS 
and the roadblock was the realm suffix stripping. We need to strip username 
d...@uoguelph.ca to just 'dxu' before authenticating with Active Directory. NPS 
only strips the outer PEAP identity but not the inner identity.  Also NPS can 
strip the realm when it is running as proxy but not in local processing mode. 
See the following discussion for more detail. We were seeing the exact same 
behavior:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/e73183d4-7b2f-48a7-9246-97ed711e8e8d/eappeapmschapv2-realm-stripping?forum=winserverNAP


Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Lee H Badman 

Sent: Wednesday, November 16, 2016 9:40:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We’ve used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN’s 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We’re weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more “feature rich”. For 
major vendors, RADIUS is just a slice of NAC now, and since everybody “is a 
software company!” licensing can be ugly. I’m not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can’t help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn’t 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I’m not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu





Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Philippe Hanset
Lee,

Not speaking from using NPS but from having to help Institutions using NPS:

It is a very “stiff” environment, and Microsoft does not want to listen to the 
eduroam community’s requests (not just US, but worldwide)

No REALM stripping
No Server Status (that one is killing us. We have to implement all kinds of 
timers to make sure that servers are responding…when the standard has a 
built-in mechanism)
No support for RadSec ever mentioned.

If I were a large University with in-house expertise I would do FreeRADIUS 3.0 
or Radiator (or more NAC oriented solutions if you need that)

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
GPG key id: 0xF2636F9C






> On Nov 16, 2016, at 9:40 AM, Lee H Badman  wrote:
> 
> Hello to the awesome group.
>  
> We’ve used Cisco ACS with general satisfaction for many years as the RADIUS 
> solution for our very, very large WLAN’s 802.1X authentication. We also have 
> Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
> bit. We’re weighing replacing our aging ACS environment, but as many of you 
> know times are changing. When you shop for RADIUS, you have to wade through 
> the fog of NAC systems because everything is getting ever more “feature 
> rich”. For major vendors, RADIUS is just a slice of NAC now, and since 
> everybody “is a software company!” licensing can be ugly. I’m not slamming 
> those who find value in the many interesting features that the likes of ISE 
> and Clearpass offer, but I also can’t help but be drawn to Microsoft NPS when 
> I think about going forward with simple RADIUS.
>  
> Way back when, we avoided Microsoft in this role as the reporting wasn’t 
> particularly strong when it came time to troubleshoot clients. We *may* have 
> found relief to this through Splunk, and also enjoy a robust Windows server 
> environment staffed by absolutely brilliant MS-minded veteran admins. 
>  
> All that being said- is anyone using NPS as their RADIUS solution for a large 
> secure WLAN environment? Can you share likes, dislikes, regrets, 
> endorsements, horror stories, tales of success, etc? 
>  
>  
> (Any vendor reps lurking- no, I’m not open to hearing about other RADIUS 
> solutions. Please, no calls or emails)
>  
>  
> Kind regards-
>  
> Lee Badman | CWNE #200 | Network Architect 
> 
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu 
>  w its.syr.edu 
> SYRACUSE UNIVERSITY
> syr.edu 
>  
>  
>  
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/ .
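The built-in liveness mechanism mentioned in the reply above, as an added example that is not from the thread or from any RADIUS product: assuming the mechanism meant is Status-Server (RFC 5997), this builds the probe a proxy sends to a home server and validates both the probe and the reply. The shared secret, identifier and reply are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

STATUS_SERVER = 12           # packet code (RFC 5997)
ACCESS_ACCEPT = 2            # reply code when probing the authentication port
MESSAGE_AUTHENTICATOR = 80   # attribute type (RFC 2869)


def build_status_server(secret: bytes, identifier: int,
                        authenticator: Optional[bytes] = None) -> bytes:
    """Build a Status-Server request whose only attribute is Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    if len(authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    attr_head = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18)
    header = struct.pack("!BBH", STATUS_SERVER, identifier & 0xFF, 38) + authenticator
    # HMAC-MD5 over the whole packet with the attribute value set to zero.
    mac = hmac.new(secret, header + attr_head + bytes(16), hashlib.md5).digest()
    return header + attr_head + mac


def request_is_authentic(packet: bytes, secret: bytes) -> bool:
    """Server-side check: locate attribute 80 and recompute it."""
    if len(packet) < 20 or packet[0] != STATUS_SERVER:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False                      # malformed attribute list
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, packet[pos + 2:pos + 18])
        pos += alen
    return False                              # RFC 5997 requires the attribute


def reply_is_authentic(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check of the Response Authenticator (RFC 2865).

    A Message-Authenticator inside the reply is not checked here.
    """
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def constructed_reply(request: bytes, secret: bytes) -> bytes:
    """Constructed sample: the attribute-less Access-Accept a live server returns."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    probe = build_status_server(key, identifier=7)
    print("probe ok:", request_is_authentic(probe, key))
    print("reply ok:", reply_is_authentic(constructed_reply(probe, key), probe, key))
```

A probe that gets no authentic reply within the retry window marks the server dead without sending any user credentials.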





RE: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Lee H Badman
Thanks, Dennis!

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Wednesday, November 16, 2016 12:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?


We have migrated our ACS servers to FreeRADIUS with success. We looked into NPS 
and the roadblock was the realm suffix stripping. We need to strip username 
d...@uoguelph.ca to just 'dxu' before authenticating with Active Directory. NPS 
only strips the outer PEAP identity but not the inner identity.  Also NPS can 
strip the realm when it is running as proxy but not in local processing mode. 
See the following discussion for more detail. We were seeing the exact same 
behavior:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/e73183d4-7b2f-48a7-9246-97ed711e8e8d/eappeapmschapv2-realm-stripping?forum=winserverNAP


Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman 
<lhbad...@syr.edu>
Sent: Wednesday, November 16, 2016 9:40:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We've used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN's 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We're weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more "feature rich". For 
major vendors, RADIUS is just a slice of NAC now, and since everybody "is a 
software company!" licensing can be ugly. I'm not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can't help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn't 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






Re: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Dennis Xu
We have migrated our ACS servers to FreeRADIUS with success. We looked into NPS 
and the roadblock was the realm suffix stripping. We need to strip username 
d...@uoguelph.ca to just 'dxu' before authenticating with Active Directory. NPS 
only strips the outer PEAP identity but not the inner identity.  Also NPS can 
strip the realm when it is running as proxy but not in local processing mode. 
See the following discussion for more detail. We were seeing the exact same 
behavior:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/e73183d4-7b2f-48a7-9246-97ed711e8e8d/eappeapmschapv2-realm-stripping?forum=winserverNAP


Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Lee H Badman 

Sent: Wednesday, November 16, 2016 9:40:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We've used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN's 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We're weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more "feature rich". For 
major vendors, RADIUS is just a slice of NAC now, and since everybody "is a 
software company!" licensing can be ugly. I'm not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can't help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn't 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu
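The realm handling discussed in this thread (an ordered pair of policies that authenticates the home realm locally and forwards every other realm, with the realm stripped before the directory lookup), as an added example that is not any poster's configuration and not NPS or FreeRADIUS code. The realm `example.edu`, the function names and the sample identities are constructed; `strip_inner=False` reproduces the reported case where only the outer identity is rewritten.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_REALM = "example.edu"   # constructed home realm, not from the thread

# One DNS label; a realm must consist of at least two labels.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_REALM_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


@dataclass(frozen=True)
class Decision:
    action: str                           # "local", "proxy" or "reject"
    directory_name: Optional[str] = None  # name used for the directory lookup
    reason: str = ""


def split_identity(identity: str) -> Tuple[str, Optional[str]]:
    """Split user@realm at the last '@'. The realm is compared lower-cased."""
    user, sep, realm = identity.rpartition("@")
    if not sep:
        return identity, None
    return user, realm.lower()


def route(outer: str, inner: str, from_proxy: bool = False,
          strip_inner: bool = True) -> Decision:
    """Decide what to do with one PEAP authentication.

    outer: RADIUS User-Name (outer identity, often anonymous@realm).
    inner: identity sent inside the PEAP tunnel (MSCHAPv2 user name).
    from_proxy: True when the request arrived from the roaming proxies.
    """
    user, realm = split_identity(outer)
    if realm is None:
        return Decision("reject", reason="no realm, no policy matches")
    if not user or "@" in user or not _REALM_RE.fullmatch(realm):
        return Decision("reject", reason="malformed identity, never forwarded")

    if realm != LOCAL_REALM:
        # Second policy: any other realm goes to the roaming proxies, unless
        # that is where it came from (forwarding it back would loop).
        if from_proxy:
            return Decision("reject", reason="foreign realm received from proxy")
        return Decision("proxy", reason=f"forward realm {realm}")

    # First policy: the home realm is authenticated locally, whether the
    # request came from a campus AP or back through the roaming proxies.
    inner_user, inner_realm = split_identity(inner)
    if inner_realm not in (None, LOCAL_REALM):
        return Decision("reject", reason="inner realm differs from outer realm")
    if not inner_user:
        return Decision("reject", reason="empty inner user name")
    name = inner_user if strip_inner else inner
    return Decision("local", directory_name=name, reason="home realm")


if __name__ == "__main__":
    samples = [  # constructed (outer, inner, from_proxy) triples
        ("anonymous@example.edu", "dxu@example.edu", False),
        ("Visitor@Example.ORG", "visitor@example.org", False),
        ("visitor@example.org", "visitor@example.org", True),
        ("bob@example..edu", "bob", False),
    ]
    for outer, inner, via_proxy in samples:
        print(outer, "->", route(outer, inner, via_proxy))
```

With an anonymous outer identity the directory name can only come from the inner identity, which is why rewriting the outer User-Name alone leaves `user@realm` in the lookup.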






Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Lee H Badman
Hello to the awesome group.

We've used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN's 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We're weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more "feature rich". For 
major vendors, RADIUS is just a slice of NAC now, and since everybody "is a 
software company!" licensing can be ugly. I'm not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can't help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn't 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-


Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu

SYRACUSE UNIVERSITY
syr.edu



