First off, we block P2P using our Fortinet and SafeConnect, so we have
never had an RIAA Complaint ;), but as to your question, SafeConnect
allows us to search on an IP and see who was logged in at that time.
Also we have a 1-year DHCP lease which allows computer->IP connections
to be very near permanent, allowing much easier linking of
user/computer/IPs.

 

-Mike
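The IP-to-user lookup Mike describes (search login records by IP, relying on long DHCP leases) as an added example, not code from the thread or from SafeConnect: it correlates constructed DHCP lease and 802.1x RADIUS accounting log lines, and the line formats, names and addresses below are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not from the thread). Assumed line formats:
#   DHCP:   "<iso time> DHCPACK <ip> <mac>"
#   RADIUS: "<iso time> Acct-Start|Acct-Stop <username> <mac>"
DHCP_LOG = """\
2008-02-02T09:00:00 DHCPACK 10.20.30.40 00:11:22:33:44:55
2008-02-02T09:05:00 DHCPACK 10.20.30.41 66:77:88:99:aa:bb
2008-02-03T14:00:00 DHCPACK 10.20.30.40 66:77:88:99:aa:bb
"""
RADIUS_LOG = """\
2008-02-02T08:59:50 Acct-Start jsmith 00:11:22:33:44:55
2008-02-02T09:04:55 Acct-Start pjones 66:77:88:99:aa:bb
2008-02-02T17:30:00 Acct-Stop jsmith 00:11:22:33:44:55
2008-02-03T13:59:50 Acct-Start pjones 66:77:88:99:aa:bb
"""

def parse(log):
    """Return (timestamp, field1, field2, field3) tuples, oldest first."""
    rows = [line.split() for line in log.splitlines() if line.strip()]
    rows = [(datetime.fromisoformat(r[0]), *r[1:]) for r in rows]
    return sorted(rows, key=lambda r: r[0])

def mac_for_ip(ip, when, lease=timedelta(days=365)):
    """MAC holding `ip` at `when`: the most recent DHCPACK for that IP at or
    before `when`, as long as the lease (1 year here) has not expired."""
    binding = None
    for ts, _, lease_ip, mac in parse(DHCP_LOG):
        if lease_ip == ip and ts <= when:
            binding = (ts, mac)
    if binding and when - binding[0] <= lease:
        return binding[1]
    return None

def user_for_mac(mac, when):
    """802.1x user whose accounting session for `mac` was open at `when`."""
    user = None
    for ts, event, name, sess_mac in parse(RADIUS_LOG):
        if sess_mac != mac or ts > when:
            continue
        user = name if event == "Acct-Start" else None  # Acct-Stop closes it
    return user

def who_had_ip(ip, when_iso):
    """Answer the complaint question: (user, mac) holding `ip` at that time."""
    when = datetime.fromisoformat(when_iso)
    mac = mac_for_ip(ip, when)
    if mac is None:
        return None
    return (user_for_mac(mac, when), mac)
```

A result of `(None, mac)` means the address was leased but no 802.1x session was open, which is exactly the gap a web login such as SafeConnect's records would have to fill.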

 

From: Peter P Morrissey [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 05, 2008 11:11 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Wireless 802.1x working well- now add NAC?

 

So how would you guys track down a user to an IP address if you had a
security complaint or RIAA complaint? For example someone says "IP
address x.x.x.x DOSed/hacked etc our machine three days ago." How do you
identify the machine and the IP address they were using? Since we use
DHCP on our wireless, this would be a challenge.

 

Thanks,

Pete Morrissey

 

________________________________

From: Mike Binns [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 05, 2008 11:03 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Wireless 802.1x working well- now add NAC?

 

We use WPA/802.1x on our wireless for all our students and
faculty/staff. We also use SafeConnect, which asks them to log in every
7 days. Faculty/Staff who are on our domain do not need to log in to
SafeConnect because it uses Windows Integrated Authentication to log
them in as the domain user who is logged in to Windows. Our students are
not on the domain, so they do log in every 7 days. Since it is a web
login, their browser has the ability to cache the credentials (could be
turned off very easily in code if we wanted to).

 

-Mike

 

From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 05, 2008 10:17 AM
To: [email protected]
Subject: [WIRELESS-LAN] Wireless 802.1x working well- now add NAC?

 

We have a very successful 802.1x wireless network, using native
supplicants, WPA/2, PEAP w/ MSCHAPv2, going against AD. In the general
production network, we use simple go/nogo from the perspective of AD. If
you're in AD, you are allowed in. (We have special WLANs that actually
use RADIUS attributes, but not on the big honkin' general WLAN). We use
Cisco ACS for RADIUS.

 

We are now looking at adding NAC (possibly Impulse or Lockdown, or one
of a couple of others- and please, no NAC vendors contact me after
reading this) to both the wired and wireless networks- but it gets a bit
weird looking at adding NAC to 802.1x (which is NAC to a certain degree
in and of itself) for the likes of posture/health checking. For 802.1x,
we tout the value of stored credentials on personal machines to
facilitate fast access to the WLAN. But agent-based NAC systems tend to
want frequent logins for various functions...

 

I guess I don't have specific questions, but has anyone else wrestled
with these issues, and what did you end up doing? I realize I'm giving
you little info, but really just looking for general thoughts- offline
is fine...

 

Lee H. Badman

Wireless/Network Engineer

Information Technology and Services

Syracuse University

315 443-3003

 

********** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/. 
