Identifying users is a big concern for us. We need to be able to identify users for DMCA purposes, for example.
--
Neil Johnson
Network Engineer
The University of Iowa
W: 319 384-0938
M: 319 540-2081
http://www.uiowa.edu

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Brooks, Stan
Sent: Thursday, May 29, 2008 10:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Using Private IP addresses for wireless users.

Neil,

At Emory, we've been NAT'ing wireless users since last fall - ResNet users since before move-in weekend, and regular academic users since last fall break. We've not had any issues from the users that have been NAT'ed.

By far the more complicated NAT was ResNet as we use NetReg and CAT for network access control and scanning. We end up internally routing the NAT addresses for NetReg - it hands out the DHCP addresses. Once a ResNet client gets an IP address, the NAT function is handled by our Aruba controllers. On the academic side, the controllers themselves handle DHCP for the wireless users along with NAT'ing the traffic. We have 4 class C non-routeable subnets per controller (4 ResNet controllers and 6 Academic controllers). The Aruba gear will load-balance users across those subnets for us. The Aruba gear also NATs the traffic through a pool of (routeable) addresses.

IDS is handled by Tipping Points on the (routeable) network, just like any wired device. We don't have any way of easily tying a user/session on the non-routeable subnets to an IP on the routeable network. We can see the session as it happens, but there is no good way to go back through the logs and determine that this user hit a particular IP address on the Internet. To date, we haven't needed to.

We originally moved to NAT because of scarce IP resources, and the number of wireless users was increasing at alarming rates. With NAT'ed IP addresses, we can support huge numbers of wireless users and ease some of the pressure on our allocated IP addresses.
We felt and still feel that the benefits outweigh the problems with tracking individual users.

>>-> Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division
404.727.0226
[EMAIL PROTECTED]
AIM: WLANstan Yahoo!: WLANstan MSN: [EMAIL PROTECTED]

________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [EMAIL PROTECTED] On Behalf Of Johnson, Neil M [EMAIL PROTECTED]
Sent: Thursday, May 29, 2008 9:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Using Private IP addresses for wireless users.

We will be out of address space for one of our wireless nets (currently a /21) in the fall. We do not have a larger block available, and attempts to obtain additional address space by fall are not looking promising, so there is a distinct possibility that we will have to move our wireless users to private address space.

So I'm looking for information from other institutions who use private address space for their wireless networks.

We are primarily a Meru shop, although we have about 86 Cisco LWAPP APs in production. We use 802.1X (WPA2 Enterprise) for authentication.

Here are the questions I have:

- How do you implement NAT?
- How do you provide DHCP addresses to your clients?
- How do you handle IDS and Flow data collection?
- What tools and processes do you use to tie a public IP address back to an 802.1X authenticated user?
- What kind of application issues have you run into and how do you handle them?
- Are your end-users satisfied with the service?

Thanks.

--
Neil Johnson
Network Engineer
The University of Iowa
W: 319 384-0938
M: 319 540-2081
http://www.uiowa.edu

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.