Stan,
Can you tell me what type of location information you get and from what
log? "802.1x/WPA-Enterprise, so we have usernames and locations in our
logs"

We are trying to figure out if there is a way to determine what APs users
are/have been on but all we have seen in the RADIUS logs is the
controller as the NAS.


Thanks,
Greg



-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Brooks, Stan
Sent: Wednesday, July 02, 2008 6:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] NAT in large scale wireless networks

Mike,

We, too, are an Aruba shop, and have been doing NAT on our academic and
ResNet wireless networks for about a year now.  Two years ago, we ran
out of IP addresses on our wireless network on Move-In Weekend and had
to scramble to add additional subnets - a scarce commodity here at
Emory.  To prevent that from happening last year, we implemented NAT for
our wireless clients and now have plenty of address space for our
growing user base.

We let the Aruba controllers perform the NAT function (very easy to set
up - just a firewall rule in the user role in the Aruba config). We've
not had any complaints from users regarding NAT issues; we were
concerned that it might break some apps, but no problems have been
observed or reported.  We've even got our homegrown NAC (NetReg/CAT)
working over the wireless, too - NetReg DHCP traffic is not NAT'ed, but
all other traffic is.  This all works great, thanks to the Aruba
capabilities.

The only issue we've had with NAT has been voiced by Philippe - DMCA
notices are hard to isolate.  Our wired network has some protection in
place to identify and reduce peer-to-peer traffic (Tipping Points), so
we don't generally get a lot of notices.  User tracking and RF location
still work well as those are functions of the radio and authentication
subsystems.  Our academic users log on using 802.1x/WPA-Enterprise, so
we have usernames and locations in our logs.  Connecting those usernames
to the NAT pool IP addresses is the hard part.

I'd be happy to share some basic configuration tips and tricks regarding
NAT with you off-list, or on-list if others are interested.

BTW - We've been NAT'ing our guest access users since day one on the
Aruba equipment.  Guests "log in" through the captive portal and are
given limited access - bandwidth limited web access and VPN access back
to their home organizations.

 >>-> Stan Brooks - CWNA/CWSP
      Emory University
      Network Communications Division
      404.727.0226
AIM/Y!/Twitter: WLANstan
           MSN: [EMAIL PROTECTED]
    GoogleTalk: [EMAIL PROTECTED]
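
[Added example, not part of the original thread and not Emory's or Aruba's code.] The username-to-NAT-pool correlation described in the message above can be done as a time-window join, assuming the NAT device logs each translation and the 802.1X logs record the client's private IP and AP. Both record layouts, all names and all sample values below are constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data; both record layouts are assumptions.
# 802.1X sessions: (username, client private IP, AP, start, stop)
AUTH_SESSIONS = [
    ("alice", "10.20.1.15", "ap-library-3", "2008-07-02 14:00:00", "2008-07-02 15:30:00"),
    ("bob", "10.20.1.15", "ap-dorm-12", "2008-07-02 16:00:00", "2008-07-02 17:00:00"),
    ("carol", "10.20.1.77", "ap-library-3", "2008-07-02 14:10:00", "2008-07-02 14:50:00"),
]
# NAT translations: (private IP, public IP, public port, start, stop)
NAT_SESSIONS = [
    ("10.20.1.15", "192.0.2.10", 40001, "2008-07-02 14:20:00", "2008-07-02 14:25:00"),
    ("10.20.1.77", "192.0.2.10", 40002, "2008-07-02 14:20:00", "2008-07-02 14:25:00"),
    ("10.20.1.15", "192.0.2.10", 40001, "2008-07-02 16:30:00", "2008-07-02 16:35:00"),
]


def _covers(start, stop, when, skew):
    """True if `when` falls inside [start, stop], widened by clock skew."""
    return (datetime.strptime(start, FMT) - skew
            <= when <= datetime.strptime(stop, FMT) + skew)


def attribute(public_ip, public_port, when, skew=timedelta(seconds=30)):
    """Return every (username, AP, private IP) that could own the flow.

    public_port=None models a notice that omits the source port; several
    clients share one pool address, so more than one candidate can return.
    """
    when = datetime.strptime(when, FMT)
    hits = set()
    for priv_ip, pub_ip, pub_port, n_start, n_stop in NAT_SESSIONS:
        if pub_ip != public_ip or public_port not in (None, pub_port):
            continue
        if not _covers(n_start, n_stop, when, skew):
            continue
        # The private IP alone is not enough: leases are reused, so the
        # 802.1X session must also cover the same instant.
        for user, ip, ap, a_start, a_stop in AUTH_SESSIONS:
            if ip == priv_ip and _covers(a_start, a_stop, when, skew):
                hits.add((user, ap, priv_ip))
    return sorted(hits)


if __name__ == "__main__":
    print(attribute("192.0.2.10", 40001, "2008-07-02 14:22:00"))
    print(attribute("192.0.2.10", None, "2008-07-02 14:22:00"))
```

A notice that carries only the public IP and a timestamp returns multiple candidates here, which is why the source port and synchronized clocks matter for attribution behind a shared NAT pool.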

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Dickson
Sent: Tuesday, July 01, 2008 9:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] NAT in large scale wireless networks

Though we currently have enough available routed IP space for our
wireless clients we are looking toward the future and wondering if
NAT-ing the wireless network makes sense.

Does anyone have any experiences, good or bad, using NAT for the
wireless client pool in a large scale environment? What features "go
away" (i.e. RFID or user tracking, etc.) Are there any gotchas?

We're an Aruba shop and expect about 3000+ wireless clients this
semester and have been adding more APs by the week.

Thanks,
  Mike

***************************************************************
Michael Dickson                     Phone: 413-545-9639
Network Analyst                     [EMAIL PROTECTED]
University of Massachusetts
Network Systems and Services
***************************************************************

**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.
