I only use NPS for Cisco RADIUS auth. Otherwise, all of our authentication hits Extreme NAC (uses FreeRADIUS as a backend). I dislike NPS very much.
*--Jeremy L. Gibbs*
Sr. Network Engineer
Utica College IITS

On Wed, Nov 16, 2016 at 3:29 PM, Mike Atkins <[email protected]> wrote:

> Bruce,
>
> We are using Microsoft Event log view for NPS/security and are also exporting security logs daily to another system that we built to massage the information in order to get stats and summarize errors. We have Microsoft System Center that I believe can be expanded to do additional reporting and alerting but we have been unsuccessful in getting the other groups to implement it.
>
> I used perfmon for a very short period when I was initially looking at way to graph rates over a 24 hour period and was quickly discouraged. I did not have a working baseline to compare to and I could not find a published spec. Our identity group opened a ticket with Microsoft and never got a solid # on rates. I believe the response was “depends on your server resources.” I was looking at success and failure rates but the problem at the time was NPS just stopped responding to the supplicant. I did not see a counter for something like that. Maybe I did not look hard enough and there is a way to calculate it. I should probably take another look if you find it useful.
>
> A typical troubleshooting scenario was “everyone in this room was disconnected!” I ask the typical question, “did everyone get disconnected at the same time.” Response is “yes!” I ask “so everyone got disconnected at the very same minute?” Response, “well no, but during the meeting most of us got disconnected.” I reply “most not everyone?.?.?…..” :) You know how it goes. In the end I had to look at information far enough back that it is/was very difficult to use perfmon.
>
> *Mike Atkins*
> Network Engineer
> Office of Information Technology
> University of Notre Dame
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] *On Behalf Of* Bruce Boardman
> *Sent:* Wednesday, November 16, 2016 2:49 PM
> *To:* [email protected]
> *Subject:* Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?
>
> Mike
>
> Regarding the Troubleshooting and debug challenges with NPS are you exporting the MS events to a log collector or using the server's native event viewer? How useful have you found the PerfMon RADIUS metrics?
>
> |Bruce Boardman, Network Engineer, Syracuse University - 315 412-4156
>
> ------------------------------
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]> on behalf of Mike Atkins <[email protected]>
> *Sent:* Wednesday, November 16, 2016 2:44 PM
> *To:* [email protected]
> *Subject:* Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?
>
> Lee,
>
> We use Microsoft NPS for radius on dot1x wireless (ND-secure & eduroam.) Troubleshooting and getting debug information has been very difficult. Finding a deployment guide on expected performance/load is also impossible to find. I think configuration is absolutely key. My impression is either it works great or it does not.
>
> Dennis,
>
> I think we are doing the realm stripping you are talking about using NPS. Our identity management group has two policies configured for eduroam. The first policy says identity @nd.edu authenticate PEAP requests on the local server. The second policy says “@” forward to the two eduroam.us “servers.” There are a couple other policies for off campus users that get forwarded from eduroam.us servers. Maybe not what you are talking about but just thought I would chime in just in case.
>
> *Mike Atkins*
> Network Engineer
> Office of Information Technology
> University of Notre Dame
> Phone: 574-631-7210
>
> ---- .__o
> ----- _-\_<,
> --- (*)/'(*)
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] *On Behalf Of* Lee H Badman
> *Sent:* Wednesday, November 16, 2016 9:40 AM
> *To:* [email protected]
> *Subject:* [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?
>
> Hello to the awesome group.
>
> We’ve used Cisco ACS with general satisfaction for many years as the RADIUS solution for our very, very large WLAN’s 802.1X authentication. We also have Aruba Clearpass in-house for guest wireless, and have poked around at ISE a bit. We’re weighing replacing our aging ACS environment, but as many of you know times are changing. When you shop for RADIUS, you have to wade through the fog of NAC systems because everything is getting ever more “feature rich”. For major vendors, RADIUS is just a slice of NAC now, and since everybody “is a software company!” licensing can be ugly. I’m not slamming those who find value in the many interesting features that the likes of ISE and Clearpass offer, but I also can’t help but be drawn to Microsoft NPS when I think about going forward with simple RADIUS.
>
> Way back when, we avoided Microsoft in this role as the reporting wasn’t particularly strong when it came time to troubleshoot clients. We **may** have found relief to this through Splunk, and also enjoy a robust Windows server environment staffed by absolutely brilliant MS-minded veteran admins.
>
> All that being said- is anyone using NPS as their RADIUS solution for a large secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, horror stories, tales of success, etc?
>
> (Any vendor reps lurking- no, I’m not open to hearing about other RADIUS solutions.
> Please, no calls or emails)
>
> Kind regards-
>
> *Lee Badman* | CWNE #200 | Network Architect
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> *t* 315.443.3003 *f* 315.443.4325 *e* [email protected] *w* its.syr.edu
> *SYRACUSE UNIVERSITY* syr.edu
>
> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
