Edward,

 

Take a look and see if the BlueCoats can receive RADIUS accounting messages.
I've been able to perform EAP-PEAP client identification with Fortigate
units by forwarding accounting radius messages from NPS to the firewalls.

 

 

Thanks,

 

Chris Adams, CISSP

 

Director, Network & Telecom Services

Division of Information Technology

University of North Georgia

E-Mail: chris.ad...@ung.edu | Office: (706) 867-2891

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Edward Ip
Sent: Friday, November 18, 2016 10:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

 

Very true. I should have explained it a bit better, my bad. Let me give it a
second try.

 

Bluecoat has a plugin (BCAAA) installed on the AD domain servers that allows
it to retrieve a user's ID details from our AD domain for IP addresses
generating requests to applications and web servers (this works well for
wired domain clients), which then allows Bluecoat to apply the relevant
policies to the traffic. Since we are using the Microsoft NPS for RADIUS
authentication on wireless clients, Bluecoat is not able to retrieve that
information from our wireless clients as it isn't on the domain.

 

Bluecoat does not currently have a plugin or API to query the Aruba
controllers for the same information as it does on our AD domain.

 

Regards,

Edward Ip

Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario |
K2G 1V8 | Canada

algonquincollege.com

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wang, Yu
Sent: Friday, November 18, 2016 8:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

 

Edward,

 

NPS servers (radius) do not have clients' IP information as the whole 802.1X
authentication process happens before a client can have an IP address. Once
a client is successfully authenticated, radius' job is done. The client is
then assigned to a network and acquires an IP through DHCP. You can get a
client's IP from Aruba controllers or DHCP servers (client's MAC address
from NPS).

 

Yu

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Edward Ip
Sent: Thursday, November 17, 2016 2:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

 

We have been using Microsoft NPS in a cluster as RADIUS for 802.1X for a
while now. Our normal concurrent client load is about 12,000 users.

 

Monitoring is now done via Airwave, specifically using the Clarity feature.
In the past, we used Solarwinds to query our Aruba controllers for the
statistics and then graphed them in Solarwinds.

 

We are not doing anything fancy with the NPS servers. My network architect
wants to be able to query the AD network and set up network policies (like
bandwidth control and app control) using Bluecoat PacketShaper and the
Authentication and Authorization Agent (BCAAA) with User Awareness feature.
However, the NPS servers do not update our AD directory with regard to what
IP address the wireless client is currently using. So this feature is not
usable on our wireless clients (works great on wired domain clients).
We are investigating whether we can use ClearPass to give the Bluecoat the
required information.

 

Edward Ip

Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario |
K2G 1V8 | Canada

algonquincollege.com

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, November 16, 2016 9:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

 

Hello to the awesome group.

 

We've used Cisco ACS with general satisfaction for many years as the RADIUS
solution for our very, very large WLAN's 802.1X authentication. We also have
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a
bit. We're weighing replacing our aging ACS environment, but as many of you
know times are changing. When you shop for RADIUS, you have to wade through
the fog of NAC systems because everything is getting ever more "feature
rich". For major vendors, RADIUS is just a slice of NAC now, and since
everybody "is a software company!" licensing can be ugly. I'm not slamming
those who find value in the many interesting features that the likes of ISE
and Clearpass offer, but I also can't help but be drawn to Microsoft NPS
when I think about going forward with simple RADIUS.

 

Way back when, we avoided Microsoft in this role as the reporting wasn't
particularly strong when it came time to troubleshoot clients. We *may* have
found relief to this through Splunk, and also enjoy a robust Windows server
environment staffed by absolutely brilliant MS-minded veteran admins. 

 

All that being said- is anyone using NPS as their RADIUS solution for a
large secure WLAN environment? Can you share likes, dislikes, regrets,
endorsements, horror stories, tales of success, etc? 

 

 

(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS
solutions. Please, no calls or emails)

 

 

Kind regards-

 

Lee Badman | CWNE #200 | Network Architect 

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu

SYRACUSE UNIVERSITY
syr.edu

 

 

 

********** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/. 
