Bruce,

We are using Microsoft Event log view for NPS/security and are also exporting security logs daily to another system that we built to massage the information in order to get stats and summarize errors. We have Microsoft System Center that I believe can be expanded to do additional reporting and alerting but we have been unsuccessful in getting the other groups to implement it.

I used perfmon for a very short period when I was initially looking at a way to graph rates over a 24 hour period and was quickly discouraged. I did not have a working baseline to compare to and I could not find a published spec. Our identity group opened a ticket with Microsoft and never got a solid # on rates. I believe the response was “depends on your server resources.” I was looking at success and failure rates but the problem at the time was NPS just stopped responding to the supplicant. I did not see a counter for something like that. Maybe I did not look hard enough and there is a way to calculate it. I should probably take another look if you find it useful.

A typical troubleshooting scenario was “everyone in this room was disconnected!” I ask the typical question, “did everyone get disconnected at the same time.” Response is “yes!” I ask “so everyone got disconnected at the very same minute?” Response, “well no, but during the meeting most of us got disconnected.” I reply “most not everyone?.?.?…..” :) You know how it goes. In the end I had to look at information far enough back that it is/was very difficult to use perfmon.

*Mike Atkins*
Network Engineer
Office of Information Technology
University of Notre Dame

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of* Bruce Boardman
*Sent:* Wednesday, November 16, 2016 2:49 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Mike

Regarding the Troubleshooting and debug challenges with NPS are you exporting the MS events to a log collector or using the server's native event viewer? How useful have you found the PerfMon RADIUS metrics?

Bruce Boardman, Network Engineer, Syracuse University - 315 412-4156

------------------------------

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Mike Atkins <matk...@nd.edu>
*Sent:* Wednesday, November 16, 2016 2:44 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Lee,

We use Microsoft NPS for radius on dot1x wireless (ND-secure & eduroam.) Troubleshooting and getting debug information has been very difficult. Finding a deployment guide on expected performance/load is also impossible to find. I think configuration is absolutely key. My impression is either it works great or it does not.

Dennis,

I think we are doing the realm stripping you are talking about using NPS. Our identity management group has two policies configured for eduroam. The first policy says identity @nd.edu authenticate PEAP requests on the local server. The second policy says “@” forward to the two eduroam.us “servers.” There are a couple other policies for off campus users that get forwarded from eduroam.us servers. Maybe not what you are talking about but just thought I would chime in just in case.

*Mike Atkins*
Network Engineer
Office of Information Technology
University of Notre Dame
Phone: 574-631-7210

---- .__o
----- _-\_<,
--- (*)/'(*)

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of* Lee H Badman
*Sent:* Wednesday, November 16, 2016 9:40 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We’ve used Cisco ACS with general satisfaction for many years as the RADIUS solution for our very, very large WLAN’s 802.1X authentication. We also have Aruba Clearpass in-house for guest wireless, and have poked around at ISE a bit.

We’re weighing replacing our aging ACS environment, but as many of you know times are changing. When you shop for RADIUS, you have to wade through the fog of NAC systems because everything is getting ever more “feature rich”. For major vendors, RADIUS is just a slice of NAC now, and since everybody “is a software company!” licensing can be ugly.

I’m not slamming those who find value in the many interesting features that the likes of ISE and Clearpass offer, but I also can’t help but be drawn to Microsoft NPS when I think about going forward with simple RADIUS. Way back when, we avoided Microsoft in this role as the reporting wasn’t particularly strong when it came time to troubleshoot clients. We **may** have found relief to this through Splunk, and also enjoy a robust Windows server environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, horror stories, tales of success, etc?

(Any vendor reps lurking- no, I’m not open to hearing about other RADIUS solutions. Please, no calls or emails)

Kind regards-

*Lee Badman* | CWNE #200 | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
*t* 315.443.3003 *f* 315.443.4325 *e* lhbad...@syr.edu *w* its.syr.edu
*SYRACUSE UNIVERSITY*
syr.edu

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
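
As an added example (not code from any of the posts above): a sketch of the kind of summary Mike describes building from exported NPS security logs, bucketing events per minute and per access point so that "did everyone get disconnected at the very same minute?" can be answered from data. The CSV layout, access point names and sample rows are constructed assumptions; event IDs 6272 (access granted) and 6273 (access denied) are the Windows Security log IDs NPS writes, and the "silent minute" check is a heuristic rather than an NPS counter.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data); the column layout is an assumption.
# 6272 = NPS granted access, 6273 = NPS denied access (Windows Security log).
OUTCOME = {"6272": "granted", "6273": "denied"}
SAMPLE = """\
time,event_id,user,ap
2016-11-16 10:01:12,6272,alice,room101-ap
2016-11-16 10:01:40,6272,bob,room101-ap
2016-11-16 10:02:05,6273,carol,room101-ap
2016-11-16 10:02:31,6273,carol,room101-ap
2016-11-16 10:02:50,6272,dave,room204-ap
2016-11-16 10:05:03,6273,alice,room101-ap
2016-11-16 10:06:10,6272,alice,room101-ap
"""

def per_minute(text):
    """Count granted/denied events per (minute, access point)."""
    buckets = defaultdict(Counter)
    for r in csv.DictReader(io.StringIO(text)):
        if r["event_id"] not in OUTCOME:
            continue  # ignore unrelated Security events
        t = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        buckets[(t.replace(second=0), r["ap"])][OUTCOME[r["event_id"]]] += 1
    return buckets

def denied_minutes(buckets, ap):
    """Minutes in which one access point logged at least one denial."""
    return sorted(m for (m, a), c in buckets.items() if a == ap and c["denied"])

def silent_minutes(buckets):
    """Minutes inside the log window with no NPS event at all (heuristic:
    silence may mean the server stopped answering, or that nobody tried)."""
    seen = {m for m, _ in buckets}
    if not seen:
        return []
    cur, end, gaps = min(seen), max(seen), []
    while cur < end:
        cur += timedelta(minutes=1)
        if cur not in seen:
            gaps.append(cur)
    return gaps

if __name__ == "__main__":
    b = per_minute(SAMPLE)
    print("denials:", [m.strftime("%H:%M") for m in denied_minutes(b, "room101-ap")])
    print("silent:", [m.strftime("%H:%M") for m in silent_minutes(b)])
```

Because the buckets are built from the daily export, the same summary works on data from days or weeks back, which is where the thread found perfmon hard to use.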