Hi,
I've configured NPS for RADIUS authentication and it is working happily; recently the need has arisen to perform web traffic fingerprinting, and while the basic process is working for Kerberos-based authentication, RADIUS-based auth is only partially working.
We have 2 groups of users we need to identify: 'staff' and 'students'. Accordingly, we have configured a connection request policy and a network policy for each group. In the case of the former, the AD group specified directly contains the member AD accounts; in the latter it contains 3 sub-groups, which in turn contain the AD user accounts.
Each policy is associated with a different SSID and each SSID can only be logged on to by members of the group specified in the NPS policy; staff to staff and student to student, enforced through use of the Called Station ID attribute. Additionally, the 'student' policies are second in the processing order. Other than that there are no differences between the policies that I am aware of; the student policies are duplicates of the staff policies.
The problem we are seeing is this: for staff web traffic, the firewall is able to match a username to source IP address reliably all of the time, but with the student traffic it is hit and miss - about 50% of the time it is able to match them up. Clearly the mechanism is working, but for an unknown reason it is only partially working on one of the policies. What might be the reason for this?
- I have tested by modifying my own group membership - when a member of 'staff' my traffic is identified but when a member of 'student' it is only partially successful
- The problem is site agnostic and happens on all 4 of our sites
- The problem is device agnostic and happens on Windows, Mac or iOS clients
- Changing the position of the policies so that the student policy is processed first didn't make any difference
- The tests have been performed using the same access points on all occasions
- I have found only one difference between the staff and student SSIDs which is that on one of the campuses the student SSID has Bonjour forwarding enabled
I am thinking there could be an issue with the firewall configuration; if that were the case, how could it be proven based on the NPS server logs?
NPS role is running on Windows Server 2012 Datacenter edition.
The firewall is a FortiGate 600C
The wireless infrastructure is Cisco Meraki
Many thanks in advance for any advice that could be offered.
Regards,
Robert
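One way to approach the question at the end of the post (proving from the NPS logs whether the student sessions were ever handed to the firewall with a usable username-to-IP pairing) is to summarise the NPS accounting records per SSID. The script below is an added example, not code from the original post or from Microsoft, Fortinet or Meraki. It assumes NPS accounting logging is set to the DTS-compliant XML format, where each record is one `<Event>...</Event>` element per line with child elements named after the RADIUS attributes (`Packet-Type`, `Acct-Status-Type`, `Acct-Session-Id`, `User-Name`, `Called-Station-Id`, `Framed-IP-Address`, `NP-Policy-Name`), and it assumes the access points send `Called-Station-Id` as `<AP-MAC>:<SSID>`; both assumptions are marked in the code. The log lines embedded in `SAMPLE_LOG` are constructed for illustration. For each SSID the script reports how many accounting sessions were seen, how many of them ever carried a `Framed-IP-Address` (in a Start or Interim-Update record), which sessions never did, and which network policy names were logged for that SSID. If the student SSID shows every session with an IP and the expected policy name, NPS is handing the firewall what it needs and the fault is downstream; if roughly half the student sessions never carry an IP, the gap is already visible on the NPS side.

```python
"""Summarise NPS accounting records per SSID to see what the firewall was given.

Added example, not from the original post. Assumes NPS DTS-compliant XML
accounting logs (one <Event> element per line). Field names follow that schema.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample log lines; hostnames, users, MACs and IPs are made up.
# Packet-Type: 1=Access-Request, 2=Access-Accept, 3=Access-Reject, 4=Accounting-Request
# Acct-Status-Type: 1=Start, 2=Stop, 3=Interim-Update
SAMPLE_LOG = r"""
<Event><Timestamp data_type="4">01/10/2015 08:00:00.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">2</Packet-Type><User-Name data_type="1">CONTOSO\jsmith</User-Name><Called-Station-Id data_type="1">00-11-22-33-44-55:Staff</Called-Station-Id><NP-Policy-Name data_type="1">Staff Wireless</NP-Policy-Name></Event>
<Event><Timestamp data_type="4">01/10/2015 08:00:01.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">S1</Acct-Session-Id><User-Name data_type="1">CONTOSO\jsmith</User-Name><Called-Station-Id data_type="1">00-11-22-33-44-55:Staff</Called-Station-Id><Calling-Station-Id data_type="1">AA-AA-AA-AA-AA-01</Calling-Station-Id></Event>
<Event><Timestamp data_type="4">01/10/2015 08:00:31.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">3</Acct-Status-Type><Acct-Session-Id data_type="1">S1</Acct-Session-Id><User-Name data_type="1">CONTOSO\jsmith</User-Name><Called-Station-Id data_type="1">00-11-22-33-44-55:Staff</Called-Station-Id><Framed-IP-Address data_type="3">10.1.1.10</Framed-IP-Address></Event>
<Event><Timestamp data_type="4">01/10/2015 08:01:00.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">2</Packet-Type><User-Name data_type="1">CONTOSO\rjones</User-Name><Called-Station-Id data_type="1">00-11-22-33-44-66:Student</Called-Station-Id><NP-Policy-Name data_type="1">Student Wireless</NP-Policy-Name></Event>
<Event><Timestamp data_type="4">01/10/2015 08:01:01.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">S2</Acct-Session-Id><User-Name data_type="1">CONTOSO\rjones</User-Name><Called-Station-Id data_type="1">00-11-22-33-44-66:Student</Called-Station-Id></Event>
<Event><Timestamp data_type="4">01/10/2015 08:01:31.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">3</Acct-Status-Type><Acct-Session-Id data_type="1">S2</Acct-Session-Id><User-Name data_type="1">CONTOSO\rjones</User-Name><Called-Station-Id data_type="1">00-11-22-33-44-66:Student</Called-Station-Id><Framed-IP-Address data_type="3">10.2.1.20</Framed-IP-Address></Event>
<Event><Timestamp data_type="4">01/10/2015 08:02:01.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">S3</Acct-Session-Id><User-Name data_type="1">CONTOSO\akhan</User-Name><Called-Station-Id data_type="1">00-11-22-33-44-66:Student</Called-Station-Id></Event>
<Event><Timestamp data_type="4">01/10/2015 08:12:01.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">2</Acct-Status-Type><Acct-Session-Id data_type="1">S3</Acct-Session-Id><User-Name data_type="1">CONTOSO\akhan</User-Name><Called-Station-Id data_type="1">00-11-22-33-44-66:Student</Called-Station-Id></Event>
<Event><Timestamp data_type="4">01/10/2015 08:03:01.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">S4</Acct-Session-Id><User-Name data_type="1">CONTOSO\lwong</User-Name><Called-Station-Id data_type="1">00-11-22-33-44-66:Student</Called-Station-Id><Framed-IP-Address data_type="3">10.2.1.40</Framed-IP-Address></Event>
""".strip()

ACCOUNTING_REQUEST = "4"
STATUS_NAMES = {"1": "Start", "2": "Stop", "3": "Interim-Update"}


def parse_events(text):
    """Turn DTS-compliant log text into a list of {attribute-name: value} dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("<Event>"):
            continue  # skip blank lines or anything that is not a record
        root = ET.fromstring(line)
        events.append({child.tag: (child.text or "") for child in root})
    return events


def ssid_from_called_station(value):
    """Assumption: the AP sends Called-Station-Id as '<AP-MAC>:<SSID>'.
    Falls back to the raw value if there is no colon."""
    return value.rsplit(":", 1)[1] if ":" in value else value


def summarize_accounting(events):
    """Per SSID: session count, sessions that ever carried Framed-IP-Address,
    sessions that never did, and the network policy names logged for that SSID."""
    per_ssid = defaultdict(lambda: {"sessions": {}, "policies": set()})
    for ev in events:
        ssid = ssid_from_called_station(ev.get("Called-Station-Id", ""))
        bucket = per_ssid[ssid]
        # Policy names can appear on authentication events, so collect them
        # from every record for this SSID, not only accounting requests.
        if ev.get("NP-Policy-Name"):
            bucket["policies"].add(ev["NP-Policy-Name"])
        if ev.get("Packet-Type") != ACCOUNTING_REQUEST:
            continue
        sid = ev.get("Acct-Session-Id", "")
        sess = bucket["sessions"].setdefault(
            sid, {"user": ev.get("User-Name", ""), "ip": None, "records": []})
        sess["records"].append(STATUS_NAMES.get(ev.get("Acct-Status-Type", ""), "?"))
        # On wireless the Start often has no IP yet (DHCP not done); an
        # Interim-Update usually supplies it, so keep the first IP seen.
        if ev.get("Framed-IP-Address") and sess["ip"] is None:
            sess["ip"] = ev["Framed-IP-Address"]
    report = {}
    for ssid, bucket in per_ssid.items():
        sessions = bucket["sessions"]
        missing = sorted(sid for sid, s in sessions.items() if s["ip"] is None)
        report[ssid] = {
            "sessions": len(sessions),
            "with_ip": len(sessions) - len(missing),
            "missing_ip": missing,
            "policies": sorted(bucket["policies"]),
        }
    return report


if __name__ == "__main__":
    for ssid, r in sorted(summarize_accounting(parse_events(SAMPLE_LOG)).items()):
        print(f"{ssid}: {r['with_ip']}/{r['sessions']} sessions carried an IP; "
              f"missing: {r['missing_ip']}; policies: {r['policies']}")
```

Run it against the contents of the real accounting log by replacing `SAMPLE_LOG` with the file text; on the constructed sample it reports 1/1 staff sessions with an IP and 2/3 student sessions, with `S3` never carrying a `Framed-IP-Address` despite a Start and Stop being logged. Because the Start records for the student SSID can lack the address entirely, comparing the `missing_ip` ratio between the two SSIDs over a day of real logs is the direct test of whether the 50% figure originates at NPS or at the firewall.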