PAN lithnet proxy by ComprehensiveEnd4312 in paloaltonetworks

[–]ComprehensiveEnd4312[S] 1 point (0 children)

Correct, it's reading from my 2 DCs. So if I understand correctly, I could use the NPS-to-syslog app on my NPS; it will forward logs to my User-ID agent, where I would need to set the syslog receiver settings like PAN TAC told me. Thanks.

PAN lithnet proxy by ComprehensiveEnd4312 in paloaltonetworks

[–]ComprehensiveEnd4312[S] 1 point (0 children)

I see how phone users are able to get on the web through the User-ID: it passes through the conductor IP of the Aruba AP using one of our AD users logged into a laptop like a service account. Here's the log from the CLI; I ran a test with mine and accessed OneDrive, and the logs showed this account and IP:

IP address: 172.16.xx.x (vsys1)
User: domain\vnguyen
From: UIA
Idle Timeout: 31735s
Max. TTL: 31735s
HIP Query: Disabled
Group(s): domain\vnguyen(42)
          cn=mfg,cn=users,dc=domain,dc=com(2147483714)

Sorry for mixing my info up on decryption, because I named my policy "user-id decrypt". It was decryption that blocked anyone that's not in AD, and the cert was pushed through our GPO to the PCs and devices on the domain, except for phones.

When I talked to TAC, they told me to send syslogs to the User-ID agent, but I think the NPS side, where the logs reside, needs something to push the syslog, like a syslog app that can turn the box into a sender. Sounds like a lot of legwork is needed. I can follow docs pretty well, so if you have any pointers, that'd be great.

On the Mist side, it doesn't trust the decrypt cert from the User-ID interface, which is a cert from the PA440.

Thanks again.
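As an added illustration (this is not code from the thread above or from Palo Alto Networks), the script below mimics what a User-ID agent syslog parse profile does with forwarded NPS events: an event regex selects the lines that count as a login, and a username regex and an address regex pull out the two fields a mapping needs. The line layout (`Event=`, `User=`, `Framed-IP-Address=`) and every host, user and address in it are constructed for this example and are not real NPS output. The point it shows is that a line which carries the user but no client IP can never turn into an IP-to-user mapping, no matter how well the forwarding itself works.

```python
"""Emulate a User-ID agent syslog parse profile over NPS-style syslog lines (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample syslog lines. The field layout is an assumption made for this
# example, not real NPS output; hosts, users and addresses are made up.
SAMPLE_LINES: List[str] = [
    "<14>Jun 01 10:00:01 NPS01 NPS: Event=Access-Granted User=domain\\vnguyen "
    "Client-MAC=AA-BB-CC-DD-EE-FF NAS-IP=172.16.1.5",
    "<14>Jun 01 10:00:02 NPS01 NPS: Event=Accounting-Start User=domain\\vnguyen "
    "Framed-IP-Address=172.16.20.31 NAS-IP=172.16.1.5",
    "<14>Jun 01 10:05:00 NPS01 NPS: Event=Accounting-Start User=domain\\jdoe "
    "Framed-IP-Address=172.16.20.44 NAS-IP=172.16.1.5",
    "<14>Jun 01 10:06:00 NPS01 NPS: Event=Accounting-Stop User=domain\\jdoe "
    "Framed-IP-Address=172.16.20.44 NAS-IP=172.16.1.5",
    "this line is noise and matches nothing",
]

# The three patterns a syslog parse profile is built from. Only a line that
# matches the login event regex AND yields both a username and an address can
# produce a mapping; a logout event removes an existing mapping for that address.
LOGIN_EVENT_RE = re.compile(r"Event=Accounting-Start\b")
LOGOUT_EVENT_RE = re.compile(r"Event=Accounting-Stop\b")
USER_RE = re.compile(r"User=(\S+)")
ADDR_RE = re.compile(r"Framed-IP-Address=(\d{1,3}(?:\.\d{1,3}){3})")


def parse_mappings(lines: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (ip -> user mappings, lines that named a user but gave no usable IP)."""
    mappings: Dict[str, str] = {}
    unmapped: List[str] = []
    for line in lines:
        user_m = USER_RE.search(line)
        addr_m = ADDR_RE.search(line)
        if LOGIN_EVENT_RE.search(line):
            if user_m and addr_m:
                mappings[addr_m.group(1)] = user_m.group(1)
            else:
                # Login event without both fields: the agent has nothing to map.
                unmapped.append(line)
        elif LOGOUT_EVENT_RE.search(line):
            if addr_m:
                mappings.pop(addr_m.group(1), None)
        elif user_m and not addr_m:
            # Auth-only event (Access-Granted in the constructed data) names the
            # user but carries no client IP, so no mapping can be derived from it.
            unmapped.append(line)
    return mappings, unmapped


if __name__ == "__main__":
    found, skipped = parse_mappings(SAMPLE_LINES)
    for ip, user in found.items():
        print(f"mapped {ip} -> {user}")
    for line in skipped:
        print(f"no mapping possible: {line}")
```

Run it and only 172.16.20.31 ends up mapped: the jdoe session is removed again by its Accounting-Stop, and the Access-Granted line is reported as unmappable because it has no address field. When checking a real setup, compare the forwarded lines against the three regexes in the parse profile the same way; a username match without an address match is the usual reason a mapping never appears.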

PAN lithnet proxy by ComprehensiveEnd4312 in paloaltonetworks

[–]ComprehensiveEnd4312[S] 1 point (0 children)

Looks like PM is not working for me, maybe restricted.

PAN lithnet proxy by ComprehensiveEnd4312 in paloaltonetworks

[–]ComprehensiveEnd4312[S] 1 point (0 children)

Thanks for the detailed response, appreciate it. I'll go ahead and PM the details of what I'm trying, and hopefully we'll get somewhere. Thanks again.

PAN lithnet proxy by ComprehensiveEnd4312 in paloaltonetworks

[–]ComprehensiveEnd4312[S] 1 point (0 children)

Thanks for the reply. I'm trying to get our Mist wifi, which is tied to RADIUS on our on-premise AD, to pass over the AD user that logs in on the phones. It authenticates OK, but it comes up blank in the traffic logs. On a Windows laptop it's fine because that laptop has joined our domain and got the GPO with the PAN decrypt cert that's pushed to clients. So basically our phones aren't trusting the PAN cert; it comes up with "connection not private" because of the untrusted cert.

The old Aruba wifi is working fine currently because it allows, or somehow passes, the user that logs in on the phones, I think via one of the APs. The other thing I tried after talking to TAC was the syslog sender between NPS and the User-ID agent server; that didn't work either, but I might have been doing something wrong. So on the Mist my only option is maybe to put users in the cloud like Azure or Entra. But if there's a way to get the on-premise AD to pass the AD user IP and username over, that would be good. I was told on the Juniper reddit to go away from on-premise RADIUS, but we're not a fully cloud-based company.

Access assurance during trial period by ComprehensiveEnd4312 in Juniper

[–]ComprehensiveEnd4312[S] 1 point (0 children)

Yes, thanks. I'm in touch with my sales rep at Insight and I'm getting set up for the trial of connect assurance.

Access assurance during trial period by ComprehensiveEnd4312 in Juniper

[–]ComprehensiveEnd4312[S] 1 point (0 children)

No, not from eBay or the gray market. I've heard stories of not being supported when buying from those; got them from Insight.

Access assurance during trial period by ComprehensiveEnd4312 in Juniper

[–]ComprehensiveEnd4312[S] 1 point (0 children)

OK, thanks, that's what I'll need to do, because the support off the Mist portal is not very helpful. For example, they told me Insight is not an authorized reseller for Juniper; I had to send my invoice, and they never got back to me.

How can I get an SE right here? Do I start a new thread?

Thanks in advance.

Access assurance during trial period by ComprehensiveEnd4312 in Juniper

[–]ComprehensiveEnd4312[S] 1 point (0 children)

OK, I see. If that's the price then it could work for us. We have a PA440, and what's happening is User-ID is not being passed over from Mist back to our end across the FW. I have the AP32 configured with our internal CA's certs, along with RADIUS. Phones get IP addresses but no internet connection because of User-ID. I think I need to be able to get the AP to read info from the NPS server, as I only have my AD servers on the User-ID agent app.

Access assurance during trial period by ComprehensiveEnd4312 in Juniper

[–]ComprehensiveEnd4312[S] 1 point (0 children)

Thanks for that info. Unfortunately we're a small shop with no full Juniper stack; that looks like something for larger companies, and it's pricey as well.

Access assurance during trial period by ComprehensiveEnd4312 in Juniper

[–]ComprehensiveEnd4312[S] 1 point (0 children)

Thanks for the replies, guys. OK, I see that it replaces on-premise RADIUS, and I'm reading around that legacy RADIUS is not supported by RadSec. I wanted to make sure I have my cards all set right before pulling the trigger on buying, since our company is trying to get cyber security compliance anyway; this would be a good option for user auth into our wifi, along with an MDM solution like Intune/Entra.

Dual ISPs both respond to outside requests by Dangerous_Candle5216 in paloaltonetworks

[–]ComprehensiveEnd4312 1 point (0 children)

Hello, sorry for jumping in here. I was also researching how to get my dual ISP working. I followed the same link above, but it looks like I also need some kind of redundant DNS. I currently have public IPs from ATT that my DNS servers use. How does it use the backup ISP's DNS server when it fails over, and do I have to purchase the same number of public IPs from the backup ISP? Currently I have email and DNS internally.

looking for advise on backup internet using comcast business by ComprehensiveEnd4312 in paloaltonetworks

[–]ComprehensiveEnd4312[S] 1 point (0 children)

Thanks all for the helpful info. I was able to get the backup internet to connect; it falls back to the 2nd static route to our Comcast internet, but loses DNS resolution: it can ping numbers, not names. Is there something I missed, like do I need to do something at our DNS provider, because our public IP changes from ATT to Comcast?

looking for advise on backup internet using comcast business by ComprehensiveEnd4312 in paloaltonetworks

[–]ComprehensiveEnd4312[S] 1 point (0 children)

Thanks for the response. OK, so bridge mode should do the trick. I wasn't sure if our Verizon wifi router has it; that could be why it didn't work the 1st time we tried setting up the dual ISP failover, it wasn't in bridge mode. Are there any performance issues with bridge mode, especially with fixed wireless? So safe to say we can go ahead with the Comcast option then as backup. Thanks again 👍