Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Tracking users when NATting

  • 1.  Tracking users when NATting

    Posted Feb 22, 2017 03:49 PM

    Hi. We are installing/have installed IAPs at a number of locations, some of which have a local internet connection as well as a WAN link back to the core. We are using ClearPass and ClearPass Guest to control/record user access. On sites without a local internet breakout, we tunnel all the guest traffic back to the core controllers and out the DMZ, which works perfectly. On sites with a local internet breakout, we want to send guest traffic out the local connection, not down the WAN to the core and then out. Design is OK, theory is good, and we believe that the local IAP NATting of the guest traffic will work OK.

    However, it is at the local NATting that we will lose visibility of the relationship between the user and the IP address.  The local site firewall will only see one IP address with all the guest traffic, so if any user does something "not nice" and we have to try and do some forensics, we will not be able to track back to the user. 

    Has anyone come across this issue before, or does anyone have any hints about how we might track/record the NATting being done?

    Thanks in advance

    Ross (from New Zealand).