Aug 01 2019 08:37 AM
Will VPN providers not listed in the Integrate VPN page (https://docs.microsoft.com/en-us/azure-advanced-threat-protection/install-atp-step6-vpn) still work if sending RADIUS Accounting information to a sensor? We are not using one of the listed vendors that are supported and I wanted to see if it would even be worth it to get this set up.
Also, can a standalone sensor be used only to receive RADIUS Accounting data and not be used for monitoring any domain controller traffic? I believe it can be a hard sell to convince all stakeholders that a good usage of a Domain Controller's resources would be to receive RADIUS Accounting traffic. Or that adding a Domain Controller would be a good idea for this.
Aug 01 2019 01:18 PM
@archedmeerkat It should work if you can make the data arrive in a format that looks like one of the supported formats.
And no, having a standalone gateway just for RADIUS is not supported.
The memory impact of those events CPU/memory wise is mostly unnoticeable.
Aug 07 2019 07:08 AM
Can a sample (or a few) be provided for the correct format for events from RADIUS?
Is there any specific data on the impact being negligible when using a Domain Controller as a syslog receiver of RADIUS events? I can let others know that there will likely be little impact, but it will still be a tough sell to get other teams and management buy-in for this type of functionality. It would be helpful to have some data to back this up.
Outside of Health Alerts in the AATP console, would there be any impact to having a standalone gateway up, with no traffic going to it?
Aug 07 2019 01:48 PM
Solution
@archedmeerkat Following this RFC should be a good start:
https://tools.ietf.org/html/rfc2866
It might just work this way; the supported list is a list we tested and confirmed it worked.
I don't have any official data about a measured impact, just that it never came up as an issue with any customer...
As for setting a standalone Gateway and "live" with health warning... you might be able to trick it to work if you let it think it monitors a specific DC while it doesn't really see its traffic or events.
It will produce health alerts, but although not supported at all, it might "work", but I never tested it.
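For readers who want to see what the RFC 2866 wire format linked in the answer above looks like, here is an added example (not from the thread or from Microsoft) that builds and validates an Accounting-Request packet. The shared secret, user, addresses and session ID are constructed sample values, and the attribute selection is an assumption taken from RFC 2865/2866, not a statement of what the sensor requires.

```python
import hashlib, hmac, struct
from ipaddress import IPv4Address
ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request (RFC 2866)
NAMES = {1: "User-Name", 4: "NAS-IP-Address", 8: "Framed-IP-Address",
         40: "Acct-Status-Type", 44: "Acct-Session-Id"}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def _authenticator(header, attrs, secret):
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_accounting_request(ident, attrs, secret):
    """Encode (type, value-bytes) pairs as an Accounting-Request packet."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + _authenticator(header, body, secret) + body

def parse_accounting_request(packet, secret):
    """Validate and decode a packet; raises ValueError on anything malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("wrong Code or bad Length field")
    packet = packet[:length]  # octets past Length are padding and are ignored
    expected = _authenticator(packet[:4], packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch (wrong secret or altered packet)")
    fields, pos = {"Identifier": ident}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, value = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
        if atype in (4, 8):
            value = str(IPv4Address(value))  # raises ValueError unless 4 octets
        elif atype == 40:
            value = STATUS.get(int.from_bytes(value, "big"), "Other")
        else:
            value = value.decode("utf-8", "replace")  # other attributes shown as text
        fields[NAMES.get(atype, f"Attr-{atype}")] = value
    return fields

# Constructed sample: shared secret, user, addresses and session ID are made up.
SECRET = b"example-shared-secret"
SAMPLE = build_accounting_request(7, [
    (1, b"alice"), (4, IPv4Address("192.0.2.10").packed),
    (8, IPv4Address("10.8.0.23").packed), (40, (1).to_bytes(4, "big")),
    (44, b"0000A1B2")], SECRET)
```

Calling `parse_accounting_request(SAMPLE, SECRET)` returns the decoded fields; a packet whose authenticator does not match the shared secret is rejected before any attribute is read.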