This is something I come across a bit, as it seems to be a problematic area for NetFlow monitoring. Do you know if the client IP addresses in the NetFlow traffic match up with the client IP addresses in the RADIUS events?
I recently worked with someone to provide reporting in this area. We ended up deploying a traffic analysis system which used a SPAN port as a source instead of NetFlow. We mirrored the ports of the VPN systems connecting to the network core and then used AD logs to map what IP addresses were associated with what users.
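The IP-to-user mapping described in the post above, sketched as an added example that is not part of the original thread or any product's code: each flow is attributed to the most recent logon seen from its source address, so a reassigned VPN pool address is not credited to the previous user. The record layouts, the 12-hour `max_age` and all sample values are assumptions constructed for illustration.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed sample data: logons as (epoch_seconds, user, client_ip),
# flows as (epoch_seconds, src_ip, bytes).
LOGONS = [
    (1000, "alice", "10.8.0.5"),
    (8200, "bob", "10.8.0.5"),      # same pool address handed to another user
    (1500, "carol", "10.8.0.9"),
]
FLOWS = [
    (1200, "10.8.0.5", 4000),
    (9000, "10.8.0.5", 2500),
    (900, "10.8.0.5", 100),         # earlier than any logon from this address
    (1600, "10.8.0.9", 700),
    (1600, "10.8.0.77", 50),        # address never seen in the logon log
    (91500, "10.8.0.9", 10),        # logon too old to trust
]

def build_index(logons):
    """Per IP, parallel lists of logon times (ascending) and users."""
    index = defaultdict(lambda: ([], []))
    for ts, user, ip in sorted(logons):
        times, users = index[ip]
        times.append(ts)
        users.append(user)
    return index

def attribute(flow, index, max_age=12 * 3600):
    """Return the user whose logon most recently preceded the flow, or None."""
    ts, ip, _ = flow
    times, users = index.get(ip, ([], []))
    i = bisect_right(times, ts) - 1   # last logon at or before the flow
    if i < 0 or ts - times[i] > max_age:
        return None
    return users[i]

def bytes_per_user(flows, index):
    """Sum flow bytes per attributed user; unmatched flows are kept visible."""
    totals = defaultdict(int)
    for flow in flows:
        totals[attribute(flow, index) or "unattributed"] += flow[2]
    return dict(totals)

if __name__ == "__main__":
    print(bytes_per_user(FLOWS, build_index(LOGONS)))
```

Keeping an explicit "unattributed" bucket shows how much traffic the logon source fails to cover, which is the gap to watch when the flow exporter and the authentication log see different client addresses.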
Thanks for answering!
I do not know the IP address of the teleworker, and in my opinion I don't need to know that.
In the past we used a Cisco MARS appliance, and my Cisco firewalls were just sending their NetFlow events. On the MARS I had a report where I saw all the users (teleworkers) authenticated through the Cisco firewall.
So actually (NetFlow) NTA should have that information ... I guess it's just a matter of implementing it in NTA!!?