Failed attempts not being logged on 2008 R2

  • Question

  • I have NPS running for .1x authentication for our wireless.  It is working properly but there is no record of any failed attempts of any kind anywhere that I can find.  I've done this so far (multiple times):

    auditpol /set /subcategory:"Network Policy Server" /success:disable /failure:disable

    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

     

    And this:

    auditpol /get /subcategory:"Network Policy Server"

    with this result:  Network Policy Server                Success and Failure

     

    I cannot find any record of failures in event viewer nor in my log file.  This same thing happened with a different server running 2008 (not R2) months ago.  We gave up on the original server in hopes R2 would solve the issues.

     

    Any ideas?

    Thursday, April 7, 2011 6:29 PM

All replies

  • Hi Customer,

           Win2008 needs to run the command to log the failed authentication event; it does not need to be run in Win2008 R2.

    http://support.microsoft.com/kb/951005

           Win2008 R2 adds a new log option, "If logging fails, discard connection requests"; unchecking this option will log the failed authentication.

    Configure Log File Properties

    http://technet.microsoft.com/en-us/library/cc730677.aspx

     


    Regards, Rick Tan
    Friday, April 8, 2011 5:15 AM
  • Thanks for the quick reply!!

     

    Still no go with failed auths.  Here's a run down of settings (I'm 99% sure they are correct after looking through so many docs):

     

    NPS (Local) Properties - [checked] Rejected auth requests  [checked] successful auth requests

       Ports = 1812/1645  & 1813/1646

     

    NPS (Local) -> Accounting - [checked] Acc requests, Auth requests, Periodic acc status, Periodic Auth status

              [unchecked] If logging fails, discard conn req

     

    Results of logging - Successful logged but not failures.  I did find failed machine auth because I misconfigured encryption type but it is corrected

     

    Diagnostics -> Event Viewer -> Custom Views -> Server Roles -> Network Policy and Access Services:

            only successes are being logged

            Only event IDs = 4400, 6272, 6274 and 6278 found so far (6274 eliminated for machine auths)

     

    I checked for failed auths by two methods:

    1) A known good account with wrong password

    2) A known bad (doesn't exist) account

     

    Thanks in advance for any insight on this.  It is greatly appreciated.  I will keep track of any changes made and successes so we can document for others!!

     

     

     



    Friday, April 8, 2011 1:21 PM
  • Hi,

    Did you try the method that Rick noted in his link above http://support.microsoft.com/kb/951005?

    You can also try disabling and then enabling again.

    Note that the link says "This behavior occurs even though Event Viewer is configured correctly to log such events."

    auditpol /set /subcategory:"Network Policy Server" /success:disable /failure:disable

    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

     

    Monday, April 11, 2011 7:41 AM
  • Hi Customer,

     

      

    I understand that you want to log event ID 6273, NPS denied access to user.

    You can see many customers posting event 6273 in the forum to discuss NPS issues, so maybe something configured wrong is causing your issue.

    1.   Please run the commands "netsh nps show eventlog" and "netsh nps show filelog" on the NPS server and check in the result whether everything is enabled.

    2.   Do you use an NPS proxy in your scenario? NPS failed events may be logged on the NPS proxy server.

    3.   Please check whether logging is normal on your client, and check the switch/AP log for the failed 802.1x authentication.

    4.   Trace the NPS log (IASSAM.log in the Windows\tracing directory) and post it to us.

     Trace start,  netsh ras set tr * en

     Trace stop,  netsh ras set tr * dis

    5. Please post file isasvcs.dll version to us

    6. Test setting your system locale to "English (United States)"

     

     

    Event ID 6273 — NPS Authentication Status

    http://technet.microsoft.com/en-us/library/cc735399(WS.10).aspx

     


    Regar
    Monday, April 11, 2011 9:58 AM
  • 1) All shown to be up and logging for accepted + rejected

    2) No proxy

    3) logging is configured on WLAN (I'll look more into logging for specific client)

    4) output -- names changed to protect the guilty!!  ;) 


    [608] 04-12 07:54:58:598: LDAP connect succeeded.
    [608] 04-12 07:54:58:598: Sending LDAP search to DCServer.site.loc.
    [608] 04-12 07:54:58:598: Successfully validated windows account site\Client-Device.
    [608] 04-12 07:54:58:598: Allowed EAP type: 25
    [608] 04-12 07:54:58:598: Succesfully created EAP Host session with session id 27
    [608] 04-12 07:54:58:614: Processing output from EAP: action:1
    [608] 04-12 07:54:58:614: Inserting outbound EAP-Message of length 6.
    [608] 04-12 07:54:58:614: Issuing Access-Challenge.
    [608] 04-12 07:54:58:614: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:54:58:614: Successfully retrieved session (27) for user site\Client-Device.
    [744] 04-12 07:54:58:614: No AUTHENTICATION extensions, continuing
    [744] 04-12 07:54:58:614: Processing output from EAP: action:1
    [744] 04-12 07:54:58:614: Inserting outbound EAP-Message of length 1096.
    [744] 04-12 07:54:58:614: Issuing Access-Challenge.
    [744] 04-12 07:54:58:614: No AUTHORIZATION extensions, continuing
    [608] 04-12 07:54:58:629: Successfully retrieved session (27) for user site\Client-Device.
    [608] 04-12 07:54:58:629: No AUTHENTICATION extensions, continuing
    [608] 04-12 07:54:58:629: Processing output from EAP: action:1
    [608] 04-12 07:54:58:629: Inserting outbound EAP-Message of length 1096.
    [608] 04-12 07:54:58:629: Issuing Access-Challenge.
    [608] 04-12 07:54:58:629: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:54:58:629: Successfully retrieved session (27) for user site\Client-Device.
    [744] 04-12 07:54:58:629: No AUTHENTICATION extensions, continuing
    [744] 04-12 07:54:58:629: Processing output from EAP: action:1
    [744] 04-12 07:54:58:629: Inserting outbound EAP-Message of length 133.
    [744] 04-12 07:54:58:629: Issuing Access-Challenge.
    [744] 04-12 07:54:58:629: No AUTHORIZATION extensions, continuing
    [608] 04-12 07:54:58:629: Successfully retrieved session (27) for user site\Client-Device.
    [608] 04-12 07:54:58:629: No AUTHENTICATION extensions, continuing
    [608] 04-12 07:54:58:629: Processing output from EAP: action:1
    [608] 04-12 07:54:58:629: Inserting outbound EAP-Message of length 57.
    [608] 04-12 07:54:58:629: Issuing Access-Challenge.
    [608] 04-12 07:54:58:629: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:54:58:645: Successfully retrieved session (27) for user site\Client-Device.
    [744] 04-12 07:54:58:645: No AUTHENTICATION extensions, continuing
    [744] 04-12 07:54:58:645: Processing output from EAP: action:1
    [744] 04-12 07:54:58:645: Inserting outbound EAP-Message of length 32.
    [744] 04-12 07:54:58:645: Issuing Access-Challenge.
    [744] 04-12 07:54:58:645: No AUTHORIZATION extensions, continuing
    [608] 04-12 07:54:58:645: Successfully retrieved session (27) for user site\Client-Device.
    [608] 04-12 07:54:58:645: No AUTHENTICATION extensions, continuing
    [608] 04-12 07:54:58:645: Processing output from EAP: action:1
    [608] 04-12 07:54:58:645: Inserting outbound EAP-Message of length 47.
    [608] 04-12 07:54:58:645: Issuing Access-Challenge.
    [608] 04-12 07:54:58:645: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:54:58:660: Successfully retrieved session (27) for user site\Client-Device.
    [744] 04-12 07:54:58:660: No AUTHENTICATION extensions, continuing
    [744] 04-12 07:54:58:660: Processing output from EAP: action:1
    [744] 04-12 07:54:58:660: Inserting outbound EAP-Message of length 66.
    [744] 04-12 07:54:58:660: Issuing Access-Challenge.
    [744] 04-12 07:54:58:660: No AUTHORIZATION extensions, continuing
    [608] 04-12 07:54:58:676: Successfully retrieved session (27) for user site\Client-Device.
    [608] 04-12 07:54:58:676: No AUTHENTICATION extensions, continuing
    [608] 04-12 07:54:58:676: Processing output from EAP: action:1
    [608] 04-12 07:54:58:676: Inserting outbound EAP-Message of length 78.
    [608] 04-12 07:54:58:676: Issuing Access-Challenge.
    [608] 04-12 07:54:58:676: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:54:58:676: Successfully retrieved session (27) for user site\Client-Device.
    [744] 04-12 07:54:58:676: No AUTHENTICATION extensions, continuing
    [744] 04-12 07:54:58:676: Processing output from EAP: action:3
    [744] 04-12 07:54:58:676: onIndicateTLV: Injecting All Attributes Returned by EAP
    [744] 04-12 07:54:58:676: Translating attributes returned by EAPHost.
    [744] 04-12 07:54:58:676: Inserting attribute 4120
    [744] 04-12 07:54:58:676: Inserting attribute 4145
    [744] 04-12 07:54:58:676: Inserting attribute 8102
    [744] 04-12 07:54:58:676: Inserting attribute 8102
    [744] 04-12 07:54:58:676: Processing PEAP TLVs
    [744] 04-12 07:54:58:676: Forward Result-TLV and Inner Method TLV
    [744] 04-12 07:54:58:676: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:54:58:676: pEapHost->EapHostAuthenticatorSetAttributes called succesfullywith 1 EAP attributes
    [744] 04-12 07:54:58:676: Processing output from EAP: action:1
    [744] 04-12 07:54:58:676: Inserting outbound EAP-Message of length 102.
    [744] 04-12 07:54:58:676: Issuing Access-Challenge.
    [608] 04-12 07:54:58:692: Successfully retrieved session (27) for user site\Client-Device.
    [608] 04-12 07:54:58:692: No AUTHENTICATION extensions, continuing
    [608] 04-12 07:54:58:692: Processing output from EAP: action:2
    [608] 04-12 07:54:58:692: Translating attributes returned by EAPHost.
    [608] 04-12 07:54:58:692: Inserting attribute 4120
    [608] 04-12 07:54:58:692: Inserting attribute 4145
    [608] 04-12 07:54:58:692: Inserting attribute 8100
    [608] 04-12 07:54:58:692: Inserting attribute 8099
    [608] 04-12 07:54:58:692: Inserting attribute 4140
    [608] 04-12 07:54:58:692: Inserting attribute 4141
    [608] 04-12 07:54:58:692: EAP authentication succeeded.
    [608] 04-12 07:54:58:692: No AUTHORIZATION extensions, continuing
    [608] 04-12 07:54:58:692: Inserting outbound EAP-Message of length 4.
    [744] 04-12 07:57:23:040: NT-SAM Names handler received request with user identity site\user.
    [744] 04-12 07:57:23:040: Username is already an NT4 account name.
    [744] 04-12 07:57:23:040: SAM-Account-Name is "site\user".
    [744] 04-12 07:57:23:040: Successfully created new RAP Based EAP session for user site\user.
    [744] 04-12 07:57:23:040: No AUTHENTICATION extensions, continuing
    [744] 04-12 07:57:23:040: NT-SAM Authentication handler received request for site\user.
    [744] 04-12 07:57:23:040: Validating windows user account site\user
    [744] 04-12 07:57:23:040: Sending LDAP search to DCServer.site.loc.
    [744] 04-12 07:57:23:040: Successfully validated windows account site\user.
    [744] 04-12 07:57:23:040: Allowed EAP type: 25
    [744] 04-12 07:57:23:040: Succesfully created EAP Host session with session id 29
    [744] 04-12 07:57:23:040: Processing output from EAP: action:1
    [744] 04-12 07:57:23:040: Inserting outbound EAP-Message of length 6.
    [744] 04-12 07:57:23:040: Issuing Access-Challenge.
    [744] 04-12 07:57:23:040: No AUTHORIZATION extensions, continuing
    [608] 04-12 07:57:23:056: Successfully retrieved session (29) for user site\user.
    [608] 04-12 07:57:23:056: No AUTHENTICATION extensions, continuing
    [608] 04-12 07:57:23:056: Processing output from EAP: action:1
    [608] 04-12 07:57:23:056: Inserting outbound EAP-Message of length 1096.
    [608] 04-12 07:57:23:056: Issuing Access-Challenge.
    [608] 04-12 07:57:23:056: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:57:23:056: Successfully retrieved session (29) for user site\user.
    [744] 04-12 07:57:23:056: No AUTHENTICATION extensions, continuing
    [744] 04-12 07:57:23:056: Processing output from EAP: action:1
    [744] 04-12 07:57:23:056: Inserting outbound EAP-Message of length 1096.
    [744] 04-12 07:57:23:056: Issuing Access-Challenge.
    [744] 04-12 07:57:23:056: No AUTHORIZATION extensions, continuing
    [608] 04-12 07:57:23:071: Successfully retrieved session (29) for user site\user.
    [608] 04-12 07:57:23:071: No AUTHENTICATION extensions, continuing
    [608] 04-12 07:57:23:071: Processing output from EAP: action:1
    [608] 04-12 07:57:23:071: Inserting outbound EAP-Message of length 133.
    [608] 04-12 07:57:23:071: Issuing Access-Challenge.
    [608] 04-12 07:57:23:071: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:57:23:071: Successfully retrieved session (29) for user site\user.
    [744] 04-12 07:57:23:071: No AUTHENTICATION extensions, continuing
    [744] 04-12 07:57:23:071: Processing output from EAP: action:1
    [744] 04-12 07:57:23:071: Inserting outbound EAP-Message of length 57.
    [744] 04-12 07:57:23:071: Issuing Access-Challenge.
    [744] 04-12 07:57:23:071: No AUTHORIZATION extensions, continuing
    [608] 04-12 07:57:23:087: Successfully retrieved session (29) for user site\user.
    [608] 04-12 07:57:23:087: No AUTHENTICATION extensions, continuing
    [608] 04-12 07:57:23:087: Processing output from EAP: action:1
    [608] 04-12 07:57:23:087: Inserting outbound EAP-Message of length 32.
    [608] 04-12 07:57:23:087: Issuing Access-Challenge.
    [608] 04-12 07:57:23:087: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:57:23:087: Successfully retrieved session (29) for user site\user.
    [744] 04-12 07:57:23:087: No AUTHENTICATION extensions, continuing
    [744] 04-12 07:57:23:087: Processing output from EAP: action:1
    [744] 04-12 07:57:23:087: Inserting outbound EAP-Message of length 47.
    [744] 04-12 07:57:23:087: Issuing Access-Challenge.
    [744] 04-12 07:57:23:087: No AUTHORIZATION extensions, continuing
    [608] 04-12 07:57:23:134: Successfully retrieved session (29) for user site\user.
    [608] 04-12 07:57:23:134: No AUTHENTICATION extensions, continuing
    [608] 04-12 07:57:23:134: Processing output from EAP: action:1
    [608] 04-12 07:57:23:134: Inserting outbound EAP-Message of length 66.
    [608] 04-12 07:57:23:134: Issuing Access-Challenge.
    [608] 04-12 07:57:23:134: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:57:23:274: Successfully retrieved session (29) for user site\user.
    [744] 04-12 07:57:23:274: No AUTHENTICATION extensions, continuing
    [744] 04-12 07:57:23:274: Processing output from EAP: action:1
    [744] 04-12 07:57:23:274: Inserting outbound EAP-Message of length 78.
    [744] 04-12 07:57:23:274: Issuing Access-Challenge.
    [744] 04-12 07:57:23:274: No AUTHORIZATION extensions, continuing
    [608] 04-12 07:57:23:274: Successfully retrieved session (29) for user site\user.
    [608] 04-12 07:57:23:274: No AUTHENTICATION extensions, continuing
    [608] 04-12 07:57:23:274: Processing output from EAP: action:3
    [608] 04-12 07:57:23:274: onIndicateTLV: Injecting All Attributes Returned by EAP
    [608] 04-12 07:57:23:274: Translating attributes returned by EAPHost.
    [608] 04-12 07:57:23:274: Inserting attribute 4120
    [608] 04-12 07:57:23:274: Inserting attribute 4145
    [608] 04-12 07:57:23:274: Inserting attribute 8102
    [608] 04-12 07:57:23:274: Inserting attribute 8102
    [608] 04-12 07:57:23:274: Processing PEAP TLVs
    [608] 04-12 07:57:23:274: Forward Result-TLV and Inner Method TLV
    [608] 04-12 07:57:23:274: No AUTHORIZATION extensions, continuing
    [608] 04-12 07:57:23:274: pEapHost->EapHostAuthenticatorSetAttributes called succesfullywith 1 EAP attributes
    [608] 04-12 07:57:23:274: Processing output from EAP: action:1
    [608] 04-12 07:57:23:274: Inserting outbound EAP-Message of length 102.
    [608] 04-12 07:57:23:274: Issuing Access-Challenge.
    [744] 04-12 07:57:24:616: Successfully retrieved session (29) for user site\user.
    [744] 04-12 07:57:24:616: No AUTHENTICATION extensions, continuing
    [744] 04-12 07:57:24:616: Processing output from EAP: action:2
    [744] 04-12 07:57:24:616: Translating attributes returned by EAPHost.
    [744] 04-12 07:57:24:616: Inserting attribute 4120
    [744] 04-12 07:57:24:616: Inserting attribute 4145
    [744] 04-12 07:57:24:616: Inserting attribute 8100
    [744] 04-12 07:57:24:616: Inserting attribute 8099
    [744] 04-12 07:57:24:616: Inserting attribute 4140
    [744] 04-12 07:57:24:616: Inserting attribute 4141
    [744] 04-12 07:57:24:616: EAP authentication succeeded.
    [744] 04-12 07:57:24:616: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:57:24:616: Inserting outbound EAP-Message of length 4.
    [608] 04-12 07:57:56:081: NT-SAM Names handler received request with user identity host/Client-Device.site.loc.
    [608] 04-12 07:57:56:081: Successfully cracked username.
    [608] 04-12 07:57:56:081: SAM-Account-Name is "site\Client-Device".
    [608] 04-12 07:57:56:081: Successfully created new RAP Based EAP session for user site\Client-Device.
    [608] 04-12 07:57:56:081: No AUTHENTICATION extensions, continuing
    [608] 04-12 07:57:56:081: NT-SAM Authentication handler received request for site\Client-Device.
    [608] 04-12 07:57:56:081: Validating windows user account site\Client-Device
    [608] 04-12 07:57:56:081: Sending LDAP search to DCServer.site.loc.
    [608] 04-12 07:57:56:097: Successfully validated windows account site\Client-Device.
    [608] 04-12 07:57:56:097: Allowed EAP type: 25
    [608] 04-12 07:57:56:097: Succesfully created EAP Host session with session id 31
    [608] 04-12 07:57:56:097: Processing output from EAP: action:1
    [608] 04-12 07:57:56:097: Inserting outbound EAP-Message of length 6.
    [608] 04-12 07:57:56:097: Issuing Access-Challenge.
    [608] 04-12 07:57:56:097: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:57:56:097: Successfully retrieved session (31) for user site\Client-Device.
    [744] 04-12 07:57:56:097: No AUTHENTICATION extensions, continuing
    [744] 04-12 07:57:56:097: Processing output from EAP: action:1
    [744] 04-12 07:57:56:097: Inserting outbound EAP-Message of length 1096.
    [744] 04-12 07:57:56:097: Issuing Access-Challenge.
    [744] 04-12 07:57:56:097: No AUTHORIZATION extensions, continuing
    [608] 04-12 07:57:56:097: Successfully retrieved session (31) for user site\Client-Device.
    [608] 04-12 07:57:56:097: No AUTHENTICATION extensions, continuing
    [608] 04-12 07:57:56:097: Processing output from EAP: action:1
    [608] 04-12 07:57:56:097: Inserting outbound EAP-Message of length 1096.
    [608] 04-12 07:57:56:097: Issuing Access-Challenge.
    [608] 04-12 07:57:56:097: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:57:56:113: Successfully retrieved session (31) for user site\Client-Device.
    [744] 04-12 07:57:56:113: No AUTHENTICATION extensions, continuing
    [744] 04-12 07:57:56:113: Processing output from EAP: action:1
    [744] 04-12 07:57:56:113: Inserting outbound EAP-Message of length 133.
    [744] 04-12 07:57:56:113: Issuing Access-Challenge.
    [744] 04-12 07:57:56:113: No AUTHORIZATION extensions, continuing
    [608] 04-12 07:57:56:113: Successfully retrieved session (31) for user site\Client-Device.
    [608] 04-12 07:57:56:113: No AUTHENTICATION extensions, continuing
    [608] 04-12 07:57:56:128: Processing output from EAP: action:1
    [608] 04-12 07:57:56:128: Inserting outbound EAP-Message of length 57.
    [608] 04-12 07:57:56:128: Issuing Access-Challenge.
    [608] 04-12 07:57:56:128: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:57:56:128: Successfully retrieved session (31) for user site\Client-Device.
    [744] 04-12 07:57:56:128: No AUTHENTICATION extensions, continuing
    [744] 04-12 07:57:56:128: Processing output from EAP: action:1
    [744] 04-12 07:57:56:128: Inserting outbound EAP-Message of length 32.
    [744] 04-12 07:57:56:128: Issuing Access-Challenge.
    [744] 04-12 07:57:56:128: No AUTHORIZATION extensions, continuing
    [608] 04-12 07:57:56:128: Successfully retrieved session (31) for user site\Client-Device.
    [608] 04-12 07:57:56:128: No AUTHENTICATION extensions, continuing
    [608] 04-12 07:57:56:128: Processing output from EAP: action:1
    [608] 04-12 07:57:56:128: Inserting outbound EAP-Message of length 47.
    [608] 04-12 07:57:56:128: Issuing Access-Challenge.
    [608] 04-12 07:57:56:128: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:57:56:128: Successfully retrieved session (31) for user site\Client-Device.
    [744] 04-12 07:57:56:128: No AUTHENTICATION extensions, continuing
    [744] 04-12 07:57:56:144: Processing output from EAP: action:1
    [744] 04-12 07:57:56:144: Inserting outbound EAP-Message of length 66.
    [744] 04-12 07:57:56:144: Issuing Access-Challenge.
    [744] 04-12 07:57:56:144: No AUTHORIZATION extensions, continuing
    [608] 04-12 07:57:56:144: Successfully retrieved session (31) for user site\Client-Device.
    [608] 04-12 07:57:56:144: No AUTHENTICATION extensions, continuing
    [608] 04-12 07:57:56:160: Processing output from EAP: action:1
    [608] 04-12 07:57:56:160: Inserting outbound EAP-Message of length 78.
    [608] 04-12 07:57:56:160: Issuing Access-Challenge.
    [608] 04-12 07:57:56:160: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:57:56:160: Successfully retrieved session (31) for user site\Client-Device.
    [744] 04-12 07:57:56:160: No AUTHENTICATION extensions, continuing
    [744] 04-12 07:57:56:160: Processing output from EAP: action:3
    [744] 04-12 07:57:56:160: onIndicateTLV: Injecting All Attributes Returned by EAP
    [744] 04-12 07:57:56:160: Translating attributes returned by EAPHost.
    [744] 04-12 07:57:56:160: Inserting attribute 4120
    [744] 04-12 07:57:56:160: Inserting attribute 4145
    [744] 04-12 07:57:56:160: Inserting attribute 8102
    [744] 04-12 07:57:56:160: Inserting attribute 8102
    [744] 04-12 07:57:56:160: Processing PEAP TLVs
    [744] 04-12 07:57:56:160: Forward Result-TLV and Inner Method TLV
    [744] 04-12 07:57:56:160: No AUTHORIZATION extensions, continuing
    [744] 04-12 07:57:56:160: pEapHost->EapHostAuthenticatorSetAttributes called succesfullywith 1 EAP attributes
    [744] 04-12 07:57:56:160: Processing output from EAP: action:1
    [744] 04-12 07:57:56:160: Inserting outbound EAP-Message of length 102.
    [744] 04-12 07:57:56:160: Issuing Access-Challenge.
    [608] 04-12 07:57:56:160: Successfully retrieved session (31) for user site\Client-Device.
    [608] 04-12 07:57:56:160: No AUTHENTICATION extensions, continuing
    [608] 04-12 07:57:56:160: Processing output from EAP: action:2
    [608] 04-12 07:57:56:160: Translating attributes returned by EAPHost.
    [608] 04-12 07:57:56:160: Inserting attribute 4120
    [608] 04-12 07:57:56:160: Inserting attribute 4145
    [608] 04-12 07:57:56:160: Inserting attribute 8100
    [608] 04-12 07:57:56:160: Inserting attribute 8099
    [608] 04-12 07:57:56:160: Inserting attribute 4140
    [608] 04-12 07:57:56:160: Inserting attribute 4141
    [608] 04-12 07:57:56:160: EAP authentication succeeded.
    [608] 04-12 07:57:56:160: No AUTHORIZATION extensions, continuing
    [608] 04-12 07:57:56:160: Inserting outbound EAP-Message of length 4.

     

    This includes both types of failed auth attempts: good username with wrong password & bad username/password.

     

    5) isasvcs.dll is 6.1.7600.16385

    6) System is set to English (United States)

     

    As a side note, I am working on another new radius server on R2.  It is doing exactly the same thing... that's 0 out of 4 that will log failed attempts.  Either I'm really good at making the same mistake over and over or there's something else wrong.  :)

     

     

    Thanks for any and all help.  We're going to figure this out!!

    Tuesday, April 12, 2011 1:16 PM
  • Hi Customer,

     

       I see no failed log entries in your post; all validation is successful. Did you find the bad username in the original log?

       Meanwhile, there is also no authentication-failed log entry; please look for other logs in the same directory as IASSAM.log.

     

    [608] 04-12 07:54:58:598: Successfully validated windows account site\Client-Device.

     

    [744] 04-12 07:57:23:040: NT-SAM Authentication handler received request for site\user.

     

    [744] 04-12 07:57:23:040: Successfully validated windows account site\user.

     

    [608] 04-12 07:57:56:081: NT-SAM Authentication handler received request for site\Client-Device.

     

    [608] 04-12 07:57:56:097: Successfully validated windows account site\Client-Device.

     

    __________________________________________________________________

     

    http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/ae370301-3db0-4788-be81-9ea9b88a4679

     

    1748] 04-08 10:56:17:571: EAP authentication failed.


    Regards, Rick Tan
    Wednesday, April 13, 2011 9:18 AM
  • That's the problem: there is absolutely no record of the attempt on the servers.  I've searched every type of log file and GUI logging interface I can find.  If it fails, there is absolutely no record of the attempt.  For obvious reasons, I cannot put the servers into production.
    Wednesday, April 13, 2011 12:19 PM
  • Hi Customer,

         NPS failed events are not logged if the locale of the server is different from English.

    Please use below steps to check and fix the problem:

    a). Start->Control Panel->Regional and Language Options
    b). Click "Administrative" Tab, check the current applied System Locale, if it is
    different from "English (United States)", then click "Change system locale..."
    button.
    c). Select "English (United States)", click OK and reboot the computer.

    You can download and install English language pack from
    http://www.microsoft.com/Downloads/details.aspx?FamilyID=e9f6f200-cfaf-4516-8e96-e4d4750397ff&displaylang=en

    Please note to download the language pack according to your system platform type.


    Regards, Rick Tan
    • Proposed as answer by Rick Tan Thursday, April 14, 2011 6:04 AM
    Thursday, April 14, 2011 5:58 AM
  • They are set to English (United States).

    While talking with our AD guys, we did run across one item of interest.  Our AD has all DC on 2008 R2.  Is it possible the AD domain Policies are interpreted differently by Radius servers on 2008 R2 vs. 2003?  The default domain policy is to only log successful authentications.  Since our 2003 radius servers work properly but the 2008 R2 servers do not, is it possible this is the cause?

    Thursday, April 14, 2011 2:21 PM
  • Hi Customer,

         You could use the command RSOP.msc and compare the GP settings on the Windows 2003 and 2008 servers for local audit policy.

         Windows 2008 server GP adds an advanced audit policy configuration; you could check it for NPS.

    Audit Network Policy server

    http://technet.microsoft.com/en-us/library/dd772634(WS.10).aspx


    Regards, Rick Tan

    Friday, April 15, 2011 3:00 AM
  • I found no differences between them using the RSOP.msc.

    I'm not sure where to go now.  It seems whatever the issue is must be related to 2008 in some manner since all versions of 2008 have the issue while none of the 2003 servers have the issue.

    Friday, April 15, 2011 12:52 PM
  • Hi,

     

    I would be interested to see your IAS log files, which haven’t been examined yet as far as I can tell. They are probably named IN<date>.log in your C:\Windows\System32\Logfiles directory.

    The native format is difficult to read, but you can see a description of it here:

    Interpret NPS Database Format Log Files

    I haven't tried log file viewers on these files, but they might help. Look here and here. You really don't need these however if you are just searching for rejected access requests.

     

    You should also try enabling tracing. From an elevated prompt, type:

    netsh ras set tr * en

     

    Disable by typing:

    netsh ras set tr * dis

     

    In these logs, you should see a number right after the date and time. There might be several commas in a row immediately after the number which makes it easy to spot in each line. For example:

    "CLIENTCOMP","IAS",03/07/2008,13:04:33,2,,,,,,

    The number represents the packet type. In the example above, the number you are looking for is "2" which means this is an access-accept packet. Are all the entries in the log files 1's and 2's? You should see an occasional 3 if access requests are being rejected.

    1 = Access-Request
    2 = Access-Accept

    3 = Access-Reject

    4 = Accounting-Request

     

    -Greg

     

    Friday, April 15, 2011 10:41 PM
  • Tried testing with another device with same results (in case original laptop was the problem).

     

    In the log file, the username never appears when it fails authentication.  This happens for both types of failed auth attempts: good username with wrong password & bad username/password.

    Monday, April 18, 2011 3:31 PM
  • Have you tried enabling the Advanced Auditing in Group Policy?

     

    Windows Setting>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Logon\Logoff>Audit Network Policy Server

    Select failed and successful, then run gpupdate /force and run rsop.msc afterwards to ensure it took effect.

    Tuesday, May 3, 2011 4:27 PM
  • Hello,

    Thank you for your great post with the meaning of the log numbers. I am seeing a lot of 11 for the packet type, e.g.

    "CLIENTCOMP","IAS",10/17/2012,08:51:25,11,,,,,,

    I found the following Technet article http://technet.microsoft.com/en-us/library/cc771748(v=ws.10).aspx however, like your list it does not give a value above 4.

    I cannot see any other numbers aside from 1,2,3,4 and 11 in the log.

    What does 11 represent?

    -Adey H0bett


    • Edited by H0bett Wednesday, October 17, 2012 8:52 AM Corrected typos.
    Wednesday, October 17, 2012 8:43 AM
  • Hello,

    I've got the same problem, and it returns code 1 and then 11.

    Here is my log file:

    "PC","IAS",07/09/2014,23:14:04,1,"hamid","ORG\hamid","00-00-7A-C4-B3-42:WS_IRIB","00-00-35-78-B1-54",,,,"192.168.1.5",1,0,"192.168.204.207","wifi",,,19,"CONNECT 54Mbps 802.11g",,2,5,"Secure Wireless Connections",0,"311 1 10.10.0.52 07/09/2014 13:17:38 1023",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
    "PC","IAS",07/09/2014,23:14:04,11,,"ORG\hamid",,,,,,,,0,"192.168.204.207","wifi",,,,,,,5,"Secure Wireless Connections",0,"311 1 10.10.0.52 07/09/2014 13:17:38 1023",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
    

    Thursday, July 10, 2014 6:21 AM
  • Type 11 is an access challenge packet. See:

    http://technet.microsoft.com/en-us/library/cc958030.aspx

    Thursday, July 10, 2014 7:22 PM
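
Added example, not part of any post in this thread: a small Python script that applies the packet-type check described above (codes 1 to 4) together with the later answer that 11 is an Access-Challenge. It tallies packet types in IAS-format log lines and lists users whose Access-Request never received a logged Accept or Reject, which is the symptom reported here. The sample lines are constructed, and treating fields 5 and 6 as the user name columns is an assumption read off the log lines quoted in the thread.

```python
import csv
from collections import Counter, defaultdict

# Packet-type codes exactly as given in the thread (1-4 and 11).
PACKET_TYPES = {
    1: "Access-Request",
    2: "Access-Accept",
    3: "Access-Reject",
    4: "Accounting-Request",
    11: "Access-Challenge",
}

# Zero-based field positions, read off the log lines quoted in the thread.
F_PACKET_TYPE = 4      # the number right after the date and time
F_USER_NAME = 5        # assumption: short user name
F_FQ_USER_NAME = 6     # assumption: DOMAIN\user form

# Constructed sample (not real log data), shortened to the leading fields.
# The last line is deliberately truncated to exercise the malformed path.
SAMPLE_LOG = r'''
"NPS01","IAS",04/12/2011,07:57:23,1,"user","SITE\user",,,
"NPS01","IAS",04/12/2011,07:57:23,11,,"SITE\user",,,
"NPS01","IAS",04/12/2011,07:57:24,2,,"SITE\user",,,
"NPS01","IAS",04/12/2011,08:01:10,1,"baduser","SITE\baduser",,,
"NPS01","IAS",04/12/2011,08:01:10,11,,"SITE\baduser",,,
"NPS01","IAS",04/12/2011
'''


def summarize(lines):
    """Tally packet types and find requests with no logged outcome."""
    counts = Counter()
    per_user = defaultdict(Counter)
    malformed = 0

    for row in csv.reader(lines):
        if not row:                      # blank line
            continue
        try:
            ptype = int(row[F_PACKET_TYPE])
        except (IndexError, ValueError):
            malformed += 1               # truncated or non-numeric record
            continue
        counts[ptype] += 1

        # Challenge/Accept/Reject records may leave User-Name empty, so
        # prefer the fully qualified name and fall back to the short one.
        user = ""
        for idx in (F_FQ_USER_NAME, F_USER_NAME):
            if idx < len(row) and row[idx]:
                user = row[idx]
                break
        if user:
            per_user[user][ptype] += 1

    # Users who sent a request but have neither an Accept nor a Reject.
    unresolved = sorted(
        u for u, c in per_user.items()
        if c[1] > 0 and c[2] == 0 and c[3] == 0
    )
    return {
        "counts": {PACKET_TYPES.get(t, f"type {t}"): n
                   for t, n in sorted(counts.items())},
        "rejects_logged": counts[3] > 0,
        "unresolved_users": unresolved,
        "malformed": malformed,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for name, n in result["counts"].items():
        print(f"{name:20} {n}")
    if not result["rejects_logged"]:
        print("No Access-Reject (3) records in this log.")
    for user in result["unresolved_users"]:
        print(f"Request without logged outcome: {user}")
    print(f"Malformed lines skipped: {result['malformed']}")
```

To run it against a real file, pass the open file object to `summarize()` instead of the sample lines.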