2 questions NPS logging

  • Question

  • Hey all,

    I have 1 NPS proxy server which forwards authentication requests to 2 NPS servers in two domains (cross-forest authentication). Dynamic VLAN distribution depending on AD group membership works nicely, but my NPS logs don't show (what I think) they should.

    Question 1:
    The NPS proxy server has nothing but ID 6273 events ("NPS server denied access to a user"),
    the NPS server for domain A has nothing but ID 4400 events ("A LDAP connection with domain controller for domain A is established"),
    and the NPS server for domain B shows a lot of ID 6273 events ("NPS server denied access to a user") and very few ID 4400 events.

    I don't see any successful authentication requests anywhere, even though all three servers are configured to log both rejected and successful authentication requests. Any idea how I can fix that?


    Question 2:
    All of the ID 6273 events are logged because no matching network policy is found. All of those events are attempted machine authentications. I didn't define any network policies based on _computers_, since all I care about in my situation is VLAN distribution depending on whether or not a _user_ belongs to a certain security group in AD. Is there a way to not have my logs get filled up with rejected machine authentications?

    Btw, the NPS log files in c:\windows\system32\logfiles show successful user authentications, but those files are rather large and sometimes a little difficult to decipher.

    Any thoughts or advice on the above?

    Thanks in advance guys,
    -Dan
    Wednesday, October 29, 2008 10:53 PM
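The text-format log files Dan mentions (c:\windows\system32\logfiles) are the other place successful authentications show up. The following is an added example, not code from the thread, of a small PowerShell parser for NPS log files written in the IAS (comma-delimited) format that pulls out just the Access-Accept records. It assumes the IAS layout of six fixed leading fields (NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name) followed by attribute-number/value pairs, and it assumes the attribute numbers 4136 (Packet-Type), 4142 (Reason-Code) and 4149 (policy name); verify both against the NPS log attribute reference for your server version before relying on them. The sample lines are constructed, not real log data.

```powershell
# Added example (not from the thread): parse IAS-format NPS log lines and
# list the successful (Access-Accept) authentications.
# Assumptions: six fixed leading fields, then attribute-number/value pairs;
# attribute numbers 4136 = Packet-Type, 4142 = Reason-Code, 4149 = policy name.

$PacketTypeNames = @{
    '1' = 'Access-Request'
    '2' = 'Access-Accept'
    '3' = 'Access-Reject'
    '4' = 'Accounting-Request'
}

function ConvertFrom-IasLogLine {
    param([Parameter(Mandatory)][string]$Line)
    # Naive comma split: IAS values are not expected to contain commas.
    # Surrounding quotes on string values are stripped.
    $fields = @($Line.Split(',') | ForEach-Object { $_.Trim('"') })
    if ($fields.Count -lt 6) { return $null }

    $record = [ordered]@{
        NasIpAddress = $fields[0]
        UserName     = $fields[1]
        Date         = $fields[2]
        Time         = $fields[3]
        Service      = $fields[4]
        Computer     = $fields[5]
        PacketType   = $null
        ReasonCode   = $null
        PolicyName   = $null
    }

    # Everything after the fixed fields comes in (attribute number, value) pairs.
    for ($i = 6; $i + 1 -lt $fields.Count; $i += 2) {
        switch ($fields[$i]) {
            '4136' { $record.PacketType = $PacketTypeNames[$fields[$i + 1]] }
            '4142' { $record.ReasonCode = [int]$fields[$i + 1] }
            '4149' { $record.PolicyName = $fields[$i + 1] }
        }
    }
    return [pscustomobject]$record
}

function Get-NpsAcceptedLogons {
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines |
        ForEach-Object { ConvertFrom-IasLogLine -Line $_ } |
        Where-Object { $_ -and $_.PacketType -eq 'Access-Accept' }
}

# Constructed sample lines (not real log data) in the layout described above.
# Reason code 48 is the "no matching network policy" rejection seen in the thread.
$sample = @(
    '192.0.2.10,CORP\dan,10/29/2008,14:02:11,IAS,NPS01,4136,1'
    '192.0.2.10,CORP\dan,10/29/2008,14:02:11,IAS,NPS01,4136,2,4149,VLAN-Staff,4142,0'
    '192.0.2.10,host/pc42.corp.example,10/29/2008,14:02:30,IAS,NPS01,4136,3,4142,48'
    '192.0.2.11,LAB\alice,10/29/2008,14:03:05,IAS,NPS01,4136,2,4149,VLAN-Lab,4142,0'
)

# To run this against a real file instead:
#   Get-NpsAcceptedLogons -Lines (Get-Content C:\Windows\System32\LogFiles\IN0810.log)
Get-NpsAcceptedLogons -Lines $sample |
    Format-Table UserName, Date, Time, PolicyName, NasIpAddress -AutoSize
```

Only the two Access-Accept lines (CORP\dan and LAB\alice, with the policy that placed them) come out; the Access-Request and the rejected machine authentication are dropped. If the server writes the newer XML/DTS-compliant format instead, the file is XML and this comma parser does not apply.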

Answers

  • Hi Dan,

    The problem in the other post was fixed by a solution proposed by a member of the dev team (Divya). Can you try this and see if it helps you also?


    Run this command from an elevated prompt:

    auditpol /get /subcategory:"Network Policy Server"

    The output should be:

    System audit policy
    Category/Subcategory                      Setting
    Logon/Logoff
      Network Policy Server                   Success and Failure

    If it shows 'No auditing', you can run this command to enable it:

    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

    It might help to turn this off and back on again also. Give it a try and let me know if this helps.

    -Greg

    Thursday, November 13, 2008 4:39 AM
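Greg's check, scripted as an added example (not code from the thread or from the NPS team): read the current setting of the "Network Policy Server" audit subcategory with auditpol, enable success and failure auditing if it is off, and then summarise the NPS events that land in the Security log once auditing is on. It assumes the Security event IDs 6272 (NPS granted access) and 6273 (NPS denied access, the ID in the thread), and it assumes that machine authentications show up with a user name of the form host/... or ending in $, which is how the summary separates them from user authentications for Dan's second question. Run it from an elevated PowerShell prompt on the NPS server.

```powershell
# Added example (not from the thread): check/enable NPS auditing and
# summarise NPS events in the Security log.
# Assumptions: Security event IDs 6272 (granted) and 6273 (denied);
# machine authentications carry a user name like "host/pc.corp.example"
# or "CORP\PC42$".

function Get-NpsAuditSetting {
    # auditpol prints a small table; the row for the subcategory ends with the
    # current setting ("No Auditing", "Success", "Failure", "Success and Failure").
    $row = auditpol /get /subcategory:"Network Policy Server" 2>&1 |
        Where-Object { $_ -match 'Network Policy Server' } |
        Select-Object -Last 1
    if (-not $row) {
        throw "auditpol returned no 'Network Policy Server' row (is the prompt elevated?)"
    }
    if ($row -match 'Network Policy Server\s+(.+?)\s*$') { return $Matches[1] }
    throw "Could not parse auditpol output: $row"
}

function Enable-NpsAudit {
    $current = Get-NpsAuditSetting
    if ($current -eq 'Success and Failure') {
        Write-Host "NPS auditing already set to: $current"
        return
    }
    Write-Host "NPS auditing is '$current'; enabling success and failure auditing"
    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null
    Write-Host ("NPS auditing is now: " + (Get-NpsAuditSetting))
}

function Get-NpsEventSummary {
    param([int]$Hours = 24)
    # -ErrorAction SilentlyContinue: Get-WinEvent errors out when nothing matches.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6272, 6273
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $user = $data['FullyQualifiedSubjectUserName']
        if (-not $user) { $user = $data['SubjectUserName'] }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Result     = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
            User       = $user
            IsMachine  = [bool]($user -match '^host/|\$$')   # assumption, see above
            Policy     = $data['NetworkPolicyName']
            ReasonCode = $data['ReasonCode']
            Reason     = $data['Reason']
        }
    }
}

Enable-NpsAudit

$summary = Get-NpsEventSummary -Hours 24

# User authentications, which is what Dan wants to see.
$summary | Where-Object { -not $_.IsMachine } |
    Group-Object Result, Policy |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Machine authentications rejected for lack of a matching policy, kept
# separate so they do not drown out the user entries.
$summary | Where-Object { $_.IsMachine -and $_.Result -eq 'Denied' } |
    Group-Object Reason |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The split into user and machine rows is a reporting convenience only; the machine authentications are still attempted and still logged as denials until a network policy that matches them exists, so on a server where they are noise the fix is in policy, not in the filter.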

All replies

  • Hi Dan,

    If the NPS proxy is denying access, then it isn't successfully forwarding authentication requests. These events should only be on the authenticating server (remote RADIUS server). This probably explains why the remote NPS for domain A has only ID 4400 events. Please double-check that you are forwarding connection requests from the proxy.

    If requests are being denied because no policy is matched that should be fixed. Network policy is where authorization occurs (access to resources) so this is where I think you want to assign VLANs. I believe what you want to do is configure user authentication. There is a thread here: http://social.technet.microsoft.com/forums/en-US/winserverNAP/thread/5e6282ce-3067-493a-84b1-077df15fb33b/ that discusses this and might help you.

    This topic might help you interpret the log files if needed.

    -Greg

    Wednesday, November 5, 2008 8:24 AM
  • Hi, Greg,

    I know that my NPS proxy is successfully forwarding authentication requests because dozens of users for each of the two domains are getting successfully authenticated and placed into different VLANs based on AD security group membership. But I don't see any evidence of successful authentication in the NPS event viewer log at all. I believe I should be seeing a lot of event ID 1 and event ID 7 log entries, shouldn't I?

    -Dan
    Wednesday, November 5, 2008 7:11 PM
  • Hi Dan,

    This sounds somewhat similar to the problem in this post: http://social.technet.microsoft.com/forums/en-US/winserverNAP/thread/1288aade-b1fd-4849-9981-c02532926062 which I've just forwarded to the NPS team for investigation. Let's see if they find a resolution and it also works for you.

    Thanks for your patience.

    -Greg

    Sunday, November 9, 2008 5:18 AM
  • Thanks Greg! Using the command line instead of the GUI did the trick - I'm now seeing a lot of event ID 6278 entries in the event viewer.

    Thanks again,
    -Dan
    Thursday, November 13, 2008 7:41 PM