IAS does not log username when using radius proxy

  • Question

  • when i use IAS on w2k3 as a radius proxy, the username for successful authentication requests is not logged in the IAS log, but it is recorded in the event log.

    the username for rejected auth requests is logged in the IAS logfile.

    does anyone have any ideas as to why this is happening?

    when IAS locally authenticates requests, the username always appears.

    for one auth request when the radius proxy is used, the event log contains:-

    User user@test.ac.uk was granted access.
     Fully-Qualified-User-Name = <undetermined>
     NAS-IP-Address = 10.8.148.83
     NAS-Identifier = cs-dayshcntr1
     Client-Friendly-Name = cs-dayshcntr1
     Client-IP-Address = 10.8.148.83
     Calling-Station-Identifier = 00-1D-E0-80-F7-37
     NAS-Port-Type = Wireless - IEEE 802.11
     NAS-Port = 1
     Proxy-Policy-Name = non-ncl-users on campus
     Authentication-Provider = RADIUS Proxy
     Authentication-Server = 194.83.56.233
     Policy-Name = <undetermined>
     Authentication-Type = <undetermined>
     EAP-Type = <undetermined>


    and IAS logs this: (with the second field - username - empty).

    10.8.148.83,,06/01/2009,10:31:58,IAS,WINRADIUS1,31,00-1D-E0-80-F7-37,30,00-1B-2B-36-B0-A0:eduroam,5,1,4,10.8.148.83,32,cs-dayshcntr1,26,0x00003763010600000003,6,2,12,1300,61,19,64,13,65,6,81,407,4108,10.8.148.83,4116,9,4128,cs-dayshcntr1,4156,roaming.ja.net,4155,2,4154,non-ncl-users on campus,4157,194.83.56.233,4136,1,4142,0

    if any accounting records come thru, these do contain the username.

    thanks for any help
    Thursday, June 11, 2009 1:55 PM


All replies

  • If the IAS records a failure (access) it prevents the user from accessing any level beyond IAS. So a user, already rejected by IAS, will not be logged locally simply because the user is not there.
    When The Machine breaks down. We break down !
    Saturday, June 13, 2009 10:54 PM
  • If the IAS records a failure (access) it prevents the user from accessing any level beyond IAS. So a user, already rejected by IAS, will not be logged locally simply because the user is not there.
    When The Machine breaks down. We break down !

    many thanks for the reply.

    however, the failed logins are logged correctly in the IAS log.

    the successful logins are logged, but the username is empty - second field is ",," in the comma separated IAS log.

    10.8.148.83,,06/01/2009,10:31:58,IAS,WINRADIUS1,31,00-1D-E0-80-F7-37,30,00-1B-2B-36-B0-A0:eduroam,....

    this is the problem - the machine knows the username (as it is logged in the eventlog), but it is not logged in the IAS log.

    I need the username in the IAS log, for authorization log processing.


    Sunday, June 14, 2009 11:39 AM
  • Hi,

    Perhaps I missed something about your question, but if the IAS server is a proxy, aren't you forwarding authentication requests elsewhere? There is not any authentication or authorization being performed on the proxy.

    -Greg
    Wednesday, June 24, 2009 8:32 PM
  • this was confirmed as a bug.

    The workaround was to change the log file format from IAS to database compatible.

    • Marked as answer by ncl Friday, December 17, 2010 2:02 PM
    Monday, November 22, 2010 5:35 PM
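
For the log processing mentioned in the thread, a check like the following can flag IAS-format records that were handled by a RADIUS proxy but carry an empty User-Name field, so they are not silently left unattributed. This is an added example, not code from the thread; it assumes the IAS-format layout of six header fields followed by attribute-ID/value pairs, and the attribute IDs 4136 (Packet-Type), 4155 (Provider-Type, 2 = RADIUS proxy) and 4157 (Remote-Server-Address). The second sample line is constructed.

```python
import csv

HEADER = ("nas_ip", "user_name", "date", "time", "service", "computer")
PACKET_TYPE, PROVIDER_TYPE, REMOTE_SERVER = "4136", "4155", "4157"  # assumed IDs
PROVIDER_PROXY = "2"
PACKET_NAMES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}

# Log line as posted in the question (User-Name, the second field, is empty).
FROM_QUESTION = "10.8.148.83,,06/01/2009,10:31:58,IAS,WINRADIUS1,31,00-1D-E0-80-F7-37,30,00-1B-2B-36-B0-A0:eduroam,5,1,4,10.8.148.83,32,cs-dayshcntr1,26,0x00003763010600000003,6,2,12,1300,61,19,64,13,65,6,81,407,4108,10.8.148.83,4116,9,4128,cs-dayshcntr1,4156,roaming.ja.net,4155,2,4154,non-ncl-users on campus,4157,194.83.56.233,4136,1,4142,0"
# Constructed line: a locally handled request with the username present.
CONSTRUCTED = "10.8.148.83,user@test.ac.uk,06/01/2009,10:32:10,IAS,WINRADIUS1,31,00-1D-E0-80-F7-37,4155,1,4136,1,4142,0"


def parse_ias_line(line):
    """Split one IAS-format record into header fields and an attribute dict."""
    fields = next(csv.reader([line]))
    extra = len(fields) - len(HEADER)
    if extra < 0 or extra % 2:
        raise ValueError("not an IAS-format record")
    record = dict(zip(HEADER, fields))
    pairs = fields[len(HEADER):]
    # A repeated attribute ID keeps only its last value in this simple dict.
    record["attrs"] = dict(zip(pairs[0::2], pairs[1::2]))
    return record


def proxied_without_user(lines):
    """Return (line number, packet type, remote server) for proxied records
    whose User-Name header field is empty; unparseable lines are reported too."""
    findings = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            record = parse_ias_line(line)
        except ValueError:
            findings.append((number, "unparseable", None))
            continue
        attrs = record["attrs"]
        if not record["user_name"] and attrs.get(PROVIDER_TYPE) == PROVIDER_PROXY:
            packet = PACKET_NAMES.get(attrs.get(PACKET_TYPE), "unknown")
            findings.append((number, packet, attrs.get(REMOTE_SERVER)))
    return findings


if __name__ == "__main__":
    for finding in proxied_without_user([FROM_QUESTION, CONSTRUCTED]):
        print(finding)
```
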