NPS access and failed logs not generating

Question
-
Hi,
We have Windows Server 2008 R2 with a DC, and we have integrated the WLC with the DC with the help of a RADIUS server. Two days ago we enabled Audit Policy for Account, Directory and object changes with success and failure. After these changes, NPS access and failed logs are not generated on the RADIUS server; before these two days the logs were generated. Now only event ID 4400 is generated on the server. Users are accessing the wireless network. So please help me.
Thanks, Manish
- Edited by Manish KS Monday, September 15, 2014 11:31 AM
Monday, September 15, 2014 11:29 AM
All replies
-
Hi,
According to your description, maybe auditing is not enabled.
We can use commands below to ensure that the audit policy is configured to allow logging success and failure events.
First, run the command below on NPS server to see current audit policy settings:
auditpol /get /subcategory:"Network Policy Server"
If both success and failure events are enabled, the output should be:
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Network Policy Server                   Success and Failure
If it shows "No auditing", we could run the command below to enable it:
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
Best Regards,
Tina
Tuesday, September 16, 2014 1:25 PM -
Hi Tina,
Thanks for the reply. When I execute auditpol /get /subcategory:* it shows all policies as No Auditing. I executed auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable; it is enabled for some time, and after a few minutes it automatically goes back to No Auditing. How do I set all audit policies to default on the server? Please help me.
System audit policy was changed.
Subject:
Security ID: Domain name \User
Account Name: User
Account Domain: Domain name
Logon ID: 0x48d4400c
Audit Policy Change:
Category: Logon/Logoff
Subcategory: Network Policy Server
Subcategory GUID: {0cce9243-69ae-11d9-bed3-505054503030}
Changes: Success Added, Failure added
System audit policy was changed.
Subject:
Security ID: SYSTEM
Account Name: Hostname$
Account Domain: Domain name
Logon ID: 0x3e7
Audit Policy Change:
Category: Logon/Logoff
Subcategory: Network Policy Server
Subcategory GUID: {0cce9243-69ae-11d9-bed3-505054503030}
Changes: Success removed, Failure removed
Both have the same Event ID: 4719
Task Category: Audit Policy Change
Keywords: Audit Success
Thanks, Manish
- Edited by Manish KS Wednesday, September 17, 2014 6:50 AM
Wednesday, September 17, 2014 6:34 AM -
Hi Manish,
It seems that the setting was overridden. Maybe we can use group policy to enable NPS auditing. Please run gpedit.msc, expand Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies - Local Group Policy Object → Logon/Logoff. Then open Audit Network Policy Server Properties, check Configure the following audit events, and check Success and Failure. Then run the gpupdate /force command in the command prompt to make the policy work at once. This security policy setting determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock).
Here is a success case about enabling Network Policy Server logon/logoff auditing via group policy,
For more details about Audit Network Policy Server, please refer to the link below:
http://technet.microsoft.com/en-us/library/dd772634(v=ws.10).aspx
Best Regards,
Tina
- Marked as answer by Manish KS Tuesday, September 30, 2014 5:15 AM
Monday, September 22, 2014 1:32 AM -
Hi Tina,
Thanks for the reply. I have done the above configuration and NPS logs are now generating, but there is the same problem with the security logs: they are not generating. I have a test DC server where no group policy is enabled for auditing, but when I execute auditpol /get /category:* it shows the configuration below, so I want to know where the default audit policy is saved and how to reset the default audit policy on the production DC server.
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   Success and Failure
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     Success
  Authentication Policy Change            Success
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 Success
  Computer Account Management             Success
  Security Group Management               Success
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                Success
Account Logon
  Kerberos Service Ticket Operations      Success
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         Success
  Credential Validation                   Success
Thanks, Manish
Monday, September 22, 2014 7:10 AM -
Hi Manish,
Maybe we forgot something important. If these computers are in a domain environment, then the domain Group Policy will override the settings of the domain member computer's local Group Policy. To verify the problem, we can use the gpresult /h PathandFileName command to generate a report in HTML format on the DC and RADIUS server. For example, gpresult /h C:\report.html. This report includes all Group Policy settings on the computer. If auditing is configured successfully, we can see a Local Policies/Audit Policy item. To configure Audit Policy in domain Group Policy, please run gpmc.msc to open Group Policy Management on the DC, expand Forest:*/Domains/*/Default Domain Policy (* is the domain name), right-click Default Domain Policy, click Edit to open Group Policy Management Editor, then configure the corresponding policies. After configuring all settings, please run the gpupdate /force command. We can also view the settings by running the gpresult /h command.
Note: we must log on as an administrator to finish all these operations.
Best Regards,
Tina
Tuesday, September 23, 2014 1:10 PM -
Hi Tina,
Thanks for the reply. This is my production DC server. I have taken the report of auditpol /get /category:* from the test DC server and done the same configuration on the production DC server in gpedit.msc → Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies - Local Group Policy Object, modifying all audit policies to match the test DC server's auditpol report, and now I can see all security and NPS logs. I want to know the actual location of the auditpol configuration, because on the test DC no policy shows in GPO and GPEDIT; it only shows in auditpol /get /category:*.
Thanks, Manish
Wednesday, September 24, 2014 7:35 AM -
Hi Manish,
Advanced audit policy stores all of its local security policy values in an audit.csv file located here: %systemroot%\system32\grouppolicy\machine\microsoft\windows nt\audit\audit.csv, which is then copied here: %systemroot%\security\audit\audit.csv. So if you apply advanced audit policy successfully, please find the audit.csv on the NPS server.
For more details about audit policy, please refer to the link below,
Getting the Effective Audit Policy in Windows 7 and 2008 R2
Best Regards,
Tina
Monday, September 29, 2014 1:12 AM
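
A diagnostic script for the situation in this thread, added here as an example and not posted by any participant: it reads the effective Network Policy Server audit setting, the two audit.csv files named in the last answer, and recent 4719 events to show which account keeps changing the setting. It assumes English event text, that the audit.csv columns match auditpol's CSV header, and a two-day lookback chosen for illustration.

```powershell
# Added example; run in an elevated PowerShell session on the NPS server.
$subcategory = 'Network Policy Server'
$guid = '{0cce9243-69ae-11d9-bed3-505054503030}'  # subcategory GUID from the 4719 events in the thread

# 1. Effective setting right now ("/r" makes auditpol print CSV).
$effective = auditpol /get "/subcategory:$subcategory" /r |
    Where-Object { $_ } | ConvertFrom-Csv
'Effective setting: {0}' -f $effective.'Inclusion Setting'

# 2. What the policy files named in the last answer say for this subcategory.
#    Assumption: column names match the auditpol CSV header.
$files = "$env:SystemRoot\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv",
         "$env:SystemRoot\security\audit\audit.csv"
foreach ($file in $files) {
    if (-not (Test-Path $file)) { "${file}: not present"; continue }
    $row = Import-Csv $file | Where-Object { $_.'Subcategory GUID' -eq $guid }
    if ($row) { "${file}: $($row.'Inclusion Setting')" }
    else      { "${file}: subcategory not configured" }
}

# 3. Who changed the subcategory in the last two days (event ID 4719).
#    Assumption: English event text, as shown in the thread.
$changes = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4719; StartTime = (Get-Date).AddDays(-2)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$guid*" } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated,
        @{ n = 'Account'; e = { if ($_.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } } },
        @{ n = 'Changes'; e = { if ($_.Message -match 'Changes:\s+(.+)') { $Matches[1].Trim() } } }
$changes | Format-Table -AutoSize

# A removal logged by the computer account (name ending in "$") after an
# administrator's "added" entry is the pattern posted in the thread.
$reverted = @($changes | Where-Object { $_.Account -like '*$' -and $_.Changes -match 'removed' })
if ($reverted.Count -gt 0) {
    "Removed by the computer account $($reverted.Count) time(s): check 'gpresult /h' for the policy that wins."
}
```

If step 1 reports No Auditing while step 3 lists removals by the computer account, the local auditpol /set is being overridden, and the gpresult /h report described in the thread shows which policy applies.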