NPS access and failed logs not generating

  • Question

  • Hi,

    We have Windows Server 2008 R2 with a DC, and we have integrated the WLC with the DC with the help of a RADIUS server. Two days ago we enabled Audit Policy for Account, Directory and object changes with success and failure. After these changes, NPS access and failed logs are not generated on the RADIUS server; until two days ago the logs were generated. Now only event ID 4400 is generated on the server. Users are accessing the wireless network. So please help me.


    Thanks, Manish


    • Edited by Manish KS Monday, September 15, 2014 11:31 AM
    Monday, September 15, 2014 11:29 AM

All replies

  • Hi,

    According to your description, maybe auditing is not enabled.

    We can use commands below to ensure that the audit policy is configured to allow logging success and failure events.

    First, run the command below on NPS server to see current audit policy settings:

    auditpol /get /subcategory:"Network Policy Server"

    If both success and failure events are enabled, the output should be:

    System audit policy
    Category/Subcategory                      Setting
    Logon/Logoff
      Network Policy Server                   Success and Failure

    If it shows "No auditing", we could run the command below to enable it:

    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable           

    Best Regards,

    Tina

    Tuesday, September 16, 2014 1:25 PM
  • Hi Tina,

    Thanks for the reply. When I execute >auditpol /get /subcategory:* it shows all policies as No Auditing. When I execute >auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable it is enabled for some time, and after a few minutes it automatically goes back to No Auditing. How do I set the default for all audit policies on the server? Please help me.

    System audit policy was changed.

    Subject:
        Security ID:        Domain name \User
        Account Name:       User
        Account Domain:     Domain name
        Logon ID:           0x48d4400c

    Audit Policy Change:
        Category:           Logon/Logoff
        Subcategory:        Network Policy Server
        Subcategory GUID:   {0cce9243-69ae-11d9-bed3-505054503030}
        Changes:            Success Added, Failure added

    System audit policy was changed.

    Subject:
        Security ID:        SYSTEM
        Account Name:       Hostname$
        Account Domain:     Domain name
        Logon ID:           0x3e7

    Audit Policy Change:
        Category:           Logon/Logoff
        Subcategory:        Network Policy Server
        Subcategory GUID:   {0cce9243-69ae-11d9-bed3-505054503030}
        Changes:            Success removed, Failure removed

    Both have the same Event ID: 4719
    Task Category: Audit Policy Change
    Keywords: Audit Success


    Thanks, Manish



    • Edited by Manish KS Wednesday, September 17, 2014 6:50 AM
    Wednesday, September 17, 2014 6:34 AM
  • Hi Manish,

    It seems that the setting was overridden. Maybe we can use group policy to enable NPS auditing. Please run gpedit.msc and expand Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies - Local Group Policy Object → Logon/Logoff. Then open Audit Network Policy Server Properties, check Configure the following audit events, and check Success and Failure. Then run the gpupdate /force command in the command prompt to make the policy take effect at once. This security policy setting determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock).

    Here is a success case about enabling Network Policy Server logon/logoff auditing via group policy:

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/064f3e68-42fa-4669-aede-838e7cc7df92/nps-events-and-audit-policy?forum=winserverNAP

    For more details about Audit Network Policy Server, please refer to the link below:

    http://technet.microsoft.com/en-us/library/dd772634(v=ws.10).aspx

    Best Regards,

    Tina

    • Marked as answer by Manish KS Tuesday, September 30, 2014 5:15 AM
    Monday, September 22, 2014 1:32 AM
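The pair of 4719 events quoted earlier in the thread (a user enables the subcategory, then the computer account removes it) can be picked out of the Security log automatically. The following is an added example, not code from any poster; it assumes PowerShell 3.0 or later and English event text in the layout quoted above, and the function names and sample timestamps are made up for illustration.

```powershell
# Added example (not from the thread). Assumes English 4719 event text as quoted above.
function Get-AuditPolicyChange {
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $m = $Record.Message
        if ($m -notmatch 'Subcategory GUID:\s+(\{[0-9a-fA-F-]+\})') { return }
        $guid = $Matches[1]
        [pscustomobject]@{
            Time        = $Record.TimeCreated
            Guid        = $guid
            Account     = if ($m -match 'Account Name:\s+(\S+)') { $Matches[1] }
            Subcategory = if ($m -match 'Subcategory:\s+(.+)') { $Matches[1].Trim() }
            Changes     = if ($m -match 'Changes:\s+(.+)') { $Matches[1].Trim() }
        }
    }
}
# Pair each removal made by a computer account (name ends in $) with the most
# recent enable of the same subcategory inside the time window.
function Find-AuditPolicyReversion {
    param($Events, [int]$WindowMinutes = 120)
    $changes = @($Events | Get-AuditPolicyChange | Sort-Object Time)
    foreach ($off in $changes) {
        if ($off.Changes -notmatch 'removed' -or $off.Account -notlike '*$') { continue }
        $on = $changes | Where-Object {
            $_.Guid -eq $off.Guid -and $_.Changes -match 'added' -and $_.Time -le $off.Time -and
            ($off.Time - $_.Time).TotalMinutes -le $WindowMinutes
        } | Select-Object -Last 1
        if ($on) {
            [pscustomobject]@{
                Subcategory = $off.Subcategory; EnabledBy = $on.Account; EnabledAt = $on.Time
                RevertedBy  = $off.Account;     RevertedAt = $off.Time
            }
        }
    }
}
# Constructed sample records mirroring the two events in the thread (times invented).
function New-SampleEvent($Time, $Account, $Changes) {
    [pscustomobject]@{ TimeCreated = [datetime]$Time; Message = @(
        'System audit policy was changed.', 'Subject:', "  Account Name:  $Account",
        'Audit Policy Change:', '  Category:  Logon/Logoff', '  Subcategory:  Network Policy Server',
        '  Subcategory GUID:  {0cce9243-69ae-11d9-bed3-505054503030}', "  Changes:  $Changes") -join "`n" }
}
$sample = @(
    (New-SampleEvent '2014-09-17 06:10' 'User' 'Success Added, Failure added'),
    (New-SampleEvent '2014-09-17 06:25' 'HOSTNAME$' 'Success removed, Failure removed')
)
Find-AuditPolicyReversion -Events $sample
```

On a live server, pass `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 }` as `-Events` from an elevated prompt.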
  • Hi Tina,

    Thanks for the reply. I have done the above configuration and NPS logs are now generating, but there is the same problem with security logs; they are also not generating. I have a test DC server where no group policy is enabled for auditing, but when I execute >auditpol /get /category:* it shows the configuration below, so I want to know where the default audit policy is saved and how to reset the default audit policy on the production DC server.

    System audit policy
    Category/Subcategory                      Setting
    System
      Security System Extension               No Auditing
      System Integrity                        Success and Failure
      IPsec Driver                            No Auditing
      Other System Events                     Success and Failure
      Security State Change                   Success
    Logon/Logoff
      Logon                                   Success and Failure
      Logoff                                  Success
      Account Lockout                         Success
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           Success
      Other Logon/Logoff Events               No Auditing
      Network Policy Server                   Success and Failure
    Object Access
      File System                             No Auditing
      Registry                                No Auditing
      Kernel Object                           No Auditing
      SAM                                     No Auditing
      Certification Services                  No Auditing
      Application Generated                   No Auditing
      Handle Manipulation                     No Auditing
      File Share                              No Auditing
      Filtering Platform Packet Drop          No Auditing
      Filtering Platform Connection           No Auditing
      Other Object Access Events              No Auditing
      Detailed File Share                     No Auditing
    Privilege Use
      Sensitive Privilege Use                 No Auditing
      Non Sensitive Privilege Use             No Auditing
      Other Privilege Use Events              No Auditing
    Detailed Tracking
      Process Termination                     No Auditing
      DPAPI Activity                          No Auditing
      RPC Events                              No Auditing
      Process Creation                        No Auditing
    Policy Change
      Audit Policy Change                     Success
      Authentication Policy Change            Success
      Authorization Policy Change             No Auditing
      MPSSVC Rule-Level Policy Change         No Auditing
      Filtering Platform Policy Change        No Auditing
      Other Policy Change Events              No Auditing
    Account Management
      User Account Management                 Success
      Computer Account Management             Success
      Security Group Management               Success
      Distribution Group Management           No Auditing
      Application Group Management            No Auditing
      Other Account Management Events         No Auditing
    DS Access
      Directory Service Changes               No Auditing
      Directory Service Replication           No Auditing
      Detailed Directory Service Replication  No Auditing
      Directory Service Access                Success
    Account Logon
      Kerberos Service Ticket Operations      Success
      Other Account Logon Events              No Auditing
      Kerberos Authentication Service         Success
      Credential Validation                   Success


    Thanks, Manish

    Monday, September 22, 2014 7:10 AM
  • Hi Manish,

    Maybe we forgot something important. If these computers are in a domain environment, then the domain Group Policy will override the settings of the domain member computer's local Group Policy. To verify the problem, we can use the gpresult /h PathandFileName command to generate a report in HTML format on the DC and the RADIUS server. For example, gpresult /h C:\report.html. This report includes all Group Policy settings on the computer. If auditing is configured successfully, we can see a Local Policies/Audit Policy item. To configure Audit Policy in the domain Group Policy, please run gpmc.msc to open Group Policy Management on the DC, expand Forest:*/Domains/*/Default Domain Policy (* is the domain name), right-click Default Domain Policy, click Edit to open Group Policy Management Editor, then configure the corresponding policies. After configuring all settings, please run the gpupdate /force command. We can also view the settings by running the gpresult /h command.

    Note: we must log on as an administrator to finish all these operations.

    Best Regards,

    Tina

    Tuesday, September 23, 2014 1:10 PM
  • Hi Tina,

    Thanks for the reply. This is my production DC server. I took the report of auditpol /get /category:* from the test DC server and did the same configuration on the production DC server in gpedit.msc → Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies - Local Group Policy Object, modifying all audit policies to match the test DC server's auditpol report, and now I can see all security and NPS logs. I want to know the actual location of the auditpol configuration, because on the test DC no policy is shown in GPO and GPEDIT; it only shows in auditpol /get /category:*.



    Thanks, Manish

    Wednesday, September 24, 2014 7:35 AM
  • Hi Manish,

    Advanced audit policy stores all of its local security policy values in an audit.csv file located here: %systemroot%\system32\grouppolicy\machine\microsoft\windows nt\audit\audit.csv, which is then copied here: %systemroot%\security\audit\audit.csv. So if you apply advanced audit policy successfully, you can find the audit.csv on the NPS server.

    For more details about audit policy, please refer to the link below:

    Getting the Effective Audit Policy in Windows 7 and 2008 R2

    http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

    Best Regards,

    Tina

    Monday, September 29, 2014 1:12 AM
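Since the configured values live in audit.csv while auditpol reports what is actually in effect, comparing the two shows which subcategories have drifted. The following is an added example, not code from the thread; it assumes PowerShell 3.0 or later and that both inputs carry the column headers used in the constructed sample below. `Compare-AuditPolicy` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Column names are assumed to match the
# header rows that audit.csv and "auditpol /get /category:* /r" carry.
function Compare-AuditPolicy {
    param([string[]]$PolicyCsv, [string[]]$EffectiveCsv)
    $effective = @{}   # PowerShell hashtable keys compare case-insensitively
    $EffectiveCsv | Where-Object { $_.Trim() } | ConvertFrom-Csv |
        Where-Object { $_.'Subcategory GUID' } |
        ForEach-Object { $effective[$_.'Subcategory GUID'] = $_.'Inclusion Setting' }

    # Report every configured subcategory whose effective setting differs.
    $PolicyCsv | Where-Object { $_.Trim() } | ConvertFrom-Csv |
        Where-Object { $_.'Subcategory GUID' } |
        ForEach-Object {
            $actual = $effective[$_.'Subcategory GUID']
            if ($actual -ne $_.'Inclusion Setting') {
                [pscustomobject]@{
                    Subcategory = $_.Subcategory
                    Configured  = $_.'Inclusion Setting'
                    Effective   = if ($actual) { $actual } else { '(not reported)' }
                }
            }
        }
}

# Constructed sample input; the second GUID is a placeholder, not a real subcategory.
$policy = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value'
    ',System,Audit Network Policy Server,{0cce9243-69ae-11d9-bed3-505054503030},Success and Failure,,3'
    ',System,Placeholder Subcategory,{00000000-0000-0000-0000-000000000001},Success,,1'
)
$effectiveNow = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'HOSTNAME,System,Network Policy Server,{0CCE9243-69AE-11D9-BED3-505054503030},No Auditing,'
    'HOSTNAME,System,Placeholder Subcategory,{00000000-0000-0000-0000-000000000001},Success,'
)
Compare-AuditPolicy -PolicyCsv $policy -EffectiveCsv $effectiveNow
```

On a server, run elevated and pass `(Get-Content "$env:SystemRoot\security\audit\audit.csv")` as `-PolicyCsv` and `(auditpol /get /category:* /r)` as `-EffectiveCsv`.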