Configure Accounting setting for Remote Access data logging

  • Question

  • I'm currently using inbox accounting on the Windows Server 2012 R2 DirectAccess servers. As the number of users has ramped up, I've noticed the Windows Internal Database (sqlservr.exe) process is consuming more and more CPU resources. I thought about switching to RADIUS accounting (just to record connection events). Has anyone implemented a separate RADIUS server just for accounting of the remote access accounting logs? If so, which one? Which platform?

    Thanks...

    Monday, September 15, 2014 5:55 PM

All replies

  • Hi there - I have done this a few times for many organisations and it is quite straightforward - I have used Windows 2012 & 2012 R2 Network Policy Server, which works quite well. An overview is below.

    When NPS is used as a RADIUS server, RADIUS messages provide authentication, authorization, and accounting for network access connections in the following way:

    Access servers, such as dial-up network access servers, VPN servers, and wireless access points, receive connection requests from access clients.
    The access server, configured to use RADIUS as the authentication, authorization, and accounting protocol, creates an Access-Request message and sends it to the NPS server.
    The NPS server evaluates the Access-Request message.
    If required, the NPS server sends an Access-Challenge message to the access server. The access server processes the challenge and sends an updated Access-Request to the NPS server.
    The user credentials are checked and the dial-in properties of the user account are obtained by using a secure connection to a domain controller.
    The connection attempt is authorized with both the dial-in properties of the user account and network policies.
    If the connection attempt is both authenticated and authorized, the NPS server sends an Access-Accept message to the access server. If the connection attempt is either not authenticated or not authorized, the NPS server sends an Access-Reject message to the access server.
    The access server completes the connection process with the access client and sends an Accounting-Request message to the NPS server, where the message is logged.
    The NPS server sends an Accounting-Response to the access server.


    John Davies

    Monday, September 22, 2014 11:06 AM
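The Accounting-Request / Accounting-Response leg of the exchange described in the reply above, as an added example that is not part of the original thread and is not NPS or DirectAccess code. It follows the RFC 2866 authenticator rules so a dedicated accounting server can reject records that were not produced with the shared secret; the function names, shared secret, user name and session ID are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5            # RADIUS codes (RFC 2866)
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44  # attribute types

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_packet(code, ident, auth_input, attrs, secret):
    """Header, then MD5(header | auth_input | attrs | secret), then attributes."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + auth_input + attrs + secret).digest()
    return header + auth + attrs

def parse_packet(packet):
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    return code, ident, packet[4:20], packet[20:length]

def build_accounting_request(ident, attrs, secret):
    # Access server side: the authenticator is computed over 16 zero octets.
    return encode_packet(ACCOUNTING_REQUEST, ident, bytes(16), attrs, secret)

def verify_accounting_request(packet, secret):
    # Accounting server side: recompute and compare before logging the record.
    code, ident, auth, attrs = parse_packet(packet)
    expected = encode_packet(code, ident, bytes(16), attrs, secret)[4:20]
    return code == ACCOUNTING_REQUEST and hmac.compare_digest(auth, expected)

def build_accounting_response(request, secret):
    # The response authenticator binds the reply to the request's authenticator.
    _, ident, req_auth, _ = parse_packet(request)
    return encode_packet(ACCOUNTING_RESPONSE, ident, req_auth, b"", secret)

def verify_accounting_response(response, request, secret):
    code, ident, auth, attrs = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    expected = encode_packet(code, ident, req_auth, attrs, secret)[4:20]
    return (code == ACCOUNTING_RESPONSE and ident == req_ident
            and hmac.compare_digest(auth, expected))

# Constructed sample values (not taken from the thread).
SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = (attr(USER_NAME, b"EXAMPLE\\user1")
                + attr(ACCT_STATUS_TYPE, struct.pack("!I", 1))  # 1 = Start
                + attr(ACCT_SESSION_ID, b"0001"))
```

A request that fails `verify_accounting_request` should be dropped silently rather than logged or answered, which is what RFC 2866 requires of the accounting server.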