NAP via 802.1X (PEAP-TLS) - no failed authentication requests

  • Question

  • Hello,

    I'm trying to secure a LAN with 2008 NPS via 802.1X with PEAP-TLS computer level authentication. I'm not using any health policies for NAP, only a connection request policy and network policies, i.e. if you don't have the correct cert you cannot connect - no SHV, SHA etc. I'm also using Cisco switches with dynamic VLAN assignment and Windows XP SP3 as the supplicant.

    I've got it all working ok except failed authentication attempts are not logged either in the system32\logfiles or in the event log. If I try and connect with a PC which does not have the correct computer certificate installed the PC fails authentication ok but nothing gets logged. Successful connections are logged fine, both in the system32\logfiles and in the event log.

    I need to make sure that failed attempts are logged - Can anyone help please ?

    Thanks

    Dan

    Thursday, April 22, 2010 3:33 PM

All replies

  • Hi,

    Thank you for your post here.

    Please double check whether Rejected authentication request is set for logging.

    1.    In the NPS console, right click NPS server--->Properties--->General tab.

    2.    Please make sure both Rejected authentication request and Successful authentication request are selected.

    If you have any questions or concerns, please do not hesitate to let me know.

    Friday, April 23, 2010 5:27 AM
  • Hi,

    Thanks for your reply - however both successful and rejected requests are enabled on the NPS server.

    I wish it had been that easy ! Any other ideas ?

    Thanks

    Friday, April 23, 2010 8:14 AM
  • I am experiencing the same issue and both Log Accepted and Rejected are selected.

    thanks

    Friday, April 23, 2010 7:07 PM
  • Hi,

    Does anyone have an answer to this ?

    Thanks

    Dan

    Monday, April 26, 2010 8:40 AM
  • Hi,

    Thank you for your update.

    Please check how it works if you run the following commands to enable both success and failure auditing.

    1. auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

    2. netsh nps set eventlog accept=enable reject=enable

    The iassvcs.dll which handles the event log formats messages based on the locale setting. I would like to know what language and system locale are set on the Windows Server 2008 server. Please make sure that the corresponding language pack installed matches the system "locale" setting. If you are not sure about that, check how it works if you change the system locale to "English (United States)".

    If you have any questions or concerns, please do not hesitate to let me know.

    Friday, May 7, 2010 7:58 AM
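The following diagnostic script is an added example and was not posted by anyone in this thread; it ties together the two switches the reply above sets and the two places the original question looks (the event log and system32\logfiles). It assumes Windows Server 2008 / 2008 R2 with the NPS role, an elevated PowerShell session on the NPS server itself (auditpol and netsh nps refuse to change settings from a non-elevated prompt even for a domain admin), and the default NPS accounting directory and IN*.log file prefix; the function name Get-NpsRejects is mine. Two facts it relies on: NPS on Server 2008 records authentication results in the Security log (event 6272 access granted, 6273 access denied, 6274 request discarded, 6278 full access granted) under the "Network Policy Server" audit subcategory, not in the System log where IAS on Server 2003 wrote them; and in the IAS log format each record is NAS-IP, User-Name, Date, Time, Service, Computer followed by attribute-id/value pairs, where 4136 is Packet-Type (3 = Access-Reject) and 4142 is Reason-Code.

```powershell
# Added diagnostic script for NPS 802.1X reject logging; not code from the thread.
# Assumes: Server 2008 / 2008 R2 NPS, run ELEVATED on the NPS server, default
# accounting directory and IN*.log prefix. Function name Get-NpsRejects is ours.

# --- 1. Confirm the two switches from the reply above -------------------------
# NPS writes results to the SECURITY log through this audit subcategory, so the
# subcategory AND the NPS accept/reject event switches must both be enabled.
auditpol /get /subcategory:"Network Policy Server"
netsh nps show eventlog

# --- 2. Pull NPS audit events from the Security log for the last 24 hours -----
# 6272 access granted, 6273 access denied, 6274 request discarded, 6278 full
# access granted (NAP). A request NPS actually rejected appears as an Audit
# Failure 6273 carrying a "Reason Code:" line in its message body.
$meaning = @{ 6272 = 'Access granted'; 6273 = 'Access denied'
              6274 = 'Request discarded'; 6278 = 'Full access granted' }
$filter = @{ LogName = 'Security'; Id = 6272, 6273, 6274, 6278
             StartTime = (Get-Date).AddHours(-24) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
  ForEach-Object {
    # The Reason lines are only rendered when the message DLL matches the locale,
    # which is the iassvcs.dll point made in the reply above.
    $reason = ($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*Reason' }) -join '; '
    [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id
                       Result = $meaning[$_.Id]; Reason = $reason }
  } | Format-Table -AutoSize

# --- 3. Scan the IAS-format accounting logs for Access-Reject records ---------
# IAS format: NAS-IP,User-Name,Date,Time,Service,Computer, then id,value pairs.
# 4136 = Packet-Type (1 Access-Request, 2 Access-Accept, 3 Access-Reject,
# 11 Access-Challenge); 4142 = Reason-Code (0 success, non-zero = why rejected).
function Get-NpsRejects {
  param([string]$LogDir = "$env:SystemRoot\System32\LogFiles")
  Get-ChildItem -Path $LogDir -Filter 'IN*.log' | ForEach-Object {
    Get-Content -Path $_.FullName | ForEach-Object {
      $f = $_ -split ','
      if ($f.Count -lt 8) { return }            # truncated line: skip it
      $attr = @{}
      for ($i = 6; $i + 1 -lt $f.Count; $i += 2) { $attr[$f[$i]] = $f[$i + 1] }
      if ($attr['4136'] -eq '3') {
        [pscustomobject]@{ Date = $f[2]; Time = $f[3]; NasIp = $f[0]
                           User = $f[1]; ReasonCode = $attr['4142'] }
      }
    }
  }
}
Get-NpsRejects | Format-Table -AutoSize
```

Run it once before and once after a deliberate bad logon. If step 1 shows the subcategory and both event switches enabled but steps 2 and 3 still show nothing for the failed attempt, NPS most likely never received an Access-Request to reject: a supplicant that has no usable certificate for EAP-TLS/PEAP-TLS can fail locally before the switch ever sends anything to RADIUS, and NPS cannot log a request it did not see. In that case check the switch's AAA/dot1x debug or a capture on the NPS side for Access-Request packets rather than looking further at the server's logging settings.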
  • We're seeing the same issue.

    We cannot issue the commands above as it replies we need elevated privileges. I had domain admins logon and try it but they got the same message. Has anyone issued the command and had success getting failed auths to log properly?

    Friday, May 7, 2010 7:15 PM
  • Hello Miles,

    I have run both of these commands and the problem is still there - only successful authentication requests are logged.

    I have the system locale setting set to English (United States) on both the NPS (2008 R2) and the Supplicant (Windows 7 Professional).

    Does anyone have failed authentication attempts logged ?

    Thanks

    Dan

    Monday, May 10, 2010 3:29 PM
  • I've logged this issue now with premier support. Hopefully will have an answer in the next few days - will update when it's working :-)
    Monday, May 10, 2010 3:56 PM
  • I'm still seeing the issue (or not seeing it!!) after the commands as well.  We're using XP sp3 clients so it appears to definitely be something in the 2008/NAP/Radius combination on the server.  Keep us in the loop if you find a fix.
    Thursday, May 13, 2010 7:11 PM
  • Ok, can you tell me how you are testing a failed auth request ?
    Friday, May 14, 2010 10:44 AM
  • 1) Type 1 failure: I take a known good account name and use the wrong password. I do this 2 times in a 1 minute period.

    2) Type 2 failure: Make up a username and password. I do this 2 times in a 1 minute period.

    I do not see any messages indicating there was even an attempt. I follow up each test with a good username and password to verify the success of the combination as well as logging on the server. This should eliminate any transient conditions as well as other possible explanations for failed auth/no logging.

    p.s. I had to make a batch file and run as administrator to get it to work. The results are the same before and after the commands were issued.

    Wednesday, May 19, 2010 6:54 PM