- IT
- Cancel
Как-то раз
было скучно и
я заметил, что на контроллере домена заканчивается свободное место. С небольшой скоростью, малыми объёмами, но свободное место стабильно кончалось. В поисках утечки наткнулся на каталог «C:\Windows\System32\LogFiles» который занимал около 20 ГБ (!).
Большой объём был занят логами службы Network Policy Server входящей в роль Network Policy and Access Services:
Логирование было настроено, чтобы файлы логов делились по размеру 100 МБ.
При просмотре этих настроек я было удивился, что у логов нет срока годности и что они растут и не затираются. Точнее есть опция «When disk is full delete older log files», но этого мало, нельзя чтобы системный диск был переполнен. После курения TechNet-а всё стало ясно:
To prevent the log files from filling the hard drive, it is strongly recommended that you keep them on a partition that is separate from the system partition.
АХАХАХАХАА. Очень сомневаюсь, что кто-то настраивал логирование должным образом. Наверняка всё ограничивалось выставление размера лога, да и то вряд ли. Особо не заморачиваясь, я решил удалять файлы скриптом на powershell, потому что делать и подключать отдельный диск очень уж не хотелось. В итоге:
<# # Скрипт удаляет логи Network Policy Server старше 90 дней # Местоположение логов считывается из конфиг-файла "C:\Windows\System32\ias\ias.xml" # Тестировалось на Win2008R2 и Network Policy Server 6.1.7601.17514 # # 19.12.2014 # [+] Первая версия скрипта #> $DaysToLive = 90 [Xml]$xml = Get-Content -Path "C:\Windows\System32\ias\ias.xml" -ErrorAction SilentlyContinue $IASXmlFile = $xml.Root.Children.Microsoft_Internet_Authentication_Service.Children.RequestHandlers.Children.Microsoft_Accounting.Properties.Log_File_Directory.'#text' If (([system.String]$IASXmlFile -eq "")) { $IASXmlFile = "C:\Windows\System32\LogFiles" } Get-ChildItem -Path $IASXmlFile -Filter "iaslog*.log" | where {((Get-Date) - $_.LastWriteTime).TotalDays -gt $DaysToLive} | Remove-Item
Путь к логам указывать не нужно, т.к. эта настройка берётся из файла конфигурации NPS — ias.xml.
Home » Security » Windows 2012 R2 NPS log files location configuration
After a bit of frustration working on a project recently with a Windows 2012 R2 NPS RADIUS server, I had a bit of a refresher on Windows 2012 R2 NPS log files location configuration, administration and what I have experienced with logging behavior.
Logging with Network Policy Server is a bit more convoluted than in the old days with plain IAS server. I guess one of the main reasons is that NPS does so much more than just RADIUS. However, when you need to find information about successful and failed logins, where do you look and where are things stored?
Let’s take a look at some of the logging configuration within NPS. If you right click on NPS (Local) click properties, then General tab and make sure Rejected authentication requests and Successful authentication requests are selected.
Under Accounting you can also configure settings related to your log file format, location, and other information. If you click Configure Accounting it launches a wizard that will allow the configuration of most of the log file properties.
Otherwise, you can simply click the Change Log File Properties link and you will have access to most of the options there as well.
I have found on my RADIUS server, the events are not logged to the System Log like NPS service related messages are logged. However, in Server Manager >> NAP I see all the events as they relate to the logins and policy application. Also, the low level logging can be found in c:widowssystem32logfilesIN*.log which you can configure in the wizard and the settings mentioned above.
Some have mentioned having issues seeing anything logged. If so, check your audit policy as it relates to NPS to make sure events are being audited correctly.
auditpol /get /subcategory:"Network Policy Server"
If enabled, the output should be:
System audit policy
Category/Subcategory Setting
Logon/Logoff
Network Policy Server Success and Failure
If it shows ‘No auditing’ run the following:
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
Final Thoughts
Hopefully this Windows 2012 R2 NPS log files location configuration post will help any who are struggling trying to make sense of where things are presented from NPS as to login successes and failures. If you have any other tricks up your sleeve you would like to share as to NPS and logging, please comment below.
Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com, and a 7-time VMware vExpert, with over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, He has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don’t have to.
RADIUS servers are often called AAA (authentication, authorization and accounting) servers because they perform each of those three functions. Accounting – which refers to the process of tracking events as they occur – is something a RADIUS server achieves by generating event logs.
RADIUS logs contain detailed information on the clients accessing your network. Checking here should be one of your first steps when determining what the cause of network connectivity issues is – or when you suspect unauthorized network access. In this blog, we’ll show you exactly where to find RADIUS event logs, and why they’re important.
What are RADIUS Event Logs?
RADIUS servers can be configured to perform event logging, an in-depth record of events related to connection requests from RADIUS clients. These event logs can vary in detail, but they will often show things such as the device, OS, user, whether the authentication was successful or failed, and error messages related to the authentication attempt.
Logs can be generated every time a RADIUS client attempts to authenticate to your network or VPN. They’re a great starting point for determining the root cause of Wi-Fi connectivity issues, or for meeting compliance requirements from auditing or regulatory authorities.
RADIUS Event Log Use Cases
Keeping event logs and regularly auditing them is necessary for modern cybersecurity. RADIUS event logs can be and are used for a variety of purposes, including the following:
- Compliance audits
- Troubleshooting authentication issues
- Troubleshooting Wi-Fi and VPN connectivity problems
- Tracking the devices accessing your network
- SIEM or Syslog alarms
Basically, event logs can be used anytime you need to troubleshoot connection issues for a particular user or device. They can also be imported to any Security Information and Event Management (SIEM) software you use, so you can be alerted right away when connection issues arise. In this way, they can potentially serve as the basis for the first notice you receive when there are problems with authentication to your network.
Finding Logs from Different RADIUS Servers
Network Policy Server (NPS) Logs
Network Policy Server (NPS) is Microsoft’s implementation of RADIUS. Network Policy Server logs can be viewed using Windows Server Manager or Windows Event Viewer UI (another system, part of the larger Windows Server package). You must decide whether you want to log RADIUS client authentication and accounting information to text log files stored on the local computer or to a SQL Server database on either the local computer or a remote computer. Like with other RADIUS servers, NPS event logs contain authentication results and the reason for any failed authentication attempts.
NPS is only suitable as an addition to an existing Windows Server in most environments. Its logs may not be as detailed as other RADIUS server logs, sometimes missing accurate reasons for connection failures like when users type in wrong passwords.
NPS and Active Directory (AD) are generally tied to on-premise infrastructure, as well. This means that NPS may not be a suitable choice for organizations looking for cloud-based identity management and access control solutions, such as Azure AD (Microsoft Entra ID) or similar.
FreeRADIUS Logs
FreeRADIUS is an open-source RADIUS server free for download and use. It can run on Unix-based platforms.
By default, Free RADIUS stores accounting information in /var/log/freeradius of the Unix platform, but accessing these logs takes some technical expertise.
Where Do I Find Cloud RADIUS Event Logs?
Cloud RADIUS, unlike an NPS server, is a managed and cloud-based platform that can be configured and deployed to any location. It also captures detailed logs for every network connection request and provides extensive information in addition to ACCESS_ACCEPT and ACCESS_REJECT responses.
This information can be easily found in the SecureW2 management portal by navigating to Data & Management, then selecting the RADIUS Events option.
Cloud RADIUS Event Log Fields and Meanings
Cloud RADIUS event logs were designed to provide administrators a clear snapshot of each authentication attempt. As such, we’ve incorporated numerous fields in them, including the following:
⦁ Region – Origin of the connection request.
⦁ Timestamp – Recorded time of the connection request.
⦁ Identity – Username used during the authentication.
⦁ Subject/Common Name – Name of the user using the certificate or token.
⦁ User Principal Name – Email ID of the user trying to connect to the network.
⦁ Device – Information related to the device such as a serial number.
⦁ Certificate serial – Serial number of the device’s certificate trying to connect to the network.
⦁ MAC Address – Media Access Control Address of the device trying to connect to the network.
⦁ Client Public IP – IPv4 address of the device, needed for the network to reach the device.
⦁ Operating System – Software that supports the device trying to connect to the network.
⦁ User Role – The user role designated by the administrator that the user belongs to.
⦁ Network Policy – This shows the network policy that applies to the user.
⦁ RADIUS Reply – Status of the RADIUS Authentication (ACCESS_ACCEPT/ACCESS_REJECT)
⦁ Error Message – If applicable, the reason why the remote access authentication attempt failed.
Cloud RADIUS Event Log Search Filters
RADIUS logs are a great tool for troubleshooting when you start getting reports that users can’t connect to your network. Granular search filters make it simpler to access them, which is why Cloud RADIUS includes a range of search settings.
Narrow your search by checking a specific user, for example, when only a single person is experiencing connectivity issues. You can also search by operating system, MAC address, and more.
Detailed and Easily Accessible Logs with Cloud RADIUS
Event logs serve many purposes: they can be your first line of defense when an unauthorized party accesses your network, they can help you rapidly pinpoint the root cause of network connectivity problems, and they may be required for compliance reasons. Being able to quickly access and read RADIUS records is crucial.
Cloud RADIUS event logs streamline this process. Every authentication attempt is recorded in a detailed entry that provides administrators enhanced visibility. Additionally, granular search filters make it a simple matter to find the exact entry you need when you need it. Organizations using SecureW2’s Cloud RADIUS can not only view events from the management portal, but also export data to a SIEM provider to trigger an alarm and have notifications on the occurrence of connectivity issues.
We have affordable solutions for organizations of every size. Check out our pricing page here.
When Network Policy Server (NPS) is configured as a RADIUS server, it performs authentication, authorization, and accounting for connection requests received from configured RADIUS clients.
If authentication and authorizations are successful, users and computers are granted access to the network resources for which they have permissions.
So far the theory …
I did not get any event logs though ?
So I checked the NPS properties on the newly configured NPS server, and all looked OK ?
I also checked the accounting log settings, and not problems here as well ?
I restarted the NPS service and even the server but no success ?
Solution :
So Google was here to help.
Open the cmd with admin privileges and run this command
auditpol /get /subcategory:"Network Policy Server"
Next run this cmd.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
And check if it shows this result :
Try to log on to the VPN and see if the event logs start appearing.
Which is did in my case
Enjoy !
This entry was posted on Thursday, November 19th, 2020 at 3:49 pm and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
What is a RADIUS event log?
A RADIUS server is responsible for Authorization and Accounting
in addition to its primary role of Authentication, hence its alternate name: “AAA
server”. Given the importance of these tasks, it should come as no surprise that a RADIUS server
is typically configured to log and store a record of all the requests it receives.
RADIUS event logs may be used for:
- Compliance audits
- Troubleshooting authentication issues
- Troubleshooting VPN issues
- Tracking use
- Tracking users
- Tracking devices
And more! RADIUS event logs are a powerful tool for managing your 802.1x network and users.
What information is included in a RADIUS Log?
The data contained within a RADIUS event log varies from RADIUS to RADIUS, but there are some
common fields that you’re likely to find no matter your RADIUS provider.
- Date
- Time
- Name
- Client Type
- Record Type
- Authentication Type
RADIUS vendors with a robust management and reporting suite, like our own SecureW2 Cloud RADIUS,
have the ability to add and remove data fields from event logs. Custom RADIUS event logs can be
particularly useful for compliance audits.
In addition to event logs for authentication and authorization requests, RADIUS servers usually
also log other event types like server startups, shutdowns, or interruptions of service. These
make up a small fraction of the overall logs, but are particularly useful for investigating
outages and the like.
How to view FreeRADIUS logs
FreeRADIUS is an open source framework for implementing your own DIY RADIUS. It requires a lot of
technical expertise and hardware (or cloud server space) to configure and maintain, but it’s
powerful and infinitely customizable.
During the configuration process for a FreeRADIUS
server, admins are required to
designate a folder for RADIUS event log output. FreeRADIUS doesn’t do anything with the logs,
however, so you’ll need to manually process the raw data to a more human readable form if you plan
to make extensive use of the logs.
How to view NPS logs
NPS is Microsoft’s pseudo-RADIUS that has seen widespread adoption due to its tight integration
with the rest of the Microsoft environment. In particular, it plays well with Active Directory
(AD), which is the IdP of choice for many organizations.
Viewing event logs generated by an NPS RADIUS is easy, if a little unintuitive. Rather than
finding them in NPS, check the Windows Event Viewer (another system that’s part of the larger
Windows Server package).
However, neither AD nor NPS have truly made the leap to the cloud. There are workarounds that
allow you to use them in a limited capacity, but organizations that are using cloud directories
like Google, Azure, or Okta should not use stopgap measures for network security. Limited support
and antiquated systems leave your network vulnerable..
The best RADIUS event logging solution
Instead, use a built-for-cloud RADIUS like the aptly-named SecureW2 Cloud RADIUS. Not only has it
been engineered for the ground up for cloud authentication, it also has an incredibly
simple-yet-powerful management interface with unprecedented power over RADIUS event logging.
Unlike our competitors, our cloud PKI isn’t simply a layered directory with some added bells and
whistles. It’s a full-featured PKI security suite that can integrate into your existing network
infrastructure or be used as a turnkey solution.
But wait, there’s more! It comes with the industry’s #1 rated 802.1x onboarding software. So not
only can you easily view RADIUS events, but you can easily see device connectivity issues and
certificate enrollment status all in one place. No longer do admins need to manually scour through
logs, everything needed to troubleshoot issues is available in our easy to use Cloud Management
Portal.
Our Cloud RADIUS is powered by the Dynamic Policy Engine – a network access control solution that
allows the RADIUS to interface directly with any cloud directory to confirm authorization
requests. Instead of relying on insecure credentials or static certificates, you can make
real-time policy decisions based on user attributes stored in the directory.
We have affordable solutions for organizations of every size. Check out our
pricing page here.
Patrick Grubbs
Patrick is an experienced SEO specialist at SecureW2 who also enjoys running, hiking, and reading. With a degree in Biology from College of William & Mary, he got his start in digital content by writing about his ever-expanding collection of succulents and cacti.