This is just a short, but interesting blog post. When you have to troubleshoot authentication failures in a network that uses Windows Network Policy Server (NPS), the Windows event log is absolutely indispensable. The event log offers everything you need. The success and failure event log entries include all necessary information to get you back on track. If failure events would be logged…
Today, I was playing with Alcatel-Lucent Enterprise OmniSwitches and Access Guardian in my lab. Access Guardian refers to the some OmniSwitch security functions that work together to provide a dynamic, proactive network security solution:
- Universal Network Profile (UNP)
- Authentication, Authorization, and Accounting (AAA)
- Bring Your Own Device (BYOD)
- Captive Portal
- Quarantine Manager and Remediation (QMR)
I have planned to publish some blog posts about Access Guardian in the future, because it is a pretty interesting topic. So stay tuned. :)
802.1x was no big deal, mac-based authentication failed. Okay, let’s take a look into the event log of the NPS… okay, there are the success events for my 802.1x authentication… but where are the failed login attempts? Not a single one was logged. A short Google search showed me the right direction.
Failed logon/ logoff events were not logged
In this case, the NPS role was installed on a Windows Server 2016 domain controller. And it was a german installation, so the output of the commands is also in german. If you have an OS installed in english, you must replace “Netzwerkrichtlinienserver” with “Network Policy Server”.
Right-click the PowerShell Icon and open it as Administrator. Check the current settings:
Windows PowerShell Copyright (C) 2016 Microsoft Corporation. Alle Rechte vorbehalten. PS C:\Windows\system32> auditpol /get /subcategory:"Netzwerkrichtlinienserver" Systemüberwachungsrichtlinie Kategorie/Unterkategorie Einstellung An-/Abmeldung Netzwerkrichtlinienserver Erfolg
As you can see, only successful logon and logoff events were logged.
PS C:\Windows\system32> auditpol /set /subcategory:"Netzwerkrichtlinienserver" /success:enable /failure:enable Der Befehl wurde erfolgreich ausgeführt. PS C:\Windows\system32> auditpol /get /subcategory:"Netzwerkrichtlinienserver" Systemüberwachungsrichtlinie Kategorie/Unterkategorie Einstellung An-/Abmeldung Netzwerkrichtlinienserver Erfolg und Fehler
The option /success:enable /failure:enable activeates the logging of successful and failed logon and logoff attempts.