How to track RADIUS Logon Failure


How ADAudit Plus can help

With ADAudit Plus, you can view all your RADIUS logons from an easy-to-use dashboard.

To view an audit report on RADIUS Logon Failure:

  • Click on the 'Reports' Tab and then expand Local Logon-Logoff and select RADIUS Logon Failure.

  • Select the Domain

  • Select the Computer. You can use the "Add" button to select computers, including domain controllers or member servers.

  • Select the 'Period' for which you want to view the logon failures.

  • This lists the audit information on 'Logon History of the selected computers' for the selected period via RADIUS protocol.

Here's how you can view a history of RADIUS logon failures in native Active Directory.

Prerequisite: Before you configure a RADIUS server role, you can create a group for the AD users (for example, a group named WFH_Users) who can authenticate using the RADIUS protocol.

  • The RADIUS protocol is a part of the Network Policy Server role.

  • Step 1: Install RADIUS Server via NPS in Active Directory
  • Launch the Server Manager in the Windows Server Instance.

  • Go to Add Roles and Features. You need to walk through the different stages of installation displayed on the left pane to finish installing.

  • On the Before you Begin pane, click Next. You'll be moved to the Installation Type pane, where you should select the type of installation (Role based or Feature based) and click Next.

  • On the Server Roles pane, select the Network Policy and Access Services role from the list of server roles provided. When you move on to the Features pane, you can accept the default features that are already selected.

  • Step 2: Register the NPS Server in Active Directory

    Go to the drop down menu under Tools and select Network Policy Server.

  • This opens up the NPS snap-in. Now you can right click the NPS tree (generally displayed as NPS local) and select the Register NPS server in Active Directory option.

  • Click 'Okay' on the confirmation dialog box that is displayed. This NPS server will now be included in the default domain group called "RAS and IAS Servers".

  • Step 3: Add a RADIUS Client
  • A RADIUS client is a device that forwards logon and authentication requests to your NPS.

  • In the NPS snap-in, expand the NPS tree to find the RADIUS Clients and Servers folder. Expand this folder to view RADIUS Clients and Remote RADIUS Server elements within it.

  • Right click the RADIUS client element and select New. This directs you to a New RADIUS Client window. In the Settings tab, select Enable this RADIUS Client. After that, you can fill in the fields: Friendly Name (the name of the RADIUS client you're assigning) and the IP/DNS Address of the client. Finally, you can set up a shared secret key manually.

  • In the 'Advanced' tab, select the 'Vendor name' associated with your RADIUS client.

  • Step 4: Set up NPS Policies for Authentication
  • Setting up an NPS policy allows you to authenticate a distinct group of remote users against your NPS with various levels of access permissions.

  • Under the NPS (Local) tree expand the 'Policies' tab. Right click 'Network Policies' and select 'New'.

  • You can name your policy and leave the 'Type of network access server' as unspecified.

  • You can then specify rules so that only users within a particular group (for example, WFH_Users) are allowed to authenticate against NPS, by clicking 'Add' against the 'Windows Groups' option.

  • Against the 'Client Friendly Name' option, 'Add' the client friendly name of the RADIUS client you had specified earlier.

  • On the 'Next' pane select 'Access Granted'.

  • Step 5: Configure Accounting for NPS
  • Open the NPS snap-in.

  • In the console tree, click Accounting.

  • In the details pane, select Configure Accounting.

  • Step 6: Enable NPS Audit
  • To view a history of RADIUS logon failures in the Event Viewer, you need to enable auditing for NPS.

  • In the command prompt, you can enable auditing with the following command:
    auditpol /set /subcategory:"Network Policy Server" /failure:enable

  • With failure auditing enabled, the audit policy output should be:

    System audit policy

    Category/Subcategory     Setting

    Logon/Logoff

    Network Policy Server     Failure

  • Step 7: View RADIUS Logons in Event Viewer.
  • When a user who has been granted remote access is authenticated, the event is recorded in the Event Viewer.

  • Open 'Event Viewer' and expand 'Security Logs'. Expand the 'Logon/Logoff' tab and after that expand the 'Network Policy Server' tab.

    • Select 'Filter Current Log' from the right pane and search for the following Event ID:
      1. EventID 6273 - Network Policy Server denied access to a user.
  • With this info you can view RADIUS logon failures.
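
The lookup in Step 7 can also be scripted. The PowerShell below is an added example, not part of the original page or of ADAudit Plus; it reads Event ID 6273 from the Security log and groups denials by user and RADIUS client. The 24-hour window and the threshold of 5 are assumed values, and the EventData field names should be confirmed against a 6273 event on your own NPS server.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell
# session on the NPS server after Step 6 has enabled failure auditing.
$Hours     = 24   # look-back window (assumed value, adjust as needed)
$Threshold = 5    # denials per user/client pair worth reviewing (assumed value)

$filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
# Get-WinEvent raises an error when nothing matches, so treat that as "no denials".
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$denials = @(foreach ($e in $events) {
    # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
    $data = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = $data['SubjectUserName']
        Client     = $data['ClientName']         # friendly name set in Step 3
        ClientIP   = $data['ClientIPAddress']
        Caller     = $data['CallingStationID']
        Policy     = $data['NetworkPolicyName']  # policy from Step 4, if one matched
        ReasonCode = $data['ReasonCode']
        Reason     = $data['Reason']
    }
})

# Most recent denials, with the reason NPS recorded for each.
$denials | Sort-Object Time -Descending | Select-Object -First 20 |
    Format-Table Time, User, Client, Caller, ReasonCode, Reason -AutoSize -Wrap

# Repeated denials for the same account arriving through the same RADIUS client.
$denials | Group-Object User, ClientIP |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'LastSeen'; e = {
        $_.Group | Sort-Object Time | Select-Object -Last 1 -ExpandProperty Time } } |
    Format-Table -AutoSize
```

An empty result can mean either that no denials occurred or that the audit subcategory from Step 6 is not enabled, so check the audit policy before reading it as a clean bill.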

© 2019 Zoho Corp. All rights reserved.