Logging With Network Policy Server

Note  Internet Authentication Service (IAS) was renamed Network Policy Server (NPS) starting with Windows Server 2008. The content of this topic applies to both IAS and NPS. Throughout the text, NPS is used to refer to all versions of the service, including the versions originally referred to as IAS.

The following table describes only the most important aspects of the RADIUS accounting packets. The RADIUS Accounting Request for Comments document (RFC 2866) provides detailed information on these packets.

RADIUS accounting packets can be divided into the following categories. All of them are Accounting-Request packets (RADIUS code 4) that the NAS sends to the RADIUS server and that the server acknowledges with an Accounting-Response; the category is given by the value of the Acct-Status-Type attribute.

Accounting packet     Description

Accounting-On         Sent by the Network Access Server (NAS) to indicate that it has restarted (Acct-Status-Type 7).
                      Contains NAS-Identifier or NAS-IP-Address.

Accounting-Off        Sent by the NAS to indicate that it is shutting down (Acct-Status-Type 8).
                      Contains NAS-Identifier or NAS-IP-Address.

Accounting-Start      Sent by the NAS, after the user has been authenticated and authorized, to indicate the start of a user session (Acct-Status-Type 1).
                      Contains User-Name, NAS-Identifier or NAS-IP-Address, Acct-Session-Id, plus other information received from the NAS.

Accounting-Stop       Sent by the NAS to indicate the end of a user session (Acct-Status-Type 2).
                      Contains User-Name, NAS-Identifier or NAS-IP-Address, Acct-Session-Id, plus other information received from the NAS, such as Acct-Session-Time and Acct-Terminate-Cause.

Accounting-Interim    Can be sent periodically by the NAS for each user session that is still active (Acct-Status-Type 3, Interim-Update), carrying the session's cumulative counters so far.
                      This feature is generally supported only in newer NAS implementations.

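As an added example (not part of this topic, and not Microsoft's or NPS's code), the following Python encodes an Accounting-Request of the kind described in the table and performs the check a RADIUS server must do before it logs anything: recompute the Request Authenticator with the shared secret and discard the packet if it does not match. The packet codes, attribute types and authenticator formulas are those of RFC 2865 and RFC 2866; the shared secret, user name, session ID and NAS address are made up for the demonstration.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2866).
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_MULTI_SESSION_ID = 40, 44, 50
# Acct-Status-Type values that select the packet categories in the table above.
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update",
                7: "Accounting-On", 8: "Accounting-Off"}


def avp(attr_type, value):
    """Encode one attribute as Type (1 octet), Length (1 octet), Value."""
    if isinstance(value, int):
        value = struct.pack("!I", value)      # integer attributes are 32-bit big-endian
    elif isinstance(value, str):
        value = value.encode("utf-8")
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier, secret, attributes):
    """NAS side. Request Authenticator (RFC 2866 section 3) is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(avp(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attributes(body):
    """Split the attribute area into (type, raw value) pairs, refusing malformed lengths."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("invalid attribute length")
        attrs.append((attr_type, body[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_accounting_request(packet, secret):
    """Server side. Returns (ok, status_name, attrs). A packet whose authenticator
    does not match the shared secret must be silently discarded, never logged."""
    if len(packet) < 20:
        return False, None, []
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False, None, []
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(received, expected):
        return False, None, []
    try:
        attrs = parse_attributes(body)
    except ValueError:
        return False, None, []
    status = None
    for attr_type, value in attrs:
        if attr_type == ACCT_STATUS_TYPE and len(value) == 4:
            status = struct.unpack("!I", value)[0]
    return True, STATUS_NAMES.get(status, "unknown"), attrs


def build_accounting_response(request, secret):
    """Acknowledgement the server returns. Response Authenticator is
    MD5(Code + Identifier + Length + RequestAuthenticator + attributes + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


if __name__ == "__main__":
    secret = b"example-shared-secret"         # made-up secret for the demonstration
    start = build_accounting_request(7, secret, [
        (USER_NAME, "alice"),
        (NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),
        (NAS_IDENTIFIER, "nas1"),
        (ACCT_STATUS_TYPE, 1),                 # Start
        (ACCT_SESSION_ID, "0000A1B2"),
    ])
    print(verify_accounting_request(start, secret)[:2])    # (True, 'Start')
    tampered = start[:20] + start[20:].replace(b"alice", b"alicf")
    print(verify_accounting_request(tampered, secret)[0])  # False
    print(build_accounting_response(start, secret).hex())
```

The authenticator is the only integrity protection an accounting packet has, and it is keyed MD5 over the shared secret, so the secret's strength and the network path between NAS and NPS decide how much the log can be trusted; a server that accepts a packet with a bad authenticator would log attacker-chosen user names and session data.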

The following issues are important to consider when collecting accounting information made available through RADIUS:

  • RADIUS accounting runs over UDP. The NAS retransmits an Accounting-Request until it receives an Accounting-Response, but in rare cases a packet is still lost (for example, the NAS exhausts its retries or restarts first) and never reaches the RADIUS server.
  • The RADIUS server is not notified if the NAS aborts (crashes or loses power). No Accounting-Off or Accounting-Stop packets are sent for the sessions that were open on that NAS, so the accounting data shows them as still open; treat an Accounting-On from the same NAS as the end of every session that was open on it.
  • ISDN supports multiple sessions per call (multilink), and each session generates its own Accounting-Start/Accounting-Stop pair. The Acct-Multi-Session-Id attribute identifies the packets that belong to one such multi-session call. Check Acct-Multi-Session-Id in addition to Acct-Session-Id when calculating the number of sessions; otherwise each link of one multilink call is counted as a separate session.
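The three caveats above are what a session-reconstruction job has to handle. As an added example (not part of this topic, and not NPS's own logic), the following Python pairs Start/Stop records per NAS, closes the sessions orphaned by a NAS restart when its Accounting-On arrives, flags open sessions that have gone quiet, and counts calls by Acct-Multi-Session-Id so that the links of one ISDN multilink call are not counted twice. The records are constructed in-line (they are not NPS log output, whose on-disk format this topic does not describe), the NAS names, users and session IDs are made up, and the two-hour staleness threshold is an assumed policy.

```python
# Constructed sample accounting records (not NPS log output); "t" is seconds
# from an arbitrary epoch. The fields mirror the attributes in the packet table:
# Acct-Status-Type, NAS-Identifier, User-Name, Acct-Session-Id, Acct-Multi-Session-Id.
SAMPLE_RECORDS = [
    {"t": 0,    "status": "Start", "nas": "nas1", "user": "alice", "session": "A1", "multi": "M1"},
    {"t": 5,    "status": "Start", "nas": "nas1", "user": "alice", "session": "A2", "multi": "M1"},  # 2nd link of the same ISDN call
    {"t": 10,   "status": "Start", "nas": "nas1", "user": "bob",   "session": "B1", "multi": None},
    {"t": 600,  "status": "Interim-Update", "nas": "nas1", "user": "bob", "session": "B1", "multi": None},
    {"t": 900,  "status": "Stop",  "nas": "nas1", "user": "alice", "session": "A2", "multi": "M1"},
    {"t": 905,  "status": "Stop",  "nas": "nas1", "user": "alice", "session": "A1", "multi": "M1"},
    {"t": 1000, "status": "Start", "nas": "nas1", "user": "carol", "session": "C1", "multi": None},
    {"t": 1200, "status": "Accounting-On", "nas": "nas1"},   # nas1 crashed and restarted: bob and carol never get a Stop
    {"t": 1300, "status": "Start", "nas": "nas1", "user": "dave",  "session": "D1", "multi": None},
    {"t": 1400, "status": "Stop",  "nas": "nas2", "user": "erin",  "session": "E1", "multi": None},  # its Start was lost in transit
]

STALE_AFTER = 7200  # assumed policy: an open session with no update for 2 hours is suspect


def reconstruct_sessions(records, now, stale_after=STALE_AFTER):
    """Pair Start/Stop records per NAS, close sessions orphaned by a NAS
    restart, flag stale ones, and count calls by Acct-Multi-Session-Id."""
    open_sessions = {}                       # (nas, session id) -> session dict
    completed, aborted, orphan_stops = [], [], []
    for r in sorted(records, key=lambda r: r["t"]):
        status, nas = r["status"], r["nas"]
        if status in ("Accounting-On", "Accounting-Off"):
            # Nothing that was open on this NAS will ever receive a Stop.
            for key in [k for k in open_sessions if k[0] == nas]:
                s = open_sessions.pop(key)
                s.update(end=r["t"], duration=r["t"] - s["start"], reason=status)
                aborted.append(s)
            continue
        key = (nas, r["session"])
        if status == "Start":
            open_sessions[key] = {"nas": nas, "user": r["user"], "session": r["session"],
                                  "multi": r["multi"] or r["session"],  # single-link call: session id stands in
                                  "start": r["t"], "last_seen": r["t"]}
        elif status == "Interim-Update" and key in open_sessions:
            open_sessions[key]["last_seen"] = r["t"]
        elif status == "Stop":
            s = open_sessions.pop(key, None)
            if s is None:
                orphan_stops.append(r)       # Stop with no Start: the Start was lost or logged elsewhere
            else:
                s.update(end=r["t"], duration=r["t"] - s["start"], reason="Stop")
                completed.append(s)
    still_open = list(open_sessions.values())
    stale = [s for s in still_open if now - s["last_seen"] > stale_after]
    seen = completed + aborted + still_open
    return {
        "completed": completed, "aborted": aborted, "open": still_open,
        "stale": stale, "orphan_stops": orphan_stops,
        "links": len({(s["nas"], s["session"]) for s in seen}),      # Start/Stop pairs
        "connections": len({(s["nas"], s["multi"]) for s in seen}),  # calls, multilink links merged
    }


if __name__ == "__main__":
    summary = reconstruct_sessions(SAMPLE_RECORDS, now=10000)
    for name in ("completed", "aborted", "open", "stale"):
        print(name, [s["session"] for s in summary[name]])
    print("orphan stops", [r["session"] for r in summary["orphan_stops"]])
    print("links", summary["links"], "connections", summary["connections"])  # links 5 connections 4
```

Records are keyed by NAS as well as session ID because Acct-Session-Id is only unique per NAS. The "aborted" and "stale" buckets are the ones worth alerting on: an aborted session's duration is an upper bound, not a measurement, and a stale session without Interim-Update support cannot be distinguished from a lost Stop.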

Requests Logged by NPS

By default, NPS does not log any data. NPS can be configured, using the NPS user interface (nps.msc), to log the following requests.

Logged packet            Description

Accounting Request       Any of the accounting packets described in the previous table.

Authentication Request   Sent by the NAS on behalf of the connecting user.
                         The log entries contain only incoming attributes.

Authentication Accept    Sent by NPS to indicate that the user connection should be accepted.
                         The log entries contain only outgoing attributes.

Authentication Reject    Sent by NPS to indicate that the user connection should be rejected.
                         The log entries contain only outgoing attributes.


Data logged by NPS can go to a text file on the NPS server or, starting with Windows Server 2003, to a central SQL database. For more information on NPS SQL logging, see SQL Programmability.

Related topics

Internet Authentication Service and Network Policy Server
RADIUS Authentication, Authorization, and Accounting
Working with a State Server

© 2014 Microsoft