Tag Archives: Log

Microsoft NPS logs not showing in Event Viewer?

One of the best troubleshooting steps for Radius/NPS is to look in the event viewer to see why you are having failures. This shows if the server is actively denying the user login attempts due to Creds/Certificate/etc.

Sometimes your successes for failures do not show up in Event viewer – this is usually to do with audit logging not including everything. There are a few ways to modify this – but here I will show two easy ones.

The first is to use the NPS settings to make sure these logs are recorded – Even those these might be checked, I have seen the logs not recorded. I do believe the Audit policy overrides these settings. Our first step is to open up NPS, and right click on the NPS server.

Then we can open up properties and make sure all settings are checked.

Our next option is to use the Audit policy CLI commands to set the success or failure to enable (Enable – enables logging).

auditpol /set /subcategory:”Network Policy Server” /success:enable /failure:enable

You can get the current settings by running the following command in Admin CMD.

auditpol /get /subcategory:”Network Policy Server”

Cisco ACL Logging: log-input

Using ACL logging can be a very useful tool not only to get info about whats going on, but also for troubleshooting. One way to get much more robust logging is to use the log-input at the end of the ACE.

The log-input command shows the normal things such as source ip/port and destination ip/port but will also so the ingress interface and mac address of the source. Very cool! The following is and example of the output:

*May  1 22:33:38.799: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted
   tcp (Ethernet0/0 000e.9b5a.9839) ->, 1 packet 
*May  1 22:39:15.075: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted
   tcp (Ethernet0/0 000e.9b5a.9839) ->, 9 packets