NPS Event Logging

Check the System event log on the NPS server for events with the source NPS for rejected or accepted connection attempts. NPS event log entries contain a lot of information on the connection attempt including the name of the network policy that accepted or rejected the connection attempt. NPS event logging for rejected or accepted connection attempts is enabled by default and is configured from the General tab in the properties dialog box of an NPS server in the Network Policy Server snap-in.

NPS events are stored in the System event log, which can be viewed from the Event Viewer snap-in. To see NPS events, filter the System event log to display only events with the source of NPS. To view the failed authentication events, set the filter for the Source of NPS and the Event ID of 2.

Viewing the NPS events in the System event log is one of the most useful troubleshooting tools for obtaining information about failed authentications. The NPS events are also helpful when troubleshooting network policies. The Proxy-Policy-Name or Policy-Name field in the description of the event records the name of the network policy that either accepted or rejected the connection attempt.
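The filter described above (System log, source NPS, Event ID 2) can also be run from PowerShell and summarized by network policy. This is an added example, not code from the original text. It assumes the event description lists each field on its own line as "Name = value"; the helper function names and the sample description are constructed for illustration.

```powershell
# Added example: count rejected NPS connection attempts per network policy.
# Assumption: fields appear in the event description as "Name = value", one per line.

function Get-NpsEventField {
    param(
        [Parameter(Mandatory = $true)] [string] $Message,
        [Parameter(Mandatory = $true)] [string] $Name
    )
    # Anchor at line start so "Policy-Name" does not match inside "Proxy-Policy-Name".
    $pattern = '(?m)^[ \t]*' + [regex]::Escape($Name) + '[ \t]*=[ \t]*(.*?)[ \t\r]*$'
    $m = [regex]::Match($Message, $pattern)
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function ConvertTo-NpsRejectRecord {
    param([datetime] $TimeCreated, [string] $Message)
    New-Object PSObject -Property @{
        TimeCreated     = $TimeCreated
        PolicyName      = Get-NpsEventField -Message $Message -Name 'Policy-Name'
        ProxyPolicyName = Get-NpsEventField -Message $Message -Name 'Proxy-Policy-Name'
    }
}

# Constructed sample description (not real log output), used when no NPS events are found.
$sample = @'
User CONTOSO\alice was denied access.
Proxy-Policy-Name = Use Windows authentication for all users
Policy-Name = Secure Wireless Connections
'@

# Same filter as in Event Viewer: System log, source NPS, Event ID 2.
$filter = @{ LogName = 'System'; ProviderName = 'NPS'; Id = 2 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue

$records = @()
if ($events) {
    foreach ($e in $events) {
        $records += ConvertTo-NpsRejectRecord $e.TimeCreated $e.Message
    }
} else {
    $records += ConvertTo-NpsRejectRecord (Get-Date) $sample
}

# Group by policy to see which network policy is rejecting the most attempts.
$records | Group-Object PolicyName | Sort-Object Count -Descending |
    Select-Object Count, Name
```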

SChannel Logging

Secure channel (SChannel) logging is the logging of detailed information for SChannel events in the System event log. By default, only SChannel error messages are recorded. To log errors, warnings, and informational and successful events, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging registry value to 4 (as a DWORD type). With SChannel logging recording all events, it is possible to obtain more information about the certificate exchange and validation process on the NPS server.

SNMP Agent

You can use the Simple Network Management Protocol (SNMP) agent software included with Windows Server 2008 to monitor status information for your NPS server from an SNMP console. NPS supports the RADIUS Authentication Server MIB (RFC 2619) and the RADIUS Accounting Server MIB (RFC 2621). Use Features in the Server Manager console to install the optional SNMP service.

The SNMP service can be used in conjunction with your existing SNMP-based network management infrastructure to monitor your NPS RADIUS servers or proxies.

Reliability and Performance Snap-In

You can use the Reliability and Performance snap-in to monitor counters, create logs, and set alerts for specific NPS components and program processes. You can also use charts and reports to determine how efficiently your server uses NPS and to both identify and troubleshoot potential problems.

You can use the Reliability and Performance snap-in to monitor counters within the following NPS-related performance objects:

  • NPS Accounting Clients
  • NPS Accounting Proxy
  • NPS Accounting Server
  • NPS Authentication Clients
  • NPS Authentication Proxy
  • NPS Authentication Server
  • NPS Remote Accounting Servers
  • NPS Remote Authentication Servers

For more information about how to use the Reliability and Performance snap-in, see the Help and Support Center in Windows Server 2008.

Network Monitor 3.1

You can use Microsoft Network Monitor 3.1 (or later) or a commercial packet analyzer (also known as a network sniffer) to capture and view the authentication and data traffic sent and received by the wireless network adapter. Network Monitor 3.1 (or later) is available as a free download from the Microsoft Download Center at http://www.microsoft.com/downloads. Network Monitor 3.1 includes RADIUS, 802.1X, EAPOL, and EAP parsers. A parser is a component included with Network Monitor that can separate the fields of a protocol header and display their structure and values. Without a parser, Network Monitor 3.1 displays the hexadecimal bytes of a header, which you must parse manually.

For Windows wireless client authentications, you can use Network Monitor 3.1 to capture the set of frames exchanged between the wireless client computer and the wireless AP during the wireless authentication process. You can then use Network Monitor 3.1 to view the individual frames and determine why the authentication failed. Network Monitor 3.1 is also useful for capturing the RADIUS messages that are exchanged between a wireless AP and its RADIUS server and for determining the RADIUS attributes of each message.

The proper interpretation of wireless traffic with Network Monitor 3.1 requires an in-depth understanding of EAPOL, RADIUS, and other protocols. Network Monitor 3.1 captures can be saved as files and sent to Microsoft support for analysis.