NPS Accounting
Applies To: Windows Server 2008, Windows Server 2008 R2
Network Policy Server (NPS) supports Remote Authentication Dial-In User Service (RADIUS) accounting, which you can use to track network usage for auditing and billing purposes. Accounting data can also be queried to assist with network access troubleshooting.
In this section
Note
In addition to these topics, for more information, see the Windows Server 2003 Help topic Interpreting IAS IDs for vendor-specific attributes. Although this topic documents IAS in Windows Server 2003, the content is also accurate for NPS in Windows Server 2008.
RADIUS accounting provides the following benefits:
Real-time data collection.
Accounting data can be collected from a central location.
Non-Microsoft products can be used to analyze RADIUS accounting data to provide charge-back, troubleshooting, performance, and exception reports.
When configured for accounting, NPS can log accounting data to a log file or to a SQL Server database.
When a RADIUS client is configured to use RADIUS accounting, at the start of service delivery it generates an Accounting-Start message describing the type of service being delivered and the user it is being delivered to. The message is then sent to the RADIUS Accounting server, which sends back an acknowledgment to the RADIUS client. At the end of service delivery, the client generates an Accounting-Stop message describing the type of service that was delivered and optional statistics, such as elapsed time, input and output octets, or input and output packets. It then sends that data to the RADIUS accounting server, which sends back an acknowledgment to the RADIUS client.
The Accounting-Request message (whether for the Start or Stop message) is submitted to the RADIUS accounting server through the network. If no response is returned within a length of time, the request is re-sent a number of times. The client can also forward requests to an alternate server or servers in the event that the primary server is unreachable. An alternate server can be used either after a number of tries to the primary server fail, or in a round-robin fashion. If the RADIUS accounting server cannot successfully record the accounting message, it does not send an Accounting-Response acknowledgment to the RADIUS client. For example, when the log file is full, NPS starts discarding accounting messages. This prompts the RADIUS client to switch to the backup RADIUS accounting server.
NPS log file
NPS can create a log file based on the data returned by the network access servers (NASs). This information is useful for keeping track of usage and correlating authentication information with accounting records (for example, to discover missing records or instances of over-billing).
NPS supports two formats of the log file: Internet Authentication Service (IAS) format and database-compatible format. Database format allows you to keep track of a predetermined set of attributes, and IAS format is more detailed and can contain information about all attributes. Use database-compatible format if you want to import the data directly into a database. IAS format can be used if you need to record more detailed information than the database log format allows.
Note
The NPS log file contains all the NPS user-related events. NPS service and system-related events are recorded in the Event log files.
NPS events and Event Viewer
By using the event logs in Event Viewer, you can monitor NPS errors and other events that you configure NPS to record.
NPS records connection request failure events in the System event log by default. Connection request failure events consist of requests that are rejected or are discarded by NPS. Other NPS authentication events are recorded in the Event Viewer system log on the basis of the settings that you specify in the NPS Microsoft Management Console (MMC) snap-in.
Connection request failure events
Although NPS records connection request failure events by default, you can change the configuration according to your logging needs.
Connection requests are rejected or ignored for a variety of reasons, including the following:
The RADIUS message is not formatted according to RFCs 2865 or 2866.
The RADIUS client is unknown.
The RADIUS client has multiple IP addresses and sent the request on an address other than the one defined in NPS.
The shared secret is not valid.
The Message-Authenticator attribute (also known as a digital signature) sent by the client is not valid.
NPS was unable to locate the domain of the user name.
NPS was unable to connect to the domain of the user name.
NPS was unable to access the user account in the domain.
When NPS rejects a connection request, the information in the event text includes the user name, access server identifiers, the authentication type, the name of the first matching network policy, the reason for the rejection, and other information.
Connection request success events
Although NPS records connection request success events by default, you can change the configuration according to your logging needs.
When NPS accepts a connection request, the information in the event text includes the user name, access server identifiers, the authentication type, and the name of the first matching network policy.
Warning
Logging connection request successes can result in the recording of large volumes of data. If you choose to log successful connection request events, use event logging options in Event Viewer to manage the Event Viewer logs.
Logging secure channel (Schannel) events
Secure channel (Schannel) is a security support provider (SSP) that supports a set of Internet security protocols, such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). These protocols provide identity authentication and secure, private communication by using encryption.
Logging of client certificate validation failures is a secure channel event, and is not enabled on the NPS server by default. You can enable the logging of additional secure channel events. For more information, see NPS: SCHANNEL.