Questions on NAP IEEE802.1X Event Log

  • Question

  • We have some questions on the NAP IEEE802.1X event log on Windows Server 2008.
    Could anyone kindly answer the questions?

    When we tested NAP IEEE802.1X, we found that the event log on Windows Server 2008
    is different from the case of NAP DHCP.

    In the case of NAP 802.1X,
     even when the NAP SoH check succeeds, the NPS event log on Windows Server 2008 shows "fail"
     (Event ID=6276).

    In the case of NAP DHCP,
     when the NAP SoH check succeeds, the event log shows "success" (Event ID=6278);
     when the NAP SoH check fails, the event log shows "fail" (Event ID=6276).

    We would like to confirm whether this is the correct specification of Windows Server 2008,
    or whether it is possible to change the 802.1X event log to match the DHCP case
    by setting some options on Windows Server 2008.

    The event log of NAP 802.1X in XML format is shown below.

     <?xml version="1.0" encoding="utf-8" standalone="yes" ?>
     <Events>
       <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
         <System>
           <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
           <EventID>6276</EventID>
           <Version>0</Version>
           <Level>0</Level>
           <Task>12552</Task>
           <Opcode>0</Opcode>
           <Keywords>0x8020000000000000</Keywords>
           <TimeCreated SystemTime="2008-12-06T05:11:53.500Z" />
           <EventRecordID>64560</EventRecordID>
           <Correlation />
           <Execution ProcessID="564" ThreadID="1188" />
           <Channel>Security</Channel>
           <Computer>Win2008x64.local</Computer>
           <Security />
         </System>
         <EventData>
           <Data Name="SubjectUserSid">S-1-5-21-1027733147-3524878198-3134188963-1107</Data>
           <Data Name="SubjectUserName">user1</Data>
           <Data Name="SubjectDomainName">QE</Data>
           <Data Name="FullyQualifiedSubjectUserName">QE\user1</Data>
           <Data Name="SubjectMachineSID">S-1-0-0</Data>
           <Data Name="SubjectMachineName">user1</Data>
           <Data Name="FullyQualifiedSubjectMachineName">-</Data>
           <Data Name="MachineInventory">6.0.6001 1.0 x86 Domain Controller</Data>
           <Data Name="CalledStationID">00-15-C6-AF-33-8D</Data>
           <Data Name="CallingStationID">00-50-70-00-D9-13</Data>
           <Data Name="NASIPv4Address">172.16.2.96</Data>
           <Data Name="NASIPv6Address">-</Data>
           <Data Name="NASIdentifier">-</Data>
           <Data Name="NASPortType">Ethernet</Data>
           <Data Name="NASPort">50013</Data>
           <Data Name="ClientName">NAP 802.1x</Data>
           <Data Name="ClientIPAddress">172.16.2.96</Data>
           <Data Name="ProxyPolicyName">NAP 802.1X (Wired)</Data>
           <Data Name="NetworkPolicyName">NAP 802.1X (Wired) Compliant</Data>
           <Data Name="AuthenticationProvider">Windows</Data>
           <Data Name="AuthenticationServer">Win2008x64.local</Data>
           <Data Name="AuthenticationType">PEAP</Data>
           <Data Name="EAPType">Microsoft: EAP-MSCHAP v2</Data>
           <Data Name="AccountSessionIdentifier">-</Data>
           <Data Name="QuarantineState">Quarantined</Data>
           <Data Name="ExtendedQuarantineState">-</Data>
           <Data Name="QuarantineSessionID">{6FA02DF4-D851-4E00-BB76-28C48AE51DF1} - 2008-03-24 09:10:58.453Z</Data>
           <Data Name="QuarantineHelpURL">-</Data>
           <Data Name="QuarantineSystemHealthResult">Windows Security Verification Tool.. Compliant No Data Server Component  0x80270001</Data>
         </EventData>
       </Event>
     </Events>


    Thanks in advance,
    Yoshi
    Monday, December 8, 2008 7:37 AM

Answers

  • Hi Yoshi,

     

    We have investigated your questions regarding NAP event logging on Windows Server 2008, and provide answers as follows.

     

    Windows Security Auditing logs events 6276, 6277, and 6278 for NAP regardless of the enforcement type, e.g. 802.1x wired, 802.1x wireless, DHCP, IPsec, TSG, VPN. The network access is however granted to the NAP client based on the policy being enforced.

     

    For your NAP 802.1X event logging, the Event ID 6276 matches the "NAP 802.1X (Wired) Compliant" policy, as you notice in the event data section.

      <EventData>
        <Data Name="NetworkPolicyName">NAP 802.1X (Wired) Compliant</Data>
        <Data Name="QuarantineSystemHealthResult">Windows Security Verification Tool. Compliant No Data Server Component  0x80270001</Data>
      </EventData>

     

    The first recommendation would be to check the policies you are matching to ensure they are properly configured. Check both Network Policies and Health Policies, and System Health Validators.

     

    Assuming you are testing your own NAP client implementation, the second recommendation would be to check the configuration of EAP Methods properties on the server. Your NAP client might be requesting some properties that the server is either not configured to support, or does not support. Details on the EAP Methods properties are available at this location: http://msdn.microsoft.com/en-us/library/aa363937(VS.85).aspx

     

    In case you might still require further assistance with your issue regarding configuration and event logging, I would recommend these TechNet NAP resources:

    Microsoft Technet: NAP team forum.

    http://social.technet.microsoft.com/forums/en-US/winserverNAP/threads

    Microsoft TechNet: NAP Blogs

    http://blogs.technet.com/nap/

     

    Regards,

    Edgar

    Wednesday, December 17, 2008 5:16 PM
    Moderator
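    The following is an added example for this thread, not code from the thread, from Microsoft or from NPS itself. It is a small Python triage script for NAP audit events exported from the Security log in the XML shape of the export in the question: it maps 6276/6277/6278 to their outcome (quarantined, probation, full access), pulls out the fields Edgar points at (NetworkPolicyName, QuarantineState, QuarantineSystemHealthResult), filters to 802.1X by NAS-Port-Type since, as the answer says, the same three event IDs are written for every enforcement method, and flags an event where the matched network policy is named "Compliant" yet the outcome is quarantine. The sample events are constructed (modelled on the export above); the QuarantineState strings assumed for 6277/6278, the NAS-Port-Type names used for the 802.1X filter, and the "Virtual" port type on the DHCP sample are assumptions, not values taken from real events.

```python
"""Triage NPS NAP audit events (6276/6277/6278) exported from the Security log as XML.

Added example for this thread; the sample events are constructed, modelled on the
export in the question. Not Microsoft or NPS code.
"""
import re
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# The three NAP outcome events, written by Microsoft-Windows-Security-Auditing for every
# enforcement method (802.1X wired/wireless, DHCP, IPsec, VPN, TS Gateway).
NAP_OUTCOME = {6276: "quarantined", 6277: "probation", 6278: "full access"}

# QuarantineState text each event should carry. 6276 comes from the export in the thread;
# the strings for 6277 and 6278 are assumptions about how those events render.
EXPECTED_STATE = {6276: "Quarantined", 6277: "Probation", 6278: "Full Access"}

# NAS-Port-Type values treated as 802.1X enforcement (assumed RADIUS attribute names).
DOT1X_PORT_TYPES = ("Ethernet", "Wireless - IEEE 802.11")

FIELDS = ("FullyQualifiedSubjectUserName", "NASPortType", "ClientName", "NetworkPolicyName",
          "QuarantineState", "QuarantineSystemHealthResult")


def sample_event(event_id, state, policy, health, port_type="Ethernet"):
    """Build a constructed <Event> in the Event Viewer XML shape (test data only)."""
    return (
        '<Event xmlns="%s"><System>'
        '<Provider Name="Microsoft-Windows-Security-Auditing" />'
        '<EventID>%d</EventID><Channel>Security</Channel><Computer>Win2008x64.local</Computer>'
        '</System><EventData>'
        '<Data Name="FullyQualifiedSubjectUserName">QE\\user1</Data>'
        '<Data Name="NASPortType">%s</Data><Data Name="ClientName">NAP 802.1x</Data>'
        '<Data Name="NetworkPolicyName">%s</Data><Data Name="QuarantineState">%s</Data>'
        '<Data Name="QuarantineSystemHealthResult">%s</Data>'
        '</EventData></Event>' % (EVT_NS, event_id, port_type, policy, state, health)
    )


# Constructed samples: the quarantined 802.1X event from the thread, a full-access wired
# event, and a DHCP event (port type "Virtual" is a placeholder) that the 802.1X filter drops.
SAMPLE_XML = "<Events>%s%s%s</Events>" % (
    sample_event(6276, "Quarantined", "NAP 802.1X (Wired) Compliant",
                 "Windows Security Verification Tool.. Compliant No Data Server Component  0x80270001"),
    sample_event(6278, "Full Access", "NAP 802.1X (Wired) Compliant",
                 "Windows Security Verification Tool. Compliant"),
    sample_event(6278, "Full Access", "NAP DHCP Compliant",
                 "Windows Security Verification Tool. Compliant", port_type="Virtual"),
)


def _local(tag):
    """Strip the XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]


def parse_nap_events(xml_text):
    """Parse a single <Event> or an <Events> wrapper into one dict per event."""
    root = ET.fromstring(xml_text)
    nodes = root.findall("e:Event", NS) if _local(root.tag) == "Events" else [root]
    events = []
    for node in nodes:
        system = node.find("e:System", NS)
        data = {d.get("Name"): (d.text or "-")
                for d in node.find("e:EventData", NS).findall("e:Data", NS)}
        rec = {"event_id": int(system.findtext("e:EventID", namespaces=NS)),
               "computer": system.findtext("e:Computer", namespaces=NS)}
        rec["outcome"] = NAP_OUTCOME.get(rec["event_id"], "not a NAP outcome event")
        for name in FIELDS:
            rec[name] = data.get(name, "-")
        # Trailing result code in the SHV text (e.g. 0x80270001), if there is one.
        m = re.search(r"0x[0-9A-Fa-f]{8}", rec["QuarantineSystemHealthResult"])
        rec["shv_code"] = m.group(0) if m else None
        events.append(rec)
    return events


def dot1x_events(events):
    """Keep only events from 802.1X enforcement points, by NAS-Port-Type."""
    return [e for e in events if e["NASPortType"] in DOT1X_PORT_TYPES]


def check_event(rec):
    """Return a list of things to check; an empty list means the event is self-consistent."""
    eid = rec["event_id"]
    if eid not in NAP_OUTCOME:
        return ["event %d is not a NAP outcome event (expected 6276/6277/6278)" % eid]
    findings = []
    if rec["QuarantineState"] != EXPECTED_STATE[eid]:
        findings.append("QuarantineState '%s' does not match event %d (expected '%s')"
                        % (rec["QuarantineState"], eid, EXPECTED_STATE[eid]))
    policy = rec["NetworkPolicyName"].lower()
    if eid == 6276 and "compliant" in policy and "noncompliant" not in policy:
        findings.append("policy '%s' matched but the client was quarantined; check its health "
                        "policy, the SHV settings and the EAP method properties"
                        % rec["NetworkPolicyName"])
    if rec["shv_code"]:
        findings.append("SHV result carries code %s: %s"
                        % (rec["shv_code"], rec["QuarantineSystemHealthResult"]))
    return findings


def summarize(events):
    """Count events per NAP outcome (the 'success'/'fail' view asked for in the question)."""
    counts = {}
    for e in events:
        counts[e["outcome"]] = counts.get(e["outcome"], 0) + 1
    return counts


if __name__ == "__main__":
    wired = dot1x_events(parse_nap_events(SAMPLE_XML))
    for ev in wired:
        print(ev["event_id"], ev["outcome"], ev["NetworkPolicyName"])
        for finding in check_event(ev):
            print("  -", finding)
    print(summarize(wired))
```

    On a live NPS server the same parser can be fed the XML of each record returned by Event Viewer's "Save as XML", or from PowerShell with Get-WinEvent on the Security log filtered to IDs 6276, 6277 and 6278 and each record's ToXml() output; the NAS-Port-Type filter is what separates the 802.1X results from DHCP, VPN and other enforcement events that share those IDs.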

All replies

  • Yoshi,

    I have alerted our Protocols Support team concerning your questions about MS-SOH and MS-DHCPN. One of our team members will be in contact with you soon.

    Thanks for your questions!

    Richard Guthrie
    Escalation Engineer

    Monday, December 8, 2008 2:55 PM
  • Richard,

    Thank you for your assistance.

    If this is the specification of the Windows Server 2008 NAP 802.1X EC event log,

    or

    if you know another way to find out the NAP 802.1X EC result on Windows Server 2008,

    could you let us know?

    Thanks,

    Yoshi

    Friday, December 12, 2008 5:05 AM