How to track RADIUS authentication failure

With Native AD Auditing
With ADAudit Plus

How AD Audit Plus can help

With AD Audit Plus, you can view all your RADIUS logons from an easy-to-use dashboard.

To view an audit report on RADIUS Logon Failure:

Click on the 'Reports' Tab and then expand Local Logon-Logoff and select RADIUS Logon Failure.
Select the Domain
Select the Computer. You can use the "Add" button to select computers including domain controllers or member servers can be selected.
Select the 'Period' for which you want to view the logon failures.
This lists the audit information on 'Logon History of the selected computers' for the selected period via RADIUS protocol.

Here's how you can view a history of RADIUS logon failures in native Active Directory.

Pre-requisite: Before you configure a RADIUS server role, you can create a group for AD users, (For example a group named- WFH_Users) who can authenticate using the RADIUS protocol.

RADIUS protocol is a part of Network Policy Server Role.

Step 1: Install RADIUS Server via NPS in Active Directory
Launch the Server Manager in the Windows Server Instance.
Go to Add Roles and Features. You need to walk through the different stages of installation displayed on the left pane to finish installing.
On the Before you Begin pane,click Next. You'll be moved to the Installation Type pane' where you should select type of installation—Role based or Feature based and click Next.
On the Before you Begin pane,click Next. You'll be moved to the Installation Type pane' where you should select type of installation—Role based or Feature based and click Next.
On the Server Roles pane, select the Network Policy and Access Services role from the list of server roles provided. When you move on to the Features pane you can apply the default features that is already selected.
Step 2: Register the NPS Server in Active Directory

Go to the drop down menu under Tools and select Network Policy Server.
This opens up the NPS snap-in. Now you can right click the NPS tree (generally displayed as NPS local) and select the Register NPS server in Active Directory Option.
Click 'Okay' on the confirmation dialog box that is displayed. This NPS server will now be included in the default domain groups called "RAS and IAS Servers".
Step 3: Add a RADIUS Client

A RADIUS client is a device that forwards logon and authentication requests to your NPS.

In the NPS snap-in, expand the NPS tree to find the RADIUS Clients and Servers folder. Expand this folder to view RADIUS Clients and Remote RADIUS Server elements within it.
Right click the RADIUS client element and select New. This directs you to a New RADIUS Client Window. In the Settings tab, select Enable this RADIUS Client.After that you can fill in the fields- Friendly Name (name of the RADIUS client you're assigning) and the IP/DNS Address of the client. Finally you can set up a shared secret key manually.
In the 'Advanced' tab, select the 'Vendor name' associated with your RADIUS client.
Step 4: Setup NPS Policies for Authentication

Setting up an NPS policy allows you to authenticate a distinct group of remote users against your NPS with various levels of access permissions.

Under the NPS (Local) tree expand the 'Policies' tab. Right click 'Network Policies' and select 'New'.
You can name your policy and leave the 'Type of network access server' as unspecified.
You can then specify rules to allow only users within a particular group (for example- WFH_Users) to be allowed to authenticate against NPS by clicking 'Add' against the 'Windows Groups' option.
Against the 'Client Friendly Name' option, 'Add' the client friendly name of the RADIUS client you had specified earlier.
On the 'Next' pane select 'Access Granted'.
Step 5: Configure Accounting for NPS
Open the NPS snap-in.
In the console tree, click Accounting.
In the details pane, select Configure Accounting.
Step 6: Enable NPS Audit

To view a history of RADIUS logon failures in the Event Viewer, you need to enable auditing for NPS.

In the command prompt, you can enable auditing with the following command
auditpol /set /subcategory:"Network Policy Server" //failure:enable
If both success and failure events are enabled, the output should be:

System audit policy

Category/Subcategory Setting

Logon/Logoff

Network Policy Server Failure

Step 7: View RADIUS Logons in Event Viewer.

When a user who has been granted remote access, and has been authenticated, the event is recorded in the Event Viewer.

Open 'Event Viewer' and expand 'Security Logs'. Expand the 'Logon/Logoff' tab and after that expand the 'Network Policy Server' tab.
- Select 'Filter Current Log' from the right pane and search for the following Event IDs
  1. EventID 6273 - Network Policy Server denied access to a user.
  2. EventID 6273 - Network Policy Server denied access to a user.

With this info you can view RADIUS logons failures.

Native auditing becoming a little too much?

Track RADIUS logon failures with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Active Directory auditing

Windows file auditing

NAS device file auditing

Windows server auditing

Workstation auditing

Entra ID auditing

All features →

Help documents

Video zone

Webinars

Product brochures

Case studies

E-books

Awards zone

Study

How tos

Best practices

How to track RADIUS Logon Failure

With Native AD Auditing

With ADAudit Plus

How AD Audit Plus can help

Step 1: Install RADIUS Server via NPS in Active Directory

Step 2: Register the NPS Server in Active Directory

Step 3: Add a RADIUS Client

Step 4: Setup NPS Policies for Authentication

Step 5: Configure Accounting for NPS

Step 6: Enable NPS Audit

Step 7: View RADIUS Logons in Event Viewer.

Related How-tos

Request 1-on-1 demo

Thanks

ADAudit Plus Trusted By

Meet all auditing and IT security needs with ADAudit Plus.

A single pane of glass for complete Active Directory Auditing and Reporting