Tracing Untraceable AD Account Lockouts

I have only just finished a call with Microsoft about exactly this, so hopefully the following information will help :)

Authentication attempts can happen at a couple of spots, and notably if you are using PEAP authentication for wireless connections, authentication negotiation also occurs through the EAPHost service.

The EAPHost service I find doesn't have fantastic authentication logging (it's miserable actually - trace file), so if for whatever reason authentication fails in EAPHost, the authentication failure attempt is logged using the somewhat generic authentication eventIDs in the event log and nothing at all in IAS Logs.

What we did discover was that a newly built RADIUS server was logging far more information in the IAS logs than our in-production system. I went through and reconfigured logging through the configuration log to include accounting information (tick all the boxes in the wizard!), restarted the service and found that all the missing IAS events were now being logged, including MAC addresses and SSIDs, into the IAS log files.

Hope this may help :)
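
Once the IAS log files carry MAC addresses and SSIDs, the rejected attempts for a locked-out account can be tallied by source device. The following is an added example, not part of the original post or any Microsoft tooling. It assumes the log is written in the DTS Compliant (XML) format and that Called-Station-Id has the form AP-MAC:SSID; the function names and sample lines are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

ACCESS_REJECT = "3"  # RADIUS Packet-Type code for Access-Reject
# Wireless NAS devices commonly send Called-Station-Id as "<AP MAC>:<SSID>".
CALLED_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[-:]?){6}:(.+)")

def norm_mac(value):
    """Reduce a MAC in any common notation to upper-case hex digits."""
    return "".join(c for c in value if c.isalnum()).upper()

def short_user(value):
    """Drop a DOMAIN\\ prefix or @realm suffix and lower-case the name."""
    return value.split("\\")[-1].split("@")[0].lower()

def rejected_sources(lines, account):
    """Count Access-Reject records for `account` per (client MAC, SSID)."""
    hits = Counter()
    for line in lines:
        try:
            ev = ET.fromstring(line.strip())
        except ET.ParseError:
            continue  # truncated line, or a record that is not XML
        if ev.findtext("Packet-Type") != ACCESS_REJECT:
            continue
        if short_user(ev.findtext("User-Name", "")) != account.lower():
            continue
        client = norm_mac(ev.findtext("Calling-Station-Id", "")) or "unknown"
        m = CALLED_RE.fullmatch(ev.findtext("Called-Station-Id", "").strip())
        hits[(client, m.group(1) if m else "unknown")] += 1
    return hits.most_common()

def sample_event(ptype, user, client, called):
    """Build one constructed log line (not real log data)."""
    fields = {"Packet-Type": ptype, "User-Name": user,
              "Calling-Station-Id": client, "Called-Station-Id": called}
    body = "".join(f'<{k} data_type="1">{v}</{k}>' for k, v in fields.items())
    return f"<Event>{body}</Event>"

AP = "00-11-22-33-44-55"
SAMPLE = [
    sample_event(1, "CORP\\jdoe", "AA-BB-CC-11-22-33", AP + ":CorpWiFi"),
    sample_event(3, "CORP\\jdoe", "AA-BB-CC-11-22-33", AP + ":CorpWiFi"),
    sample_event(3, "jdoe@corp.example", "aabb.cc11.2233", AP + ":CorpWiFi"),
    sample_event(3, "CORP\\jdoe", "66-77-88-99-AA-BB", AP + ":Guest"),
    sample_event(3, "CORP\\asmith", "AA-BB-CC-11-22-33", AP + ":CorpWiFi"),
    '<Event><Packet-Type data_type="0">3</Packet',  # truncated write
]

if __name__ == "__main__":
    for (mac, ssid), n in rejected_sources(SAMPLE, "jdoe"):
        print(f"{n:3d} rejects  client={mac}  ssid={ssid}")
```

The device with the highest reject count is usually the one still presenting a stale password.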