Microsoft Network Policy Server Events

Version 2

    Microsoft Network Policy Server Events

    This template assesses the status and overall performance of a Microsoft Network Policy Server (NPS). This template uses Windows System and Security Event Logs.

    Prerequisites: WMI access to the target server.

    Credentials: Windows Administrator on the target server.

    Monitored Components

    Note: All Windows Event Log monitors should return zero values. Returned values other than zero indicate an abnormality. Examining the Windows System and Security log files should provide information pertaining to the issue.

    Note: Detailed information about all these events can be found here: http://technet.microsoft.com/en-us/library/cc732054(WS.10).aspx.

    Warning: NPS discarded the request for a user

    This monitor returns the number of events when the Network Policy Server discarded the request for a user.

    Type of event: Warning. Event ID: 6274.

    This condition occurs when the NPS discards accounting requests because the structure of the accounting request message that was sent by a RADIUS client does not comply with the RADIUS protocol. You should reconfigure, upgrade, or replace the RADIUS client.

    Warning: Domain Controller is not responsive

    This monitor returns the number of events when domain controller is not responsive.

    Type of event: Warning. Event ID: 4401.

    You should check your domain controller availability.

    Warning: NPS denied access to a user

    This monitor returns the number of events when the Network Policy Server denied access to a user.

    Type of event: Warning. Event ID: 6273.

    This error might be caused by one of the following conditions:

      • The user does not have valid credentials;
      • The connection method is not allowed by the network policy;
      • The network access server is under attack;
      • NPS does not have access to the user account database on the domain controller;
      • NPS log files and/or the SQL Server database is not available.

    Warning: Internal error

    This monitor returns the number of events when an internal error occurred while processing a request.

    Type of event: Warning. Event ID: 12.

    This error is typically returned when an exception that is not identified by some other error occurs. This error can also be returned by Extensible Authentication Protocol (EAP) or Schannel.

    Warning: NPS discarded the accounting request for a user

    This monitor returns the number of events when Network Policy Server discarded the accounting request for a user.

    Type of event: Warning. Event ID: 6275.

    Network corruption, latency, or other network problems unrelated to NPS might produce this condition. Wait a short while to see if the condition still exists. This problem might resolve itself.

    Warning: Remote RADIUS server has not responded

    This monitor returns the number of events when the remote RADIUS server has not responded to consecutive requests.

    Type of event: Warning. Event ID: 36.

    You should manually check the availability of the remote RADIUS server.

    Warning: Server communication problems

    This monitor returns the number of events when NPS cannot communicate with RADIUS clients due to different errors in the RADIUS message.

    Type of event: Warning. Event ID: 15,16,17,18,19.

    This condition can occur if the server running NPS receives one of the following from a RADIUS client:

      • A response of a malformed message;
      • A response that contains an incorrect value in the Code field;
      • An Access-Request message that does not contain a Message-Authenticator attribute;
      • A response that contains a message authenticator that is not valid;
      • An Access-Request message that contains an Extensible Authentication Protocol (EAP) message, but no Message-Authenticator attribute.

    Network corruption, latency, or other network problems unrelated to NPS might produce this condition. Wait a short while to confirm that the condition still exists. This problem might resolve itself.

    Warning: NPS could not send a response due to network problems

    This monitor returns the number of events when NPS could not send a response due to a network error. The data is the error code generated by Windows Sockets.

    Type of event: Warning. Event ID: 22.

    Use Windows Sockets error messages and documentation to determine the Windows Sockets reason for failure and to help determine the steps for a resolution. For more information, see Windows Sockets Error Codes at http://go.microsoft.com/fwlink/?LinkId=95404.

    Warning: RADIUS error occurred

    This monitor returns the number of events when a RADIUS error occurred.

    Type of event: Warning. Event ID: 23.

    Use Windows Sockets error messages and documentation to determine the Windows Sockets reason for failure and to help determine the steps for a resolution. For more information, see Windows Sockets Error Codes at http://go.microsoft.com/fwlink/?LinkId=95404.

    Warning: Message with invalid authenticator

    This monitor returns the number of events when a RADIUS message was received from a RADIUS client with an invalid authenticator.

    Type of event: Warning. Event ID: 14.

    This is typically caused by mismatched shared secrets. Verify the configuration of the shared secret for the RADIUS client in the Network Policy Server snap-in and the configuration of the network access server.

    Warning: Response to client exceeds maximum message length

    This monitor returns the number of events when the response to a RADIUS client exceeds the maximum RADIUS message length of 4096 bytes.

    Type of event: Warning. Event ID: 21.

    This condition can occur under the following circumstances:

      • The RADIUS client configuration is incorrect and NPS received a RADIUS message that contains an authenticator that is not valid
      • The RADIUS client needs to be updated because the size of the RADIUS message received from the RADIUS client exceeds the message size specified in the RADIUS protocol.

    Warning: Could not resolve the name of RADIUS client

    This monitor returns the number of events when the name of the RADIUS client could not be resolved. The data returned is the error code generated by Windows Sockets.

    Type of event: Warning. Event ID: 10.

    This condition can occur under the following circumstances:

      • In the NPS Microsoft Management Console (MMC), a RADIUS client is configured by fully qualified domain name (FQDN) or NetBIOS name, rather than by IP address, and NPS has not received a DNS server response to the name resolution query. Without the IP address provided by the name resolution query, NPS cannot contact the RADIUS client;
      • NPS is receiving communication from a RADIUS client that is not configured in the NPS MMC;
      • In the NPS MMC, a RADIUS client is configured by either IPv4 or IPv6 address, but the format of the IP address is incorrect.

    Warning: Wrong RADIUS clients IP address

    This monitor returns the number of events when the IP address of the RADIUS client is not a valid IP address.

    Type of event: Warning. Event ID: 11.

    This condition can occur under the following circumstances:

      • In the NPS Microsoft Management Console (MMC), a RADIUS client is configured by fully qualified domain name (FQDN) or NetBIOS name rather than by IP address, and NPS has not received a DNS server response to the name resolution query. Without the IP address provided by the name resolution query, NPS cannot contact the RADIUS client
      • NPS is receiving communication from a RADIUS client that is not configured in the NPS MMC;
      • In the NPS MMC, a RADIUS client is configured by either IPv4 or IPv6 address, but the format of the IP address is incorrect.

    Warning: Message received from invalid RADIUS client IP

    This monitor returns the number of events when a RADIUS message was received from the invalid RADIUS client IP address.

    Type of event: Warning. Event ID: 13.

    This condition can occur under the following circumstances:

      • In the NPS Microsoft Management Console (MMC), a RADIUS client is configured by fully qualified domain name (FQDN) or NetBIOS name rather than by IP address, and NPS has not received a DNS server response to the name resolution query. Without the IP address provided by the name resolution query, NPS cannot contact the RADIUS client;
      • NPS is receiving communication from a RADIUS client that is not configured in the NPS MMC;
      • In the NPS MMC, a RADIUS client is configured by either IPv4 or IPv6 address, but the format of the IP address is incorrect.

    Error: No available domain controllers

    This monitor returns the number of events that occur when there is no domain controller available for the domain.

    Type of event: Error. Event ID: 4402.

    You should check your domain controller availability.

    Error: NPS license compliance

    This monitor returns the number of events when this edition of Windows Server cannot support any of the following NPS configurations:

      • More than 50 RADIUS clients;
      • More than two RADIUS server groups;
      • Client identification by subnet mask.

    Type of event: Error. Event ID: 46.

    To set up your server to support any of these configurations, install a Windows Server edition without these limitations.

    Error: Disk is full

    This monitor returns the number of events that occur when a disk is full. NPS could not delete older log files to create free space or could not find older an log file to delete and create free space.

    Type of event: Error. Event ID: 43,44.

    You should verify that there is free disk space.

    Error: RADIUS proxy could not resolve the name of remote server

    This monitor returns the number of events when the RADIUS Proxy could not resolve the name of remote RADIUS server in a remote RADIUS server group to an IP address.

    Type of event: Error. Event ID: 24.

    You should manually check DNS settings and the availability of the remote RADIUS server.

    Error: Unable to forward request to remote server

    This monitor returns the number of events that occur when the RADIUS Proxy was unable to forward a RADIUS request to a remote RADIUS server because of a network error.

    Type of event: Error. Event ID: 33.

    You should manually check network configuration.

     

    Portions of this document were originally created by and are excerpted from the following sources:

    Kiong Software and Microsoft Corporation, “Performance Counters for Microsoft Products,” Copyright © 2008 Microsoft Corporation. 
    All rights reserved. Available at
    http://www.docstoc.com/docs/69756322/Performance-Counters-for-Microsoft-Products

    .