IAS Troubleshooting Tools | Deploying Secure 802.11 Wireless Networks with Microsoft Windows

IAS Troubleshooting Tools

To help you gather information to troubleshoot problems with IAS, the following tools are available:

IAS event logging and Event Viewer snap-in
Network Monitor
SChannel logging
Tracing
SNMP agent
Performance Logs and Alerts snap-in

IAS Event Logging and Event Viewer Snap-In

To troubleshoot IAS authentication attempts using events in the Microsoft Windows event logs, ensure that event logging is enabled for all types of IAS events (such as rejected, discarded, and successful authentication events). Event logging for all these types of events are enabled by default for both Windows Server 2003 IAS and Windows 2000 IAS. For more information, see Chapter 4, RADIUS, IAS, and Active Directory.

IAS events are stored in the system event log, which can be viewed from the Event Viewer snap-in. Here is an example of the description for a successful authentication event (Source: IAS, Event ID: 1):

User client@example.com was granted access. Fully-Qualified-User-Name = example.com/Users/Client NAS-IP-Address = 10.7.0.4 NAS-Identifier = <not present> Client-Friendly-Name = Building 7 Wireless AP Client-IP-Address = 10.7.0.4 NAS-Port-Type = Wireless-IEEE 802.11 NAS-Port = 6 Policy-Name = Wireless Remote Access Policy Authentication-Type = EAP EAP-Type = Smart Card or other Certificate

To view the failed authentication events, use the Event Viewer to view the events with the Source of IAS and the Event ID of 2.

Viewing the IAS events in the system event log is one of the most useful troubleshooting tools for obtaining information about failed authentications. The IAS events are also helpful when troubleshooting remote access policies. When you have multiple remote access policies configured, the Policy-Name field in the event description records the name of the remote access policy that either accepted or rejected the connection attempt.

Network Monitor

You can use Microsoft Network Monitor available in Microsoft Systems Management Server or the Windows 2000 Server and Windows Server 2003 families or a commercial packet analyzer (also known as a network sniffer) to capture and view RADIUS authentication and accounting messages that are sent to and from an IAS RADIUS server or an IAS RADIUS proxy. Network Monitor includes a RADIUS parser, which you can use to view the attributes of a RADIUS message and troubleshoot connection issues.

Network Monitor is useful for checking to see whether RADIUS messages are being exchanged, and for determining the RADIUS attributes of each message.

SChannel Logging

Secure channel (SChannel) logging is the logging of detailed information for SChannel events in the system event log. By default, only SChannel error messages are recorded. To log errors, warnings, informational, and successful events, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging registry value to 4 (as a DWORD type). With SChannel logging recording all events, it is possible to obtain more information about the certificate exchange and validation process on the IAS server.

Tracing

As described in Chapter 14, Troubleshooting the Windows Wireless Client, Windows Server 2003 and Windows 2000 have an extensive tracing capability that creates tracing files that describe the internal behavior of Windows components during the authentication and authorization process. This information is typically useful only to Microsoft support engineers, who might request that you create trace files for a connection attempt during their investigation of a support issue.

You can enable the components in Windows Server 2003 to log tracing information to files by using the netsh command for specific components or for all components.

To enable and disable tracing for a specific component, the command is

netsh ras set tracing component enabled disabled

in which component is a component in the list of components found in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing. For example, to enable tracing for the IASRAD component, the command is

netsh ras set tracing iasrad enabled

Although you can enable tracing for individual components of IAS, it is easier to turn tracing on for all the IAS components at once. Microsoft support engineers typically want see all the trace files, rather than the trace file for an individual component. To enable tracing for all components, the command is

netsh ras set tracing * enabled

To disable tracing for all components, the command is

netsh ras set tracing * disabled

The log files that are generated are stored in the SystemRoot\tracing folder.

TIP
Tracing consumes system resources and should be used sparingly during the investigation of a support issue. After the trace is done or the problem is identified, you should disable tracing. Do not leave tracing enabled on multiprocessor computers.

SNMP Agent

You can use the Simple Network Management Protocol (SNMP) agent software included with Windows 2000 Server and Windows Server 2003 to monitor status information for your IAS server from an SNMP console. IAS supports the RADIUS Authentication Server MIB (RFC 2619) and the RADIUS Accounting Server MIB (RFC 2621). Use Control Panel-Add/Remove Programs to install the SNMP agent as an optional management and monitoring tool.

The SNMP agent can be used in conjunction with your existing SNMP-based network management infrastructure to monitor your IAS RADIUS servers or proxies.

Performance Logs And Alerts Snap-In

You can use the Performance Logs And Alerts snap-in to monitor counters, create logs, and set alerts for specific IAS components and program processes. You can also use charts and reports to determine how efficiently your server uses IAS and to both identify and troubleshoot potential problems.

You can use the Performance Logs And Alerts snap-in to monitor counters within the following IAS-related performance objects:

IAS Accounting Clients
IAS Accounting Proxy
IAS Accounting Server
IAS Authentication Clients
IAS Authentication Proxy
IAS Authentication Server
IAS Remote Accounting Servers
IAS Remote Authentication Servers

For more information about how to use the Performance Logs And Alerts snap-in, see Windows 2000 Server Help or the Help and Support Center for Windows Server 2003.