NPS Event troubleshooting

When checking the Security event log, most events will be recorded as 6272 and 6278, because all users are currently allowed onto the proper VLAN regardless of compliance. Until the rules are changed, we need to review all of these event IDs to determine whether the computer is compliant. The following event IDs will show up in the Security log:

6272 – Network Policy Server granted access to a user.
6273 – Network Policy Server denied access to a user.
6274 – Network Policy Server discarded the request for a user.
6275 – Network Policy Server discarded the accounting request for a user.
6276 – Network Policy Server quarantined a user.
6277 – Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
6278 – Network Policy Server granted full access to a user because the host met the defined health policy.
6279 – Network Policy Server locked the user account due to repeated failed authentication attempts.
6280 – Network Policy Server unlocked the user account.

At the bottom of the 6272 event you will see the following codes. The error code itself is less useful than its position in the list; i.e. if the error code is the second entry, then AV is not up to date or not enabled.

On Windows XP:
(0x0 - ) Firewall Status
(0x0 - ) Anti-Virus Status
(0x0 - ) **Not used on XP**
(0x0 - ) Automatic Update Status
(0x0 - ) Update (Patch) Status
(0x0 - ) Update Severity Rating


On Vista:
(0x0 - ) Firewall Status
(0x0 - ) Anti-Virus Status
(0x0 - ) Anti-Virus Up-to-date
(0x0 - ) Anti-Malware Status
(0x0 - ) Anti-Malware Up-to-date
(0x0 - ) Automatic Update Status
(0x0 - ) Update (Patch) Status
(0x0 - ) Update Severity Rating

Severity codes (last entry; doesn't always display):
0x00000040 – Unspecified (All)
0x00000080 – Low
0x00000100 – Moderate
0x00000200 – Important
0x00000400 – Critical

Error codes:
0xC0FF0001 – A system health component is not enabled. (Auto Updates or firewall turned off)
0xC0FF0002 – A system health component is not installed. (AV or FW not installed)
0xC0FF0003 – The Windows Security Center service is not running.
0xC0FF0004 – The signatures for a particular system health component are not up to date.
0xC0FF0007 – This computer will be automatically synchronized with the Windows Server Update Services server and new security updates must be installed.
0xC0FF0017 – The Windows Security Health Validator could not process the latest Statement of Health (SoH) because the SoH is invalid.
0xC0FF0018 – The Windows Security Center service has not started. An administrator may try to start the service manually.
0xC0FF0047 – A third-party system health component is not enabled. (Antivirus definitions)
0xC0FF0048 – The signatures for a particular third-party system health component are not up to date.
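Because the position of each "(0x... - ...)" entry, not the code, tells you which SHV check failed, it helps to decode the block mechanically. The following is an added example (not part of the original note) that pairs each entry with its position in the XP or Vista list above, looks the code up in the error and severity tables, and reports the failed components. It assumes each entry sits on its own line in the "(0xCODE - text)" form sketched above as "(0x0 - )"; the sample event text is constructed.

```python
"""Decode the System Health Validator entries at the foot of an NPS 6272/6277 event.

Added example; not part of the original note. Assumes one "(0xCODE - text)" entry
per line, as sketched by the note's "(0x0 - )" placeholders. Sample text is constructed.
"""
import re
from typing import Dict, List, Optional

# Meaning of each position, taken from the note's XP and Vista lists.
POSITION_NAMES: Dict[str, List[str]] = {
    "xp": [
        "Firewall Status", "Anti-Virus Status", "Not used on XP",
        "Automatic Update Status", "Update (Patch) Status", "Update Severity Rating",
    ],
    "vista": [
        "Firewall Status", "Anti-Virus Status", "Anti-Virus Up-to-date",
        "Anti-Malware Status", "Anti-Malware Up-to-date", "Automatic Update Status",
        "Update (Patch) Status", "Update Severity Rating",
    ],
}

# Error codes listed in the note (shortened to the official wording).
ERROR_CODES: Dict[int, str] = {
    0xC0FF0001: "A system health component is not enabled.",
    0xC0FF0002: "A system health component is not installed.",
    0xC0FF0003: "The Windows Security Center service is not running.",
    0xC0FF0004: "The signatures for a particular system health component are not up to date.",
    0xC0FF0007: "New security updates must be installed (client will sync with WSUS).",
    0xC0FF0017: "The Statement of Health (SoH) is invalid.",
    0xC0FF0018: "The Windows Security Center service has not started.",
    0xC0FF0047: "A third-party system health component is not enabled.",
    0xC0FF0048: "The signatures for a third-party system health component are not up to date.",
}

# Severity codes that appear in the last (Update Severity Rating) entry.
SEVERITY: Dict[int, str] = {
    0x40: "Unspecified (All)", 0x80: "Low", 0x100: "Moderate",
    0x200: "Important", 0x400: "Critical",
}

# One entry per line: "(0xC0FF0001 - text)" or the empty "(0x0 - )".
ENTRY_RE = re.compile(r"^\((0x[0-9A-Fa-f]+)\s*-\s*(.*)\)\s*$", re.MULTILINE)


def decode_shv_entries(event_text: str, os_name: str) -> List[dict]:
    """Pair each entry with the component that position stands for."""
    names = POSITION_NAMES[os_name]
    codes = [int(m.group(1), 16) for m in ENTRY_RE.finditer(event_text)]
    if len(codes) > len(names):
        raise ValueError(f"{len(codes)} entries but {os_name} has only {len(names)} positions")
    results = []
    for position, (name, code) in enumerate(zip(names, codes), start=1):
        is_severity = name == "Update Severity Rating"
        if is_severity:
            detail = SEVERITY.get(code, "unknown severity")
        else:
            detail = ERROR_CODES.get(code, "unknown error code") if code else "OK"
        results.append({"position": position, "component": name, "code": code,
                        "ok": code == 0 or is_severity, "detail": detail})
    return results


def noncompliant_components(event_text: str, os_name: str) -> List[str]:
    """Names of the SHV checks that failed (non-zero code; severity line excluded)."""
    return [r["component"] for r in decode_shv_entries(event_text, os_name) if not r["ok"]]


def update_severity(event_text: str, os_name: str) -> Optional[str]:
    """Severity text from the last entry, or None when the event omits it."""
    for r in decode_shv_entries(event_text, os_name):
        if r["component"] == "Update Severity Rating":
            return r["detail"]
    return None


# Constructed sample: a Vista client with AV disabled and patches outstanding.
SAMPLE_6272_VISTA = """\
Network Policy Server granted access to a user.
  ...header fields omitted...
(0x0 - )
(0xC0FF0001 - A system health component is not enabled.)
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
(0xC0FF0007 - This computer will be automatically synchronized with the Windows Server Update Services server and new security updates must be installed.)
(0x00000200 - Important)
"""

if __name__ == "__main__":
    for row in decode_shv_entries(SAMPLE_6272_VISTA, "vista"):
        print(f"{row['position']}. {row['component']:<26} 0x{row['code']:08X}  {row['detail']}")
    print("Non-compliant:", noncompliant_components(SAMPLE_6272_VISTA, "vista"))
```

Pass the event's message text and "xp" or "vista" to match the client; a missing severity line is tolerated, and more entries than the chosen OS defines raises an error so the wrong positional table is never applied silently.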


To verify that the local PC can work with NPS, check the NAP client Group Policy settings on the client computer:
1. Click Start, click Run, type cmd, and then press ENTER.
2. In the command window, type netsh nap client show grouppolicy, and then press ENTER.
3. In the command output, under Enforcement clients, verify that the Admin status of the EAP Quarantine Enforcement Client is Enabled.
4. In the command window, type netsh nap client show state, and then press ENTER.
5. In the command output, under Enforcement client state, verify that the Initialized status of the EAP Quarantine Enforcement Client is Yes.
6. Close the command window.


The IAS log is formatted as a header followed by attribute pairs. The header is the same on every entry and has the following format:
Switch IP, username (or workstation ID or MAC), date, time, service, NPS server
10.130.50.20,doamin\username,08/03/2009,10:51:35,IAS,WPPRDNAP01

On the first request the header is followed by a 6 (the code for the RADIUS Service-Type attribute), which should be followed by a 2 for "Framed".
Each code/value pair that follows represents an attribute exchanged between the NPS client and server.
Some common attribute pairs (network policies are 0–100 and SHV codes are >4000):
12 – MTU (usually 1500)
30 – Called station (dialed) – MAC address
31 – Calling station (originating) – MAC address
8 – Framed IP for user
61 – NAS port type
5 – NAS originating port
87 – Ethernet type (e.g. FastEthernet)
4 – Originating IP
4142 – Reason code (at the end; usually 0 = successful)
4149 – Network policy friendly name
25 – Access-Accept packet (text string sent to client)
44 – Session ID

So a successful authentication should show three lines, each ending in a reason code of 0:
6 – auth type
25 – accept
44 – establish session


10.130.50.64,domain\username,08/03/2009,10:53:45,IAS,NAP01,44,000035F8,8,10.130.245.5,45,1,49,18,46,816,42,2140516,43,2525972,47,4738,48,7518,40,2,61,15,5,50112,87,FastEthernet1/0/12,30,00-1A-A1-98-3D-0E,31,00-11-25-24-D8-AA,25,311 1 fe80::459a:3414:7ed3:a424 07/30/2009 08:08:15 31327,6,2,4,10.130.50.64,41,0,4108,10.130.50.64,4116,9,4128,NAP Switches,4154,NAP 802.1X (Wired),4136,4,4142,0
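Reading a line like the one above by eye is error-prone, so here is an added example (not part of the original note) that parses an IAS-format line into its six header fields and the code/value pairs that follow, names the codes listed above, and reports whether the entry ended with reason code 0. The names for codes 4108, 4128, 4136 and 4154, which appear in the sample line but not in the list above, are taken from the standard IAS attribute definitions and are not from the note.

```python
"""Parse IAS-format NPS log lines into header fields and attribute pairs.

Added example; not part of the original note. Attribute names follow the note's
list; names for 4108, 4128, 4136 and 4154 (not in the note) come from the standard
IAS attribute definitions. The sample line is the note's own; the failure line is constructed.
"""
import csv
from typing import Dict, List, Optional, Tuple

# The six header fields present on every IAS log entry.
HEADER_FIELDS = ["nas_ip", "user", "date", "time", "service", "nps_server"]

ATTRIBUTE_NAMES: Dict[int, str] = {
    4: "Originating IP",
    5: "NAS originating port",
    6: "Service type (2 = Framed)",
    8: "Framed IP for user",
    12: "MTU",
    25: "Access-Accept string sent to client",
    30: "Called station (switch MAC)",
    31: "Calling station (client MAC)",
    44: "Session ID",
    61: "NAS port type",
    87: "Ethernet type / switch interface",
    4108: "Client IP address",              # standard IAS name, not in the note
    4128: "Client friendly name",           # standard IAS name, not in the note
    4136: "Packet type",                    # standard IAS name, not in the note
    4142: "Reason code (0 = successful)",
    4149: "Network policy friendly name",
    4154: "Connection request policy name", # standard IAS name, not in the note
}


class IasEntry:
    """Header fields plus the ordered attribute pairs (repeats preserved)."""

    def __init__(self, header: Dict[str, str], attributes: List[Tuple[int, str]]):
        self.header = header
        self.attributes = attributes

    def get(self, code: int) -> Optional[str]:
        """First value recorded for an attribute code, or None if absent."""
        for c, v in self.attributes:
            if c == code:
                return v
        return None


def parse_ias_line(line: str) -> IasEntry:
    """Split one IAS line into header and code/value pairs; reject malformed lines."""
    fields = next(csv.reader([line.strip()]))
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("line shorter than the six-field header")
    header = dict(zip(HEADER_FIELDS, fields[:len(HEADER_FIELDS)]))
    rest = fields[len(HEADER_FIELDS):]
    if len(rest) % 2:
        raise ValueError("unpaired attribute code/value after the header")
    attributes = [(int(rest[i]), rest[i + 1]) for i in range(0, len(rest), 2)]
    return IasEntry(header, attributes)


def is_successful(entry: IasEntry) -> bool:
    """True when the entry carries reason code 4142 with value 0."""
    return entry.get(4142) == "0"


def describe(entry: IasEntry) -> List[str]:
    """One 'code name = value' line per attribute; unknown codes are flagged."""
    return [f"{c:>5} {ATTRIBUTE_NAMES.get(c, '(unknown attribute)')} = {v}"
            for c, v in entry.attributes]


def summarize(line: str) -> Dict[str, object]:
    """The fields a troubleshooter looks for first, pulled from one line."""
    e = parse_ias_line(line)
    return {
        "switch": e.header["nas_ip"],
        "user": e.header["user"],
        "client_mac": e.get(31),
        "switch_port": e.get(87),
        "framed_ip": e.get(8),
        "network_policy": e.get(4149),
        "connection_request_policy": e.get(4154),
        "reason_code": e.get(4142),
        "success": is_successful(e),
    }


# The note's own sample line (raw string keeps the backslash in domain\username).
SAMPLE_LINE = r"10.130.50.64,domain\username,08/03/2009,10:53:45,IAS,NAP01,44,000035F8,8,10.130.245.5,45,1,49,18,46,816,42,2140516,43,2525972,47,4738,48,7518,40,2,61,15,5,50112,87,FastEthernet1/0/12,30,00-1A-A1-98-3D-0E,31,00-11-25-24-D8-AA,25,311 1 fe80::459a:3414:7ed3:a424 07/30/2009 08:08:15 31327,6,2,4,10.130.50.64,41,0,4108,10.130.50.64,4116,9,4128,NAP Switches,4154,NAP 802.1X (Wired),4136,4,4142,0"

# Constructed line with a non-zero reason code, for contrast.
FAILED_LINE = r"10.130.50.64,domain\username,08/03/2009,10:55:02,IAS,NAP01,31,00-11-25-24-D8-AA,87,FastEthernet1/0/12,4142,65535"

if __name__ == "__main__":
    for text in describe(parse_ias_line(SAMPLE_LINE)):
        print(text)
    print(summarize(SAMPLE_LINE))
```

Feed each line of the IAS log through `summarize` and filter on `success` to list the authentications whose reason code was not 0; the `4154,65535` value in the constructed failure line is a placeholder, not a documented reason code.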
