Audit Network Policy Server

Applies to

  • Windows 10
  • Windows Server 2016

Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.

If you configure this subcategory, an audit event is generated for each IAS and NAP user access request.

This subcategory generates events only if NAS or IAS role is installed on the server.

NAP events can be used to help understand the overall health of the network.

Event volume: Medium to High on servers that are running Network Policy Server (NPS).

Role-specific subcategories are outside the scope of this document.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller IF IF IF IF IF – if a server has the Network Policy Server (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory.
Member Server IF IF IF IF IF – if a server has the Network Policy Server (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory.
Workstation No No No No Network Policy Server (NPS) role cannot be installed on client OS.

6272: Network Policy Server granted access to a user.

6273: Network Policy Server denied access to a user.

6274: Network Policy Server discarded the request for a user.

6275: Network Policy Server discarded the accounting request for a user.

6276: Network Policy Server quarantined a user.

6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.

6278: Network Policy Server granted full access to a user because the host met the defined health policy.

6279: Network Policy Server locked the user account due to repeated failed authentication attempts.

6280: Network Policy Server unlocked the user account.