Configure Network Policy Server Accounting

There are three types of logging for Network Policy Server (NPS):

  • Event logging. Used primarily for auditing and troubleshooting connection attempts. You can configure NPS event logging by opening the NPS properties in the NPS console.

  • Logging user authentication and accounting requests to a local file. Used primarily for connection analysis and billing purposes. Also useful as a security investigation tool because it provides you with a method of tracking the activity of a malicious user after an attack. You can configure local file logging using the Accounting Configuration wizard.

  • Logging user authentication and accounting requests to a Microsoft SQL Server XML-compliant database. Used to allow multiple servers running NPS to have one data source. Also provides the advantages of using a relational database. You can configure SQL Server logging by using the Accounting Configuration wizard.

Use the Accounting Configuration wizard

By using the Accounting Configuration wizard, you can configure the following four accounting settings:

  • SQL logging only. By using this setting, you can configure a data link to a SQL Server that allows NPS to connect to the SQL Server and send accounting data to it. In addition, the wizard can configure the database on the SQL Server to ensure that the database is compatible with NPS SQL Server logging.
  • Text logging only. By using this setting, you can configure NPS to log accounting data to a text file.
  • Parallel logging. By using this setting, you can configure the SQL Server data link and database. You can also configure text file logging so that NPS logs simultaneously to the text file and the SQL Server database.
  • SQL logging with backup. By using this setting, you can configure the SQL Server data link and database. In addition, you can configure text file logging that NPS uses if SQL Server logging fails.

In addition to these settings, both SQL Server logging and text logging allow you to specify whether NPS continues to process connection requests if logging fails. You can specify this in the Logging failure action section in local file logging properties, in SQL Server logging properties, and while you are running the Accounting Configuration Wizard.

To run the Accounting Configuration Wizard

To run the Accounting Configuration Wizard, complete the following steps:

  1. Open the NPS console or the NPS Microsoft Management Console (MMC) snap-in.
  2. In the console tree, click Accounting.
  3. In the details pane, in Accounting, click Configure Accounting.

Configure NPS Log File Properties

You can configure Network Policy Server (NPS) to perform Remote Authentication Dial-In User Service (RADIUS) accounting for user authentication requests, Access-Accept messages, Access-Reject messages, accounting requests and responses, and periodic status updates. You can use this procedure to configure the log files in which you want to store the accounting data.

For more information about interpreting log files, see Interpret NPS Database Format Log Files.

To prevent the log files from filling the hard drive, it is strongly recommended that you keep them on a partition that is separate from the system partition. The following provides more information about configuring accounting for NPS:

  • To send the log file data for collection by another process, you can configure NPS to write to a named pipe. To use named pipes, set the log file folder to \\.\pipe or \\ComputerName\pipe. The named pipe server program creates a named pipe called \\.\pipe\iaslog.log to accept the data. In the Local file properties dialog box, in Create a new log file, select Never (unlimited file size) when you use named pipes.

  • The log file directory can be created by using system environment variables (instead of user variables), such as %systemdrive%, %systemroot%, and %windir%. For example, the following path, using the environment variable %windir%, locates the log file in the system directory in the subfolder \System32\Logs (that is, %windir%\System32\Logs).

  • Switching log file formats does not cause a new log to be created. If you change log file formats, the file that is active at the time of the change will contain a mixture of the two formats (records at the start of the log will have the previous format, and records at the end of the log will have the new format).

  • If RADIUS accounting fails due to a full hard disk drive or other causes, NPS stops processing connection requests, preventing users from accessing network resources.

  • NPS provides the ability to log to a Microsoft® SQL Server™ database in addition to, or instead of, logging to a local file.

Membership in the Domain Admins group is the minimum required to perform this procedure.

To configure NPS log file properties

  1. Open the NPS console or the NPS Microsoft Management Console (MMC) snap-in.
  2. In the console tree, click Accounting.
  3. In the details pane, in Log File Properties, click Change Log File Properties. The Log File Properties dialog box opens.
  4. In Log File Properties, on the Settings tab, in Log the following information, ensure that you choose to log enough information to achieve your accounting goals. For example, if your logs need to accomplish session correlation, select all check boxes.
  5. In Logging failure action, select If logging fails, discard connection requests if you want NPS to stop processing Access-Request messages when log files are full or unavailable for some reason. If you want NPS to continue processing connection requests if logging fails, do not select this check box.
  6. In the Log File Properties dialog box, click the Log File tab.
  7. On the Log File tab, in Directory, type the location where you want to store NPS log files. The default location is the systemroot\System32\LogFiles folder.
    If you do not supply a full path statement in Log File Directory, the default path is used. For example, if you type NPSLogFile in Log File Directory, the file is located at %systemroot%\System32\NPSLogFile.
  8. In Format, click DTS Compliant. If you prefer, you can instead select a legacy file format, such as ODBC (Legacy) or IAS (Legacy).
    The ODBC and IAS legacy file types contain a subset of the information that NPS sends to its SQL Server database. The DTS Compliant file type's XML format is identical to the XML format that NPS uses to import data into its SQL Server database. Therefore, the DTS Compliant file format provides a more efficient and complete transfer of data into the standard SQL Server database for NPS.
  9. In Create a new log file, to configure NPS to start new log files at specified intervals, click the interval that you want to use:
    • For heavy transaction volume and logging activity, click Daily.
    • For lesser transaction volumes and logging activity, click Weekly or Monthly.
    • To store all transactions in one log file, click Never (unlimited file size).
    • To limit the size of each log file, click When log file reaches this size, and then type a file size, after which a new log is created. The default size is 10 megabytes (MB).
  10. If you want NPS to delete old log files to create disk space for new log files when the hard disk is near capacity, ensure that When disk is full delete older log files is selected. This option is not available, however, if the value of Create a new log file is Never (unlimited file size). Also, if the oldest log file is the current log file, it is not deleted.

Configure NPS SQL Server Logging

You can use this procedure to log RADIUS accounting data to a local or remote database running Microsoft SQL Server.

Note

NPS formats accounting data as an XML document that it sends to the report_event stored procedure in the SQL Server database that you designate in NPS. For SQL Server logging to function properly, you must have a stored procedure named report_event in the SQL Server database that can receive and parse the XML documents from NPS.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To configure SQL Server logging in NPS

  1. Open the NPS console or the NPS Microsoft Management Console (MMC) snap-in.
  2. In the console tree, click Accounting.
  3. In the details pane, in SQL Server Logging Properties, click Change SQL Server Logging Properties. The SQL Server Logging Properties dialog box opens.
  4. In Log the following information, select the information that you want to log:
    • To log all accounting requests, click Accounting requests.
    • To log authentication requests, click Authentication requests.
    • To log periodic accounting status, click Periodic accounting status.
    • To log periodic status, such as interim accounting requests, click Periodic status.
  5. To configure the number of concurrent sessions allowed between the server running NPS and the SQL Server, type a number in Maximum number of concurrent sessions.
  6. To configure the SQL Server data source, in SQL Server Logging, click Configure. The Data Link Properties dialog box opens. On the Connection tab, specify the following:
    • To specify the name of the server on which the database is stored, type or select a name in Select or enter a server name.
    • To specify the authentication method with which to log on to the server, click Use Windows NT integrated security. Or, click Use a specific user name and password, and then type credentials in User name and Password.
    • To allow a blank password, click Blank password.
    • To store the password, click Allow saving password.
    • To specify which database to connect to on the computer running SQL Server, click Select the database on the server, and then select a database name from the list.
  7. To test the connection between NPS and SQL Server, click Test Connection. Click OK to close Data Link Properties.
  8. In Logging failure action, select Enable text file logging for failover if you want NPS to continue with text file logging if SQL Server logging fails.
  9. In Logging failure action, select If logging fails, discard connection requests if you want NPS to stop processing Access-Request messages when log files are full or unavailable for some reason. If you want NPS to continue processing connection requests if logging fails, do not select this check box.

Ping user-name

Some RADIUS proxy servers and network access servers periodically send authentication and accounting requests (known as ping requests) to verify that the NPS is present on the network. These ping requests include fictional user names. When NPS processes these requests, the event and accounting logs become filled with Access-Reject records, making it more difficult to keep track of valid records.

When you configure a registry entry for ping user-name, NPS matches the registry entry value against the user name value in ping requests sent by other servers. A ping user-name registry entry specifies the fictional user name (or a user name pattern, with variables, that matches the fictional user name) sent by RADIUS proxy servers and network access servers. When NPS receives ping requests that match the ping user-name registry entry value, NPS rejects the authentication requests without processing them. NPS does not record transactions involving the fictional user name in any log files, which makes the event log easier to interpret.

Ping user-name is not installed by default. You must add ping user-name to the registry. You can add an entry to the registry using Registry Editor.
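Before you decide which fictional name (or pattern) to put in ping user-name, it helps to see which user names are actually behind the Access-Reject noise in the accounting log. The following PowerShell script is an added example, not code from this page or from Microsoft: it parses DTS Compliant records (one `<Event>` XML element per line, with the field names the format uses), skips any lines that are not DTS records (the mixed-format situation described earlier, where a file that was active during a format switch contains records in both formats), and summarizes Access-Reject records by user name. The log content, the computer name NPS01, the user names, the client addresses and the two leading comma-separated lines standing in for legacy records are all constructed for the example; the legacy lines illustrate only that such lines are skipped, not the exact legacy column layout.

```powershell
# Added example, not code from the Microsoft page: parse NPS "DTS Compliant"
# accounting log lines, tolerate non-DTS (legacy) lines left in the same file
# after a format switch, and summarize Access-Reject records by user name so
# that the fictional names used by ping requests stand out.

# Constructed sample log content. The first two comma-separated lines stand in
# for legacy-format records that preceded a switch to DTS Compliant; the rest
# are DTS Compliant records with constructed values.
$sampleLog = @'
"NPS01","IAS",03/01/2024,10:14:55,1,"CONTOSO\alice","10.0.0.5"
"NPS01","IAS",03/01/2024,10:14:55,2,"CONTOSO\alice","10.0.0.5"
<Event><Timestamp data_type="4">03/01/2024 10:15:02.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">03/01/2024 10:15:02.010</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">03/01/2024 10:15:30.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">probe-nps01</User-Name><Client-IP-Address data_type="3">10.0.0.9</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/01/2024 10:16:30.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">probe-nps01</User-Name><Client-IP-Address data_type="3">10.0.0.9</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/01/2024 10:17:30.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">probe-nps01</User-Name><Client-IP-Address data_type="3">10.0.0.9</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/01/2024 10:18:05.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
'@

# RADIUS packet codes as they appear in the Packet-Type field.
$PacketTypeNames = @{ 1 = 'Access-Request'; 2 = 'Access-Accept'; 3 = 'Access-Reject'; 4 = 'Accounting-Request' }

function Get-DtsField {
    # Text of a child element of <Event>, or $null when the element is absent
    # (Reason-Code, for example, is not present on every record).
    param([System.Xml.XmlElement]$Event, [string]$Name)
    $node = $Event.SelectSingleNode($Name)
    if ($null -ne $node) { $node.InnerText } else { $null }
}

function ConvertFrom-NpsDtsLog {
    # Parses DTS Compliant lines into objects; non-DTS lines are counted, not fatal.
    param([Parameter(Mandatory)][string[]]$Lines)
    $records = New-Object 'System.Collections.Generic.List[object]'
    $skipped = 0
    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if (-not $trimmed.StartsWith('<Event>')) { if ($trimmed) { $skipped++ }; continue }
        try { $doc = [xml]$trimmed } catch { $skipped++; continue }
        $ev = $doc.DocumentElement
        $type = [int](Get-DtsField $ev 'Packet-Type')
        $typeName = if ($PacketTypeNames.ContainsKey($type)) { $PacketTypeNames[$type] } else { "Type-$type" }
        $records.Add([pscustomobject]@{
            Timestamp  = Get-DtsField $ev 'Timestamp'
            Computer   = Get-DtsField $ev 'Computer-Name'
            UserName   = Get-DtsField $ev 'User-Name'
            ClientIP   = Get-DtsField $ev 'Client-IP-Address'
            PacketType = $typeName
            ReasonCode = Get-DtsField $ev 'Reason-Code'
        })
    }
    [pscustomobject]@{ Records = $records; Skipped = $skipped }
}

function Get-RejectSummary {
    # Groups Access-Reject records by user name, most frequent first, with the
    # client addresses and time span for each name.
    param([Parameter(Mandatory)][object[]]$Records)
    $Records | Where-Object PacketType -eq 'Access-Reject' |
        Group-Object UserName | Sort-Object Count -Descending | ForEach-Object {
            [pscustomobject]@{
                UserName  = $_.Name
                Rejects   = $_.Count
                Sources   = ($_.Group.ClientIP | Sort-Object -Unique) -join ','
                FirstSeen = $_.Group[0].Timestamp
                LastSeen  = $_.Group[-1].Timestamp
            }
        }
}

$parsed = ConvertFrom-NpsDtsLog -Lines ($sampleLog -split "`r?`n")
"Parsed $($parsed.Records.Count) DTS Compliant record(s); skipped $($parsed.Skipped) non-DTS line(s)."
Get-RejectSummary -Records $parsed.Records | Format-Table -AutoSize
```

With the constructed input the script reports six parsed records and two skipped lines, and the summary lists probe-nps01 with three rejects from a single address ahead of CONTOSO\alice with one. A name that is rejected at a fixed interval from one source and never accepted is the pattern a ping request leaves, and it is the candidate for the ping user-name value; a real account with a single reject stays in the log where it belongs. To run it against a real log, replace `$sampleLog` with `Get-Content` on the file in the directory configured in Log File Properties.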

Caution

Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To add ping user-name to the registry

Ping user-name can be added to the following registry key as a string value by a member of the local Administrators group:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IAS\Parameters

  • Name: ping user-name
  • Type: REG_SZ
  • Data: User name

Tip

To indicate more than one user name for a ping user-name value, enter a name pattern, such as a DNS name, including wildcard characters, in Data.
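The same registry change can be made from an elevated PowerShell session instead of Registry Editor. The script below is an added example, not code from this page or from Microsoft: it exports the Parameters key to a .reg file first (the backup the caution above calls for), creates or updates the ping user-name REG_SZ value, and reads it back to confirm the type and data. The pattern probe-* and the backup location under %TEMP% are assumptions for the example; use the name or pattern your RADIUS proxies and network access servers actually send.

```powershell
# Added example, not from the Microsoft page: add or update the ping user-name
# value under the NPS (IAS) Parameters key, backing the key up first and
# verifying the result. Run as a member of the local Administrators group.

$keyPath    = 'HKLM:\System\CurrentControlSet\Services\IAS\Parameters'
$exportKey  = 'HKLM\System\CurrentControlSet\Services\IAS\Parameters'   # reg.exe syntax for the same key
$valueName  = 'ping user-name'
$pattern    = 'probe-*'      # assumed name pattern; wildcards are allowed per the page's tip
$backupFile = Join-Path $env:TEMP ('IAS-Parameters-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

if (-not (Test-Path $keyPath)) {
    throw "$keyPath not found; is the Network Policy Server role installed on this computer?"
}

# Back up the key before touching it, as the caution recommends.
& reg.exe export $exportKey $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; not changing $keyPath" }

# Create the value if it is missing, otherwise update it in place.
$existing = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -ne $existing) {
    Write-Host "Current '$valueName' is '$($existing.$valueName)'; updating to '$pattern'"
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $pattern -Type String
} else {
    New-ItemProperty -Path $keyPath -Name $valueName -Value $pattern -PropertyType String | Out-Null
}

# Read back and confirm the value is REG_SZ with the expected data.
$item = Get-Item -Path $keyPath
$kind = $item.GetValueKind($valueName)
$data = $item.GetValue($valueName)
if ($kind -ne 'String' -or $data -ne $pattern) {
    throw "Verification failed: kind=$kind data='$data' (expected REG_SZ '$pattern')"
}
"'$valueName' = '$data' (REG_SZ) under $keyPath; backup written to $backupFile"
```

Keep the backup .reg file until you have confirmed that genuine ping requests are now rejected silently and that no legitimate account name matches the pattern; if the pattern is too broad, `reg.exe import` of the backup restores the previous state of the key.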