Monitoring Scenarios

The Network Policy Server Management Pack manages the logical parts of Network Policy Server that an operator or administrator is interested in monitoring, configuring, or reporting on. Each of the following components is critical to Network Policy Server infrastructure.

| Component | Component Description |
| --- | --- |
| Network Policy Server (NPS) | Network Policy Server (NPS) provides authentication, authorization, and accounting services for network access servers, such as IEEE 802.1X authenticating switches and wireless access points, virtual private network (VPN) servers, dial-up servers, and computers running Windows Server 2008 with Terminal Services Gateway (TS Gateway). |
| NPS Accounting | Network Policy Server (NPS) accounting is the logging of user authentication and accounting requests to a local file or a SQL Server database. |
| NPS RADIUS Proxy | Network Policy Server (NPS) can be used as a RADIUS proxy to provide the routing of RADIUS messages between RADIUS clients (access servers) and RADIUS servers that perform user authentication, authorization, and accounting for the connection attempt. When used as a RADIUS proxy, NPS is a central switching or routing point through which RADIUS access and accounting messages flow. NPS records information about forwarded messages in an accounting log. |
| NPS Network Access Protection | Network Access Protection (NAP) is a client health policy creation, enforcement, and remediation technology that is included in Windows Vista® and Windows Server 2008. With NAP, you can establish health policies that define software requirements, security update requirements, and required configuration settings for computers that connect to your network. |
| NPS RADIUS Server | Network Policy Server (NPS) can be used as a RADIUS server to perform authentication, authorization, and accounting for RADIUS clients. A RADIUS client can be either a network access server or a RADIUS proxy. When NPS is used as a RADIUS server, it provides a central authentication and authorization service for all access requests and a central accounting service for all accounting requests that are sent by RADIUS clients. |
| NPS RADIUS Client | A network access server (NAS) is a device that provides some level of access to a larger network. A NAS using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting. Client computers, such as wireless laptop computers and other computers running client operating systems, are not RADIUS clients. |

The following sections describe the aspects (operations or types of functionality that a component is designed to perform) and the health states of each component in the Network Policy Server Management Pack, as listed in the previous table. This management pack includes monitoring capabilities for detecting the yellow and red health states in the listed components.

The Windows Server 2008 Network Policy Server Management Pack is designed to monitor the various health states of Network Policy Server. Health states are indicated by color:

  • Green: normal operation
  • Yellow: degraded operation
  • Red: failure

Each health state is related to an aspect. Health states are detected by Detection Rules.

Although the Network Policy Server Management Pack has the ability to detect transitions to specific health states, not all rules in the management pack have been designed to take advantage of the State feature of MOM. In these cases, transitions to specific health states are exposed only through the generation of Alerts and the relevant health state change is not reflected on the Network Policy Server Role and related State Views.

For more information about aspects, see the Errors and Events page in the Windows Server 2008 Technical Library (https://go.microsoft.com/fwlink/?LinkId=107564).

Network Policy Server

| Aspect | Yellow health state | Red health state |
| --- | --- | --- |
| NPS Accounting Request Message Processing | Network Policy Server (NPS) discarded an accounting request because the structure of the accounting request message does not comply with the RADIUS protocol. Accounting data for the connection request is not recorded in the NPS log file or SQL Server database when accounting request messages are discarded. | Not applicable |
| NPS Authentication Status | When Network Policy Server (NPS) is configured as a RADIUS server, it performs authentication, authorization, and accounting for connection requests received from configured RADIUS clients. If authentication fails, the user is denied access. | Not applicable |
| NPS Processing Status | This error is typically reported when Network Policy Server (NPS) receives this error from a security subsystem. NPS cannot identify the cause of the subsystem error. | Not applicable |
| NPS License Compliance | Not applicable | An attempt to configure Network Policy Server (NPS) failed because the configuration is not compliant with the feature set for this version of Windows Server 2008. |
| NPS Server Performance | Network Policy Server (NPS) or another component on which NPS depends, such as Active Directory Domain Service (AD DS) or SQL Server, is overloaded. Connection request processing is taking place. | Not applicable |
| NPS and Domain Controller Communication | Network Policy Server (NPS) cannot contact one or more domain controllers, so NPS is using other, available domain controllers to authenticate and authorize connection requests. | No domain controllers are available and Network Policy Server (NPS) cannot process connection requests. All users connecting to network access servers that are configured as RADIUS clients on the server running NPS will be denied network access. |

NPS Accounting

| Aspect | Yellow health state | Red health state |
| --- | --- | --- |
| NPS Accounting Message Processing | Network Policy Server (NPS) discarded an accounting request. In Windows Server 2008, NPS always logs accounting data locally. However, if SQL logging is configured, NPS also logs to the SQL Server database. When NPS attempts to log to SQL Server and cannot, it discards the request message. | Not applicable |
| NPS Local Log File Status | Not applicable | NPS Local Log File Status |

NPS RADIUS Proxy

| Aspect | Yellow health state | Red health state |
| --- | --- | --- |
| Remote RADIUS Server Availability | The Network Policy Server (NPS) proxy is not receiving responses from a remote RADIUS server due to a network error or another problem. NPS cannot forward connection requests to the remote RADIUS server for processing. | The Network Policy Server (NPS) proxy cannot resolve the name of the remote RADIUS server and therefore cannot forward connection requests to it. The remote RADIUS server cannot process connection requests, and users cannot access the network. |
| NPS Proxy Configuration | On the Network Policy Server (NPS) proxy, a remote RADIUS server is configured with the IP address of the local computer. Due to this configuration error, the NPS proxy cannot forward connection requests to the remote RADIUS server, and users might not be able to access the network. | Not applicable |
| Remote RADIUS Server Configuration | The Network Policy Server (NPS) proxy received a response from a remote RADIUS server whose IP address is not known to the NPS proxy. There is a configuration error on either the local or remote computer. | Not applicable |
| Remote RADIUS Server Response Status | The Network Policy Server (NPS) proxy received an invalid response from a member of a remote RADIUS server group. For this reason, users might not be able to access the network. | Not applicable |

NPS Network Access Protection

| Aspect | Yellow health state | Red health state |
| --- | --- | --- |
| NAP Client Health Status | The user has limited or restricted network access. Users who are quarantined will be denied full network access, but will be allowed to connect to a restricted network where remediation servers provide client computers with the updates they need to comply with health policy. Users who are placed on probation are granted full network access until the probation period defined in the network policy expires, at which time users will be allowed access only to a restricted network where their computers can obtain updates. For noncompliant NAP clients to obtain updates on the restricted network, you must have already deployed remediation servers. | Not applicable |

NPS RADIUS Server

| Aspect | Yellow health state | Red health state |
| --- | --- | --- |
| NPS Server Communication | Network Policy Server (NPS) received a malformed message from a RADIUS client. NPS cannot process connection requests that are contained in malformed messages. For this reason, users might be denied access to the network. | Not applicable |
| RADIUS Client Availability | Windows Sockets returned an error to NPS. | Not applicable |

NPS RADIUS Client

| Aspect | Yellow health state | Red health state |
| --- | --- | --- |
| RADIUS Client Configuration | Network Policy Server (NPS) cannot communicate with a RADIUS client due to an incorrect IP address or another problem. Users might be denied access to the network. | Not applicable |
| RADIUS Client Communication | Network Policy Server (NPS) cannot communicate with a RADIUS client because the RADIUS message size is too large or the Message Authenticator attribute is missing. Users might be denied access to the network. | Not applicable |
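
Several yellow health states above (accounting requests whose structure does not comply with the RADIUS protocol, malformed messages from a RADIUS client, an oversized message, a missing Message Authenticator attribute) come down to structural checks on a RADIUS datagram. The following added example, which is not part of the management pack or of NPS, shows those checks in Python so that an operator can classify a captured packet when triaging such an alert. The size limits and attribute type come from RFC 2865 and RFC 2869; the function names, the require_message_authenticator parameter and the sample packets are assumptions made for the illustration, and the Message-Authenticator value itself is not verified because that needs the shared secret.

```python
import struct

HEADER_LEN, MAX_LEN = 20, 4096      # RFC 2865: fixed header size, maximum packet size
ACCESS_REQUEST = 1                  # RADIUS Code for Access-Request
MESSAGE_AUTHENTICATOR = 80          # attribute type; 2-byte header + 16-byte value

def check_radius_packet(data, require_message_authenticator=True):
    """Return the structural problems found in one RADIUS datagram ([] if none)."""
    if len(data) < HEADER_LEN:
        return ["shorter than the RADIUS header"]
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        return ["Length field does not match the datagram"]
    if length > MAX_LEN:
        return ["message size too large"]
    problems, seen, pos = [], set(), HEADER_LEN
    while pos < length:                       # walk the type-length-value attributes
        if pos + 2 > length:
            problems.append("truncated attribute header")
            break
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            problems.append(f"attribute {a_type} has invalid length {a_len}")
            break
        if a_type == MESSAGE_AUTHENTICATOR and a_len != 18:
            problems.append("Message-Authenticator has the wrong length")
        seen.add(a_type)
        pos += a_len
    if (code == ACCESS_REQUEST and require_message_authenticator
            and not problems and MESSAGE_AUTHENTICATOR not in seen):
        problems.append("Message-Authenticator attribute is missing")
    return problems

def build_packet(code, attrs, length=None):
    """Construct a sample packet (zeroed authenticator) for the demonstration."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    total = HEADER_LEN + len(body) if length is None else length
    return struct.pack("!BBH", code, 1, total) + bytes(16) + body

# Constructed samples, not captured traffic.
SAMPLES = {
    "well formed": build_packet(1, [(1, b"alice"), (80, bytes(16))]),
    "no Message-Authenticator": build_packet(1, [(1, b"alice")]),
    "bad attribute length": build_packet(4, [], length=22) + b"\x01\x01",
    "oversized": build_packet(1, [(26, bytes(250))] * 17),
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(f"{name}: {check_radius_packet(packet) or 'ok'}")
```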