Interpret IAS Format Log Files

Applies To: Windows Server 2008, Windows Server 2008 R2

In the Windows NT 4.0 version of Internet Authentication Service (IAS), log files are formatted by using a method in which attributes are logged as attribute-value pairs. This formatting is supported by Network Policy Server (NPS) in Windows Server 2008 and by IAS in Windows Server 2003 and Windows 2000 Server. The logs that use this format are referred to as IAS format log files. However, in Windows Server 2008, Windows Server 2003, and Windows 2000, this format supports the inclusion of additional information in the log file:

  • In addition to accounting messages (Accounting-On, Accounting-Off, Accounting-Start, Accounting-Stop, and Accounting-Interim), the NPS server also logs authentication messages (Access-Request, Access-Accept, and Access-Reject).

  • All string attributes that contain either unprintable characters or delimiters are printed in hexadecimal format (for example, 0x026).

  • If NPS receives an attribute (RADIUS-standard or vendor-specific) that is not defined in the NPS dictionary, it is logged as a string.

Note

Unless you have migration, compatibility, or other issues that require you to use IAS format, use the database-compatible format or SQL Server logging. Although a database-compatible log file contains a smaller subset of attributes, it contains the attributes required to support most tracking and accounting activities.

Entries recorded in IAS format log files

The following is an example entry (Access-Request) from an IAS format log file.

10.10.10.10,client,06/04/1999,14:42:19,NPS,CLIENTCOMP,6,2,7,1,5,9,61,5,64,1,65,1,31,1

The format of this record, which is the same for all records in your log file, includes a header, followed by the attribute-value pairs for all attributes that are contained in the packet.

The first six record fields make up the header and are described in the following table.

| Value shown in example | Attribute | ID | Data type | Represents |
|---|---|---|---|---|
| 10.10.10.10 | NAS-IP-Address | IAS Header | Text | The IP address of the network access server (NAS) that is sending the request. |
| client | User-Name | IAS Header | Text | The user name that is requesting access. |
| 06/04/1999 | Record-Date | IAS Header | Time | The date that the log is written. |
| 14:42:19 | Record-Time | IAS Header | Time | The time that the log is written. |
| NPS | Service-Name | IAS Header | Text | The name of the service that is running on the RADIUS server. |
| CLIENTCOMP | Computer-Name | IAS Header | Text | The name of the RADIUS server. |

Beyond the header, RADIUS attributes and values are listed in pairs in the following format:

<AttributeNumber1>,<ValueForAttributeNumber1>,<AttributeNumber2>,<ValueForAttributeNumber2>

For example, the two fields after the header contain a 6 and a 2, which can be interpreted as follows:

  • The number 6 represents the RADIUS ID for the Service-Type.

  • The number 2 represents the attribute value for the Service-Type. The RADIUS protocol specifies the following values for the Service-Type attribute:

    • 1 = Login

    • 2 = Framed

    • 3 = Callback Login

    • 4 = Callback Framed

    • 5 = Outbound

    • 6 = Administrative

    • 7 = NAS Prompt

    • 8 = Authenticate Only

    • 9 = Callback NAS Prompt

The value of this attribute is 2 (Framed).

This attribute-value pair is interpreted as Service-Type = Framed, which indicates to the NPS server to provide a framed protocol for the user – for example, Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP).

The following table describes the RADIUS attributes, listed in numerical order, which can be found in an IAS format log file. Unlike database import log files, which use a fixed sequence of attributes, the sequence of the attributes in IAS format log files depends upon the sequence used by the network access server (NAS). For additional information about the sequence of these records, see the documentation for the NAS.

Additional information

  • This table does not cover vendor-specific attributes (VSAs). For more information about VSAs that are supported by your NAS, see your NAS documentation.

  • The entries in the ID column that begin with "IAS" are NPS/IAS-specific attributes. They are not found in the RADIUS protocol.

| Attribute | ID | Data type | Represents |
|---|---|---|---|
| User-Name | 1 | Text | The user identity, as specified by the user. |
| NAS-IP-Address | 4 | Text | The IP address of the NAS originating the request. |
| NAS-Port | 5 | Number | The physical port number of the NAS originating the request. |
| Service-Type | 6 | Number | The type of service that the user has requested. |
| Framed-Protocol | 7 | Number | The protocol to be used. |
| Framed-IP-Address | 8 | Text | The framed IP address to be configured for the user. |
| Framed-IP-Netmask | 9 | Text | The IP netmask to be configured for the user. |
| Framed-Routing | 10 | Number | The routing method to be used by the user. |
| Filter-ID | 11 | Text | The name of the filter list for the user requesting authentication. |
| Framed-MTU | 12 | Number | The maximum transmission unit (MTU) to be configured for the user. |
| Framed-Compression | 13 | Number | The compression protocol to be used. |
| Login-IP-Host | 14 | Number | The IP address of the host to which the user should be connected. |
| Login-Service | 15 | Number | The service that connects the user to the login host. |
| Login-TCP-Port | 16 | Number | The TCP port to which the user is to be connected. |
| Reply-Message | 18 | Text | The message displayed to the user when an authentication request is accepted. |
| Callback-Number | 19 | Text | The callback phone number. |
| Callback-ID | 20 | Text | The name of a location to be called by the access server when performing callback. |
| Framed-Route | 22 | Text | The routing information that is configured on the access client. |
| Framed-IPX-Network | 23 | Number | The Internetwork Packet Exchange (IPX) network number to be configured on the NAS for the user. |
| Class | 25 | Text | The attribute sent to the client in an Access-Accept packet, which is useful for correlating Accounting-Request packets with authentication sessions. The format is: |

  • Type contains the value 25 (1 octet).

  • Length contains a value of 20 or greater (1 octet).

  • Checksum contains an Adler-32 checksum that is computed over the remainder of the Class attribute (4 octets).

  • Vendor-ID contains the ID of the NAS vendor (4 octets). The high-order octet is 0 and the low-order 3 octets are the SMI Network Management Private Enterprise Code of the vendor in network byte order, as defined in "Private Enterprise Numbers" at https://go.microsoft.com/fwlink/?LinkId=131594.

  • Version contains the value of 1 (2 octets).

  • Server-Address contains the IP address of the RADIUS server that issued the Access-Challenge message. For multihomed servers, this is the address of the network interface that received the original Access-Request message (2 octets).

  • Service-Reboot-Time specifies the time at which the first serial number was returned (8 octets).

  • Unique-Serial-Number contains a unique number to distinguish an individual connection attempt (8 octets).

  • String contains information that is used to classify accounting records for additional analysis (0 or more octets). In NPS, the Class attribute is copied into the String field.

The Class attribute is used to match the accounting and authentication records if it is sent by the NAS in the Accounting-Request message. The combination of Serial-Number, Service-Reboot-Time, and Server-Address must be a unique identification for each authentication that the RADIUS server performs.

| Attribute | ID | Data type | Represents |
|---|---|---|---|
| Vendor-Specific | 26 | Text | The attribute that is used to support proprietary NAS features. |
| Session-Timeout | 27 | Number | The length of time (in seconds) before a session is terminated. |
| Idle-Timeout | 28 | Number | The length of idle time (in seconds) before a session is terminated. |
| Termination-Action | 29 | Number | The action that the NAS is to take when service is completed. |
| Called-Station-ID | 30 | Text | The phone number that is dialed by the user. |
| Calling-Station-ID | 31 | Text | The phone number from which the call originated. |
| NAS-Identifier | 32 | Text | The string that identifies the NAS originating the request. |
| Login-LAT-Service | 34 | Text | The host with which the user is to be connected by Local Area Transport (LAT). |
| Login-LAT-Node | 35 | Text | The node with which the user is to be connected by LAT. |
| Login-LAT-Group | 36 | Text | The LAT group codes for which the user is authorized. |
| Framed-AppleTalk-Link | 37 | Number | The AppleTalk network number for the serial link to the user (this is used only when the user is a router). |
| Framed-AppleTalk-Network | 38 | Number | The AppleTalk network number that the NAS must query for existence in order to allocate the user AppleTalk node. |
| Framed-AppleTalk-Zone | 39 | Text | The AppleTalk default zone for the user. |
| Acct-Status-Type | 40 | Number | The number that specifies whether an accounting packet starts or stops a bridging, routing, or Terminal Services session. |
| Acct-Delay-Time | 41 | Number | The length of time (in seconds) for which the NAS has been sending the same accounting packet. |
| Acct-Input-Octets | 42 | Number | The number of octets received by NPS during the session. |
| Acct-Output-Octets | 43 | Number | The number of octets sent by NPS during the session. |
| Acct-Session-ID | 44 | Text | The unique numeric string that identifies the server session. |
| Acct-Authentic | 45 | Number | The number that specifies which server has authenticated an incoming call. |
| Acct-Session-Time | 46 | Number | The length of time (in seconds) for which the session has been active. |
| Acct-Input-Packets | 47 | Number | The number of packets received by NPS during the session. |
| Acct-Output-Packets | 48 | Number | The number of packets sent by NPS during the session. |
| Acct-Terminate-Cause | 49 | Number | The reason that a connection was terminated by NPS. |
| Acct-Multi-SSN-ID | 50 | Text | The unique numeric string that identifies the multilink session. |
| Acct-Link-Count | 51 | Number | The number of links in a multilink session. |
| Event-Timestamp | 55 | Time | The date and time that this event occurred on the NAS. |
| NAS-Port-Type | 61 | Number | The type of physical port that is used by the NAS originating the request. |
| Port-Limit | 62 | Number | The maximum number of ports that the NAS provides to the user. |
| Login-LAT-Port | 63 | Number | The port with which the user is connected by LAT. |
| Tunnel-Type | 64 | Number | The tunneling protocols to be used. |
| Tunnel-Medium-Type | 65 | Number | The transport medium to use when creating a tunnel for protocols. For example, L2TP packets can be sent over multiple link layers. |
| Tunnel-Client-Endpt | 66 | Text | The IP address of the tunnel client. |
| Tunnel-Server-Endpt | 67 | Text | The IP address of the tunnel server. |
| Acct-Tunnel-Connection | 68 | Text | An identifier assigned to the tunnel. |
| Password-Retry | 75 | Number | The number of times a user can try to be authenticated before the NAS terminates the connection. |
| Prompt | 76 | Number | A number that indicates to the NAS whether or not it should (Prompt=1) or should not (Prompt=0) echo the user response as it is typed. |
| Connect-Info | 77 | Text | Information that is used by the NAS to specify the type of connection made. Typical information includes connection speed and data encoding protocols. |
| Configuration-Token | 78 | Text | The type of user profile to be used (sent from a RADIUS proxy server to a RADIUS client) in an Access-Accept packet. |
| Tunnel-Pvt-Group-ID | 81 | Text | The group ID for a specific tunneled session. |
| Tunnel-Assignment-ID | 82 | Text | The tunnel to which a session is to be assigned. |
| Tunnel-Preference | 83 | Number | A number that indicates the preference of the tunnel type, as indicated by the Tunnel-Type attribute when multiple tunnel types are supported by the NAS. |
| Acct-Interim-Interval | 85 | Number | The length of interval (in seconds) between each interim update sent by the NAS. |
| Ascend | 107 to 255 | Text | The vendor-specific attributes for Ascend. For more information, see the Ascend documentation. |
| Client-IP-Address | IAS 4108 | Text | The IP address of the RADIUS client. |
| NAS-Manufacturer | IAS 4116 | Number | The manufacturer of the NAS. |
| MS-CHAP-Error | IAS 4121 | Number | The error data that describes a Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) transaction. |
| Authentication-Type | IAS 4127 | Number | The authentication scheme that is used to verify the user. |
| Client-Friendly-Name | IAS 4128 | Text | The friendly name for the RADIUS client. |
| SAM-Account-Name | IAS 4129 | Text | The user account name in the Security Accounts Manager (SAM) database. |
| Fully-Qualified-User-Name | IAS 4130 | Text | The user name in canonical format. |
| EAP-Friendly-Name | IAS 4132 | Text | The friendly name that is used with Extensible Authentication Protocol (EAP). |
| Packet-Type | IAS 4136 | Number | The type of packet, which can be: |

  • 1 = Access-Request

  • 2 = Access-Accept

  • 3 = Access-Reject

  • 4 = Accounting-Request

| Attribute | ID | Data type | Represents |
|---|---|---|---|
| Reason-Code | IAS 4142 | Number | The reason for rejecting a connection request: |

  • 00 = Success

  • 01 = Internal error

  • 02 = Access denied

  • 03 = Malformed request

  • 04 = Global catalog unavailable

  • 05 = Domain unavailable

  • 06 = Server unavailable

  • 07 = No such domain

  • 08 = No such user

  • 16 = Authentication failure

  • 17 = Password change failure

  • 18 = Unsupported authentication type

  • 19 = No reversibly encrypted password is stored for the user account

  • 32 = Local users only

  • 33 = Password must be changed

  • 34 = Account disabled

  • 35 = Account expired

  • 36 = Account locked out

  • 37 = Logon hours are not valid

  • 38 = Account restriction

  • 48 = Did not match network policy

  • 49 = Did not match connection request policy

  • 64 = Dial-in locked out

  • 65 = Dial-in disabled

  • 66 = Authentication type is not valid

  • 67 = Calling station is not valid

  • 68 = Dial-in hours are not valid

  • 69 = Called station is not valid

  • 70 = Port type is not valid

  • 71 = Restriction is not valid

  • 80 = No record

  • 96 = Session timed out

  • 97 = Unexpected request

| Attribute | ID | Data type | Represents |
|---|---|---|---|
| NP-Policy-Name | IAS 4149 | Text | The friendly name of a network policy. |
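
The record layout and the Packet-Type and Reason-Code values described above can be applied programmatically. The following Python parser is an added example, not code from the original page or from Microsoft; it splits a record into header and attribute-value pairs and counts Access-Reject records per user and reason. It assumes that IAS-specific attributes appear in the record under their numeric ID (4136, 4142) and that hex-encoded strings are `0x` followed by byte pairs; the function names and all sample records except the first are constructed for illustration.

```python
from collections import Counter
HEADER = ("NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
          "Service-Name", "Computer-Name")
ATTR = {5: "NAS-Port", 6: "Service-Type", 7: "Framed-Protocol", 31: "Calling-Station-ID",
        61: "NAS-Port-Type", 4136: "Packet-Type", 4142: "Reason-Code"}
ENUMS = {  # ATTR and ENUMS are subsets of the tables on this page
    "Service-Type": {1: "Login", 2: "Framed", 6: "Administrative"},
    "Packet-Type": {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"},
    "Reason-Code": {0: "Success", 16: "Authentication failure", 36: "Account locked out"},
}

def decode_hex(value):
    """Decode a 0x-prefixed string; leave it unchanged if not byte-aligned hex."""
    if value.startswith("0x"):
        try:
            return bytes.fromhex(value[2:]).decode("latin-1")
        except ValueError:
            pass
    return value

def parse_record(line):
    """Return (header dict, [(attribute name, value), ...]) for one record."""
    fields = line.strip().split(",")
    if len(fields) < 6 or (len(fields) - 6) % 2:
        raise ValueError("expected 6 header fields plus attribute,value pairs")
    attrs = []  # a list, not a dict: the NAS sets the order and IDs can repeat
    for attr_id, raw in zip(fields[6::2], fields[7::2]):
        name = ATTR.get(int(attr_id), "attr-" + attr_id)  # not in ATTR: keep the ID
        value = decode_hex(raw)
        if name in ENUMS and value.isdigit():
            value = ENUMS[name].get(int(value), value)
        attrs.append((name, value))
    return dict(zip(HEADER, fields[:6])), attrs

def rejects(lines):
    """Count Access-Reject records per (user name, reason)."""
    counts = Counter()
    for header, attrs in map(parse_record, lines):
        found = dict(attrs)
        if found.get("Packet-Type") == "Access-Reject":
            counts[header["User-Name"], found.get("Reason-Code", "?")] += 1
    return counts

SAMPLE = [  # first record is the page's example; the other three are constructed
    "10.10.10.10,client,06/04/1999,14:42:19,NPS,CLIENTCOMP,6,2,7,1,5,9,61,5,64,1,65,1,31,1",
    "10.10.10.10,alice,06/04/1999,14:43:01,NPS,CLIENTCOMP,4136,3,4142,16",
    "10.10.10.10,alice,06/04/1999,14:43:07,NPS,CLIENTCOMP,4136,3,4142,16",
    "10.10.10.10,bob,06/04/1999,14:44:30,NPS,CLIENTCOMP,4136,3,4142,36,31,0x352c31",
]
```

Because the attribute order depends on the NAS, the parser looks attributes up by ID rather than by position; a record with a dangling attribute number and no value raises `ValueError` instead of being silently misaligned.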

Attributes that are not recorded in IAS format log files

Although most attributes sent by access servers are logged in IAS format log files, some attributes are not logged because they contain sensitive information. For example, user passwords are not logged for security reasons. The following table lists some of the attributes that are not logged.

| Attribute name | ID/Description |
|---|---|
| User-Password | 2 |
| CHAP-Password | 3 |
| State | 24 |
| Proxy-State | 33 |
| CHAP-Challenge | 60 |
| Tunnel-Password | 69 |
| EAP-Message | 79 |
| Signature | 80 |
| MS-CHAP-Challenge | Microsoft vendor-specific attribute |
| MS-CHAP-Response | Microsoft vendor-specific attribute |
| MS-CHAP-CPW-1 | Microsoft vendor-specific attribute |
| MS-CHAP-CPW-2 | Microsoft vendor-specific attribute |
| MS-CHAP-LM-Enc-PW | Microsoft vendor-specific attribute |
| MS-CHAP-NT-Enc-PW | Microsoft vendor-specific attribute |
| MS-CHAP-MPPE-Keys | Microsoft vendor-specific attribute |
| MS-MPPE-Send-Key | Microsoft vendor-specific attribute |
| MS-MPPE-Recv-Key | Microsoft vendor-specific attribute |
| MS-Filter | Microsoft vendor-specific attribute |
| MS-CHAP2-Response | Microsoft vendor-specific attribute |
| MS-CHAP2-Success | Microsoft vendor-specific attribute |
| MS-CHAP2-CPW | Microsoft vendor-specific attribute |