Microsoft IAS (RADIUS)

Microsoft Network Policy Server (NPS), previously known as Internet Authentication Service (IAS), is Microsoft's implementation of the Remote Authentication Dial-In User Service (RADIUS). The RADIUS server can handle authentication, authorization, and VPN connections, among other abilities.

You must configure NPS to write its logs to a log file, which InsightIDR can then follow and ingest.

To start logging with NPS:

  1. Run the RADIUS Accounting Wizard
  2. Configure NPS Log File Properties
  3. Configure Microsoft IAS in InsightIDR

Microsoft NPS is only available on Windows machines.

Run the RADIUS Accounting Wizard

The Network Policy Server can log its data in several ways, so you must indicate in the logging “Accounting” wizard that NPS should send logs to a log file.

To do so:

  1. On your Windows machine, navigate to Start > System and Security > Administrative Tools > Network Policy Server.
  2. Click the Configure Accounting link.
  3. Select the second option, “Log to a text file on the local computer.”
  4. Click the Next button.
  5. Under “Logging Information,” check all four of the information types that will be logged to the text file.
    • Optionally check the box for “Logging Failure” so that connection requests are discarded during a logging failure.
  6. In the “Log File Directory” field, click the Browse button to open the “LogFiles” default path.
  7. Click the Make a New Folder button and name your folder, such as “NPS Logs.” Click the OK button.
  8. Click the Next button.
  9. Review the “Summary” section of the NPS Accounting Wizard. Click the Next button.
  10. Click the Finish button.

Configure NPS Log File Properties

After you successfully finish the Accounting Wizard, you must configure the log properties of the NPS log file.

To do so:

  1. On your Windows machine, navigate to Start > System and Security > Administrative Tools > Network Policy Server.
  2. Click the Change Log File Properties link.
  3. On the “Settings” tab, you will see the same information you configured in the Accounting Wizard. Select the Log File tab.
  4. Under “Format,” select the log format you want to use. InsightIDR accepts the DTS Compliant format.
  5. Under “Create a new log file,” select how often you want your Windows machine to create a new log file, or how large the file must become before a new one is created.
  6. Optionally choose to delete older log files when your disk is full.
  7. Click the Apply button and click the OK button.

For more information, you can read Microsoft’s documentation on NPS log configuration here: https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-accounting-configure#configure-nps-log-file-properties
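As a check before you add the event source, the following added example (not part of the original page and not Rapid7 or Microsoft tooling) reads lines from an NPS log file and reports how many are DTS Compliant `<Event>` records and which line numbers are not, for instance because the format was left on another setting or a record was cut off mid-write. The sample lines are constructed, and the field names in them are assumptions about the DTS Compliant layout.

```python
import xml.etree.ElementTree as ET

# RADIUS packet codes (RFC 2865 / RFC 2866) as they appear in Packet-Type.
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}

def parse_dts_line(line):
    """Return {field: value} for one DTS Compliant <Event> line, else None."""
    line = line.strip()
    if not line.startswith("<Event>"):
        return None              # e.g. a comma-separated record from another format
    try:
        event = ET.fromstring(line)
    except ET.ParseError:
        return None              # truncated or partially written record
    return {child.tag: (child.text or "") for child in event}

def check_log(lines):
    """Count parseable events and list the line numbers that are not DTS."""
    summary = {"events": 0, "bad_lines": [], "packet_types": {}}
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        fields = parse_dts_line(line)
        if fields is None:
            summary["bad_lines"].append(number)
            continue
        summary["events"] += 1
        kind = PACKET_TYPES.get(fields.get("Packet-Type"), "other")
        summary["packet_types"][kind] = summary["packet_types"].get(kind, 0) + 1
    return summary

# Constructed sample lines (not real log data); field names are assumed.
SAMPLE = [
    r'<Event><Timestamp data_type="4">01/15/2024 10:22:31.123</Timestamp>'
    r'<Computer-Name data_type="1">NPS01</Computer-Name>'
    r'<User-Name data_type="1">EXAMPLE\jdoe</User-Name>'
    r'<Packet-Type data_type="0">1</Packet-Type></Event>',
    r'<Event><Timestamp data_type="4">01/15/2024 10:22:31.140</Timestamp>'
    r'<User-Name data_type="1">EXAMPLE\jdoe</User-Name>'
    r'<Packet-Type data_type="0">2</Packet-Type></Event>',
    r'192.0.2.10,jdoe,01/15/2024,10:22:33,RAS,NPS01,4,192.0.2.10',
    r'<Event><Timestamp data_type="4">01/15/2024 10:22:34.000</Timestamp><Packet-Ty',
]

if __name__ == "__main__":
    print(check_log(SAMPLE))
```

To run it against a real file, pass an open file object for a log in the folder you created in the Accounting Wizard to `check_log`; a non-empty `bad_lines` list on a freshly rotated file suggests the format setting is not DTS Compliant.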

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Microsoft IAS in the event sources search bar.
    • In the Product Type filter, select VPN.
  3. Select the Microsoft IAS event source tile.
  4. Choose your collector and select Microsoft IAS (RADIUS) as your event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Configure your default domain and any advanced settings.
  8. Select Watch Directory as your data collection method and then check the box to Watch shared remote directory.
  9. Select an existing credential for your Windows machine or optionally create a new credential.
  10. Enter the folder path you configured during the RADIUS Accounting Wizard.
  11. Enter the scan interval for how often InsightIDR should check the file path.
  12. Optionally choose to include the file pattern of your log file.
  13. Click the Save button.