Microsoft IAS (RADIUS)

Microsoft Network Policy Server (NPS), previously known as Internet Authentication Service (IAS), is the implementation of the remote-authentication-dial-in-user service (RADIUS). The RADIUS server can perform authentication, authorization, and VPN connections, among other abilities.

You must configure NPS to send its log to a log file, which InsightIDR can then follow and ingest.

To start logging with NPS:

  1. Run the RADIUS Accounting Wizard
  2. Configure NPS Log File Properties
  3. Configure Microsoft IAS in InsightIDR

Microsoft NPS is only available on Windows machines.

Run the RADIUS Accounting Wizard

The Network Policy Server can log its data in several ways, so you must indicate in the logging “Accounting” wizard that NPS should send logs to a log file.

To do so:

  1. On your Windows machine, navigate to Start > System and Security > Administrative Tools > Network Policy Server.
  2. Click the Configure Accounting link.
  1. Select the second option, “Log to a text file on the local computer.”
  2. Click the Next button.
  1. Under “Logging Information,” check on all four of the information types that will be logged to the text file.
    • Optionally check on the box for “Logging Failure” for the log to disregard connection requests during logging failure.
  2. In the “Log File Directory” field, click the Browse button to open the “LogFiles” default path.
  1. Click the Make a New Folder button and name your folder, such as “NPS Logs.” Click the OK button.
  1. Click the Next button.
  2. Review the “Summary” section of the NPS Accounting Wizard. Click the Next button.
  3. Click the Finish button.

Configure NPS Log File Properties

After you successfully finish the Accounting Wizard, you must configure the log properties of the NPS log file.

To do so:

  1. On your Windows machine, navigate to Start > System and Security > Administrative Tools > Network Policy Server.
  2. Click the Change Log File Properties link.
  3. On the “Settings” tab, you will see the same information you configured in the Accounting Wizard. Select the Log File tab.
  1. Under “Format,” select the log format you want to use. InsightIDR accepts the DTS Compliant format.
  2. Under “Create a new log file,” select the frequency of how often you want your Windows machine to create a new log file, or how large the file must become.
  3. Optionally choose to delete older log files when your Disk is full.
  4. Click the Apply button and click the OK button.

For more information, you can read Microsoft’s documentation on NPS log configuration here: https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-accounting-configure#configure-nps-log-file-properties

Configure Microsoft IAS (RADIUS) in InsightIDR

Now you must configure the InsightIDR event source.

To do so:

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the VPN icon. The “Add Event Source” panel appears.
  4. Choose your collector and select Microsoft IAS (RADIUS) as your event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Configure your default domain and any advanced settings.
  8. Select Watch Directory as your data collection method and then check the box to Watch shared remote directory.
  9. Select an existing credential for your Windows machine or optionally create a new credential.
  10. Enter the folder path you configure during the RADIUS Accounting Wizard.
  11. Enter the scan interval for how often InsightIDR should check the file path.
  12. Optionally choose to include the file pattern of your log file.
  13. Click the Save button.