Interpreting IAS-formatted log files

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

 


In the Windows NT 4 version of IAS, log files are formatted by using a method in which attributes are logged as attribute-value pairs. This formatting is supported in IAS in Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows 2000. The logs that use this format are referred to as IAS-formatted log files. However, in Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows 2000, this format supports the inclusion of additional information in the log file:

  • In addition to accounting messages (Accounting-On, Accounting-Off, Accounting-Start, Accounting-Stop, and Accounting-Interim), the IAS server also logs authentication messages (Access-Request, Access-Accept, and Access-Reject).

  • All string attributes that contain either unprintable characters or delimiters are printed in hexadecimal format (for example, 0x026).

  • If IAS receives an attribute (RADIUS-standard or vendor-specific) that is not defined in the IAS dictionary, it is logged as a string.

Notes

  • Unless you have migration, compatibility, or other issues that require you to use the IAS format, you should use the database-import log format. Although a database-import log file contains a smaller subset of attributes, it contains the attributes required to support most tracking and accounting activities.

  • To help read and interpret the log files in IAS format, the Iasparse tool is included in the IAS Resources: Windows Deployment and Resource Kits. This tool can be used to parse log files and provide output in a readable format.

Entries recorded in IAS-formatted log files

The following is an example entry (Access-Request) from an IAS-formatted log file.

10.10.10.10,client,06/04/1999,14:42:19,IAS,CLIENTCOMP,6,2,7,1,5,9,61,5,64,1,65,1,31,1

The format of this record, which is the same for all records in your log file, includes a header, followed by the attribute-value pairs for all attributes that are contained in the packet.

The first six record fields make up the header and include:

| Value shown in example | Attribute | ID | Data type | Represents |
|---|---|---|---|---|
| 10.10.10.10 | NAS-IP-Address | IAS Header | Text | The IP address of the NAS that is sending the request. |
| client | User-Name | IAS Header | Text | The user name that is requesting access. |
| 06/04/1999 | Record-Date | IAS Header | Time | The date that the log is written. |
| 14:42:19 | Record-Time | IAS Header | Time | The time that the log is written. |
| IAS | Service-Name | IAS Header | Text | The name of the service that is running on the RADIUS server. |
| CLIENTCOMP | Computer-Name | IAS Header | Text | The name of the RADIUS server. |

Beyond the header, RADIUS attributes and values are listed in pairs in the following format:

<AttributeNumber1>,<ValueForAttributeNumber1>,<AttributeNumber2>,<ValueForAttributeNumber2>,

For example, the two fields after the header contain a 6 and a 2, which can be interpreted as follows:

  • The number 6 represents the RADIUS ID for the Service-Type.

  • The number 2 represents the attribute value for the Service-Type. The RADIUS protocol specifies the following values for the Service-Type attribute:

    • 1 = Login

    • 2 = Framed

    • 3 = Callback Login

    • 4 = Callback Framed

    • 5 = Outbound

    • 6 = Administrative

    • 7 = NAS Prompt

    • 8 = Authenticate Only

    • 9 = Callback NAS Prompt

The value of this attribute is 2 (Framed).

This attribute-value pair is interpreted as Service-Type = Framed, which tells the IAS server to provide a framed protocol for the user, for example, Point-to-Point Protocol (PPP) or SLIP.

The following table describes the RADIUS attributes, listed in numerical order, which can be found in an IAS-formatted log file record. Unlike database-import log files, which use a fixed sequence of attributes, the sequence of the attributes in IAS-formatted log files depends upon the sequence used by the access server. For additional information about the sequence of these records, see the documentation for the access server.

Notes

  • This table does not cover vendor-specific attributes (VSAs). For information about interpreting VSAs, see Interpreting IAS IDs for vendor-specific attributes. For more information about VSAs that are supported by your access server, see your access server documentation.

  • Entries in the ID column that begin with "IAS" are IAS-specific attributes. They are not found in the RADIUS protocol.

| Attribute | ID | Data type | Represents |
|---|---|---|---|
| User-Name | 1 | Text | The user identity, as specified by the user. |
| NAS-IP-Address | 4 | Text | The IP address of the NAS originating the request. |
| NAS-Port | 5 | Number | The physical port number of the NAS originating the request. |
| Service-Type | 6 | Number | The type of service that the user has requested. |
| Framed-Protocol | 7 | Number | The protocol to be used. |
| Framed-IP-Address | 8 | Text | The framed address to be configured for the user. |
| Framed-IP-Netmask | 9 | Text | The IP netmask to be configured for the user. |
| Framed-Routing | 10 | Number | The routing method to be used by the user. |
| Filter-ID | 11 | Text | The name of the filter list for the user requesting authentication. |
| Framed-MTU | 12 | Number | The maximum transmission unit to be configured for the user. |
| Framed-Compression | 13 | Number | The compression protocol to be used. |
| Login-IP-Host | 14 | Number | The IP address of the host to which the user should be connected. |
| Login-Service | 15 | Number | The service that connects the user to the login host. |
| Login-TCP-Port | 16 | Number | The TCP port to which the user should be connected. |
| Reply-Message | 18 | Text | The message displayed to the user when an authentication request is accepted. |
| Callback-Number | 19 | Text | The callback phone number. |
| Callback-ID | 20 | Text | The name of a location to be called by the access server when performing callback. |
| Framed-Route | 22 | Text | The routing information that is configured on the access client. |
| Framed-IPX-Network | 23 | Number | The IPX network number to be configured on the NAS for the user. |
| Class | 25 | Text | The attribute sent to the client in an Access-Accept packet, which is useful for correlating Accounting-Request packets with authentication sessions. The format is: |

  • Type: Contains the value 25 (1 octet).

  • Length: Contains a value of 20 or greater (1 octet).

  • Checksum: Contains an Adler-32 checksum that is computed over the remainder of the Class attribute (4 octets).

  • Vendor-ID: Contains the ID of the access server vendor (4 octets). The high-order octet is 0 and the low-order 3 octets are the SMI Network Management Private Enterprise Code of the vendor in network byte order, as defined in RFC 1007 "Vendor SMI Network Management Private Enterprise Codes".

  • Version: Contains the value of 1 (2 octets).

  • Server-Address: Contains the IP address of the RADIUS server that issued the Access-Challenge. For multihomed servers, this is the address of the network interface that received the original Access-Request (2 octets).

  • Service-Reboot-Time: Specifies the time at which the first serial number was returned (8 octets).

  • Unique-Serial-Number: Contains a unique number to distinguish an individual connection attempt (8 octets).

  • String: Contains information that is used to classify accounting records for additional analysis (0 or more octets). In IAS, the Class attribute from the profile is copied into the String field.

The Class attribute is used to match the accounting and authentication records if the Class attribute is sent by the network access server in the accounting request packets. The combination of Serial-Number, Service-Reboot-Time, and Server-Address must be a unique identification for each authentication that the server accepts.

| Attribute | ID | Data type | Represents |
|---|---|---|---|
| Vendor-Specific | 26 | Text | The attribute that is used to support proprietary NAS features. |
| Session-Timeout | 27 | Number | The length of time (in seconds) before a session is terminated. |
| Idle-Timeout | 28 | Number | The length of idle time (in seconds) before a session is terminated. |
| Termination-Action | 29 | Number | The action that the NAS should take when service is completed. |
| Called-Station-ID | 30 | Text | The phone number that is dialed by the user. |
| Calling-Station-ID | 31 | Text | The phone number from which the call originated. |
| NAS-Identifier | 32 | Text | The string that identifies the NAS originating the request. |
| Login-LAT-Service | 34 | Text | The host with which the user is to be connected by LAT. |
| Login-LAT-Node | 35 | Text | The node with which the user is to be connected by LAT. |
| Login-LAT-Group | 36 | Text | The LAT group codes for which the user is authorized. |
| Framed-AppleTalk-Link | 37 | Number | The AppleTalk network number for the serial link to the user (this is used only when the user is a router). |
| Framed-AppleTalk-Network | 38 | Number | The AppleTalk network number that the NAS must query for existence in order to allocate the user's AppleTalk node. |
| Framed-AppleTalk-Zone | 39 | Text | The AppleTalk default zone for the user. |
| Acct-Status-Type | 40 | Number | The number that specifies whether an accounting packet starts or stops a bridging, routing, or Terminal server session. |
| Acct-Delay-Time | 41 | Number | The length of time (in seconds) for which the NAS has been sending the same accounting packet. |
| Acct-Input-Octets | 42 | Number | The number of octets received during the session. |
| Acct-Output-Octets | 43 | Number | The number of octets sent during the session. |
| Acct-Session-ID | 44 | Text | The unique numeric string that identifies the server session. |
| Acct-Authentic | 45 | Number | The number that specifies which server has authenticated an incoming call. |
| Acct-Session-Time | 46 | Number | The length of time (in seconds) for which the session has been active. |
| Acct-Input-Packets | 47 | Number | The number of packets received during the session. |
| Acct-Output-Packets | 48 | Number | The number of packets sent during the session. |
| Acct-Terminate-Cause | 49 | Number | The reason that a connection was terminated. |
| Acct-Multi-SSN-ID | 50 | Text | The unique numeric string that identifies the multilink session. |
| Acct-Link-Count | 51 | Number | The number of links in a multilink session. |
| Event-Timestamp | 55 | Time | The date and time that this event occurred on the NAS. |
| NAS-Port-Type | 61 | Number | The type of physical port that is used by the NAS originating the request. |
| Port-Limit | 62 | Number | The maximum number of ports that the NAS provides to the user. |
| Login-LAT-Port | 63 | Number | The port with which the user is connected by Local Area Transport (LAT). |
| Tunnel-Type | 64 | Number | The tunneling protocols to be used. |
| Tunnel-Medium-Type | 65 | Number | The transport medium to use when creating a tunnel for protocols. For example, L2TP packets can be sent over multiple link layers. |
| Tunnel-Client-Endpt | 66 | Text | The IP address of the tunnel client. |
| Tunnel-Server-Endpt | 67 | Text | The IP address of the tunnel server. |
| Acct-Tunnel-Connection | 68 | Text | An identifier assigned to the tunnel. |
| Password-Retry | 75 | Number | The number of times a user can try to be authenticated before the NAS terminates the connection. |
| Prompt | 76 | Number | A number that indicates to the NAS whether it should (Prompt=1) or should not (Prompt=0) echo the user’s response as it is typed. |
| Connect-Info | 77 | Text | Information that is used by the NAS to specify the type of connection made. Typical information includes connection speed and data encoding protocols. |
| Configuration-Token | 78 | Text | The type of user profile to be used (sent from a RADIUS proxy server to a RADIUS proxy client) in an Access-Accept packet. |
| Tunnel-Pvt-Group-ID | 81 | Text | The group ID for a particular tunneled session. |
| Tunnel-Assignment-ID | 82 | Text | The tunnel to which a session is to be assigned. |
| Tunnel-Preference | 83 | Number | A number that indicates the preference of the tunnel type, as indicated with the Tunnel-Type attribute when multiple tunnel types are supported by the access server. |
| Acct-Interim-Interval | 85 | Number | The length of interval (in seconds) between each interim update sent by the NAS. |
| Ascend | 107 to 255 | Text | The vendor-specific attributes for Ascend. For more information, see the Ascend documentation. |
| Client-IP-Address | IAS 4108 | Text | The IP address of the RADIUS client. |
| NAS-Manufacturer | IAS 4116 | Number | The manufacturer of the NAS. |
| MS-CHAP-Error | IAS 4121 | Number | The error data that describes an MS-CHAP transaction. |
| Authentication-Type | IAS 4127 | Number | The authentication scheme that is used to verify the user. |
| Client-Friendly-Name | IAS 4128 | Text | The friendly name for the RADIUS client. |
| SAM-Account-Name | IAS 4129 | Text | The user account name in the Security Accounts Manager (SAM) database. |
| Fully-Qualified-User-Name | IAS 4130 | Text | The user name in canonical format. |
| EAP-Friendly-Name | IAS 4132 | Text | The friendly name that is used with Extensible Authentication Protocol (EAP). |
| Packet-Type | IAS 4136 | Number | The type of packet, which can be: |

  • 1=Access-Request

  • 2=Access-Accept

  • 3=Access-Reject

  • 4=Accounting-Request

| Attribute | ID | Data type | Represents |
|---|---|---|---|
| Reason Code | IAS 4142 | Number | The reason for rejecting a user, which can be: |

  • 00 = Success

  • 01 = Internal error

  • 02 = Access denied

  • 03 = Malformed request

  • 04 = Global catalog unavailable

  • 05 = Domain unavailable

  • 06 = Server unavailable

  • 07 = No such domain

  • 08 = No such user

  • 16 = Authentication failure

  • 17 = Password change failure

  • 18 = Unsupported authentication type

  • 19 = No reversibly encrypted password is stored for the user account

  • 32 = Local users only

  • 33 = Password must be changed

  • 34 = Account disabled

  • 35 = Account expired

  • 36 = Account locked out

  • 37 = Invalid logon hours

  • 38 = Account restriction

  • 48 = Did not match remote access policy

  • 49 = Did not match connection request policy

  • 64 = Dial-in locked out

  • 65 = Dial-in disabled

  • 66 = Invalid authentication type

  • 67 = Invalid calling station

  • 68 = Invalid dial-in hours

  • 69 = Invalid called station

  • 70 = Invalid port type

  • 71 = Invalid restriction

  • 80 = No record

  • 96 = Session timed out

  • 97 = Unexpected request

| Attribute | ID | Data type | Represents |
|---|---|---|---|
| NP-Policy-Name | IAS 4149 | Text | The friendly name of a remote access policy. |
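A parser for the record layout described above, with a tally of Access-Reject records by user and reason code for triage. This is an added example, not Microsoft's code and not the Iasparse tool. It assumes that IAS-specific attributes such as Packet-Type and Reason Code appear in the log under their bare numbers (4136, 4142) and that hex-formatted strings use two hex digits per byte; the names `parse_record`, `decode_value` and `rejects_by_user` are hypothetical.

```python
from collections import Counter

# Subset of the IDs in the table above; IDs not listed keep their number.
ATTR = {6: "Service-Type", 31: "Calling-Station-ID",
        4136: "Packet-Type", 4142: "Reason-Code"}
REASON = {0: "Success", 8: "No such user", 16: "Authentication failure",
          34: "Account disabled", 36: "Account locked out"}
HEADER = ("NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
          "Service-Name", "Computer-Name")

def decode_value(raw):
    """Decode "0x" + two hex digits per byte (assumed form); else return raw."""
    if raw[:2].lower() == "0x" and len(raw) > 2 and len(raw) % 2 == 0:
        try:
            return bytes.fromhex(raw[2:]).decode("latin-1")
        except ValueError:
            pass
    return raw

def parse_record(line):
    fields = line.strip().split(",")
    if len(fields) % 2 and fields[-1] == "":
        fields.pop()  # tolerate a trailing comma after the last pair
    if len(fields) < 6 or len(fields) % 2:
        raise ValueError("expected 6 header fields plus attribute-value pairs")
    rec = dict(zip(HEADER, fields[:6]))
    # Keep a list: the order depends on the access server and IDs may repeat.
    rec["attributes"] = [(ATTR.get(int(a), a) if a.isdigit() else a, decode_value(v))
                         for a, v in zip(fields[6::2], fields[7::2])]
    return rec

def rejects_by_user(lines):
    """Count Access-Reject records (Packet-Type 3) per (User-Name, reason)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        attrs = dict(rec["attributes"])
        if attrs.get("Packet-Type") == "3":
            code = attrs.get("Reason-Code", "")
            reason = REASON.get(int(code), code) if code.isdigit() else code
            counts[(rec["User-Name"], reason)] += 1
    return counts

SAMPLE = [  # first line is the record shown on this page; the rest are constructed
    "10.10.10.10,client,06/04/1999,14:42:19,IAS,CLIENTCOMP,6,2,7,1,5,9,61,5,64,1,65,1,31,1",
    "10.10.10.10,client,06/04/1999,14:42:20,IAS,CLIENTCOMP,4136,3,4142,16",
    "10.10.10.10,client,06/04/1999,14:42:25,IAS,CLIENTCOMP,4136,3,4142,16,31,0x35353501",
    "10.10.10.10,guest,06/04/1999,14:43:02,IAS,CLIENTCOMP,4136,3,4142,34,",
]
```

Calling `rejects_by_user(SAMPLE)` groups the three constructed rejections by user and reason; a value such as the page's `0x026`, which has an odd number of hex digits, is left undecoded rather than guessed at.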

Attributes that are not recorded in IAS-formatted log files

Although most of the attributes that are sent by an access server and supported in Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition are logged when you specify the use of IAS-formatted log files, some attributes are not logged because they contain sensitive information (for example, passwords) that should not be included. The following table lists some of the attributes that are not logged.

| Attribute name | ID/Description |
|---|---|
| User-Password | 2 |
| CHAP-Password | 3 |
| State | 24 |
| Proxy-State | 33 |
| CHAP-Challenge | 60 |
| Tunnel-Password | 69 |
| EAP-Message | 79 |
| Signature | 80 |
| MS-CHAP-Challenge | Microsoft vendor-specific attribute |
| MS-CHAP-Response | Microsoft vendor-specific attribute |
| MS-CHAP-CPW-1 | Microsoft vendor-specific attribute |
| MS-CHAP-CPW-2 | Microsoft vendor-specific attribute |
| MS-CHAP-LM-Enc-PW | Microsoft vendor-specific attribute |
| MS-CHAP-NT-Enc-PW | Microsoft vendor-specific attribute |
| MS-CHAP-MPPE-Keys | Microsoft vendor-specific attribute |
| MS-MPPE-Send-Key | Microsoft vendor-specific attribute |
| MS-MPPE-Recv-Key | Microsoft vendor-specific attribute |
| MS-Filter | Microsoft vendor-specific attribute |
| MS-CHAP2-Response | Microsoft vendor-specific attribute |
| MS-CHAP2-Success | Microsoft vendor-specific attribute |
| MS-CHAP2-CPW | Microsoft vendor-specific attribute |