Feature Request - Monitor Windows Server Event logs for User/IP Information

[Keln Taylor]

I have a feature request.

I have been using NxFilter for a couple years.

I have a Windows Active Directory environment with multiple domain controllers and file servers.  

NxMapper doesn't seem to catch all my users because we have so many servers. 

NxLogon and NxClient aren't quite the right fit my organization.

In my environment, I have my domain controller configured to log all authentication requests. 

I also use a Radius Server that is built into Windows (Network Policy Server) to authenticate my wireless clients via 802.x.

This means that LogOn requests, LogOff requests, and Radius Authentication Requests are logged and I can access them in my "event viewer" under "Security".

Would it be possible to have a program that monitors this log for Authentication Requests and reports them to NxFilter?

Example Radius authentication request:

Network Policy Server granted access to a user.

User:
Security ID: HAWKPRS\asmith
Account Name: asm...@mydomain.k12
Account Domain: HAWKPRS
Fully Qualified Account Name: HAWKPRS\asmith
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: E0-1C-41-B6-87-E9:AD-RADIUS
Calling Station Identifier: 24-A2-E1-BA-AD-00
NAS:
NAS IPv4 Address: 192.168.50.6
NAS IPv6 Address: -
NAS Identifier: IS-124-AP1
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: IES APs
Client IP Address: 192.168.50.6
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Secure Wireless Connections - Faculty
Authentication Provider: Windows
Authentication Server: HS-DC1.mydomain.k12
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Quarantine Information:
Result: Full Access
Session Identifier: -

Example Windows LogOn:

An account was successfully logged on.

Subject:

Security ID: NULL SID

Account Name: -

Account Domain: -

Logon ID: 0x0

Logon Type: 3

Impersonation Level: Impersonation

New Logon:

Security ID: HAWKPRS\jsmith

Account Name: jsmith

Account Domain: HAWKPRS

Logon ID: 0x3F8DC769

Logon GUID: {986cab8d-aa6d-8269-8b6a-7fc93d8d9929}

Process Information:

Process ID: 0x0

Process Name: -

Network Information:

Workstation Name:

Source Network Address: 10.30.20.229

Source Port: 51553

Detailed Authentication Information:

Logon Process: Kerberos

Authentication Package: Kerberos

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

Example Windows LogOff:

An account was logged off.
Subject:
Security ID: HAWKPRS\jsmith
Account Name: jsmith
Account Domain: HAWKPRS
Logon ID: 0x3F8DC7D0
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

 

[Jinhee]

Yeah, NxMapper might not be able to catch all the user login events. One of the reasons
is that we get IPv6 addresses instead of IPv4 in some cases. We have no way of tranlating
it to IPv4. We can't make a login session based on IPv6 as we get DNS queries based on IPv4.

Once we thought about going with event log to solve this kind of problem. But nothing better.
We just have the same problem. So it's like it's nothing better than the current NxMapper
and we just need to spend several weeks for it.

I don't know why NxLogon not fitting to your situation but it's our primary solution to AD
single sign-on. And even if all these methods failed you still get login-page.

About Radius, that's too much specific need. Even if we go for event log way it would be
just for login/logoff events.

We don't go for it before we see enough benefit from it. Once we see something it may happen.
But it will take several months to see it as we are busy with the other important things.

[Jahastech]

At the moment, there's some discusstion going on about integrating Radius authentication into NxFilter. We may work on this one as well in future.

[Jahastech]

Searching through old threads, I found this one,

  https://groups.google.com/forum/#!searchin/nxfilter200/radius%7Csort:date/nxfilter200/1eVSOSdt5NI/hAcqHGZfCAAJ

Someone said that he wrote a powershell script for Windows Radius integration. This might be working for you.

[Keln Taylor]

thank you.  I hope to look into this later this year.

[Jahastech]

At the moment, we are working on NxFilter + G Suite Secure LDAP + FreeRadius. When it comes to NxFilter login session, the important thing is getting IP - Username pair. We made some progress with FreeRadius currently and that made me remembering your old post. And I looked into Windows Network Policy Server and Radius. I created 6272, 6278 events but they don't have user IPs. It only sends Radius client IP that is your router IP probably. Do you know how it sends user IP?

[Jahastech]

I noticed that you have an example of Windows Logon event. Does it mean that Windows Logon event follows after NPS access grant? The current version of NxMapper reads event log and it detects user logon event there.

[Keln Taylor]

The Windows Logon Event is completely separate and unrelated to the radius login. I had just provided it for reference.  At the time I posted that example, I thought that the 6272 and 6278 events included the client IP address, but I can see now that they only included the IP address of the access point.  :(

One way to get the client IP address is to look at the IAS logs directly on the radius server (called an NPS server in Windows).

Example from my Radius server C:\Windows\System32\LogFiles\iaslog1218.log:  (one my server this log is incremented when the log file reaches 128mb.  When iaslog1218.log reaches 128mb, then iaslog1219.log will be created.)

# This first line is a windows laptop connecting to the wireless network with a computer account.  We don't care about this one, because when a user logs into the Windows laptop, it will be logged to the event log on the domain controller.

"HS-DC1","IAS",04/03/2019,15:11:27,4,"host/IS-CT1-02.HAWK.PRS",,"C8-67-5E-43-35-D4:AD-RADIUS","1C-65-9D-E3-8C-33",,"10.50.21.30","HS-104-AP1","10.50.20.254",0,0,"10.50.20.254","temp entire HS subnet",04/03/2019 20:11:27,,19,"11ng",,2,,,0,"311 1 10.2.10.23 02/21/2019 13:57:36 1865413",,,,,3,0,316807,26159,"92975A19022876AC",1,10501,3738,188,,"40B0FFEE8A0140A3",,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",,,,,

 #This second shows the user "jwoods logging in from an IP address of 10.50.24.99.    The IP of the access point is 10.50.20.147. (which we really don't care about.)

"HS-DC1","IAS",04/03/2019,15:11:27,4,"jwoods",,"E0-1C-41-27-16-D4:AD-RADIUS","24-24-0E-4D-75-44",,"10.50.24.99","HS-GYM-AP1","10.50.20.147",0,0,"10.50.20.147","temp entire HS subnet",04/03/2019 

20:11:27,,19,"11ng",,2,,,0,"311 1 10.2.10.23 02/21/2019 13:57:36 1894264",,,,,3,0,634072,1626341,"48B25F19-000019B5",1,2580,4615,1607,,"24240e4d7544e01c412716d45ca5095b4e24a5df",,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",,,,,

"HS-DC1","IAS",04/03/2019,15:11:27,4,"wmartin",,"C8-67-5E-44-2B-E4:AD-RADIUS","78-7B-8A-8C-63-35",,"10.40.21.118","MS-167-AP1","10.40.20.157",0,0,"10.40.20.157","temp entire HS subnet",04/03/2019 20:11:27,,19,"11ac",,2,,,0,"311 1 10.2.10.23 02/21/2019 13:57:36 1889759",,,,,3,0,111153,205749,"41797A6A38B32790",1,4301,853,433,,"8EF761897BABE1FC",,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",,,,,

"HS-DC1","IAS",04/03/2019,15:11:27,4,"jdove",,"E0-1C-41-C9-6B-94:AD-RADIUS","54-4E-90-33-A6-97",,"10.20.20.230","PS-110-AP1","10.20.21.1",0,0,"10.20.21.1","temp entire HS subnet",04/03/2019 20:11:26,,19,"11ng",,2,,,0,"311 1 10.2.10.23 02/21/2019 13:57:36 1875521",,,,,3,0,6102151,58900884,"30EDB976-000005FE",1,1560,42761,45127,,"544e9033a697e01c41c96b945ca50d564a2d4ab2",,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",,,,,

"HS-DC1","IAS",04/03/2019,15:11:27,4,"host/K2-laptop19.HAWK.PRS",,"40-18-B1-9E-6A-28:AD-RADIUS","B4-6D-83-96-32-69",,"10.20.21.24","PS-314-AP1","10.20.21.238",0,0,"10.20.21.238","temp entire HS subnet",04/03/2019 20:11:26,,19,"11na",,2,,,0,"311 1 10.2.10.23 02/21/2019 13:57:36 1830800",,,,,3,0,18500266,9938710,"30EDB98F-0000015E",1,12722,50486,32062,,"b46d839632694018b19e6a285ca4e1bc3d39fa4a",,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",,,,,

"HS-DC1","IAS",04/03/2019,15:11:27,4,"jrogers",,"40-18-B1-9E-CB-68:AD-RADIUS","E4-B2-FB-88-9B-2D",,"10.20.20.164","PS-402-AP1","10.20.21.241",0,0,"10.20.21.241","temp entire HS subnet",04/03/2019 20:11:27,,19,"11na",,2,,,0,"311 1 10.2.10.23 02/21/2019 13:57:36 1891339",,,,,3,0,31682,20957,"30EDB962-000007B3",1,20,378,51,,"e4b2fb889b2d4018b19ecb685ca5135b5da82375",,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",,,,,

"HS-DC1","IAS",04/03/2019,15:11:28,4,"host/HP-2018-20.HAWK.PRS",,"E0-1C-41-B6-A4-A8:AD-RADIUS","38-DE-AD-6A-8F-D8",,"10.30.23.77","IS-129-AP1","10.30.22.182",0,0,"10.30.22.182","temp entire HS subnet",04/03/2019 20:11:28,,19,"11na",,2,,,0,"311 1 10.2.10.23 02/21/2019 13:57:36 1842183",,,,,3,0,96112909,66002004,"30EDB944-00000132",1,72146,226127,109440,,"38dead6a8fd8e01c41b6a4a85ca3f99a00143204",,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",,,,,

"HS-DC1","IAS",04/03/2019,15:11:28,4,"churst",,"F0-9C-E9-0D-58-54:AD-RADIUS","60-F4-45-0D-6A-01",,"10.20.22.197","PS-GYM-AP1","10.20.20.150",0,0,"10.20.20.150","temp entire HS subnet",04/03/2019 20:11:28,,19,"11ng",,2,,,0,"311 1 10.2.10.23 02/21/2019 13:57:36 1892685",,,,,3,0,714248,560380,"5C54596F-000002B9",1,2978,5527,1336,,"60f4450d6a01f09ce90d58545ca507cd3f45c8af",,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",,,,,

"HS-DC1","IAS",04/03/2019,15:11:28,4,"host/HP-2017-4.HAWK.PRS",,"C8-67-5E-43-F8-64:AD-RADIUS","F8-59-71-5C-EB-3F",,"10.50.21.207","HS-203-AP1","10.50.21.85",0,0,"10.50.21.85","temp entire HS subnet",04/03/2019 20:11:27,,19,"11ac",,2,,,0,"311 1 10.2.10.23 02/21/2019 13:57:36 1837087",,,,,3,0,39096739,249782000,"0CAC5128674F3CA7",1,9342,128817,249659,,"912F8C6299613C47",,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",,,,,

"HS-DC1","IAS",04/03/2019,15:11:28,1,"hphillips","HAWKPRS\hphillips","40-18-B1-9E-7B-D4:AD-RADIUS","20-EE-28-8F-79-98",,,"PS-403-AP1","10.20.22.16",0,0,"10.20.22.16","temp entire HS subnet",,,19,,,2,5,"Secure Wireless Connections - Faculty",0,"311 1 10.2.10.23 02/21/2019 13:57:36 1897856",,,,,,,,,"28A0D4BE-00000D73",,,,,,"20ee288f79984018b19e7bd45ca5136f15cf401d",,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

"HS-DC1","IAS",04/03/2019,15:11:28,11,,"HAWKPRS\hphillips",,,,,,,,0,"10.20.22.16","temp entire HS subnet",,,,,,,5,"Secure Wireless Connections - Faculty",0,"311 1 10.2.10.23 02/21/2019 13:57:36 1897856",60,,,,,,,,"28A0D4BE-00000D73",,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

"HS-DC1","IAS",04/03/2019,15:11:28,4,"host/MB02-9.HAWK.PRS",,"C8-67-5E-A0-49-A4:AD-RADIUS","80-86-F2-5E-16-54",,"10.50.26.134","PRMBA-BL-AP1","10.50.21.97",0,0,"10.50.21.97","temp entire HS subnet",04/03/2019 20:11:28,,19,"11ac",,2,,,0,"311 1 10.2.10.23 02/21/2019 13:57:36 1894581",,,,,3,0,13079827,842373655,"E829009C22453F31",1,2421,84406,596727,,"99A23DAFE0C0D517",,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",,,,,

"HS-DC1","IAS",04/03/2019,15:11:28,1,"hphillips","HAWKPRS\hphillips","40-18-B1-9E-7B-D4:AD-RADIUS","20-EE-28-8F-79-98",,,"PS-403-AP1","10.20.22.16",0,0,"10.20.22.16","temp entire HS subnet",,,19,,,2,5,"Secure Wireless Connections - Faculty",0,"311 1 10.2.10.23 02/21/2019 13:57:36 1897857",,,,,,,,,"28A0D4BE-00000D73",,,,,,"20ee288f79984018b19e7bd45ca5136f15cf401d",,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

"HS-DC1","IAS",04/03/2019,15:11:28,11,,"HAWKPRS\hphillips",,,,,,,,0,"10.20.22.16","temp entire HS subnet",,,,,,,5,"Secure Wireless Connections - Faculty",0,"311 1 10.2.10.23 02/21/2019 13:57:36 1897857",30,,,,,,,,"28A0D4BE-00000D73",,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

"HS-DC1","IAS",04/03/2019,15:11:28,4,"rtoland",,"C8-67-5E-A0-44-E4:AD-RADIUS","10-98-C3-B7-B5-B3",,"10.40.20.106","MS-129-AP1","10.40.20.203",0,0,"10.40.20.203","temp entire HS subnet",04/03/2019 20:11:28,,19,"11ac",,2,,,0,"311 1 10.2.10.23 02/21/2019 13:57:36 1891221",,,,,3,0,1169557,5333942,"3C620B5F9F908EC2",1,3260,3293,5038,,"6D7D716F33C9EF07",,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",,,,,

"HS-DC1","IAS",04/03/2019,15:11:28,1,"hphillips","HAWKPRS\hphillips","40-18-B1-9E-7B-D4:AD-RADIUS","20-EE-28-8F-79-98",,,"PS-403-AP1","10.20.22.16",0,0,"10.20.22.16","temp entire HS subnet",,,19,,,2,5,"Secure Wireless Connections - Faculty",0,"311 1 10.2.10.23 02/21/2019 13:57:36 1897858",,,,,,,,,"28A0D4BE-00000D73",,,,,,"20ee288f79984018b19e7bd45ca5136f15cf401d",,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

"HS-DC1","IAS",04/03/2019,15:11:28,11,,"HAWKPRS\hphillips",,,,,,,,0,"10.20.22.16","temp entire HS subnet",,,,,,,5,"Secure Wireless Connections - Faculty",0,"311 1 10.2.10.23 02/21/2019 13:57:36 1897858",30,,,,,,,,"28A0D4BE-00000D73",,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

"HS-DC1","IAS",04/03/2019,15:11:28,1,"hphillips","HAWKPRS\hphillips","40-18-B1-9E-7B-D4:AD-RADIUS","20-EE-28-8F-79-98",,,"PS-403-AP1","10.20.22.16",0,0,"10.20.22.16","temp entire HS subnet",,,19,,,2,5,"Secure Wireless Connections - Faculty",0,"311 1 10.2.10.23 02/21/2019 13:57:36 1897859",,,,,,,,,"28A0D4BE-00000D73",,,,,,"20ee288f79984018b19e7bd45ca5136f15cf401d",,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

"HS-DC1","IAS",04/03/2019,15:11:28,11,,"HAWKPRS\hphillips",,,,,,,,0,"10.20.22.16","temp entire HS subnet",,,,,,,5,"Secure Wireless Connections - Faculty",0,"311 1 10.2.10.23 02/21/2019 13:57:36 1897859",30,,,,,,,,"28A0D4BE-00000D73",,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

[Jahastech]

Thanks, we will look into NPS log.

[Jahastech]

I am not so sure about this NPS log way. Its file name is different on my system and the info from AP is vendor specific. So we can't expect 100% same result with all these APs or routers and switches. At the moment, we are working on FreeRADIUS integration.

  https://www.reddit.com/r/nxfilter/comments/bn28x9/freeradius_integration_project_for_sso/

If you are willing to do some scripting job, I guess you already can implement AD integration through FreeRADIUS. Anyway, take a look at it.

[Jahastech]

@Keln

What's your AP modle name? Is it a Cisco product? And how many APs you have? We may try NxMapper way as FreeRADIUS + AD requires complicated setting procedures. But I want to know if we can expect the same log format from all the APs.

[Keln Taylor]

We have around 150 Aerohive APs.  mostly the AP130 model. 

[Jahastech]

 Do you see any other log files in C:\Windows\System32\LogFiles except NPS log files?

[Jahastech]

Try this one,

  http://nxfilter.org/imsi/nxmapper-4.0.7.exe

We tested it today with Unifi router. It worked fine. We use RADIUS account request data so must set your router to send RADIUS account request. And there's several second delay for receiving the first RADIUS account request. It means you may need to set up a default user to associate whole your network IP range so that your users don't get redirected to NxFilter login page.

[Suporte SAC - Kernel TI]

Just install on AD Server?

[Jahastech]

Did you set up NPS? Install it on DC running your NPS.

[Bruno Emanuel]

We want to test it. But help me to undestand how to install on our network.

We have some AD Servers distributed on several units. On each Unit we have a NxFilter installed using Globlist, for now.

So, to use integrated with Radius, will we need to install NxMapper on each server because each unit has his own NxFilter ?

[Jahastech]

It depends on where your NPS server is. NxMapper reads and parse NPS log files to detect usersnames and client IPs. In my case, I use this tutorial for setup my router and Windows server.

  https://blog.ui.com/2016/11/04/managing-radius-authentication-unifi/

So set up a NPS server first and then send your RADIUS account data to it from your router.

[Jahastech]

If I were you I would try to use just one server first. And see what happens and then move to the nextf.

[Bruno Emanuel]

This is on log:

 INFO [05-28 12:53:42] - Program.ParseIasLogFile, ctime parse error, System.FormatException: String was not recognized as a valid DateTime.
   at System.DateTimeParse.Parse(String s, DateTimeFormatInfo dtfi, DateTimeStyles styles)
   at main.Program.LineToRad(String line)

[Bruno Emanuel]

We are using WPA Enterprise

Some part of log:

"SERVERAD","IAS",02/12/2019,19:33:05,1,"3010598","domain.br/DOMAIN/CAMP-ITA/CTIC-ITA/3010598","FC-EC-DA-AE-20-80:DOMAIN_ADM","D0-04-01-50-37-A4",,,"fcecdaac2080",,,0,"IP.XX.15.35","AP15UBQT035",,,19,"CONNECT 0Mbps 802.11b",,2,5,"Connections to other access servers",0,"311 1 IP.YY.80.23 02/06/2019 20:30:20 2",,,,,,,,,"00BFB91CECA8D4E9",,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"SERVERAD","IAS",02/12/2019,19:33:05,3,,"domain.br/DOMAIN/CAMP-ITA/CTIC-ITA/3010598",,,,,,,,0,"IP.XX.15.35","AP15UBQT035",,,,,,,5,"Connections to other access servers",65,"311 1 IP.YY.80.23 02/06/2019 20:30:20 2",,,,,,,,,"00BFB91CECA8D4E9",,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,

[Jahastech]

OK. Can you send me your log file to sup...@nxfilter.org. I will update it tomorrow.

[Jahastech]

And send me the log files as well.

[Jahastech]

Are you saying it crashed at that Exception point? That exception is excaped. But we want to see which line caused it.

[Bruno Emanuel]

We sent the logs to the support email

[Jahastech]

Unexpected format. Your log files started with,

  "SVMW99NPS023","IAS",05/28/2019,13:11:14,4,"20191008.ITA0002",,"FE-EC-DA-AD-25-6C:IFMA_ACAD","58-F1-02-F0-90-C7",,"10.15.6.118","FCECDAAC256CE83CE4E7",,,0,"172.16.15.60","IFMA15",05/28/2019 16:11:14,,19,"CONNECT 0Mbps 802.11b",,2,,,0,"311 1 10.99.80.23 05/23/2019 15:20:22 530737",,,,,1,0,,,"D43E014AC50A7D26",1,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",,,,,

But after several lines,

  172.16.15.21,20181002.ITA0053,05/28/2019,13:11:23,IAS,SVMW99NPS023,40,1,45,1,8,10.15.6.53,32,FCECDAA625B9F518D2DE,30,FE-EC-DA-A7-25-B9:IFMA_ACAD,61,19,6,2,31,64-70-33-5B-AD-9A,77,CONNECT 0Mbps 802.11b,44,E77CEC47FC93C0C5,186,0x000FAC04,187,0x000FAC04,188,0x000FAC01,25,311 1 10.99.80.23 05/23/2019 15:20:22 530750,55,05/28/2019 16:11:23,41,0,4108,172.16.15.21,4116,0,4128,IFMA15,4154,Secure Wireless Connections,4136,4,4142,0

From the first one,

  Username : 20191008.ITA0002

  IP : 10.15.6.118

Right?

[Jahastech]

So from the second one,

  Username : 20181002.ITA0053

  IP : 10.15.6.53

2 different formats from one file.. That makes things ugly.

[Jahastech]

We close this discussion. After all, I don't like Log Parsing way not knowing the formats of log messages. We tried to go for it to provide better options to our users as always. But this kind of goal can't be achieved without user participation. Even if we make it working in an limited lab environment we can't expect it to be working in real world. If there's active feedback from users maybe we can cover more than 95% but it will not be enough by our standard. So we stop NxMapper way here. There are still 2 possible options. One is to go with FreeRADIUS by Rob Asher and the other one is to build our own RADIUS server.

You can view how FreeRADIUS way go on the following link,

  https://www.reddit.com/r/nxfilter/comments/bn28x9/freeradius_integration_project_for_sso/

[Jahastech]

We already started testing for v4.3.4.3 of NxFilter having an integrated RADIUS accounting server. We confirmed that it's working in several testing environment. We will do the final test in several days and it will be released in this month hopefully.

  https://www.reddit.com/r/nxfilter/comments/bv4cxc/new_nxfilter_v4343_supporting_single_signon_by/