Authentication/Accounting failure

Authentication_Accounting_failure_1_Rule (Rule)

Knowledge Base article:

Management Pack
Summary
The Routing and Remote Access service encountered an error while performing authentication or accounting.
 
Causes
The most common reasons for this error are:
  1. The RADIUS server did not respond to authentication/accounting request.
  2. The service failed to retrieve Remote Access Server certificates.
  3. The connection attempt failed because the Windows Authentication could not authenticate the user. The user might have specified incorrect credentials.
  4. The RADIUS server sent an invalid response.
 
Resolutions
  1. Open Routing and Remote Access and verify that
    1. The server name or the IP address of the RADIUS server(s) is spelled correctly.
    2. Secret is correct.
  2. Make sure that the user specifies correct credentials.
  3. Verify whether the network protocols are configured correctly on the server and the client.
 
Sample Event
Sample Event #1: The RADIUS server %1 did not respond to the initial request.Please make sure that the server name or IP address and secret are correct.
Sample Event #2: Could not retrieve the Remote Access Server''s certificate due to thefollowing error: %1
Sample Event #3: The user %1 failed an authentication attempt due to the following reason: %2
Sample Event #4: The user %1 connected from %2 but failed an authentication attempt due to the following reason: %3
Sample Event #5: An invalid response was received from the RADIUS server %1. %2
 
© 2004 Microsoft Corporation, all rights reserved.

Element properties:

TargetMicrosoft.Windows.RemoteAccess.2012.Class.VPNServer
CategoryEventCollection
EnabledTrue
Event SourceRemoteAccess
Alert GenerateFalse
RemotableTrue
Event LogSystem

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
WriteToDB WriteAction Microsoft.SystemCenter.CollectEvent Default

Source Code:

<Rule ID="Authentication_Accounting_failure_1_Rule" Enabled="true" Target="Microsoft.Windows.RemoteAccess.2012.Class.VPNServer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>System</LogName>
<Expression>
<And>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>MatchesRegularExpression</Operator>
<Pattern>^(20146|20168|20187|20189|20196)$</Pattern>
</RegExExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">RemoteAccess</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WriteToDB" TypeID="SystemCenter!Microsoft.SystemCenter.CollectEvent"/>
</WriteActions>
</Rule>