NPS Authentication Clients - Access-Rejects

Microsoft.NetworkPolicyServer.NPSAuthenticationClientsAccessRejects.PerfRule (Rule)

The number of RADIUS Access-Reject packets sent to this client.

Knowledge Base article:

Summary

The number of RADIUS Access-Reject packets sent to this client.

Additional

Session Authentication

During this stage, the switch relays EAP messages between the supplicant and the authentication server, copying the EAP message in the EAPoL frame to an attribute-value pair in a RADIUS packet, and the reverse. In the first part of the exchange, the supplicant and the authentication server agree on an EAP method.

The rest of the exchange is defined by the specific EAP method. The EAP method defines the type of credential used to validate the supplicant's identity and the way that credential is submitted. Depending on the method, the supplicant may submit a password, certificate, token, or other credential, and that credential may be passed inside a TLS-encrypted tunnel, as a hash, or in some other protected form.

Session Authorization

If the supplicant submits a valid credential, the authentication server will return a RADIUS Access-Accept message with an encapsulated EAP Success message. This sequence indicates to the switch that the supplicant should be allowed access to the port. Optionally, the authentication server may include dynamic network access policy instructions (for example, a dynamic VLAN or access control list [ACL]) in the Access-Accept message. In the absence of dynamic policy instructions, the switch will simply open the port.

If the supplicant submits an invalid credential or is not allowed to access the network for policy reasons, the authentication server returns a RADIUS Access-Reject message with an encapsulated EAP Failure message. This message indicates to the switch that the supplicant should not be allowed access to the port. Depending on how the switch is configured, it may retry authentication, place the port in the Auth-Fail VLAN, or try an alternative authentication method.

Session Accounting

If the switch successfully applies the authorization policy, the switch sends a RADIUS Accounting-Request message to the authentication server with details about the authorized session. Accounting-Request messages are sent for both dynamically authorized sessions and locally authorized sessions (for example, guest VLANs and Auth-Fail VLANs).
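The three message pairings described above (Access-Accept carrying EAP Success, Access-Reject carrying EAP Failure, and the Accounting-Request that follows authorization) can be checked on the wire. The following Python is an added example, not part of the knowledge base article or the management pack: it parses the RADIUS header and attribute list (RFC 2865), reassembles the EAP-Message attribute (type 79, RFC 2869, which may be split across several attributes), reads the EAP code (RFC 3748), and reports whether the RADIUS and EAP codes form the pairing the switch expects. The sample packets are constructed inline with a zeroed authenticator; the example does not validate authenticators or Message-Authenticator attributes.

```python
import struct
from dataclasses import dataclass

# RADIUS packet codes (RFC 2865 / RFC 2866)
RADIUS_CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
}
# EAP codes (RFC 3748)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
ATTR_EAP_MESSAGE = 79      # RFC 2869: EAP packet carried inside RADIUS, possibly fragmented
ATTR_ACCT_STATUS_TYPE = 40  # RFC 2866

# Pairings the switch expects at the end of session authorization.
EXPECTED_EAP = {"Access-Accept": "Success", "Access-Reject": "Failure"}


@dataclass
class RadiusPacket:
    code: int
    identifier: int
    authenticator: bytes
    attributes: list  # (type, value) pairs in wire order


def parse_radius(data: bytes) -> RadiusPacket:
    """Parse the 20-byte RADIUS header and the attribute list that follows it."""
    if len(data) < 20:
        raise ValueError("RADIUS header needs 20 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("RADIUS Length field inconsistent with buffer")
    attributes = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attributes.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return RadiusPacket(code, ident, data[4:20], attributes)


def eap_code_name(pkt: RadiusPacket):
    """Reassemble EAP-Message fragments and return the EAP code name, or None if absent."""
    eap = b"".join(value for atype, value in pkt.attributes if atype == ATTR_EAP_MESSAGE)
    if not eap:
        return None
    if len(eap) < 4:
        raise ValueError("EAP header needs 4 bytes")
    ecode, _eid, elen = struct.unpack("!BBH", eap[:4])
    if elen != len(eap):
        raise ValueError("EAP Length field does not match reassembled payload")
    return EAP_CODES.get(ecode, f"code-{ecode}")


def classify(data: bytes) -> dict:
    """Return the RADIUS code name, the EAP code name, and whether they are an expected pair."""
    pkt = parse_radius(data)
    radius_name = RADIUS_CODES.get(pkt.code, f"code-{pkt.code}")
    eap_name = eap_code_name(pkt)
    expected = EXPECTED_EAP.get(radius_name)
    consistent = expected is None or eap_name == expected
    return {"radius": radius_name, "eap": eap_name, "consistent": consistent}


# --- constructed sample packets (not captured traffic) ---

def build_radius(code: int, ident: int, attributes) -> bytes:
    """Serialize a RADIUS packet with a zeroed authenticator (no integrity protection)."""
    body = b"".join(struct.pack("!BB", atype, len(value) + 2) + value
                    for atype, value in attributes)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def build_eap(code: int, ident: int, payload: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


ACCEPT_WITH_SUCCESS = build_radius(2, 7, [(ATTR_EAP_MESSAGE, build_eap(3, 7))])
REJECT_WITH_FAILURE = build_radius(3, 8, [(ATTR_EAP_MESSAGE, build_eap(4, 8))])
# Access-Reject carrying EAP Success: the codes disagree and the switch should not open the port.
REJECT_WITH_SUCCESS = build_radius(3, 9, [(ATTR_EAP_MESSAGE, build_eap(3, 9))])
# Acct-Status-Type = Start (1), sent by the switch once the authorization policy is applied.
ACCOUNTING_REQUEST = build_radius(4, 10, [(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))])
# Access-Challenge whose EAP Request is split across two EAP-Message attributes.
_EAP_REQUEST = build_eap(1, 11, b"\x19" + bytes(6))
CHALLENGE_FRAGMENTED = build_radius(11, 11, [(ATTR_EAP_MESSAGE, _EAP_REQUEST[:5]),
                                             (ATTR_EAP_MESSAGE, _EAP_REQUEST[5:])])

if __name__ == "__main__":
    for name, pkt in [("accept", ACCEPT_WITH_SUCCESS), ("reject", REJECT_WITH_FAILURE),
                      ("mismatch", REJECT_WITH_SUCCESS), ("acct", ACCOUNTING_REQUEST),
                      ("challenge", CHALLENGE_FRAGMENTED)]:
        print(name, classify(pkt))
```

The `consistent` flag is the check a monitoring pipeline would want: an Access-Reject is what the Access-Rejects counter on this page counts, and a reject whose EAP payload says Success (or the reverse) points at a broken proxy or a malformed server response rather than an ordinary failed logon.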

Element properties:

Target: Microsoft.NetworkPolicyServer.NPSServers
Category: PerformanceCollection
Enabled: False
Instance Name: NPS Authentication Clients
Counter Name: Access-Rejects
Frequency: 900
Alert Generate: False
Remotable: True

Member Modules:

ID         Module Type   TypeId                                                        RunAs
DS         DataSource    System.Performance.OptimizedDataProvider                      Default
WriteToDB  WriteAction   Microsoft.SystemCenter.CollectPerformanceData                 Default
WriteToDW  WriteAction   Microsoft.SystemCenter.DataWarehouse.PublishPerformanceData   Default

Source Code:

<Rule ID="Microsoft.NetworkPolicyServer.NPSAuthenticationClientsAccessRejects.PerfRule" Enabled="false" Target="Microsoft.NetworkPolicyServer.NPSServers" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>PerformanceCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Performance!System.Performance.OptimizedDataProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <CounterName>Access-Rejects</CounterName>
      <ObjectName>NPS Authentication Clients</ObjectName>
      <InstanceName/>
      <AllInstances>true</AllInstances>
      <Frequency>900</Frequency>
      <Tolerance>0</Tolerance>
      <ToleranceType>Absolute</ToleranceType>
      <MaximumSampleSeparation>1</MaximumSampleSeparation>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectPerformanceData"/>
    <WriteAction ID="WriteToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishPerformanceData"/>
  </WriteActions>
</Rule>
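The rule above only collects the raw Access-Rejects counter for every instance every 900 seconds and writes it to the operational and data warehouse databases; it generates no alert. The following Python is an added example, not part of the management pack, of how a detection could consume that stored series: it turns the cumulative per-instance counter into rejects per collection interval, handles a counter that goes backwards (a reset, for example after the NPS service restarts), and flags any client whose rejects in one interval exceed a threshold. The sample rows, the instance names and the threshold are constructed for the example, and it assumes each counter instance is one RADIUS client (the switch or access point), as the description "sent to this client" indicates.

```python
from collections import defaultdict

FREQUENCY_SECONDS = 900  # same interval as <Frequency>900</Frequency> in the rule

# Constructed samples: (timestamp in seconds, counter instance, Access-Rejects value).
# The counter is cumulative, so the quantity of interest is the increase between samples.
SAMPLES = [
    (0,    "NAS-SWITCH-A", 120), (0,    "NAS-SWITCH-B", 40),  (0,   "NAS-SWITCH-C", 50),
    (900,  "NAS-SWITCH-A", 123), (900,  "NAS-SWITCH-B", 41),  (900, "NAS-SWITCH-C", 5),
    (1800, "NAS-SWITCH-A", 125), (1800, "NAS-SWITCH-B", 410),
    (2700, "NAS-SWITCH-A", 126), (2700, "NAS-SWITCH-B", 980),
]


def rejects_per_interval(samples):
    """Return {instance: [(timestamp, rejects since the previous sample), ...]}."""
    by_instance = defaultdict(list)
    for ts, instance, value in sorted(samples):
        by_instance[instance].append((ts, value))
    result = {}
    for instance, series in by_instance.items():
        deltas = []
        for (t0, v0), (t1, v1) in zip(series, series[1:]):
            if v1 < v0:
                # Counter went backwards: it was reset (for example by an NPS restart),
                # so everything counted since the reset belongs to this interval.
                deltas.append((t1, v1))
            else:
                deltas.append((t1, v1 - v0))
        result[instance] = deltas
    return result


def flag_clients(samples, max_rejects_per_interval=100):
    """Return {instance: [(timestamp, rejects), ...]} for intervals above the threshold."""
    flagged = {}
    for instance, deltas in rejects_per_interval(samples).items():
        hits = [(ts, n) for ts, n in deltas if n > max_rejects_per_interval]
        if hits:
            flagged[instance] = hits
    return flagged


if __name__ == "__main__":
    for instance, hits in flag_clients(SAMPLES).items():
        for ts, n in hits:
            print(f"{instance}: {n} Access-Rejects in the {FREQUENCY_SECONDS}s interval ending at t={ts}")
```

The threshold is a starting point, not a tuning recommendation: a client that serves many users at shift start will legitimately show more rejects than a closet switch, so a per-client baseline (for example the median interval delta over the previous day) is the usual next step. Treating a backwards step as a reset, rather than as a negative delta, keeps a service restart from masking a burst that happened immediately after it.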