Event contents from the domain controller are not completely logged.
For instance, here is an event as generated on the domain controller:
Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: PXLPERS\20002706
Account Name: 20002706@pxl.be
Account Domain: PXLPERS
Fully Qualified Account Name: PERS.PXL.LOCAL/Personeel/Turan Ascioglu
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 000B860306A0
Calling Station Identifier: A0A8CD875023
NAS:
NAS IPv4 Address: 192.168.251.240
NAS IPv6 Address: -
NAS Identifier: 192.168.251.240
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: controller240
Client IP Address: 192.168.251.240
Authentication Details:
Connection Request Policy Name: 802.1X and Captive Portal
Network Policy Name: 802.1X and Captive Portal Docenten Wireless
Authentication Provider: Windows
Authentication Server: PXLDC1.PXL.LOCAL
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Quarantine Information:
Result: Full Access
Extended-Result: -
Session Identifier: -
Help URL: -
System Health Validator Result(s): -
Mind the part in RED.
Now, compare this to the event as seen by LEM.
This event is logged by the Network Policy Server whenever a user authenticates through 802.1x on a Wi-Fi or wired connection. In the source event (red part) I can see the RADIUS client (controller, access point or switch) that initiates the PEAP authentication (192.168.254.240).
However, in the event in LEM, nothing is mentioned about the RADIUS client.
This is just an example. I can imagine a lot of other (maybe) useful data that is lost.
Is this normal behaviour or can I do something to fix this issue?
Thanks in advance.
Turan
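
One way to check which source fields a normalized copy dropped, as an added example that is not part of the original post: the script parses the Network Policy Server message text into sections and lists every field whose value appears nowhere in the SIEM's version of the event. The sample event, its values, and the `NORMALIZED` field names are constructed for illustration and are not LEM's actual schema.

```python
# Added example: parse an NPS event message and list what a SIEM copy lost.
SAMPLE_EVENT = """\
Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: EXAMPLE\\user01
Account Name: user01@example.test
Client Machine:
Calling Station Identifier: 020000000001
NAS:
NAS IPv4 Address: 192.0.2.10
NAS Port-Type: Wireless - IEEE 802.11
RADIUS Client:
Client Friendly Name: controller-a
Client IP Address: 192.0.2.10
Authentication Details:
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Quarantine Information:
Result: Full Access
Session Identifier: -
"""  # constructed sample in the same layout as the event in the post

def parse_nps_event(text):
    """Return (summary, {section: {field: value}}) from the event message text."""
    summary, sections, current = "", {}, None
    for raw in text.splitlines():
        # Split on the first colon only, so "EAP Type: Microsoft: ..." stays whole.
        key, sep, value = (part.strip() for part in raw.partition(":"))
        if not sep:                     # no colon: the leading description line
            summary = summary or key
        elif not value:                 # "RADIUS Client:" opens a new section
            current = sections.setdefault(key, {})
        elif current is not None:       # "Client IP Address: 192.0.2.10"
            current[key] = value
    return summary, sections

def lost_fields(sections, normalized):
    """List (section, field, value) whose value appears nowhere in the SIEM copy."""
    seen = {str(v) for v in normalized.values()}
    return [(s, f, v) for s, fields in sections.items()
            for f, v in fields.items() if v != "-" and v not in seen]

# Hypothetical normalized event; these field names are invented for illustration.
NORMALIZED = {"DestinationAccount": "user01@example.test",
              "SourceAccount": "EXAMPLE\\user01", "LogonType": "PEAP"}

if __name__ == "__main__":
    _, parsed = parse_nps_event(SAMPLE_EVENT)
    for section, field, value in lost_fields(parsed, NORMALIZED):
        print(f"{section} / {field} = {value}")
```

Fields the source reports as `-` are skipped, so the output lists only data that was actually present on the domain controller and missing downstream.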