Event contents from the domain controller are not completely logged.
For instance, here is an event as generated on the domain controller:
Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: PXLPERS\20002706
Account Name: 20002706@pxl.be
Account Domain: PXLPERS
Fully Qualified Account Name: PERS.PXL.LOCAL/Personeel/Turan Ascioglu
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 000B860306A0
Calling Station Identifier: A0A8CD875023
NAS:
NAS IPv4 Address: 192.168.251.240
NAS IPv6 Address: -
NAS Identifier: 192.168.251.240
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: controller240
Client IP Address: 192.168.251.240
Authentication Details:
Connection Request Policy Name: 802.1X and Captive Portal
Network Policy Name: 802.1X and Captive Portal Docenten Wireless
Authentication Provider: Windows
Authentication Server: PXLDC1.PXL.LOCAL
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Quarantine Information:
Result: Full Access
Extended-Result: -
Session Identifier: -
Help URL: -
System Health Validator Result(s): -
Mind the part in RED.
Now, compare this to the event as seen by LEM.
This event is logged by the Network Policy Server whenever a user authenticates through 802.1X on a Wi-Fi or wired connection. In the source event (red part) I can see the RADIUS client (controller, access point or switch) that initiates the PEAP authentication (192.168.254.240).
However, in the event in LEM, nothing is mentioned about the RADIUS client.
This is just an example. I can imagine a lot of other (maybe) useful data that is lost.
Is this normal behaviour or can I do something to fix this issue?
Thanks in advance.
Turan