While debugging EAP-TLS authentication between a Windows 7 desktop and a Windows Server 2016 NPS, I noticed that the Event Log for Network Policy and Access Services was pretty empty compared to the screenshots I had found while talking to Google.
The only Event IDs I could see at the time were 4400, generated when NPS connects to AD (LDAP), and 13, generated when Nessus scans the network overnight.
None of the authentication events (6272 and 6278) that I had seen on the Internet were logged.
I double checked NPS Event Logging and it was indeed enabled.
Then I came across an article which says that Network Policy Server (NPS) may not log successful or failed authentication events in the Security log in Event Viewer. It actually talks about Windows Server 2008, but I decided to give it a go anyway, and it didn’t work either.
Finally a colleague suggested checking the audit settings in GPO, as he had recollections of changing something there in the rather distant past.
So I talked to Google again and figured out that a new Policy with the following settings was in order.
I applied that to the NPS servers and BOOM!, the authentication events finally started to show up in the Event Log.
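For anyone who wants to check the same thing from the command line rather than hunting through the Group Policy editor, here is an added example (mine, not part of the original post) that inspects and enables the audit subcategory these events depend on, "Network Policy Server" under Logon/Logoff, and then pulls the resulting 6272/6273/6278 events out of the Security log. The EventData field names used in the filter are taken from the event XML and are assumed; any field an event does not carry simply shows up empty. Run it in an elevated PowerShell on the NPS server.

```powershell
# Added example, not code from the original post.
# 1. Show the current state of the audit subcategory that NPS authentication events need.
auditpol /get /subcategory:"Network Policy Server"

# 2. Enable success and failure auditing for it locally.
#    Caveat: if a domain GPO sets anything under Advanced Audit Policy Configuration, it overrides
#    this local setting at the next policy refresh, so the lasting fix is the same setting in a
#    GPO linked to the NPS servers (Logon/Logoff > Audit Network Policy Server: Success, Failure).
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# 3. After the next authentication attempt, read the NPS events from the Security log.
#    6272 = access granted, 6273 = access denied, 6278 = full access granted (health policy met).
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273, 6278
    StartTime = $since
} | ForEach-Object {
    # Flatten the EventData section of the event XML into a name -> value table.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    # Field names below are assumed from the event schema; absent ones print blank.
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Id         = $_.Id
        User       = $data['SubjectUserName']
        Client     = $data['ClientName']
        NAS        = $data['NASIdentifier']
        Policy     = $data['NetworkPolicyName']
        EAPType    = $data['EAPType']
        ReasonCode = $data['ReasonCode']
        Reason     = $data['Reason']
    }
} | Format-Table -AutoSize
```

The `auditpol /get` call before and after the change is the quick way to tell whether a GPO is silently resetting the subcategory: if it reads "No Auditing" again after a `gpupdate /force`, the setting has to go into Group Policy rather than the local policy.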
I checked archives in ELK going back to 2015, when 802.1X was originally set up, and I have never seen any of these 6272 Event IDs, not even on NPS running on Windows Server 2012 R2, so my guess is that this is disabled by default and has to be explicitly enabled.
All in all this exercise was worth the trouble because the Event Log is much easier to read than that funny accounting log.