Windows Event ID 5142 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted User Access

Start by examining the complete event details to understand the authentication context:

1. Open Event Viewer → Windows Logs → Security
2. Filter for Event ID 5142 using the filter option
3. Double-click a recent Event ID 5142 entry
4. Review key fields in the event details:
   • Subject: The user account that was granted access
   • Client Machine: Source computer or device
   • Authentication Provider: Method used (Windows, RADIUS proxy)
   • Authentication Server: NPS server processing the request
   • Authentication Type: Protocol used (PEAP, EAP-TLS, PAP, etc.)
   • Network Policy Name: Policy that granted access
5. Note the Calling Station ID and NAS Identifier to identify the access point or switch

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5142} -MaxEvents 50 | Select-Object TimeCreated, Id, @{Name='User';Expression={($_.Properties[0].Value)}}, @{Name='ClientMachine';Expression={($_.Properties[4].Value)}}

Use PowerShell to identify authentication trends and potential security concerns:

1. Extract authentication data for analysis:

   $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5142; StartTime=(Get-Date).AddDays(-7)}
   $AuthData = $Events | ForEach-Object {
       [PSCustomObject]@{
           Time = $_.TimeCreated
           User = $_.Properties[0].Value
           ClientMachine = $_.Properties[4].Value
           AuthType = $_.Properties[10].Value
           NetworkPolicy = $_.Properties[11].Value
           CallingStationId = $_.Properties[5].Value
       }
   }

2. Group authentications by user to identify patterns:

   $AuthData | Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count

3. Identify authentication methods in use:

   $AuthData | Group-Object AuthType | Sort-Object Count -Descending

4. Check for unusual authentication times or locations:

   $AuthData | Where-Object {$_.Time.Hour -lt 6 -or $_.Time.Hour -gt 22} | Format-Table Time, User, ClientMachine

Verify that successful authentications align with intended network policies:

1. Open Network Policy Server console from Administrative Tools
2. Navigate to Policies → Network Policies
3. Review the network policy mentioned in Event ID 5142
4. Check policy conditions and constraints:
   • User/Group membership requirements
   • Authentication method restrictions
   • Time-of-day limitations
   • Calling station ID filters
5. Verify RADIUS client configuration under RADIUS Clients and Servers
6. Use PowerShell to export NPS configuration for documentation:

   Export-NpsConfiguration -Path "C:\NPSBackup\NPS-Config-$(Get-Date -Format 'yyyy-MM-dd').xml"

7. Review connection request policies that may affect authentication flow
8. Check accounting settings to ensure proper logging is enabled

Correlate NPS events with network device logs for complete authentication visibility:

1. Identify the network access server from the NAS-Identifier field in Event ID 5142
2. Access logs on the corresponding network device (wireless controller, switch, VPN server)
3. Match timestamps and session identifiers between NPS and network device logs
4. Use PowerShell to create correlation reports:

   $NPSEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5142; StartTime=(Get-Date).AddHours(-1)}
   $CorrelationData = $NPSEvents | ForEach-Object {
       $EventXML = [xml]$_.ToXml()
       [PSCustomObject]@{
           NPSTime = $_.TimeCreated
           SessionId = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'AcctSessionId'} | Select-Object -ExpandProperty '#text'
           CallingStationId = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'CallingStationId'} | Select-Object -ExpandProperty '#text'
           NASIdentifier = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'NASIdentifier'} | Select-Object -ExpandProperty '#text'
       }
   }

5. Export correlation data for analysis:

   $CorrelationData | Export-Csv -Path "C:\Logs\NPS-Correlation-$(Get-Date -Format 'yyyy-MM-dd-HHmm').csv" -NoTypeInformation

6. Review for authentication delays or failures not reflected in NPS logs

Set up proactive monitoring for authentication patterns and security anomalies:

1. Create custom Event Viewer views for NPS authentication monitoring:
   • Right-click Custom Views in Event Viewer
   • Select Create Custom View
   • Filter for Event IDs 5140, 5141, 5142 from Security log
   • Save as "NPS Authentication Events"
2. Configure Windows Event Forwarding for centralized logging:

   wecutil cs "C:\Config\NPSSubscription.xml"

3. Set up PowerShell scheduled tasks for automated analysis:

   $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\NPS-Analysis.ps1"
   $Trigger = New-ScheduledTaskTrigger -Daily -At "06:00AM"
   $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
   Register-ScheduledTask -TaskName "NPS Daily Analysis" -Action $Action -Trigger $Trigger -Settings $Settings

4. Integrate with SIEM solutions using Windows Event Forwarding or log shipping
5. Create baseline authentication patterns and alert on deviations
6. Monitor for authentication attempts from unusual locations or times