ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Network Policy Server monitoring dashboard showing authentication events and security logs
Event ID 6273InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 6273Microsoft-Windows-Security-Auditing 5 methods 9 min
Event Reference

What This Event Means

Event ID 6273 represents a successful completion of the RADIUS authentication and authorization process within Microsoft's Network Policy Server infrastructure. When a client device attempts to connect to a network resource protected by 802.1X authentication, VPN gateway, or wireless access point configured for RADIUS authentication, the request flows through NPS for policy evaluation.

The event generates after NPS validates the client's credentials against Active Directory, evaluates applicable network policies, and determines that access should be granted based on configured conditions. This includes checking user group memberships, device compliance status, time-based restrictions, and location-based policies depending on your NPS configuration.

The event record contains comprehensive details including the client's IP address, MAC address, authentication method used (such as PEAP-MSCHAPv2, EAP-TLS, or PAP), the network policy that granted access, and session-specific identifiers. These details prove invaluable for security auditing, compliance reporting, and troubleshooting network access issues.

In modern Windows Server 2025 environments, this event integrates with advanced security features like conditional access policies and device compliance checks, making it a critical component of zero-trust network architectures.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025
Analysis

Possible Causes

  • Successful user authentication through 802.1X enabled network switches or wireless access points
  • VPN client successfully connecting through NPS-protected gateway with valid credentials
  • Wireless device completing WPA2-Enterprise or WPA3-Enterprise authentication
  • Network device authenticating through RADIUS for management access
  • DirectAccess client establishing connection through NPS policy validation
  • Remote Desktop Gateway connection authorized through NPS policies
  • Third-party network equipment using RADIUS authentication against Windows NPS
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the complete event details to understand the authentication context and client information.

  1. Open Event Viewer on your NPS server or domain controller
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 6273 using the filter option
  4. Double-click the event to view detailed information including:
    • User name and domain
    • Client IP address and MAC address
    • Authentication method used
    • Network policy name that granted access
    • Session identifier and timestamp
  5. Note the Calling Station ID which typically contains the client's MAC address
  6. Check the NAS-Identifier field to identify which network device processed the request
Pro tip: The Calling Station ID format varies by vendor - Cisco uses hyphens while other vendors may use colons or no separators.
02

Query Events with PowerShell for Analysis

Use PowerShell to extract and analyze Event ID 6273 occurrences for patterns and trends.

  1. Open PowerShell as Administrator on your NPS server
  2. Query recent successful authentications:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273} -MaxEvents 50 | Select-Object TimeCreated, Id, @{Name='User';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*User Name:*'}) -replace '.*User Name:\s*',''}}, @{Name='ClientIP';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Client IP Address:*'}) -replace '.*Client IP Address:\s*',''}}
  3. Filter events by specific user or time range:
    $StartTime = (Get-Date).AddHours(-24)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273; StartTime=$StartTime}
$Events | Where-Object {$_.Message -like '*john.doe*'}
  4. Export authentication data for compliance reporting:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273; StartTime=(Get-Date).AddDays(-7)} | Select-Object TimeCreated, @{Name='Details';Expression={$_.Message}} | Export-Csv -Path 'C:\Logs\NPS_Access_Granted.csv' -NoTypeInformation
03

Correlate with Network Policy Configuration

Verify that the granted access aligns with your intended network policy configuration and security requirements.

  1. Open Network Policy Server console from Administrative Tools
  2. Navigate to PoliciesNetwork Policies
  3. Locate the policy name mentioned in the Event ID 6273 details
  4. Review the policy conditions to ensure they match your security requirements:
    • User/Group membership requirements
    • Time-based access restrictions
    • Device compliance requirements
    • Location-based conditions
  5. Check the policy constraints and settings:
    • Authentication methods allowed
    • Session timeout values
    • VLAN assignments or IP filters
    • Bandwidth limitations
  6. Verify the policy processing order by checking the Processing Order column
  7. Test policy changes in a controlled environment before production deployment
Warning: Modifying network policies can immediately affect user access. Always test changes during maintenance windows.
04

Monitor Authentication Patterns and Anomalies

Implement monitoring to detect unusual authentication patterns that might indicate security concerns.

  1. Create a PowerShell script to monitor authentication frequency:
    # Monitor for unusual authentication patterns
$Yesterday = (Get-Date).AddDays(-1)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273; StartTime=$Yesterday}

# Group by user to identify high-frequency authentications
$UserStats = $Events | ForEach-Object {
    $Message = $_.Message
    $User = ($Message -split '\n' | Where-Object {$_ -like '*User Name:*'}) -replace '.*User Name:\s*',''
    $ClientIP = ($Message -split '\n' | Where-Object {$_ -like '*Client IP Address:*'}) -replace '.*Client IP Address:\s*',''
    [PSCustomObject]@{
        User = $User
        ClientIP = $ClientIP
        TimeCreated = $_.TimeCreated
    }
} | Group-Object User | Select-Object Name, Count | Sort-Object Count -Descending

$UserStats | Where-Object {$_.Count -gt 100}
  2. Set up scheduled tasks to run monitoring scripts and alert on anomalies
  3. Configure Windows Event Forwarding to centralize NPS logs from multiple servers
  4. Use registry settings to increase Security log size if needed:
    Set-ItemProperty -Path 'HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security' -Name 'MaxSize' -Value 0x6400000  # 100MB
05

Advanced Troubleshooting with NPS Logging

Enable comprehensive NPS logging for detailed authentication flow analysis and advanced troubleshooting scenarios.

  1. Configure NPS accounting and authentication logging:
    • Open Network Policy Server console
    • Right-click NPS (Local) and select Properties
    • Go to the Event Logging tab
    • Enable Success and failure events for both authentication and accounting
  2. Enable detailed request logging:
    • Navigate to Accounting in the NPS console
    • Right-click Log File Properties
    • Configure log file format as IAS (Legacy) or DTS Compliant
    • Set appropriate log file rotation and size limits
  3. Analyze NPS log files for detailed session information:
    # Parse NPS log files for authentication details
$LogPath = 'C:\Windows\System32\LogFiles\IN*.log'
$LogEntries = Get-Content $LogPath | Where-Object {$_ -like '*6273*' -or $_ -like '*Access-Accept*'}
$LogEntries | Select-Object -First 10
  4. Cross-reference Event ID 6273 with corresponding RADIUS accounting start/stop events (Event IDs 6272, 6274)
  5. Use network packet capture tools like Wireshark to analyze RADIUS traffic if authentication issues persist
Pro tip: NPS log files contain more detailed information than Windows Event Logs, including all RADIUS attributes exchanged during authentication.

Overview

Event ID 6273 fires when Microsoft Network Policy Server (NPS) successfully grants network access to a client after completing authentication and authorization checks. This event appears in the Security log on domain controllers and NPS servers running the Network Policy and Access Services role. The event captures critical details about successful RADIUS authentication sessions, including client information, authentication methods, and applied network policies.

This event is essential for network access monitoring in enterprise environments using 802.1X authentication, VPN connections, or wireless network access through RADIUS. System administrators rely on Event ID 6273 to track successful network authentications, validate policy enforcement, and maintain audit trails for compliance requirements. The event provides detailed information about which users or devices gained network access, when the access was granted, and which network policies were applied during the authorization process.

Understanding this event helps administrators monitor network security posture, troubleshoot authentication issues, and ensure proper policy application across network infrastructure components.

Frequently Asked Questions

What does Event ID 6273 mean and when does it occur?+
Event ID 6273 indicates that Network Policy Server (NPS) has successfully granted network access to a client after completing authentication and authorization. It occurs when a user or device successfully authenticates through RADIUS protocols, such as during 802.1X network access, VPN connections, or wireless authentication. The event confirms that the client met all policy requirements and has been granted access to network resources.
How can I identify which network policy granted access in Event ID 6273?+
The network policy name is included in the event details under the 'Network Policy Name' field. To view this information, open the event in Event Viewer and look for the policy name in the event description. You can also extract this information using PowerShell by parsing the event message content. The policy name helps you understand which set of conditions and constraints were applied to grant the access.
Why am I seeing multiple Event ID 6273 entries for the same user?+
Multiple Event ID 6273 entries for the same user are normal and can occur for several reasons: re-authentication intervals configured in your network policies, user switching between different network access points, session renewals for long-running connections, or the user connecting multiple devices. Each successful authentication or re-authentication generates a separate event. You can correlate these events using the session identifier and timestamps to understand the authentication pattern.
How do I correlate Event ID 6273 with failed authentication attempts?+
To correlate successful authentications (Event ID 6273) with failed attempts, look for Event ID 6273's counterpart failure events such as Event ID 6272 (access denied) or authentication failure events. Use PowerShell to query both successful and failed events within the same time frame, filtering by username or client IP address. This correlation helps identify potential security issues, such as brute force attempts followed by successful compromise, or helps troubleshoot intermittent authentication problems.
Can Event ID 6273 help with compliance and security auditing?+
Yes, Event ID 6273 is crucial for compliance and security auditing as it provides a complete audit trail of successful network access grants. The event includes user identity, authentication method, client device information, timestamps, and applied policies. This information supports compliance requirements for standards like PCI DSS, HIPAA, or SOX that require monitoring of network access. You can export these events to SIEM systems or create automated reports to demonstrate proper access controls and policy enforcement.
Documentation

References (2)

1
Microsoft Learn - Network Policy Server OverviewComprehensive documentation about Network Policy Server configuration and management in Windows Server environments.https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top
2
Microsoft Docs - Security Auditing EventsOfficial documentation covering Windows security auditing events and their meanings for system administrators.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-6273#nps-authentication#radius-security

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min
Windows security monitoring dashboard displaying authentication package loading events in Event Viewer
Event 5632
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 5632 – LSA: Authentication Package Loaded

Event ID 5632 indicates that an authentication package has been loaded by the Local Security Authority (LSA). This security audit event tracks when authentication providers are initialized during system startup or security subsystem changes.

March 189 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...