We are setting up netlogin on our network switches to authenticate computers prior to letting them on the network. In the process, the switch will send the MAC address of the computer to the RADIUS server (we are using Windows Server 2003 IAS) to determine what VLAN the computer should be in.

In IAS there is an option for logging where you can log all authentication attempts to a central SQL server (we are using MSSQL Server 2005). This works great... until the SQL server is unavailable. According to Microsoft's own documentation:

If the IAS server cannot establish a connection with SQL Server 2000, the IAS server stops processing authentication and accounting requests and users cannot log on to the network

I couldn't believe what I read, until I tested it. If the logging server is unavailable users cannot log onto the network?!?! Since when is logging a critical function? We have offices in many locations and the SQL server in a central office, so if a link to an outlying office goes down, the users would no longer be able to log onto the network because the SQL server would be unreachable.

Is there any way to log IAS actions without having the whole process fail if the SQL server cannot be reached?

Andy May

3 Answers


If this is going to be a mission critical thing I'd suggest clustering your SQL Server. That particular drawback is specific to IAS so you'd have to take that up with Microsoft. Sorry :-/

  • You're saying have a SQL server at every office and have them all in a cluster, correct? I suppose that is a possibility, but seems extreme just to get some logging. I guess I'll just do local file logging and do something to collect them locally. – Andy May May 28 '09 at 14:30

For security purposes, logging is critical because the first thing hackers will do is disable logging to prevent being busted. SQL Server's own security auditing can be set up to function this same way - if logging stops working, then the instance stops. It's hard-core, but the security geeks say that's the way to go.

Brent Ozar
  • Not just SQL Server, but Windows as well. You can have the OS shut down if the security event log fills up, for instance. – K. Brian Kelley May 28 '09 at 16:57
  • While I agree that logging is critical, I think it should be an option to fail the authentication if the logging server is offline. Automatically failing authentication because the logging server is unavailable seems overkill. – Andy May May 28 '09 at 18:18

Install a local version of SQL Server on each IAS server. If logging isn't critical for you, that should work. It may mean a beefier solution, but that's the only way of doing this without deploying a separate server (which would be my normal preference) just for the SQL Server in each location. You can then use some sort of process to periodically pull records out of each local SQL Server instance to post to a centralized SQL Server for reporting purposes.

K. Brian Kelley
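
The design described in this answer (log to a database local to each IAS server, then periodically copy the rows to a central server), sketched as an added example that is not part of the original answer. It assumes sqlite3 as a stand-in for both SQL Server instances, and the table, column and site names are hypothetical; the point shown is that an outage leaves rows spooled locally and a retried batch cannot create duplicates centrally.

```python
import sqlite3

# Assumed: sqlite3 stands in for both SQL Servers; all names are hypothetical.
LOCAL_DDL = ("CREATE TABLE spool (id INTEGER PRIMARY KEY AUTOINCREMENT, ts TEXT, "
             "mac TEXT, result TEXT, forwarded INTEGER NOT NULL DEFAULT 0)")
CENTRAL_DDL = ("CREATE TABLE auth_log (site TEXT, local_id INTEGER, ts TEXT, "
               "mac TEXT, result TEXT, PRIMARY KEY (site, local_id))")

def log_local(local, ts, mac, result):
    """Record an authentication event at the site; no WAN dependency."""
    with local:
        local.execute("INSERT INTO spool (ts, mac, result) VALUES (?, ?, ?)",
                      (ts, mac, result))

def forward(local, connect_central, site, batch=500):
    """Push unforwarded rows to the central store; return rows confirmed."""
    rows = local.execute(
        "SELECT id, ts, mac, result FROM spool WHERE forwarded = 0 "
        "ORDER BY id LIMIT ?", (batch,)).fetchall()
    if not rows:
        return 0
    try:
        central = connect_central()
        with central:  # one transaction: the whole batch lands or none of it
            # The (site, local_id) key makes a retried batch a no-op.
            central.executemany(
                "INSERT OR IGNORE INTO auth_log VALUES (?, ?, ?, ?, ?)",
                [(site, *r) for r in rows])
    except (sqlite3.Error, OSError):
        return 0  # central unreachable: rows stay spooled for the next run
    with local:
        local.executemany("UPDATE spool SET forwarded = 1 WHERE id = ?",
                          [(r[0],) for r in rows])
    return len(rows)

def demo():
    """Constructed run: forwarding fails during an outage, then catches up."""
    local, central = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    local.execute(LOCAL_DDL)
    central.execute(CENTRAL_DDL)
    def down():
        raise OSError("link to central office is down")
    log_local(local, "2009-05-28T14:30:00", "00-11-22-33-44-55", "accept")
    log_local(local, "2009-05-28T14:31:00", "00-11-22-33-44-66", "reject")
    during = forward(local, down, "branch1")
    after = forward(local, lambda: central, "branch1")
    total = central.execute("SELECT COUNT(*) FROM auth_log").fetchone()[0]
    return during, after, total
```

`demo()` returns the rows forwarded during the simulated outage, the rows forwarded after recovery, and the central row count.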