Skip to content
KYRA MDR KYRA MDR Docs

RADIUS Authentication Integration

Overview

RADIUS provides centralized authentication for network access. KYRA MDR collects RADIUS accounting and authentication logs for monitoring network access and VPN authentication. Supports FreeRADIUS and Microsoft NPS.

Prerequisites

  • A KYRA MDR Collector installed and running
  • RADIUS server (FreeRADIUS or Microsoft NPS)
  • Administrative access to the RADIUS server
  • Network connectivity from the RADIUS server to the collector

Configuration

Configure RADIUS logging:

For FreeRADIUS:

/etc/freeradius/radiusd.conf
log {
    destination = syslog
    syslog_facility = local1
}

Forward via rsyslog:

/etc/rsyslog.d/radius.conf
local1.* @@<collector-ip>:514

For Microsoft NPS, configure Windows Event Forwarding to send NPS events to the collector.

Restart the RADIUS service after configuration changes.

Collected Log Types

Log TypeDescriptionSecurity Use
Access-AcceptSuccessful authentication eventsAccess monitoring
Access-RejectFailed authentication eventsBrute force detection
Accounting-StartSession start eventsSession tracking
Accounting-StopSession end eventsUsage monitoring
Access-ChallengeMFA challenge eventsMulti-factor auditing
CoAChange of Authorization eventsDynamic policy changes

Troubleshooting

No RADIUS logs: FreeRADIUS uses files destination by default. Set it to syslog.

Missing accounting data: Verify the NAS is configured for RADIUS accounting.

NPS events: Microsoft NPS logs to Windows Event Log. Use NXLog or WEF to forward events.

Contact kyra@seekerslab.com for support.