5632 A request was made to authenticate to a wireless network
Written when authentication to a wireless network is requested. It captures Wi-Fi authentication attempts via 802.1X and the like.
Overview
The subcategory is Audit Other Logon/Logoff Events. It is generated when an authentication request to a wireless network using 802.1X (a mechanism that authenticates a user/device before network connection) or similar is made. There are success (S) and failure (F) variants.
How it is triggered
- An authentication request when a device connects to Wi-Fi (especially enterprise 802.1X).
Security review points
- You can learn which account/device attempted to authenticate to which wireless network. Note authentication to corporate Wi-Fi by unexpected devices, or bursts of failures (unauthorized connection attempts).
- Together with the wired version 5633, track network-connection authentication. For certificate-based authentication, correlate with related certificate events.
Notes for log review
- It occurs normally and frequently in environments with many mobile devices. Match the device, account, and SSID against normal patterns.
- Confirm narrowed to concentrations of failures or connections by unexpected devices.
Key fields
| Field | Meaning |
|---|---|
Account Name | The account that requested authentication |
| Network information | The target wireless network |