Phantom log entries - run-away NPS log files (loop?)

  • Question

  • This week we started experiencing run-away log files with constant "phantom" (for lack of a better term) log entries. We have 2 NPS servers on individual domains, and I added Connection Request Policy rules to capture foreign domain user information and forward to the appropriate domain's NPS. Ref: https://social.technet.microsoft.com/Forums/en-US/2c4a7aeb-39e6-4efb-898a-77fd1c150da0/nps-proxy-proxy-machine-auth-requests?forum=winserverNAP

    Now, there appears to be a situation, perhaps some request that - maybe - has introduced a loop or some other errant behavior on both my NPS servers (there are thousands a second). The constant log entries look like this...

    <Event><Timestamp data_type="4">06/13/2019 15:36:01.668</Timestamp><Computer-Name data_type="1">DOMAIN1-DC2</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Acct-Status-Type data_type="0">7</Acct-Status-Type><Acct-Session-Id data_type="1">08ea4490812a-991628665ac0</Acct-Session-Id><Event-Timestamp data_type="4">06/13/2019 15:11:26</Event-Timestamp><Acct-Delay-Time data_type="0">0</Acct-Delay-Time><NAS-IP-Address data_type="3">10.136.110.5</NAS-IP-Address><NAS-Identifier data_type="1">AP-7</NAS-Identifier><Called-Station-Id data_type="1">08-EA-44-90-81-2A:WESTFIELD-Wireless</Called-Station-Id><Client-IP-Address data_type="3">10.98.11.10</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">DOMAIN2-DC2</Client-Friendly-Name><Provider-Type data_type="0">2</Provider-Type><Packet-Type data_type="0">4</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

    So, the request has a NAS ID of a valid wireless AP, but the Client is the "other" NPS server (domain2-dc2).  Notice there is no User-Name field ( like <Acct-Authentic data_type="0">1</Acct-Authentic><User-Name data_type="1">b.rubble</User-Name>).  My forward rules are simply user= "domain2\b.rubble" forward to domain2 NPS, & "host/pcname.domain2.org" forward to domain2 NPS - otherwise process the request locally.

    So, an incoming request to domain1 NPS either matches the forwarding rules, or is processed locally. Here, it seems some other requests are being passed from domain1 to domain2 NPS where it rules wild (and it also works in reverse, domain2 to domain1).

    I can stop this behavior by disabling communication between the NPS servers (via disabling the radius client entry of the other NPS server).  What is also interesting, I ran both servers (with their forwarding functioning) for perhaps 2 hours this morning, before the problem happened.

    Stumped, any ideas anyone?

    Friday, June 14, 2019 3:40 PM

Answers

  • Last follow up. Now that I've run for at least a week with the change, the adjustment noted in this article below appears to have solved the problem. While I do get the "phantom" log entries at times, they don't "run-away", meaning there is one log entry, not thousands.

    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-disable-nas-notifications

    "You can use this procedure to disable the forwarding of start and stop messages from network access servers (NASs) to members of a remote RADIUS server group configured in NPS.

    This creates unnecessary network traffic. To eliminate this traffic, disable NAS notification forwarding for individual servers in each remote RADIUS server group."

    • Marked as answer by Kevin Berrien Tuesday, July 23, 2019 3:53 PM
    Tuesday, July 23, 2019 3:53 PM
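Decoding the record posted in the question, as an added example (Python, not part of the original thread or of NPS itself): in the IAS XML format, data_type 0 fields are bare RADIUS integers, so Packet-Type 4 is an Accounting-Request and Acct-Status-Type 7 is Accounting-On (RFC 2866), i.e. a NAS "start" notification, which carries no User-Name by design and is exactly what the "forward start and stop notifications" setting in the accepted answer controls. The code parses such lines, maps the code points, marks records whose immediate RADIUS client (Client-Friendly-Name) is not the NAS named in the packet (relayed by the other NPS), and flags a notification logged many times within a short window. The sample lines are constructed from the template in the question; the window and threshold values are arbitrary assumptions, and the session IDs other than the posted one are made up.

```python
"""Decode NPS IAS-format (XML) log lines and flag run-away NAS notifications."""
from collections import Counter, defaultdict
from datetime import datetime
import xml.etree.ElementTree as ET

# RFC 2865/2866 code points that NPS logs as bare integers.
PACKET_TYPE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request", 11: "Access-Challenge"}
ACCT_STATUS_TYPE = {1: "Start", 2: "Stop", 3: "Interim-Update",
                    7: "Accounting-On", 8: "Accounting-Off"}

def parse_entry(line):
    """One <Event> line -> dict; data_type 0 (integer) fields become ints."""
    rec = {}
    for child in ET.fromstring(line.strip()):
        text = child.text or ""
        rec[child.tag] = int(text) if child.get("data_type") == "0" else text
    return rec

def parse_ts(text):
    """IAS timestamps appear with and without fractional seconds."""
    for fmt in ("%m/%d/%Y %H:%M:%S.%f", "%m/%d/%Y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp {text!r}")

def is_nas_notification(rec):
    # Accounting-Request carrying Accounting-On/Off: a NAS start/stop notification.
    return rec.get("Packet-Type") == 4 and rec.get("Acct-Status-Type") in (7, 8)

def is_proxied(rec):
    # True when the immediate RADIUS client is not the NAS named in the packet,
    # i.e. the record was relayed by another NPS rather than sent by the AP itself.
    return rec.get("Client-Friendly-Name") != rec.get("NAS-Identifier")

def summarize(lines):
    """Count records by (packet type, status type, relayed-by-proxy?)."""
    counts = Counter()
    for line in lines:
        rec = parse_entry(line)
        counts[(PACKET_TYPE.get(rec.get("Packet-Type"), "?"),
                ACCT_STATUS_TYPE.get(rec.get("Acct-Status-Type"), "?"),
                is_proxied(rec))] += 1
    return counts

def find_runaway(lines, window_seconds=60, threshold=10):
    """Return [(key, copies)] for NAS notifications logged at least `threshold`
    times within `window_seconds`. The key identifies one notification: same
    relaying client, same NAS, same session id, same Event-Timestamp."""
    stamps_by_key = defaultdict(list)
    for line in lines:
        rec = parse_entry(line)
        if not is_nas_notification(rec):
            continue
        key = (rec.get("Client-Friendly-Name"), rec.get("NAS-Identifier"),
               rec.get("Acct-Session-Id"), rec.get("Event-Timestamp"))
        stamps_by_key[key].append(parse_ts(rec["Timestamp"]))
    hits = []
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        left, best = 0, 0
        for right, t in enumerate(stamps):      # sliding window over sorted times
            while (t - stamps[left]).total_seconds() > window_seconds:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            hits.append((key, best))
    return hits

def make_entry(timestamp, client, status_type, session_id, user=None):
    """Constructed IAS-format record modelled on the one posted in the question."""
    fields = [("Timestamp", 4, timestamp), ("Computer-Name", 1, "DOMAIN1-DC2"),
              ("Event-Source", 1, "IAS"), ("Acct-Status-Type", 0, status_type),
              ("Acct-Session-Id", 1, session_id),
              ("Event-Timestamp", 4, "06/13/2019 15:11:26"),
              ("NAS-IP-Address", 3, "10.136.110.5"), ("NAS-Identifier", 1, "AP-7"),
              ("Client-IP-Address", 3, "10.98.11.10"),
              ("Client-Friendly-Name", 1, client), ("Packet-Type", 0, 4),
              ("Reason-Code", 0, 0)]
    if user:
        fields.append(("User-Name", 1, user))
    body = "".join(f'<{t} data_type="{d}">{v}</{t}>' for t, d, v in fields)
    return f"<Event>{body}</Event>"

# Constructed sample: 12 copies of the same Accounting-On relayed by the other NPS
# within ~3 s (the loop), one genuine Start from the AP itself, and one lone
# Accounting-On relayed once (what the thread still sees after the fix).
SAMPLE_LINES = [make_entry(f"06/13/2019 15:36:{1 + i * 0.25:06.3f}", "DOMAIN2-DC2", 7,
                           "08ea4490812a-991628665ac0") for i in range(12)]
SAMPLE_LINES.append(make_entry("06/13/2019 15:36:02.500", "AP-7", 1,
                               "11223344aabb-000000000007", user="b.rubble"))
SAMPLE_LINES.append(make_entry("06/13/2019 15:40:00.000", "DOMAIN2-DC2", 7,
                               "aabbccddeeff-000000000001"))

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LINES).items():
        print(f"{count:4d}  {key}")
    for key, copies in find_runaway(SAMPLE_LINES, window_seconds=5, threshold=10):
        print(f"RUN-AWAY: {copies} copies of {key}")
```

Run against a real NPS log by replacing SAMPLE_LINES with the file's lines (one <Event> per line). A single relayed Accounting-On per NAS boot is normal; the same one repeating inside a few seconds is the loop, and it is keyed on Event-Timestamp precisely because a relayed copy keeps the NAS's original timestamp while the log Timestamp keeps advancing.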

All replies

  • Hi,

    it seems some other requests are being passed from domain1 to domain2 NPS where it rules wild.

    What type of requests are these? Where do they come from?

    My forward rules are simply user= "domain2\b.rubble" forward to domain2 NPS, & "host/pcname.domain2.org" forward to domain2 NPS - otherwise process the request locally. 

    You can add more conditions to limit request forwarding, such as called station ID.

    Best regards,

    Travis


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, June 17, 2019 7:59 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Travis


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, June 19, 2019 7:06 AM
    Moderator
  • I disabled the Radius Client entry of the "other domain" radius servers - this stops the issue. 

    I figured when I went into production, and my Network Policies are very specific (previously I had an allow-all 802.11 wireless connection request policy in place), I wouldn't see these "phantom" log entries again.

    Today, I went to production, and I immediately saw the issue. Then it stopped for maybe 10-20 mins, and came back. It's definitely in relation to the two NPS servers forwarding to each other.

    My problem is, I don't know what these log entries are reporting, and therefore how to address it somehow. I don't believe called station would work, as I do want to allow requests from the other NPS server.

    I would imagine if NPS A forwards a request to NPS B, B will process the request (pass or fail), reply back, and log it. Except, it seems when I allow NPS A & B to forward to each other, I get certain requests that just log and log over and over...

    Friday, July 12, 2019 10:36 PM
  • I did some more digging online, looking specifically for anything in relation to NPS logging and forwarding, and I eventually came across this.  I've applied the change, and I'm not seeing the entries so far (however, it's a weekend and my activity is low and not standard).

    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-disable-nas-notifications

    It doesn't address extensive entries in logs but at least it is in relation to forwarding.  I will report back with my results after some real activity.

    Saturday, July 13, 2019 8:32 PM
  • Found another log modification here, involving ping-username requests. My problematic log entries don't seem to fit these requests, but I'll post it here in case it's helpful to anyone else...

    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-accounting-configure
    Sunday, July 14, 2019 1:26 PM
  • Hi,

    Thanks for your update here and sharing the article as it would be helpful to anyone who encounters similar issues.

    Best regards,

    Travis


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, July 15, 2019 8:03 AM
    Moderator