This week we started experiencing run-away log files with constant "phantom" (for lack of a better term) log entries. We have 2 NPS servers on individual domains, and I added Connection Request Policy rules to capture foreign-domain user information and forward it to the appropriate domain's NPS. Ref: https://social.technet.microsoft.com/Forums/en-US/2c4a7aeb-39e6-4efb-898a-77fd1c150da0/nps-proxy-proxy-machine-auth-requests?forum=winserverNAP
Now, there appears to be a situation, perhaps some request that - maybe - has introduced a loop or some other errant behavior on both my NPS servers (there are thousands a second). The constant log entries look like this...
<Event><Timestamp data_type="4">06/13/2019 15:36:01.668</Timestamp><Computer-Name data_type="1">DOMAIN1-DC2</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Acct-Status-Type data_type="0">7</Acct-Status-Type><Acct-Session-Id data_type="1">08ea4490812a-991628665ac0</Acct-Session-Id><Event-Timestamp data_type="4">06/13/2019 15:11:26</Event-Timestamp><Acct-Delay-Time data_type="0">0</Acct-Delay-Time><NAS-IP-Address data_type="3">10.136.110.5</NAS-IP-Address><NAS-Identifier data_type="1">AP-7</NAS-Identifier><Called-Station-Id data_type="1">08-EA-44-90-81-2A:WESTFIELD-Wireless</Called-Station-Id><Client-IP-Address data_type="3">10.98.11.10</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">DOMAIN2-DC2</Client-Friendly-Name><Provider-Type data_type="0">2</Provider-Type><Packet-Type data_type="0">4</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

So, the request has a NAS ID of a valid wireless AP, but the Client is the "other" NPS server (domain2-dc2). Notice there is no User-Name field (like <Acct-Authentic data_type="0">1</Acct-Authentic><User-Name data_type="1">b.rubble</User-Name>). My forward rules are simply: user = "domain2\b.rubble" forward to domain2 NPS, and "host/pcname.domain2.org" forward to domain2 NPS; otherwise process the request locally.
So, an incoming request to domain1 NPS either matches the forwarding rules or is processed locally. Here, it seems some other requests are being passed from domain1 to domain2 NPS where it rules wild (and it also works in reverse, domain2 to domain1).
I can stop this behavior by disabling communication between the NPS servers (via disabling the RADIUS client entry of the other NPS server). What is also interesting, I ran both servers (with their forwarding functioning) for perhaps 2 hours this morning before the problem happened.
Stumped, any ideas anyone?
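An added example (not part of the original post, and not Microsoft's tooling) that does the triage the post is doing by hand: it parses the one-<Event>-per-line XML format shown above, flags accounting requests (Packet-Type 4) that arrive from a peer NPS with no User-Name, and reports the peak per-second rate, the Acct-Status-Type mix, and which NAS-Identifiers the looping packets carry. The log lines below are constructed from the post's values, and the set of peer NPS friendly names is assumed to be supplied by the operator.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# RADIUS code values as NPS writes them into Packet-Type (RFC 2865/2866).
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                "4": "Accounting-Request", "5": "Accounting-Response"}
# Acct-Status-Type values (RFC 2866); 7 is the Accounting-On seen in the post.
ACCT_STATUS = {"1": "Start", "2": "Stop", "3": "Interim-Update",
               "7": "Accounting-On", "8": "Accounting-Off"}


def parse_event(line):
    """Parse one <Event>...</Event> log line into {element-name: text}."""
    root = ET.fromstring(line.strip())
    return {child.tag: (child.text or "") for child in root}


def is_peer_accounting_without_user(event, peer_nps):
    """An accounting request relayed by a peer NPS that carries no User-Name
    cannot have matched a User-Name based Connection Request Policy condition,
    so it is the signature worth counting when a proxy loop is suspected."""
    return (event.get("Packet-Type") == "4"
            and event.get("Client-Friendly-Name", "").upper() in peer_nps
            and "User-Name" not in event)


def analyze(log_text, peer_nps):
    """Return a summary of suspicious peer-relayed accounting events."""
    peer_nps = {p.upper() for p in peer_nps}
    flagged = []
    per_second = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_peer_accounting_without_user(ev, peer_nps):
            flagged.append(ev)
            per_second[ev.get("Timestamp", "").split(".")[0]] += 1  # drop the ms part
    return {
        "flagged": len(flagged),
        "peak_per_second": max(per_second.values(), default=0),
        "status_types": Counter(ACCT_STATUS.get(e.get("Acct-Status-Type"), "unknown")
                                for e in flagged),
        "nas_ids": Counter(e.get("NAS-Identifier", "") for e in flagged),
    }


def _event(fields):
    """Build one line in the IAS XML format (constructed test data, not a real log)."""
    body = "".join(f'<{k} data_type="{t}">{v}</{k}>' for k, t, v in fields)
    return f"<Event>{body}</Event>"


# Constructed sample: three Accounting-On packets relayed by the peer NPS in the
# same second (the "phantom" entries), then one normal Start straight from the AP.
SAMPLE_LOG = "\n".join([
    _event([("Timestamp", "4", f"06/13/2019 15:36:01.{ms}"), ("Computer-Name", "1", "DOMAIN1-DC2"),
            ("Acct-Status-Type", "0", "7"), ("NAS-IP-Address", "3", "10.136.110.5"),
            ("NAS-Identifier", "1", "AP-7"), ("Client-IP-Address", "3", "10.98.11.10"),
            ("Client-Friendly-Name", "1", "DOMAIN2-DC2"), ("Packet-Type", "0", "4"),
            ("Reason-Code", "0", "0")])
    for ms in ("668", "702", "740")
] + [
    _event([("Timestamp", "4", "06/13/2019 15:36:02.010"), ("Computer-Name", "1", "DOMAIN1-DC2"),
            ("Acct-Status-Type", "0", "1"), ("NAS-Identifier", "1", "AP-7"),
            ("Client-Friendly-Name", "1", "AP-7"), ("User-Name", "1", "b.rubble"),
            ("Packet-Type", "0", "4"), ("Reason-Code", "0", "0")]),
])

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, peer_nps={"DOMAIN2-DC2"}))
```

Run it against the real IAS log on each server with the other server's RADIUS client friendly name as the peer set; a high peak_per_second made up entirely of Accounting-On/Off or Interim-Update packets from the peer points at the accounting path rather than the User-Name forwarding conditions, so the accounting settings of each Connection Request Policy on both servers (whether accounting requests are forwarded to the remote RADIUS server group) are the first thing to compare.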