My knowledge of our 802.1X configuration is barebones and we inherited this 
configuration from ~20 years ago. We have been seeing lots of failures in this 
part, most likely for a long time (omitted some more sensitive details):

<Handler Client-Identifier=n8021x>
#
# The rock8021x block and 8021x blocks are identical. The rock8021x block is needed as it acts
# differently than the WISMs in that it does a login-user rather than an access-request. This
# interferes with the 8021x clause that we have for uic-guest support
#
        <AuthBy FILE>
                # Users must be in this file to get anywhere. In this example,
                # it requires an entry for 'anonymous' which is the standard username
                # in the outer requests, and it also requires an entry for the
                # actual user name who is trying to connect (ie the 'Login name' entered
                # in the Funk Odyssey 'Edit Profile Properties' page)
                Filename %D/users

                EAPAnonymous %0@uic.wireless
                EAPType PEAP, TTLS
                EAPTLS_PEAPVersion 0
                EAPTLS_CAFile /etc/radiator/certificatechain.crt
                EAPTLS_CertificateFile /etc/radiator/wireless.crt
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /etc/radiator/wireless.key
                EAPTLS_MaxFragmentSize 1000
                AutoMPPEKeys
                EAPTLS_SessionResumption 0
        </AuthBy>

        RewriteUsername s/^([^@]+).*/$1/
        RewriteUsername s/\s+//g
        RewriteUsername s/^.*\\(.*)/$1/
        RewriteUsername tr/[A-Z]/[a-z]/

        <AuthBy SUSPEND>
                Dir /mnt/...
        </AuthBy>

        <AuthBy SUSPEND>
                Dir /mnt/...
        </AuthBy>

        <AuthBy WIRELESS>
                Dir /mnt/...
        </AuthBy>

        AcctLogFileName %L/wireless-detail

        <AuthLog SYSLOG>
                LogSuccess 1
                LogFailure 1
                Facility local0
                SuccessFormat %T : '%U' from %C mac=%{Calling-Station-Id} NAS-Id=%{Called-Station-Id} PEAP-SSID=%{NAS-Identifier} -- 802.1X OK
                FailureFormat %T : '%u' from %C mac=%{Calling-Station-Id} NAS-Id=%{Called-Station-Id} PEAP-SSID=%{NAS-Identifier} -- 802.1X FAILED
        </AuthLog>

The failure rate is about 1 out of 3! But this does not appear to be 
impacting anyone. The file "users" does not exist so I assume that entire 
AuthBy is ignored.

What could be causing these failures? Filesystem access?

---
Roberto Ullfig - rull...@uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
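
Added example, not part of the original post and not Radiator code: a triage script for the syslog lines produced by the SuccessFormat/FailureFormat above, showing whether the FAILED lines come from clients that also authenticate successfully. It assumes %U is the rewritten and %u the original User-Name, so it applies the Handler's four RewriteUsername rules to failure lines before comparing; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Matches lines written by the SuccessFormat/FailureFormat in the post.
LINE = re.compile(
    r"'(?P<user>[^']*)' from (?P<client>\S+) mac=(?P<mac>\S*) "
    r"NAS-Id=(?P<nas>.*?) PEAP-SSID=(?P<ssid>.*?) -- 802\.1X (?P<result>OK|FAILED)$")
LOWER = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz")

def rewrite_username(name):
    """The Handler's four RewriteUsername rules, in order, rendered in Python."""
    name = re.sub(r"^([^@]+).*", r"\1", name, count=1)  # s/^([^@]+).*/$1/
    name = re.sub(r"\s+", "", name)                     # s/\s+//g
    name = re.sub(r"^.*\\(.*)", r"\1", name, count=1)   # s/^.*\\(.*)/$1/
    return name.translate(LOWER)                        # tr/[A-Z]/[a-z]/

def triage(lines):
    """Per client MAC: OK/FAILED counts and the normalised usernames seen."""
    stats = defaultdict(lambda: {"OK": 0, "FAILED": 0, "users": set()})
    for line in lines:
        m = LINE.search(line.rstrip())
        if not m:
            continue  # not an 802.1X AuthLog line
        user = m["user"]
        if m["result"] == "FAILED":  # assumption: %u is the un-rewritten name
            user = rewrite_username(user)
        entry = stats[m["mac"].lower()]
        entry[m["result"]] += 1
        entry["users"].add(user)
    return dict(stats)

def failing_only(stats):
    """MACs that failed at least once and never authenticated successfully."""
    return sorted(mac for mac, s in stats.items() if s["FAILED"] and not s["OK"])

# Constructed sample lines (not real log data); only the quoted part onward is parsed.
SAMPLE = [
    r"radiator: Access-Request : 'jdoe' from wism1 mac=00-11-22-33-44-55 NAS-Id=ap1:UIC-WiFi PEAP-SSID=wism1 -- 802.1X OK",
    r"radiator: Access-Request : 'UIC\JDoe@uic.edu' from wism1 mac=00-11-22-33-44-55 NAS-Id=ap1:UIC-WiFi PEAP-SSID=wism1 -- 802.1X FAILED",
    r"radiator: Access-Request : 'guest 1@example.org' from wism2 mac=66-77-88-99-AA-BB NAS-Id=ap2:UIC-WiFi PEAP-SSID=wism2 -- 802.1X FAILED",
]

if __name__ == "__main__":
    stats = triage(SAMPLE)
    for mac, s in sorted(stats.items()):
        print(mac, s["OK"], s["FAILED"], sorted(s["users"]))
    print("never succeeded:", failing_only(stats))
```

MACs with both OK and FAILED counts point at retries or a first-pass rejection, while MACs listed by `failing_only` are the ones worth checking for real impact.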