Hi Roberto,
if you "only" see FAILED, no error or something else, in your log, it is
normal and just reflects the fact that there are more and more devices which
try to connect to eduroam, but don't have a proper configuration.
Sometimes in national-level logs FAIL to OK may be 70:30%.
Regards,
Dubravko
On 8/24/23 15:28, Ullfig, Roberto Alfredo via radiator wrote:
My knowledge of our 802.1X configuration is barebones and we inherited
this configuration from ~20 years ago. We are seeing lots of failures in
this part for a long time most likely (omitted some more sensitive details):
<Handler Client-Identifier=n8021x>
#
# The rock8021x block and 8021x blocks are identical. The rock8021x block is needed as it acts
# differently than the WISMs in that it does a login-user rather than an access-request. This
# interferes with the 8021x clause that we have for uic-guest support
#
<AuthBy FILE>
# Users must be in this file to get anywhere. In this example,
# it requires an entry for 'anonymous' which is the standard username
# in the outer requests, and it also requires an entry for the
# actual user name who is trying to connect (ie the 'Login name' entered
# in the Funk Odyssey 'Edit Profile Properties' page)
Filename %D/users
EAPAnonymous %0@uic.wireless
EAPType PEAP, TTLS
EAPTLS_PEAPVersion 0
EAPTLS_CAFile /etc/radiator/certificatechain.crt
EAPTLS_CertificateFile /etc/radiator/wireless.crt
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /etc/radiator/wireless.key
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
EAPTLS_SessionResumption 0
</AuthBy>
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername s/\s+//g
RewriteUsername s/^.*\\(.*)/$1/
RewriteUsername tr/[A-Z]/[a-z]/
<AuthBy SUSPEND>
Dir /mnt/...
</AuthBy>
<AuthBy SUSPEND>
Dir /mnt/...
</AuthBy>
<AuthBy WIRELESS>
Dir /mnt/...
</AuthBy>
AcctLogFileName %L/wireless-detail
<AuthLog SYSLOG>
LogSuccess 1
LogFailure 1
Facility local0
SuccessFormat %T : '%U' from %C mac=%{Calling-Station-Id} NAS-Id=%{Called-Station-Id} PEAP-SSID=%{NAS-Identifier} -- 802.1X OK
FailureFormat %T : '%u' from %C mac=%{Calling-Station-Id} NAS-Id=%{Called-Station-Id} PEAP-SSID=%{NAS-Identifier} -- 802.1X FAILED
</AuthLog>
The failure rate is about 1 out of 3! But this does not appear to be
impacting anyone. The file "users" does not exist so I assume that
entire AuthBy is ignored.
What could be causing these failures? Filesystem access?
---
Roberto Ullfig - rull...@uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
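
Added example (not part of the original thread, and not code from Radiator or from either poster): one way to test the explanation in the reply against your own logs is to group the lines written by the SuccessFormat/FailureFormat settings in the quoted config by Calling-Station-Id and measure how many failures come from devices that never authenticate successfully. The sample lines are constructed; the syslog prefix and the expansion of %T as Access-Request are assumptions.

```python
import re
from collections import defaultdict

# Tail written by the SuccessFormat / FailureFormat lines in the quoted config.
LINE_RE = re.compile(
    r"'(?P<user>[^']*)' from (?P<client>\S+) mac=(?P<mac>.*?) "
    r"NAS-Id=(?P<nas>.*?) PEAP-SSID=(?P<ssid>.*?) -- 802\.1X (?P<result>OK|FAILED)\s*$"
)

def normalise_mac(mac):
    """Reduce AA-BB-.., aa:bb:.. and aabb.ccdd.. forms to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def summarise(lines):
    """Return (ok, failed, per_mac); per_mac maps MAC -> [ok_count, failed_count]."""
    per_mac = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # skip anything that is not an AuthLog line in this format
            slot = 1 if m["result"] == "FAILED" else 0
            per_mac[normalise_mac(m["mac"])][slot] += 1
    ok = sum(c[0] for c in per_mac.values())
    failed = sum(c[1] for c in per_mac.values())
    return ok, failed, dict(per_mac)

def never_succeeded(per_mac):
    """MACs that only ever fail: the misconfigured-device pattern from the reply."""
    return sorted(mac for mac, (ok, bad) in per_mac.items() if ok == 0 and bad > 0)

def failure_share_never_ok(per_mac):
    """Fraction of all failures that come from MACs with no successful login."""
    total = sum(bad for _, bad in per_mac.values())
    lost = sum(bad for ok, bad in per_mac.values() if ok == 0)
    return lost / total if total else 0.0

PFX = "Aug 24 15:01:02 radius1 radiator[812]: Access-Request : "  # assumed prefix
TAIL = " NAS-Id=00-11-22-33-44-55:eduroam PEAP-SSID=wism1 -- 802.1X "
SAMPLE = [  # constructed log lines, not taken from the thread
    PFX + "'alice' from wism1 mac=AA-BB-CC-00-00-01" + TAIL + "OK",
    PFX + "'anonymous' from wism1 mac=aa:bb:cc:00:00:02" + TAIL + "FAILED",
    PFX + "'anonymous' from wism1 mac=aa:bb:cc:00:00:02" + TAIL + "FAILED",
    PFX + "'bob' from wism2 mac=aabb.cc00.0003" + TAIL + "FAILED",
    PFX + "'bob' from wism2 mac=aabb.cc00.0003" + TAIL + "OK",
    PFX + "'alice' from wism1 mac=aa:bb:cc:00:00:01" + TAIL + "OK",
]

if __name__ == "__main__":
    ok, failed, per_mac = summarise(SAMPLE)
    print(f"OK={ok} FAILED={failed} never-OK MACs={never_succeeded(per_mac)}")
    print(f"share of failures from never-OK MACs: {failure_share_never_ok(per_mac):.0%}")
```

A high share from never-OK MACs matches the misconfigured-device explanation; failures spread across MACs that also succeed point at something else worth investigating.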