Re: [RADIATOR] UNS: Basic Question on 802.1X

[Dubravko Penezic via radiator]

Hi Roberto,

if you "only" see FAILD no error or something elese, in you log,  it is 
normal and just reflact fact that is more and more devices which try to 
connect to eduroam, but doesnt have proper configuration.

Some time on national level logs FAIL to OK may be 70:30%.

Regards,
Dubravko

On 8/24/23 15:28, Ullfig, Roberto Alfredo via radiator wrote:
My knowledge of our 802.1X configuration is barebones and we inherited 
this configuration from ~20 years ago. We are seeing lots of failures in 
this part for a long time most likely (omitted some more sensitive details):

<Handler Client-Identifier=n8021x>
#
# The rock8021x block and 8021x blocks are identical. The rock8021x 
block is needed as it acts
# differently than the WISMs in that it does a login-user rather than a 
access-request. This
# interferes with the 8021x clause that we have for uic-guest support
#
         <AuthBy FILE>
                 # Users must be in this file to get anywhere. In this 
example,
                 # it reques an entry for 'anonymous' which is the 
standard username
                 # in the outer requests, and it also requires an entry 
for the
                 # actual user name who is trying to connect (ie the 
'Login name' entered
                 # in the Funk Odyssey 'Edit Profile Properties' page
                 Filename %D/users

                 EAPAnonymous %0@uic.wireless
                 EAPType PEAP, TTLS
                 EAPTLS_PEAPVersion 0
                 EAPTLS_CAFile /etc/radiator/certificatechain.crt
                 EAPTLS_CertificateFile /etc/radiator/wireless.crt
                 EAPTLS_CertificateType PEM
                 EAPTLS_PrivateKeyFile /etc/radiator/wireless.key
                 EAPTLS_MaxFragmentSize 1000
                 AutoMPPEKeys
                 EAPTLS_SessionResumption 0
         </AuthBy>

         RewriteUsername s/^([^@]+).*/$1/
         RewriteUsername s/\s+//g
         RewriteUsername s/^.*\\(.*)/$1/
         RewriteUsername tr/[A-Z]/[a-z]/

         <AuthBy SUSPEND>
                 Dir /mnt/...
         </AuthBy>

         <AuthBy SUSPEND>
                 Dir /mnt/...
         </AuthBy>

         <AuthBy WIRELESS>
                 Dir /mnt/...
         </AuthBy>

         AcctLogFileName %L/wireless-detail

         <AuthLog SYSLOG>
                 LogSuccess 1
                 LogFailure 1
                 Facility local0
                 SuccessFormat %T : '%U' from %C 
mac=%{Calling-Station-Id} NAS-Id=%{Called-Station-Id} 
PEAP-SSID=%{NAS-Identifier} -- 802.1X OK
                 FailureFormat %T : '%u' from %C 
mac=%{Calling-Station-Id} NAS-Id=%{Called-Station-Id} 
PEAP-SSID=%{NAS-Identifier} -- 802.1X FAILED
         </AuthLog>

The failure rate is about 1 out of 3! But this does not to appear to be 
impacting anyone. The file "users" does not exist so I assume that 
entire Authby is ignored.

What could be causing these failures? Filesystem access?

---
Roberto Ullfig - rull...@uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago

_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator