[RADIATOR] Basic Question on 802.1X

Ullfig, Roberto Alfredo rullfig at uic.edu
Thu Aug 24 13:28:30 UTC 2023 

My knowledge of our 802.1X configuration is barebones and we inherited this configuration from ~20 years ago. We are seeing lots of failures in this part for a long time most likely (omitted some more sensitive details):

<Handler Client-Identifier=n8021x>
#
# The rock8021x block and 8021x blocks are identical. The rock8021x block is needed as it acts
# differently than the WISMs in that it does a login-user rather than a access-request. This
# interferes with the 8021x clause that we have for uic-guest support
#
        <AuthBy FILE>
                # Users must be in this file to get anywhere. In this example,
                # it reques an entry for 'anonymous' which is the standard username
                # in the outer requests, and it also requires an entry for the
                # actual user name who is trying to connect (ie the 'Login name' entered
                # in the Funk Odyssey 'Edit Profile Properties' page
                Filename %D/users

                EAPAnonymous %0 at uic.wireless
                EAPType PEAP, TTLS
                EAPTLS_PEAPVersion 0
                EAPTLS_CAFile /etc/radiator/certificatechain.crt
                EAPTLS_CertificateFile /etc/radiator/wireless.crt
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /etc/radiator/wireless.key
                EAPTLS_MaxFragmentSize 1000
                AutoMPPEKeys
                EAPTLS_SessionResumption 0
        </AuthBy>

        RewriteUsername s/^([^@]+).*/$1/
        RewriteUsername s/\s+//g
        RewriteUsername s/^.*\\(.*)/$1/
        RewriteUsername tr/[A-Z]/[a-z]/

        <AuthBy SUSPEND>
                Dir /mnt/...
        </AuthBy>

        <AuthBy SUSPEND>
                Dir /mnt/...
        </AuthBy>

        <AuthBy WIRELESS>
                Dir /mnt/...
        </AuthBy>

        AcctLogFileName %L/wireless-detail

        <AuthLog SYSLOG>
                LogSuccess 1
                LogFailure 1
                Facility local0
                SuccessFormat %T : '%U' from %C mac=%{Calling-Station-Id} NAS-Id=%{Called-Station-Id} PEAP-SSID=%{NAS-Identifier} -- 802.1X OK
                FailureFormat %T : '%u' from %C mac=%{Calling-Station-Id} NAS-Id=%{Called-Station-Id} PEAP-SSID=%{NAS-Identifier} -- 802.1X FAILED
        </AuthLog>

The failure rate is about 1 out of 3! But this does not to appear to be impacting anyone. The file "users" does not exist so I assume that entire Authby is ignored.

What could be causing these failures? Filesystem access?

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20230824/b2a34d01/attachment.html>

More information about the radiator mailing list