<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
That's not always the case though - for example (log chopped).</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0">
Aug 24 07:59:46 802.1X OK
<div class="ContentPasted0">Aug 24 08:01:30 802.1X FAILED</div>
Aug 24 09:15:44 802.1X OK<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted2 ContentPasted3">
139983 failed<br class="ContentPasted3">
357509 ok<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted2 ContentPasted3">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted2 ContentPasted3 ContentPasted4">
19714 different MAC addresses had both a failure and a success. If it's the same device that's misconfigured, it should always fail.</div>
<div class="elementToProof">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div>
<div></div>
<div id="divtagdefaultwrapper" style="font-size: 12pt; font-family: Calibri, Arial, Helvetica, sans-serif; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<div style="font-family:Tahoma; font-size:13px">---
<div><span id="ms-rterangepaste-start"></span><span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Roberto Ullfig - rullfig@uic.edu</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Systems Administrator</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Enterprise Applications & Services | Technology Solutions</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">University of Illinois - Chicago</span>
<div><span id="ms-rterangepaste-end"></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
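<div>The per-MAC tally described in the message above, as an added example that is not part of the original post or of Radiator itself. It assumes log lines shaped like the SuccessFormat/FailureFormat quoted later in this thread and normalizes Calling-Station-Id so that one device written in several MAC notations is counted once; the helper names and all sample lines are constructed for illustration.</div>

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like the SuccessFormat/FailureFormat quoted
# in this thread; hosts, users, NAS names and MAC addresses are invented.
SAMPLE_LOG = """\
Aug 24 07:59:46 r1 radiator: 'alice' from nas1 mac=AA-BB-CC-00-00-01 NAS-Id=ap1 PEAP-SSID=wlc1 -- 802.1X OK
Aug 24 08:01:30 r1 radiator: 'alice' from nas2 mac=aa:bb:cc:00:00:01 NAS-Id=ap7 PEAP-SSID=wlc2 -- 802.1X FAILED
Aug 24 08:02:10 r1 radiator: 'bob' from nas1 mac=aabb.cc00.0002 NAS-Id=ap1 PEAP-SSID=wlc1 -- 802.1X FAILED
Aug 24 08:05:00 r1 radiator: 'carol' from nas1 mac=AA-BB-CC-00-00-03 NAS-Id=ap2 PEAP-SSID=wlc1 -- 802.1X FAILED
Aug 24 09:15:44 r1 radiator: 'carol' from nas1 mac=AA-BB-CC-00-00-03 NAS-Id=ap2 PEAP-SSID=wlc1 -- 802.1X OK
Aug 24 09:20:00 r1 radiator: 'dave' from nas1 mac=AA-BB-CC-00-00-04 NAS-Id=ap2 PEAP-SSID=wlc1 -- 802.1X OK
Aug 24 09:21:00 r1 radiator: unrelated line without an outcome
"""

LINE_RE = re.compile(r"mac=(\S+) .*-- 802\.1X (OK|FAILED)\s*$")

def normalize_mac(raw):
    """Reduce a Calling-Station-Id to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    return digits if len(digits) == 12 else None

def outcomes_by_mac(lines):
    """Map each normalized MAC to its outcomes in log order."""
    seen = defaultdict(list)
    for line in lines:
        match = LINE_RE.search(line)
        mac = normalize_mac(match.group(1)) if match else None
        if mac:
            seen[mac].append(match.group(2))
    return dict(seen)

def classify(seen):
    """Group MACs as only_failed, only_ok or mixed (both outcomes seen)."""
    groups = {"only_failed": [], "only_ok": [], "mixed": []}
    for mac, results in sorted(seen.items()):
        kinds = set(results)
        key = "mixed" if len(kinds) == 2 else "only_ok" if kinds == {"OK"} else "only_failed"
        groups[key].append(mac)
    return groups

def failed_after_ok(results):
    """True when a failure was logged after this MAC's first success."""
    return "OK" in results and "FAILED" in results[results.index("OK"):]

if __name__ == "__main__":
    seen = outcomes_by_mac(SAMPLE_LOG.splitlines())
    for group, macs in classify(seen).items():
        print(group, len(macs), [(m, failed_after_ok(seen[m])) for m in macs])
```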
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Ullfig, Roberto Alfredo <rullfig@uic.edu><br>
<b>Sent:</b> Thursday, August 24, 2023 1:19 PM<br>
<b>To:</b> Dubravko Penezic <dpenezic@srce.hr>; radiator@lists.open.com.au <radiator@lists.open.com.au><br>
<b>Subject:</b> Re: UNS: [RADIATOR] Basic Question on 802.1X</font>
<div> </div>
</div>
<style type="text/css" style="display:none">
<!--
p
{margin-top:0;
margin-bottom:0}
-->
</style>
<div dir="ltr">
<div class="x_elementToProof" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Yes, I think you're right, I spot checked several of them and they never succeed.</div>
<div class="x_elementToProof">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div id="x_Signature">
<div>
<div></div>
<div id="x_divtagdefaultwrapper" style="font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<div style="font-family:Tahoma; font-size:13px">---
<div><span id="x_ms-rterangepaste-start"></span><span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Roberto Ullfig - rullfig@uic.edu</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Systems Administrator</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Enterprise Applications & Services | Technology Solutions</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">University of Illinois - Chicago</span>
<div><span id="x_ms-rterangepaste-end"></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div id="x_appendonsend"></div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Dubravko Penezic <dpenezic@srce.hr><br>
<b>Sent:</b> Thursday, August 24, 2023 8:34 AM<br>
<b>To:</b> Ullfig, Roberto Alfredo <rullfig@uic.edu>; radiator@lists.open.com.au <radiator@lists.open.com.au><br>
<b>Subject:</b> Re: UNS: [RADIATOR] Basic Question on 802.1X</font>
<div> </div>
</div>
<div class="x_BodyFragment"><font size="2"><span style="font-size:11pt">
<div class="x_PlainText">Hi Roberto,<br>
<br>
If you "only" see FAILED, with no error or something else, in your log, it is <br>
normal and just reflects the fact that there are more and more devices which try to <br>
connect to eduroam but don't have proper configuration.<br>
<br>
Sometimes in national-level logs FAIL to OK may be 70:30%.<br>
<br>
Regards,<br>
Dubravko<br>
<br>
On 8/24/23 15:28, Ullfig, Roberto Alfredo via radiator wrote:<br>
> My knowledge of our 802.1X configuration is barebones and we inherited <br>
> this configuration from ~20 years ago. We are seeing lots of failures in <br>
> this part for a long time most likely (omitted some more sensitive details):<br>
> <br>
> <Handler Client-Identifier=n8021x><br>
> #<br>
> # The rock8021x block and 8021x blocks are identical. The rock8021x block is needed as it acts<br>
> # differently than the WISMs in that it does a login-user rather than an access-request. This<br>
> # interferes with the 8021x clause that we have for uic-guest support<br>
> #<br>
> <AuthBy FILE><br>
> # Users must be in this file to get anywhere. In this example,<br>
> # it requires an entry for 'anonymous' which is the standard username<br>
> # in the outer requests, and it also requires an entry for the<br>
> # actual user name who is trying to connect (ie the 'Login name' entered<br>
> # in the Funk Odyssey 'Edit Profile Properties' page<br>
> Filename %D/users<br>
> <br>
> EAPAnonymous %0@uic.wireless<br>
> EAPType PEAP, TTLS<br>
> EAPTLS_PEAPVersion 0<br>
> EAPTLS_CAFile /etc/radiator/certificatechain.crt<br>
> EAPTLS_CertificateFile /etc/radiator/wireless.crt<br>
> EAPTLS_CertificateType PEM<br>
> EAPTLS_PrivateKeyFile /etc/radiator/wireless.key<br>
> EAPTLS_MaxFragmentSize 1000<br>
> AutoMPPEKeys<br>
> EAPTLS_SessionResumption 0<br>
> </AuthBy><br>
> <br>
> RewriteUsername s/^([^@]+).*/$1/<br>
> RewriteUsername s/\s+//g<br>
> RewriteUsername s/^.*\\(.*)/$1/<br>
> RewriteUsername tr/[A-Z]/[a-z]/<br>
> <br>
> <AuthBy SUSPEND><br>
> Dir /mnt/...<br>
> </AuthBy><br>
> <br>
> <AuthBy SUSPEND><br>
> Dir /mnt/...<br>
> </AuthBy><br>
> <br>
> <AuthBy WIRELESS><br>
> Dir /mnt/...<br>
> </AuthBy><br>
> <br>
> AcctLogFileName %L/wireless-detail<br>
> <br>
> <AuthLog SYSLOG><br>
> LogSuccess 1<br>
> LogFailure 1<br>
> Facility local0<br>
> SuccessFormat %T : '%U' from %C mac=%{Calling-Station-Id} NAS-Id=%{Called-Station-Id} PEAP-SSID=%{NAS-Identifier} -- 802.1X OK<br>
> FailureFormat %T : '%u' from %C mac=%{Calling-Station-Id} NAS-Id=%{Called-Station-Id} PEAP-SSID=%{NAS-Identifier} -- 802.1X FAILED<br>
> </AuthLog><br>
> <br>
> The failure rate is about 1 out of 3! But this does not appear to be <br>
> impacting anyone. The file "users" does not exist so I assume that <br>
> entire Authby is ignored.<br>
> <br>
> What could be causing these failures? Filesystem access?<br>
> <br>
> ---<br>
> Roberto Ullfig - rullfig@uic.edu<br>
> Systems Administrator<br>
> Enterprise Applications & Services | Technology Solutions<br>
> University of Illinois - Chicago<br>
> <br>
> _______________________________________________<br>
> radiator mailing list<br>
> radiator@lists.open.com.au<br>
> <a href="https://lists.open.com.au/mailman/listinfo/radiator">https://lists.open.com.au/mailman/listinfo/radiator</a><br>
</div>
</span></font></div>
</div>
</body>
</html>