<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<p>Hello Roberto -</p>
<p><br>
</p>
<p>As EAP is a sequence of RADIUS requests, anything that interrupts
the sequence will result in a failure.</p>
<p><br>
</p>
<p>I.e. dropped packets, incorrect load-balancing, or even just
out-of-sequence requests will cause failure.</p>
<p><br>
</p>
<p>This being the case it is entirely possible that the same device
can behave as you observe.</p>
<p><br>
</p>
<p>regards</p>
<p><br>
</p>
<p>Hugh</p>
<p><br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 25/8/2023 04:44, Ullfig, Roberto
Alfredo via radiator wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CO3PR13MB5720DD42090C302280BAB4A0B01DA@CO3PR13MB5720.namprd13.prod.outlook.com">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
That's not always the case though - for example (log chopped).</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted0">
Aug 24 07:59:46 802.1X OK
<div class="ContentPasted0">Aug 24 08:01:30 802.1X FAILED</div>
Aug 24 09:15:44 802.1X OK<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted0">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted0 ContentPasted1 ContentPasted2 ContentPasted3">
139983 failed<br class="ContentPasted3">
357509 ok<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted0 ContentPasted1 ContentPasted2 ContentPasted3">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted0 ContentPasted1 ContentPasted2 ContentPasted3
ContentPasted4">
19714 different MAC addresses both had a failure and a success.
If it's the same device that's misconfigured it should always
fail.</div>
<div class="elementToProof">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div>
<div id="divtagdefaultwrapper" style="font-size: 12pt;
font-family: Calibri, Arial, Helvetica, sans-serif; color:
rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<div style="font-family:Tahoma; font-size:13px">---
<div><span id="ms-rterangepaste-start"></span><span
style="font-family:arial,helvetica,sans-serif;
font-size:13px; line-height:16.003px">Roberto Ullfig
- <a class="moz-txt-link-abbreviated" href="mailto:rullfig@uic.edu">rullfig@uic.edu</a></span><br
style="font-family:arial,helvetica,sans-serif;
font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif;
font-size:13px; line-height:16.003px">Systems
Administrator</span><br
style="font-family:arial,helvetica,sans-serif;
font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif;
font-size:13px; line-height:16.003px">Enterprise
Applications & Services | Technology Solutions</span><br
style="font-family:arial,helvetica,sans-serif;
font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif;
font-size:13px; line-height:16.003px">University of
Illinois - Chicago</span>
<div><span id="ms-rterangepaste-end"></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
Ullfig, Roberto Alfredo <a class="moz-txt-link-rfc2396E" href="mailto:rullfig@uic.edu"><rullfig@uic.edu></a><br>
<b>Sent:</b> Thursday, August 24, 2023 1:19 PM<br>
<b>To:</b> Dubravko Penezic <a class="moz-txt-link-rfc2396E" href="mailto:dpenezic@srce.hr"><dpenezic@srce.hr></a>;
<a class="moz-txt-link-abbreviated" href="mailto:radiator@lists.open.com.au">radiator@lists.open.com.au</a> <a class="moz-txt-link-rfc2396E" href="mailto:radiator@lists.open.com.au"><radiator@lists.open.com.au></a><br>
<b>Subject:</b> Re: UNS: [RADIATOR] Basic Question on 802.1X</font>
<div> </div>
</div>
<div dir="ltr">
<div class="x_elementToProof"
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Yes, I think you're right, I spot checked several of them and
they never succeed.</div>
<div class="x_elementToProof">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div id="x_Signature">
<div>
<div id="x_divtagdefaultwrapper" style="font-size:12pt;
font-family:Calibri,Arial,Helvetica,sans-serif;
color:rgb(0,0,0); background-color:rgb(255,255,255)">
<div style="font-family:Tahoma; font-size:13px">---
<div><span id="x_ms-rterangepaste-start"></span><span
style="font-family:arial,helvetica,sans-serif;
font-size:13px; line-height:16.003px">Roberto
Ullfig - <a class="moz-txt-link-abbreviated" href="mailto:rullfig@uic.edu">rullfig@uic.edu</a></span><br
style="font-family:arial,helvetica,sans-serif;
font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif;
font-size:13px; line-height:16.003px">Systems
Administrator</span><br
style="font-family:arial,helvetica,sans-serif;
font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif;
font-size:13px; line-height:16.003px">Enterprise
Applications & Services | Technology Solutions</span><br
style="font-family:arial,helvetica,sans-serif;
font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif;
font-size:13px; line-height:16.003px">University
of Illinois - Chicago</span>
<div><span id="x_ms-rterangepaste-end"></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
Dubravko Penezic <a class="moz-txt-link-rfc2396E" href="mailto:dpenezic@srce.hr"><dpenezic@srce.hr></a><br>
<b>Sent:</b> Thursday, August 24, 2023 8:34 AM<br>
<b>To:</b> Ullfig, Roberto Alfredo <a class="moz-txt-link-rfc2396E" href="mailto:rullfig@uic.edu"><rullfig@uic.edu></a>;
<a class="moz-txt-link-abbreviated" href="mailto:radiator@lists.open.com.au">radiator@lists.open.com.au</a>
<a class="moz-txt-link-rfc2396E" href="mailto:radiator@lists.open.com.au"><radiator@lists.open.com.au></a><br>
<b>Subject:</b> Re: UNS: [RADIATOR] Basic Question on 802.1X</font>
<div> </div>
</div>
<div class="x_BodyFragment"><font size="2"><span
style="font-size:11pt">
<div class="x_PlainText">Hi Roberto,<br>
<br>
if you "only" see FAILED, no error or something else, in
your log, it is <br>
normal and just reflects the fact that there are more and more
devices which try to <br>
connect to eduroam, but don't have proper
configuration.<br>
<br>
Sometimes in national-level logs FAIL to OK may be
70:30%.<br>
<br>
Regards,<br>
Dubravko<br>
<br>
On 8/24/23 15:28, Ullfig, Roberto Alfredo via radiator
wrote:<br>
> My knowledge of our 802.1X configuration is
barebones and we inherited <br>
> this configuration from ~20 years ago. We are
seeing lots of failures in <br>
> this part for a long time most likely (omitted some
more sensitive details):<br>
> <br>
> <Handler Client-Identifier=n8021x><br>
> #<br>
> # The rock8021x block and 8021x blocks are
identical. The rock8021x <br>
> block is needed as it acts<br>
> # differently than the WISMs in that it does a
login-user rather than a <br>
> access-request. This<br>
> # interferes with the 8021x clause that we have for
uic-guest support<br>
> #<br>
> <AuthBy FILE><br>
> # Users must be in this file to
get anywhere. In this <br>
> example,<br>
> # it requires an entry for
'anonymous' which is the <br>
> standard username<br>
> # in the outer requests, and it
also requires an entry <br>
> for the<br>
> # actual user name who is trying
to connect (ie the <br>
> 'Login name' entered<br>
> # in the Funk Odyssey 'Edit
Profile Properties' page<br>
> Filename %D/users<br>
> <br>
> EAPAnonymous %0@uic.wireless<br>
> EAPType PEAP, TTLS<br>
> EAPTLS_PEAPVersion 0<br>
> EAPTLS_CAFile
/etc/radiator/certificatechain.crt<br>
> EAPTLS_CertificateFile
/etc/radiator/wireless.crt<br>
> EAPTLS_CertificateType PEM<br>
> EAPTLS_PrivateKeyFile
/etc/radiator/wireless.key<br>
> EAPTLS_MaxFragmentSize 1000<br>
> AutoMPPEKeys<br>
> EAPTLS_SessionResumption 0<br>
> </AuthBy><br>
> <br>
> RewriteUsername s/^([^@]+).*/$1/<br>
> RewriteUsername s/\s+//g<br>
> RewriteUsername s/^.*\\(.*)/$1/<br>
> RewriteUsername tr/[A-Z]/[a-z]/<br>
> <br>
> <AuthBy SUSPEND><br>
> Dir /mnt/...<br>
> </AuthBy><br>
> <br>
> <AuthBy SUSPEND><br>
> Dir /mnt/...<br>
> </AuthBy><br>
> <br>
> <AuthBy WIRELESS><br>
> Dir /mnt/...<br>
> </AuthBy><br>
> <br>
> AcctLogFileName %L/wireless-detail<br>
> <br>
> <AuthLog SYSLOG><br>
> LogSuccess 1<br>
> LogFailure 1<br>
> Facility local0<br>
> SuccessFormat %T : '%U' from %C <br>
> mac=%{Calling-Station-Id}
NAS-Id=%{Called-Station-Id} <br>
> PEAP-SSID=%{NAS-Identifier} -- 802.1X OK<br>
> FailureFormat %T : '%u' from %C <br>
> mac=%{Calling-Station-Id}
NAS-Id=%{Called-Station-Id} <br>
> PEAP-SSID=%{NAS-Identifier} -- 802.1X FAILED<br>
> </AuthLog><br>
> <br>
> The failure rate is about 1 out of 3! But this does
not appear to be <br>
> impacting anyone. The file "users" does not exist
so I assume that <br>
> entire Authby is ignored.<br>
> <br>
> What could be causing these failures? Filesystem
access?<br>
> <br>
> ---<br>
> Roberto Ullfig - <a class="moz-txt-link-abbreviated" href="mailto:rullfig@uic.edu">rullfig@uic.edu</a><br>
> Systems Administrator<br>
> Enterprise Applications & Services | Technology
Solutions<br>
> University of Illinois - Chicago<br>
> <br>
> _______________________________________________<br>
> radiator mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:radiator@lists.open.com.au">radiator@lists.open.com.au</a><br>
> <a
href="https://lists.open.com.au/mailman/listinfo/radiator"
moz-do-not-send="true">https://lists.open.com.au/mailman/listinfo/radiator</a><br>
</div>
</span></font></div>
</div>
<br>
</blockquote>
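<p>One way to check the two explanations offered in this thread against the AuthLog output (an added example, not written by any poster and not Radiator code): it groups MAC addresses by outcome and counts failures that are followed by a success from the same MAC within a retry window. The log lines are constructed, and the 5-minute window, year, host name and field values are assumptions; only the leading timestamp, the mac= field and the trailing 802.1X OK/FAILED marker follow the format shown above.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Only the syslog timestamp, the mac= field and the
# trailing "-- 802.1X OK/FAILED" marker follow the thread; the rest is made up.
SAMPLE_LOG = """\
Aug 24 07:59:46 radhost radiator: 'u1' from nas1 mac=aa-bb-cc-00-00-01 NAS-Id=x PEAP-SSID=y -- 802.1X OK
Aug 24 08:01:30 radhost radiator: 'u1' from nas1 mac=aa-bb-cc-00-00-01 NAS-Id=x PEAP-SSID=y -- 802.1X FAILED
Aug 24 08:10:00 radhost radiator: 'u2' from nas1 mac=aa-bb-cc-00-00-02 NAS-Id=x PEAP-SSID=y -- 802.1X FAILED
Aug 24 08:10:07 radhost radiator: 'u2' from nas2 mac=AA-BB-CC-00-00-02 NAS-Id=x PEAP-SSID=y -- 802.1X OK
Aug 24 08:20:00 radhost radiator: 'u3' from nas1 mac=aa-bb-cc-00-00-03 NAS-Id=x PEAP-SSID=y -- 802.1X FAILED
Aug 24 08:25:00 radhost radiator: 'u3' from nas1 mac=aa-bb-cc-00-00-03 NAS-Id=x PEAP-SSID=y -- 802.1X FAILED
Aug 24 08:30:00 radhost radiator: 'u4' from nas1 mac=aa-bb-cc-00-00-04 NAS-Id=x PEAP-SSID=y -- 802.1X OK
Aug 24 09:15:44 radhost radiator: 'u1' from nas1 mac=aa-bb-cc-00-00-01 NAS-Id=x PEAP-SSID=y -- 802.1X OK
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
                     r"mac=(?P<mac>\S+) .*-- 802\.1X (?P<res>OK|FAILED)\s*$")

def parse(lines, year=2023):
    """Yield (time, mac, ok) per AuthLog line; syslog omits the year."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["mac"].lower(), m["res"] == "OK"

def classify(events, retry_window=timedelta(minutes=5)):
    """Split MACs by outcome and count failures followed by a success from
    the same MAC within retry_window (consistent with a retried exchange)."""
    by_mac = defaultdict(list)
    for ts, mac, ok in sorted(events):
        by_mac[mac].append((ts, ok))
    rep = {"always_ok": set(), "always_failed": set(), "mixed": set(),
           "recovered": 0, "unrecovered": 0}
    for mac, evs in by_mac.items():
        seen = {ok for _, ok in evs}
        group = "mixed" if len(seen) == 2 else "always_ok" if True in seen else "always_failed"
        rep[group].add(mac)
        ok_times = [ts for ts, ok in evs if ok]
        for ts, ok in evs:
            if not ok:
                hit = any(ts <= t <= ts + retry_window for t in ok_times)
                rep["recovered" if hit else "unrecovered"] += 1
    return rep

if __name__ == "__main__":
    print(classify(parse(SAMPLE_LOG.splitlines())))
```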
</body>
</html>