<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0">
Understood about "dropped packets, incorrect load-balancing, or even just out of sequence requests will cause failure." <span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">- but with 1 out of 3 login failures
shouldn't we be seeing lots of complaints about the inability to connect to WiFi? We did have a network load balancer issue this week that did cause a small uptick in 802.1X failures and this generated many complaints from users unable to log in. It seems
like these 1 out of 3 login failures aren't actually being generated by a user attempting to log in (or they would be complaining) - can wireless controllers send spurious logins to the RADIUS servers, something like a keepalive, or are these just failed logins
that the user doesn't notice for some odd reason?</span></div>
<div class="elementToProof">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div>
<div></div>
<div id="divtagdefaultwrapper" style="font-size: 12pt; font-family: Calibri, Arial, Helvetica, sans-serif; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<div style="font-family:Tahoma; font-size:13px">---
<div><span id="ms-rterangepaste-start"></span><span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Roberto Ullfig - rullfig@uic.edu</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Systems Administrator</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Enterprise Applications & Services | Technology Solutions</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">University of Illinois - Chicago</span>
<div><span id="ms-rterangepaste-end"></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Hugh Irvine <hugh@radiatorsoftware.com><br>
<b>Sent:</b> Thursday, August 24, 2023 10:46 PM<br>
<b>To:</b> Ullfig, Roberto Alfredo <rullfig@uic.edu>; Dubravko Penezic <dpenezic@srce.hr>; radiator@lists.open.com.au <radiator@lists.open.com.au><br>
<b>Subject:</b> Re: [RADIATOR] UNS: Basic Question on 802.1X</font>
<div> </div>
</div>
<div>
<p><br>
</p>
<p>Hello Roberto -</p>
<p><br>
</p>
<p>As EAP is a sequence of RADIUS requests, anything that interrupts the sequence will result in a failure.</p>
<p><br>
</p>
<p>I.e. dropped packets, incorrect load-balancing, or even just out of sequence requests will cause failure.</p>
<p><br>
</p>
<p>This being the case it is entirely possible that the same device can behave as you observe.</p>
<p><br>
</p>
<p>regards</p>
<p><br>
</p>
<p>Hugh</p>
<p><br>
</p>
<p><br>
</p>
<div class="x_moz-cite-prefix">On 25/8/2023 04:44, Ullfig, Roberto Alfredo via radiator wrote:<br>
</div>
<blockquote type="cite"><style type="text/css" style="display:none">
<!--
p
{margin-top:0;
margin-bottom:0}
-->
</style>
<div class="x_elementToProof" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
That's not always the case though - for example (log chopped).</div>
<div class="x_elementToProof" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div class="x_elementToProof x_ContentPasted0" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Aug 24 07:59:46 802.1X OK
<div class="x_ContentPasted0">Aug 24 08:01:30 802.1X FAILED</div>
Aug 24 09:15:44 802.1X OK<br>
</div>
<div class="x_elementToProof x_ContentPasted0" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div class="x_elementToProof x_ContentPasted0 x_ContentPasted1 x_ContentPasted2 x_ContentPasted3" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
139983 failed<br class="x_ContentPasted3">
357509 ok<br>
</div>
<div class="x_elementToProof x_ContentPasted0 x_ContentPasted1 x_ContentPasted2 x_ContentPasted3" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div class="x_elementToProof x_ContentPasted0 x_ContentPasted1 x_ContentPasted2 x_ContentPasted3 x_ContentPasted4" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
19714 different MAC addresses had both a failure and a success. If it's the same device that's misconfigured it should always fail.</div>
<div class="x_elementToProof">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Ullfig, Roberto Alfredo
<a class="x_moz-txt-link-rfc2396E" href="mailto:rullfig@uic.edu"><rullfig@uic.edu></a><br>
<b>Sent:</b> Thursday, August 24, 2023 1:19 PM<br>
<b>To:</b> Dubravko Penezic <a class="x_moz-txt-link-rfc2396E" href="mailto:dpenezic@srce.hr">
<dpenezic@srce.hr></a>; <a class="x_moz-txt-link-abbreviated" href="mailto:radiator@lists.open.com.au">
radiator@lists.open.com.au</a> <a class="x_moz-txt-link-rfc2396E" href="mailto:radiator@lists.open.com.au">
<radiator@lists.open.com.au></a><br>
<b>Subject:</b> Re: UNS: [RADIATOR] Basic Question on 802.1X</font>
<div> </div>
</div>
<style type="text/css" style="display:none">
<!--
p
{margin-top:0;
margin-bottom:0}
-->
</style>
<div dir="ltr">
<div class="x_x_elementToProof" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Yes, I think you're right, I spot checked several of them and they never succeed.</div>
<div class="x_x_elementToProof">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Dubravko Penezic
<a class="x_moz-txt-link-rfc2396E" href="mailto:dpenezic@srce.hr"><dpenezic@srce.hr></a><br>
<b>Sent:</b> Thursday, August 24, 2023 8:34 AM<br>
<b>To:</b> Ullfig, Roberto Alfredo <a class="x_moz-txt-link-rfc2396E" href="mailto:rullfig@uic.edu">
<rullfig@uic.edu></a>; <a class="x_moz-txt-link-abbreviated" href="mailto:radiator@lists.open.com.au">
radiator@lists.open.com.au</a> <a class="x_moz-txt-link-rfc2396E" href="mailto:radiator@lists.open.com.au">
<radiator@lists.open.com.au></a><br>
<b>Subject:</b> Re: UNS: [RADIATOR] Basic Question on 802.1X</font>
<div> </div>
</div>
<div class="x_x_BodyFragment"><font size="2"><span style="font-size:11pt">
<div class="x_x_PlainText">Hi Roberto,<br>
<br>
if you "only" see FAILED, with no error or anything else, in your log, it is <br>
normal and just reflects the fact that there are more and more devices which try to <br>
connect to eduroam but don't have a proper configuration.<br>
<br>
Sometimes in national-level logs the FAIL to OK ratio may be 70:30%.<br>
<br>
Regards,<br>
Dubravko<br>
<br>
On 8/24/23 15:28, Ullfig, Roberto Alfredo via radiator wrote:<br>
> My knowledge of our 802.1X configuration is barebones and we inherited <br>
> this configuration from ~20 years ago. We are seeing lots of failures in <br>
> this part for a long time most likely (omitted some more sensitive details):<br>
> <br>
> <Handler Client-Identifier=n8021x><br>
> #<br>
> # The rock8021x block and 8021x blocks are identical. The rock8021x block is needed as it acts<br>
> # differently than the WISMs in that it does a login-user rather than an access-request. This<br>
> # interferes with the 8021x clause that we have for uic-guest support<br>
> #<br>
> <AuthBy FILE><br>
> # Users must be in this file to get anywhere. In this example,<br>
> # it requires an entry for 'anonymous' which is the standard username<br>
> # in the outer requests, and it also requires an entry for the<br>
> # actual user name who is trying to connect (ie the 'Login name' entered<br>
> # in the Funk Odyssey 'Edit Profile Properties' page)<br>
> Filename %D/users<br>
> <br>
> EAPAnonymous %0@uic.wireless<br>
> EAPType PEAP, TTLS<br>
> EAPTLS_PEAPVersion 0<br>
> EAPTLS_CAFile /etc/radiator/certificatechain.crt<br>
> EAPTLS_CertificateFile /etc/radiator/wireless.crt<br>
> EAPTLS_CertificateType PEM<br>
> EAPTLS_PrivateKeyFile /etc/radiator/wireless.key<br>
> EAPTLS_MaxFragmentSize 1000<br>
> AutoMPPEKeys<br>
> EAPTLS_SessionResumption 0<br>
> </AuthBy><br>
> <br>
> RewriteUsername s/^([^@]+).*/$1/<br>
> RewriteUsername s/\s+//g<br>
> RewriteUsername s/^.*\\(.*)/$1/<br>
> RewriteUsername tr/[A-Z]/[a-z]/<br>
> <br>
> <AuthBy SUSPEND><br>
> Dir /mnt/...<br>
> </AuthBy><br>
> <br>
> <AuthBy SUSPEND><br>
> Dir /mnt/...<br>
> </AuthBy><br>
> <br>
> <AuthBy WIRELESS><br>
> Dir /mnt/...<br>
> </AuthBy><br>
> <br>
> AcctLogFileName %L/wireless-detail<br>
> <br>
> <AuthLog SYSLOG><br>
> LogSuccess 1<br>
> LogFailure 1<br>
> Facility local0<br>
> SuccessFormat %T : '%U' from %C mac=%{Calling-Station-Id} NAS-Id=%{Called-Station-Id} PEAP-SSID=%{NAS-Identifier} -- 802.1X OK<br>
> FailureFormat %T : '%u' from %C mac=%{Calling-Station-Id} NAS-Id=%{Called-Station-Id} PEAP-SSID=%{NAS-Identifier} -- 802.1X FAILED<br>
> </AuthLog><br>
> <br>
> The failure rate is about 1 out of 3! But this does not appear to be <br>
> impacting anyone. The file "users" does not exist so I assume that <br>
> entire AuthBy is ignored.<br>
> <br>
> What could be causing these failures? Filesystem access?<br>
> <br>
> ---<br>
> Roberto Ullfig - <a class="x_moz-txt-link-abbreviated" href="mailto:rullfig@uic.edu">
rullfig@uic.edu</a><br>
> Systems Administrator<br>
> Enterprise Applications & Services | Technology Solutions<br>
> University of Illinois - Chicago<br>
> <br>
> _______________________________________________<br>
> radiator mailing list<br>
> <a class="x_moz-txt-link-abbreviated" href="mailto:radiator@lists.open.com.au">
radiator@lists.open.com.au</a><br>
> <a href="https://lists.open.com.au/mailman/listinfo/radiator">https://lists.open.com.au/mailman/listinfo/radiator</a><br>
</div>
</span></font></div>
</div>
<br>
</blockquote>
</div>
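<div>Added example, not part of the original thread: one way to test the question raised above, by grouping the AuthLog lines per Calling-Station-Id and checking whether each 802.1X FAILED is followed by an OK from the same MAC within a short window. The syslog prefix, the sample lines and the 5-minute <code>retry_window</code> are assumptions made for illustration.</div>
<pre>
```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: syslog prefix, hosts, users and MACs are made up; the
# tail of each line follows the thread's SuccessFormat / FailureFormat.
P = "radius1 radiator: Access-Request :"
SAMPLE_LOG = f"""\
Aug 24 07:59:46 {P} 'alice' from wlc1 mac=aa-bb-cc-00-00-01 NAS-Id=ap1 PEAP-SSID=campus -- 802.1X OK
Aug 24 08:00:00 {P} 'bob' from wlc1 mac=aa-bb-cc-00-00-02 NAS-Id=ap2 PEAP-SSID=campus -- 802.1X FAILED
Aug 24 08:00:03 {P} 'bob' from wlc1 mac=AA:BB:CC:00:00:02 NAS-Id=ap2 PEAP-SSID=campus -- 802.1X OK
Aug 24 08:01:30 {P} 'alice' from wlc1 mac=aa-bb-cc-00-00-01 NAS-Id=ap1 PEAP-SSID=campus -- 802.1X FAILED
Aug 24 08:10:00 {P} 'carol' from wlc2 mac=aa-bb-cc-00-00-03 NAS-Id=ap3 PEAP-SSID=campus -- 802.1X FAILED
Aug 24 08:20:00 {P} 'carol' from wlc2 mac=aa-bb-cc-00-00-03 NAS-Id=ap3 PEAP-SSID=campus -- 802.1X FAILED
Aug 24 08:30:00 {P} 'dave' from wlc2 mac=aa-bb-cc-00-00-04 NAS-Id=ap3 PEAP-SSID=campus -- 802.1X OK
Aug 24 09:15:44 {P} 'alice' from wlc1 mac=aa-bb-cc-00-00-01 NAS-Id=ap1 PEAP-SSID=campus -- 802.1X OK
Aug 24 09:16:00 radius1 cron: unrelated line
"""

# Key on the MAC: the two formats log different username specials (%U vs %u).
LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) .*\bmac=(\S+) .* -- 802\.1X (OK|FAILED)\s*$")

def parse(log_text, year=2023):
    """Group (timestamp, result) events by normalised Calling-Station-Id."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not AuthLog records
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        mac = re.sub(r"[^0-9a-f]", "", m.group(2).lower())
        events[mac].append((ts, m.group(3)))
    return events

def summarize(events, retry_window=timedelta(minutes=5)):
    """Count MACs by outcome and failures by whether an OK followed in time."""
    out = dict(always_ok=0, always_failed=0, mixed=0, recovered=0, unrecovered=0)
    for seq in events.values():
        results = {r for _, r in seq}
        key = "mixed" if len(results) == 2 else "always_" + results.pop().lower()
        out[key] += 1
        ok_times = [t for t, r in seq if r == "OK"]
        for t, r in seq:
            if r == "FAILED":
                hit = any(ok >= t and t + retry_window >= ok for ok in ok_times)
                out["recovered" if hit else "unrecovered"] += 1
    return out
```
</pre>
<div>A large <code>recovered</code> count is consistent with interrupted EAP sequences that the supplicant silently retries, while <code>always_failed</code> MACs match the misconfigured-device explanation given in the thread.</div>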
</body>
</html>