EAP-SIM authentication failed

Yann R. Moupinda yannm1 at hotmail.com
Thu Nov 15 17:46:49 CET 2012


Hi guys,

i'm still trying to authenticate a EAP SIM Client with 
the Freeraduis 3.0.0. By Using the Nokia E51 and E52, the eap-sim 
authentication process just stops after the raduis has sent the " 
EAP-REQUEST, SIM-CHALLENGE" (containing AT_RAND and AT_MAC) message (see
 log info.).
I did some changes in the in the " eapsimlib.c" regarding the AT_IDENTITY by using the patch 'commit cfd61d24b99022eb613054bbf7e0da4fa3af1bde' but the result didn't change. 

I decided to change the Client. I downloaded and installed 
Xsupplicant 2.2.3.553 on my windows XP. This is a software capable to be
 used as EAP-SIM Client. I didn't change anything on the server side. 
This time Xsupplicant replys with a " EAP-RESPONSE, SIM-CHALLENGE" 
(containing AT_MAC) after recieving the " EAP-REQUEST, SIM-CHALLENGE" 
(containing AT_RAND and AT_MAC). The Freeradius Server recieves the " 
EAP-RESPONSE, SIM-CHALLENGE" (containing AT_MAC), says that the received
 MAC doesn't match and breaks the authentication process with a "access 
reject"


Here the log messages with Nokia:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 48077, id=19, length=308
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
    NAS-Port-Id = "ap_hotspot"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "82500003"
    Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03"
    Calling-Station-Id = "A8-7E-33-3E-9C-5B"
    Called-Station-Id = "00-0C-42-64-41-9D:YANN"
    EAP-Message = 0x02010038013139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267
    Message-Authenticator = 0x429b263e5293fadbae0a13f28dad2775
    NAS-Identifier = "MT_Yann"
    NAS-IP-Address = 192.168.10.212
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   group authorize {
(0)  - entering group authorize {...}
(0)   [preprocess] = ok
(0)   [chap] = noop
(0) auth_log :     expand: %{Packet-Src-IP-Address} -> 192.168.10.212
(0)
 auth_log :     expand: 
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(0)
 auth_log : 
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(0) auth_log :     expand: %t -> Thu Nov  8 14:20:05 2012
(0)   [auth_log] = ok
(0)   [mschap] = noop
(0)   [digest] = noop
(0)
 suffix : Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for 
User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
(0) suffix : Found realm "~.*.3gppnetwork.org$"
(0) suffix : Adding Stripped-User-Name = "1901700000000653"
(0) suffix : Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org"
(0) suffix : Authentication realm is LOCAL.
(0)   [suffix] = ok
rlm_sim_files: authorized user/imsi 1901700000000653 
rlm_sim_files: Adding EAP-Type: eap-sim
(0)   [sim_files] = ok
(0) eap : EAP packet type response id 1 length 56
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)   [eap] = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   group authenticate {
(0)  - entering group authenticate {...}
(0) eap : EAP Identity
(0) eap : processing type sim
(0) eap : Underlying EAP-Type set EAP ID to 133
(0)   [eap] = handled
Sending Access-Challenge of id 19 to 192.168.10.212 port 48077
    EAP-Message = 0x01850014120a00000f0200020001000011010100
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x077b668807fe746db0e5f555c7ca40d2
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 41383, id=20, length=358
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
    State = 0x077b668807fe746db0e5f555c7ca40d2
    NAS-Port-Id = "ap_hotspot"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "82500003"
    Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03"
    Calling-Station-Id = "A8-7E-33-3E-9C-5B"
    Called-Station-Id = "00-0C-42-64-41-9D:YANN"
   
 EAP-Message = 
0x02850058120a000007050000be65a474dc99300354fdd97e5176bbc5100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700
    Message-Authenticator = 0x07c87b76cd6232ca08dc4529913d5cac
    NAS-Identifier = "MT_Yann"
    NAS-IP-Address = 192.168.10.212
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1)   group authorize {
(1)  - entering group authorize {...}
(1)   [preprocess] = ok
(1)   [chap] = noop
(1) auth_log :     expand: %{Packet-Src-IP-Address} -> 192.168.10.212
(1)
 auth_log :     expand: 
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(1)
 auth_log : 
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(1) auth_log :     expand: %t -> Thu Nov  8 14:20:05 2012
(1)   [auth_log] = ok
(1)   [mschap] = noop
(1)   [digest] = noop
(1)
 suffix : Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for 
User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
(1) suffix : Found realm "~.*.3gppnetwork.org$"
(1) suffix : Adding Stripped-User-Name = "1901700000000653"
(1) suffix : Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org"
(1) suffix : Authentication realm is LOCAL.
(1)   [suffix] = ok
rlm_sim_files: authorized user/imsi 1901700000000653 
rlm_sim_files: Adding EAP-Type: eap-sim
(1)   [sim_files] = ok
(1) eap : EAP packet type response id 133 length 88
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1)   [eap] = updated
(1)   [files] = noop
(1)   [expiration] = noop
(1)   [logintime] = noop
(1) pap : WARNING! No "known good" password found for the user.  Authentication may fail because of this.
(1)   [pap] = noop
(1) Found Auth-Type = EAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   group authenticate {
(1)  - entering group authenticate {...}
(1) eap : Request found, released from the list
(1) eap : EAP/sim
(1) eap : processing type sim
+++> EAP-sim decoded packet:
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
    State = 0x077b668807fe746db0e5f555c7ca40d2
    NAS-Port-Id = "ap_hotspot"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "82500003"
    Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03"
    Calling-Station-Id = "A8-7E-33-3E-9C-5B"
    Called-Station-Id = "00-0C-42-64-41-9D:YANN"
   
 EAP-Message = 
0x02850058120a000007050000be65a474dc99300354fdd97e5176bbc5100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700
    Message-Authenticator = 0x07c87b76cd6232ca08dc4529913d5cac
    NAS-Identifier = "MT_Yann"
    NAS-IP-Address = 192.168.10.212
    Stripped-User-Name = "1901700000000653"
    Realm = "wlan.mnc070.mcc901.3gppnetwork.org"
    EAP-Type = SIM
    EAP-Sim-Subtype = Start
    EAP-Sim-NONCE_MT = 0x0000be65a474dc99300354fdd97e5176bbc5
    EAP-Sim-SELECTED_VERSION = 0x0001
    EAP-Sim-IDENTITY = 0x3139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267
(1) eap : Underlying EAP-Type set EAP ID to 134
(1)   [eap] = handled
Sending Access-Challenge of id 20 to 192.168.10.212 port 41383
   
 EAP-Message = 
0x01860050120b0000010d00000123456789abcdef0123456789abcdef658719018376aab4d2a5ccde7a21b6510123456789abcdef0123456789abcdff0b050000217a0ab3b008a413f570885bca13bbe8
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x077b668806fd746db0e5f555c7ca40d2
(1) Finished request 1.
Going to the next request
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
(0) Cleaning up request packet ID 19 with timestamp +14
(1) Cleaning up request packet ID 20 with timestamp +14
Ready to process requests.

<---------------------->

Here the log messages by using Xsupplicant:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 34456, id=63, length=238
        Service-Type = Framed-User
        Framed-MTU = 1400
        User-Name = "1901700000000653"
        NAS-Port-Id = "ap_hotspot"
        NAS-Port-Type = Wireless-802.11
        Acct-Session-Id = "82900026"
        Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-16-6F-BB-2D-CE-82-90-00-00-00-00-00-26"
        Calling-Station-Id = "00-16-6F-BB-2D-CE"
        Called-Station-Id = "00-0C-42-64-41-9D:YANN"
        EAP-Message = 0x020100150131393031373030303030303030363533
        Message-Authenticator = 0x653921257bd23ec322ee3b4924d32751
        NAS-Identifier = "MT_Yann"
        NAS-IP-Address = 192.168.10.212
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   group authorize {
(0)  - entering group authorize {...}
(0)   [preprocess] = ok
(0)   [chap] = noop
(0) auth_log :  expand: %{Packet-Src-IP-Address} -> 192.168.10.212
(0)
 auth_log :  expand: 
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114
(0)
 auth_log : 
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114
(0) auth_log :  expand: %t -> Wed Nov 14 17:30:30 2012
(0)   [auth_log] = ok
(0)   [mschap] = noop
(0)   [digest] = noop
(0) suffix : No '@' in User-Name = "1901700000000653", looking up realm NULL
(0) suffix : No such realm "NULL"
(0)   [suffix] = noop
rlm_sim_files: authorized user/imsi 1901700000000653
rlm_sim_files: Adding EAP-Type: eap-sim
(0)   [sim_files] = ok
(0) eap : EAP packet type response id 1 length 21
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)   [eap] = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   group authenticate {
(0)  - entering group authenticate {...}
(0) eap : EAP Identity
(0) eap : processing type sim
(0) eap : Underlying EAP-Type set EAP ID to 38
(0)   [eap] = handled
Sending Access-Challenge of id 63 to 192.168.10.212 port 34456
        EAP-Message = 0x01260014120a00000f0200020001000011010100
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5b17c53a5b31d7c6686a4d2738ee4ab7
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 57441, id=64, length=267
        Service-Type = Framed-User
        Framed-MTU = 1400
        User-Name = "1901700000000653"
        State = 0x5b17c53a5b31d7c6686a4d2738ee4ab7
        NAS-Port-Id = "ap_hotspot"
        NAS-Port-Type = Wireless-802.11
        Acct-Session-Id = "82900026"
        Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-16-6F-BB-2D-CE-82-90-00-00-00-00-00-26"
        Calling-Station-Id = "00-16-6F-BB-2D-CE"
        Called-Station-Id = "00-0C-42-64-41-9D:YANN"
        EAP-Message = 0x02260020120a001b07050000a8605e360593e63583c864b6051046f410010001
        Message-Authenticator = 0x0133a5fba265cea77256e0b429f11c02
        NAS-Identifier = "MT_Yann"
        NAS-IP-Address = 192.168.10.212
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1)   group authorize {
(1)  - entering group authorize {...}
(1)   [preprocess] = ok
(1)   [chap] = noop
(1) auth_log :  expand: %{Packet-Src-IP-Address} -> 192.168.10.212
(1)
 auth_log :  expand: 
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114
(1)
 auth_log : 
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114
(1) auth_log :  expand: %t -> Wed Nov 14 17:30:30 2012
(1)   [auth_log] = ok
(1)   [mschap] = noop
(1)   [digest] = noop
(1) suffix : No '@' in User-Name = "1901700000000653", looking up realm NULL
(1) suffix : No such realm "NULL"
(1)   [suffix] = noop
rlm_sim_files: authorized user/imsi 1901700000000653
rlm_sim_files: Adding EAP-Type: eap-sim
(1)   [sim_files] = ok
(1) eap : EAP packet type response id 38 length 32
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1)   [eap] = updated
(1)   [files] = noop
(1)   [expiration] = noop
(1)   [logintime] = noop
(1) pap : WARNING! No "known good" password found for the user.  Authentication may fail because of this.
(1)   [pap] = noop
(1) Found Auth-Type = EAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   group authenticate {
(1)  - entering group authenticate {...}
(1) eap : Request found, released from the list
(1) eap : EAP/sim
(1) eap : processing type sim
+++> EAP-sim decoded packet:
        Service-Type = Framed-User
        Framed-MTU = 1400
        User-Name = "1901700000000653"
        State = 0x5b17c53a5b31d7c6686a4d2738ee4ab7
        NAS-Port-Id = "ap_hotspot"
        NAS-Port-Type = Wireless-802.11
        Acct-Session-Id = "82900026"
        Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-16-6F-BB-2D-CE-82-90-00-00-00-00-00-26"
        Calling-Station-Id = "00-16-6F-BB-2D-CE"
        Called-Station-Id = "00-0C-42-64-41-9D:YANN"
        EAP-Message = 0x02260020120a001b07050000a8605e360593e63583c864b6051046f410010001
        Message-Authenticator = 0x0133a5fba265cea77256e0b429f11c02
        NAS-Identifier = "MT_Yann"
        NAS-IP-Address = 192.168.10.212
        EAP-Type = SIM
        EAP-Sim-Subtype = Start
        EAP-Sim-NONCE_MT = 0x0000a8605e360593e63583c864b6051046f4
        EAP-Sim-SELECTED_VERSION = 0x0001
(1) eap : Underlying EAP-Type set EAP ID to 39
(1)   [eap] = handled
Sending Access-Challenge of id 64 to 192.168.10.212 port 57441
       
 EAP-Message = 
0x01270050120b0000010d0000db1f1a922a6044b1ac9193596d34b701a20fd51626bd4f24b91755d927101729eeb85a0437da4ea4ab99cfbc1c439ce40b05000016397dc340ea5e69ab39925507ad8438
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5b17c53a5a30d7c6686a4d2738ee4ab7
(1) Finished request 1.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 36917, id=65, length=263
        Service-Type = Framed-User
        Framed-MTU = 1400
        User-Name = "1901700000000653"
        State = 0x5b17c53a5a30d7c6686a4d2738ee4ab7
        NAS-Port-Id = "ap_hotspot"
        NAS-Port-Type = Wireless-802.11
        Acct-Session-Id = "82900026"
        Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-16-6F-BB-2D-CE-82-90-00-00-00-00-00-26"
        Calling-Station-Id = "00-16-6F-BB-2D-CE"
        Called-Station-Id = "00-0C-42-64-41-9D:YANN"
        EAP-Message = 0x0227001c120b00170b0500007f86aeaeded71ccd418687567f8f8eb3
        Message-Authenticator = 0xf263cce3cc9890197ca080b7f4629af2
        NAS-Identifier = "MT_Yann"
        NAS-IP-Address = 192.168.10.212
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(2)   group authorize {
(2)  - entering group authorize {...}
(2)   [preprocess] = ok
(2)   [chap] = noop
(2) auth_log :  expand: %{Packet-Src-IP-Address} -> 192.168.10.212
(2)
 auth_log :  expand: 
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114
(2)
 auth_log : 
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114
(2) auth_log :  expand: %t -> Wed Nov 14 17:30:30 2012
(2)   [auth_log] = ok
(2)   [mschap] = noop
(2)   [digest] = noop
(2) suffix : No '@' in User-Name = "1901700000000653", looking up realm NULL
(2) suffix : No such realm "NULL"
(2)   [suffix] = noop
rlm_sim_files: authorized user/imsi 1901700000000653
rlm_sim_files: Adding EAP-Type: eap-sim
(2)   [sim_files] = ok
(2) eap : EAP packet type response id 39 length 28
(2) eap : No EAP Start, assuming it's an on-going EAP conversation
(2)   [eap] = updated
(2)   [files] = noop
(2)   [expiration] = noop
(2)   [logintime] = noop
(2) pap : WARNING! No "known good" password found for the user.  Authentication may fail because of this.
(2)   [pap] = noop
(2) Found Auth-Type = EAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2)   group authenticate {
(2)  - entering group authenticate {...}
(2) eap : Request found, released from the list
(2) eap : EAP/sim
(2) eap : processing type sim
calculated MAC (05248e0d_917db8e0_55e8b312_b489d982_20c54ef4) did not match
(2) eap : Handler failed in EAP/sim
(2) eap : Failed in EAP select
(2)   [eap] = invalid
(2) Failed to authenticate the user.
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2)   group REJECT {
(2)  - entering group REJECT {...}
(2) attr_filter.access_reject :         expand: %{User-Name} -> 1901700000000653
(2) attr_filter.access_reject : Matched entry DEFAULT at line 11
(2)   [attr_filter.access_reject] = updated
(2) Finished request 2.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 36917, id=65, length=263
Discarding duplicate request from client bipsbk port 36917 - ID: 65 due to unfinished request 2
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 36917, id=65, length=263
Discarding duplicate request from client bipsbk port 36917 - ID: 65 due to delayed reject 2
Waking up in 0.4 seconds.
(2) Sending delayed reject
Sending Access-Reject of id 65 to 192.168.10.212 port 36917
        EAP-Message = 0x04270004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.

Has
 anyone an idea why the MAC not matches although Client and Server are 
using the same algorithm version (Version 1 mentioned in AT_VERSION_LIST
 from Server and in AT_SELECTED_VERSION from client) ?

Best regards

Yann 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20121115/35e2aedf/attachment-0001.html>


More information about the Freeradius-Users mailing list