EAP-SIM on 2.2.0

Francois Gaudreault fgaudreault at inverse.ca
Wed Sep 12 15:32:02 CEST 2012


Hi again,

>> This is your problem. This is an EAP-AKA/SIM "Client error" packet.
>>
>> 02 - eap response
>> f7 - ID
>> 000c - length
>> 12 - EAP-SIM
>> 0e - subtype 14 - client error
>> 000016010000 - client error junk
> Hmmm interesting.  But how can it be working on 2.1.12 with the exact
> same client and config?  Maybe I can retry with 2.2.0 and see if I still
> get this error on multiple retries.  I'll get back to you.
No go with 2.2.0, tried with multiple clients.  I got you a trace from 
2.1.12, maybe you can see the difference:

rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=84, 
length=298
	User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
	Calling-Station-Id = "5C-59-48-ED-C4-96"
	NAS-IP-Address = 10.0.0.24
	NAS-Port = 1
	Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
	Service-Type = Framed-User
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	NAS-Identifier = "50-A7-33-31-CF-B8"
	Connect-Info = "CONNECT 802.11g"
	EAP-Message = 
0x02000038013133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267
	Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
	Message-Authenticator = 0xe41d2cabb012a327e68e0ef19e187cfa
server packetfence {
# Executing section authorize from file 
/usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for 
User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
[suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org"
++[suffix] returns noop
++[preprocess] returns ok
rlm_sim_files: authorized user/imsi IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Called-Station-Id = 
50-A7-33-31-CF-B8:PacketFence-Ruckus
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair Message-Authenticator = 
0xe41d2cabb012a327e68e0ef19e187cfa
rlm_perl: Added pair Vendor-25053-Attr-3 = 
0x5061636b657446656e63652d5275636b7573
rlm_perl: Added pair User-Name = IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 
0x02000038013133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267
rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651
rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81
rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392
rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1
rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505
rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231
rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409
rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1
rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 26
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 84 to 10.0.0.24 port 1051
	EAP-Message = 0x011a0014120a00000f0200020001000011010100
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6594e662658ef44f2c778a0c39bde699
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=85, 
length=348
	User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
	Calling-Station-Id = "5C-59-48-ED-C4-96"
	NAS-IP-Address = 10.0.0.24
	NAS-Port = 1
	Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
	Service-Type = Framed-User
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	NAS-Identifier = "50-A7-33-31-CF-B8"
	Connect-Info = "CONNECT 802.11g"
	EAP-Message = 
0x021a0058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f726700100100010705000005f0ed522fe4c61aaef4c1488151e370
	State = 0x6594e662658ef44f2c778a0c39bde699
	Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
	Message-Authenticator = 0x7f5a27e0a1425fa5cd18f46bb0f5b1ef
server packetfence {
# Executing section authorize from file 
/usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for 
User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
[suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org"
++[suffix] returns noop
++[preprocess] returns ok
rlm_sim_files: authorized user/imsi IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 26 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair State = 0x6594e662658ef44f2c778a0c39bde699
rlm_perl: Added pair Called-Station-Id = 
50-A7-33-31-CF-B8:PacketFence-Ruckus
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair Message-Authenticator = 
0x7f5a27e0a1425fa5cd18f46bb0f5b1ef
rlm_perl: Added pair Vendor-25053-Attr-3 = 
0x5061636b657446656e63652d5275636b7573
rlm_perl: Added pair User-Name = IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 
0x021a0058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f726700100100010705000005f0ed522fe4c61aaef4c1488151e370
rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair EAP-Type = SIM
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651
rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81
rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392
rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1
rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505
rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231
rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409
rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1
rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
	NAS-Port-Type = Wireless-802.11
	Service-Type = Framed-User
	State = 0x6594e662658ef44f2c778a0c39bde699
	Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
	Calling-Station-Id = "5C-59-48-ED-C4-96"
	Message-Authenticator = 0x7f5a27e0a1425fa5cd18f46bb0f5b1ef
	Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
	User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
	NAS-Identifier = "50-A7-33-31-CF-B8"
	EAP-Message = 
0x021a0058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f726700100100010705000005f0ed522fe4c61aaef4c1488151e370
	Connect-Info = "CONNECT 802.11g"
	EAP-Type = SIM
	NAS-IP-Address = 10.0.0.24
	NAS-Port = 1
	Framed-MTU = 1400
	EAP-Sim-Subtype = Start
	EAP-Sim-IDENTITY = 
0x00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f726700
	EAP-Sim-SELECTED_VERSION = 0x0001
	EAP-Sim-NONCE_MT = 0x000005f0ed522fe4c61aaef4c1488151e370
[eap] Underlying EAP-Type set EAP ID to 27
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 85 to 10.0.0.24 port 1051
	EAP-Message = 
0x011b0050120b0000010d0000512317ac521bade521831aa3a3a5123112314312514145bbdede1d3a5d7d8d81658719018376aab4d2a5ccde7a21b6510b050000cbf0403a4e9eb5001804115677697857
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6594e662648ff44f2c778a0c39bde699
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=86, 
length=288
	User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
	Calling-Station-Id = "5C-59-48-ED-C4-96"
	NAS-IP-Address = 10.0.0.24
	NAS-Port = 1
	Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
	Service-Type = Framed-User
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	NAS-Identifier = "50-A7-33-31-CF-B8"
	Connect-Info = "CONNECT 802.11g"
	EAP-Message = 0x021b001c120b00000b0500005ce51fee12ba6c52690ac927bc4451a2
	State = 0x6594e662648ff44f2c778a0c39bde699
	Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
	Message-Authenticator = 0x973d4bff61816c94815b6990fbfe99c4
server packetfence {
# Executing section authorize from file 
/usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for 
User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
[suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org"
++[suffix] returns noop
++[preprocess] returns ok
rlm_sim_files: authorized user/imsi IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 27 length 28
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair State = 0x6594e662648ff44f2c778a0c39bde699
rlm_perl: Added pair Called-Station-Id = 
50-A7-33-31-CF-B8:PacketFence-Ruckus
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair Message-Authenticator = 
0x973d4bff61816c94815b6990fbfe99c4
rlm_perl: Added pair Vendor-25053-Attr-3 = 
0x5061636b657446656e63652d5275636b7573
rlm_perl: Added pair User-Name = IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 
0x021b001c120b00000b0500005ce51fee12ba6c52690ac927bc4451a2
rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair EAP-Type = SIM
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651
rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81
rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392
rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1
rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505
rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231
rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409
rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1
rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
MAC check succeed
[eap] Underlying EAP-Type set EAP ID to 28
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file 
/usr/local/pf/raddb/sites-enabled/packetfence
+- entering group post-auth {...}
++[exec] returns noop
rlm_perl: Returning vlan 10 to request from 5c:59:48:ed:c4:96 port 1
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Called-Station-Id = 
50-A7-33-31-CF-B8:PacketFence-Ruckus
rlm_perl: Added pair State = 0x6594e662648ff44f2c778a0c39bde699
rlm_perl: Added pair Message-Authenticator = 
0x973d4bff61816c94815b6990fbfe99c4
rlm_perl: Added pair Vendor-25053-Attr-3 = 
0x5061636b657446656e63652d5275636b7573
rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair EAP-Type = SIM
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair User-Name = IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair EAP-Sim-Subtype = Challenge
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 
0x021b001c120b00000b0500005ce51fee12ba6c52690ac927bc4451a2
rlm_perl: Added pair EAP-Sim-MAC = 0x00005ce51fee12ba6c52690ac927bc4451a2
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651
rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392
rlm_perl: Added pair EAP-Id = 28
rlm_perl: Added pair MS-MPPE-Send-Key = 
0xa7b5d6ea41e522f2d8a5b46febddca821c76e01de9c401fc1d469fa02a499429
rlm_perl: Added pair Tunnel-Type = 13
rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505
rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231
rlm_perl: Added pair Message-Authenticator = 
0x00000000000000000000000000000000
rlm_perl: Added pair Tunnel-Private-Group-ID = 10
rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409
rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81
rlm_perl: Added pair Tunnel-Medium-Type = 6
rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1
rlm_perl: Added pair User-Name = IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair MS-MPPE-Recv-Key = 
0x6d540f94b0b70378232cb2d9e5fd90e4c6e11e57902b61d5642bc83de1b6dbfa
rlm_perl: Added pair EAP-Message = 0x031c0004
rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1
rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns ok
} # server packetfence
Sending Access-Accept of id 86 to 10.0.0.24 port 1051
	MS-MPPE-Send-Key = 
0xa7b5d6ea41e522f2d8a5b46febddca821c76e01de9c401fc1d469fa02a499429
	Tunnel-Type:0 = VLAN
	Message-Authenticator = 0x00000000000000000000000000000000
	Tunnel-Private-Group-Id:0 = "10"
	Tunnel-Medium-Type:0 = IEEE-802
	User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
	MS-MPPE-Recv-Key = 
0x6d540f94b0b70378232cb2d9e5fd90e4c6e11e57902b61d5642bc83de1b6dbfa
	EAP-Message = 0x031c0004
Finished request 2.

Thanks!


-- 
Francois Gaudreault, ing. jr
fgaudreault at inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
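Decoding EAP-Message values by hand, as the quoted reply does for the Client-Error packet, gets tedious over a full trace like the one above. What follows is an added example written for this page, not FreeRADIUS code and not something anyone in the thread posted: a small RFC 4186 decoder that splits an EAP-SIM packet into EAP header, subtype and attribute list so that a working trace and a failing one can be lined up packet by packet. It checks lengths only and does not verify AT_MAC, so it tells you what the peer sent, not whether it was authentic. The sample packets are the EAP-Message values from the 2.1.12 trace above, plus the Client-Error packet reassembled from the byte-by-byte breakdown in the quoted reply; the attribute and subtype names follow RFC 4186 and are assumptions of this example rather than names the thread uses.

```python
"""Minimal EAP-SIM (RFC 4186) packet decoder for reading radiusd -X traces.

Added illustration for the thread above; it is not FreeRADIUS code and does no
cryptography (no AT_MAC check). It only pulls header, subtype and attributes
apart so a trace can be read without counting hex by hand.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_SIM = 18

SIM_SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification",
                13: "Re-authentication", 14: "Client-Error"}

# Attribute type numbers and names from RFC 4186 section 10.
ATTR_NAMES = {1: "AT_RAND", 6: "AT_PADDING", 7: "AT_NONCE_MT",
              10: "AT_PERMANENT_ID_REQ", 11: "AT_MAC", 12: "AT_NOTIFICATION",
              13: "AT_ANY_ID_REQ", 14: "AT_IDENTITY", 15: "AT_VERSION_LIST",
              16: "AT_SELECTED_VERSION", 17: "AT_FULLAUTH_ID_REQ",
              19: "AT_COUNTER", 20: "AT_COUNTER_TOO_SMALL", 21: "AT_NONCE_S",
              22: "AT_CLIENT_ERROR_CODE", 129: "AT_IV", 130: "AT_ENCR_DATA",
              132: "AT_NEXT_PSEUDONYM", 133: "AT_NEXT_REAUTH_ID",
              134: "AT_CHECKCODE", 135: "AT_RESULT_IND"}

# AT_CLIENT_ERROR_CODE values from RFC 4186 section 10.19.
CLIENT_ERROR_CODES = {0: "unable to process packet", 1: "unsupported version",
                      2: "insufficient number of challenges",
                      3: "RANDs are not fresh"}

# EAP-Message values copied from the trace in this thread; the Client-Error
# packet is reassembled from the quoted byte breakdown (02 f7 000c 12 0e ...).
TRACE = {
    "client_error": "02f7000c120e000016010000",
    "start_request": "0x011a0014120a00000f0200020001000011010100",
    "start_response": "0x021a0058120a00000e0e00333133303237323033303539333439353340"
                      "776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b"
                      "2e6f726700100100010705000005f0ed522fe4c61aaef4c1488151e370",
    "challenge_request": "0x011b0050120b0000010d0000512317ac521bade521831aa3a3a51231"
                         "12314312514145bbdede1d3a5d7d8d81658719018376aab4d2a5ccde7a21b651"
                         "0b050000cbf0403a4e9eb5001804115677697857",
    "challenge_response": "0x021b001c120b00000b0500005ce51fee12ba6c52690ac927bc4451a2",
    "success": "0x031c0004",
}


def _decode_value(atype, body):
    """Interpret an attribute body (the octets after the type/length pair)."""
    if atype == 1:                        # AT_RAND: 2 reserved octets, then n*16-byte RANDs
        rands = body[2:]
        return [rands[i:i + 16].hex() for i in range(0, len(rands), 16)]
    if atype in (7, 11):                  # AT_NONCE_MT / AT_MAC: 2 reserved, 16-byte value
        return body[2:18].hex()
    if atype == 14:                       # AT_IDENTITY: actual length, then identity, padding
        (actual,) = struct.unpack("!H", body[:2])
        return body[2:2 + actual].decode("ascii", "replace")
    if atype == 15:                       # AT_VERSION_LIST: actual length, then 16-bit versions
        (actual,) = struct.unpack("!H", body[:2])
        return [v for (v,) in struct.iter_unpack("!H", body[2:2 + actual])]
    if atype in (16, 22):                 # AT_SELECTED_VERSION / AT_CLIENT_ERROR_CODE: 16-bit
        (value,) = struct.unpack("!H", body[:2])
        return value
    return body.hex()                     # anything else: raw hex


def decode_eap_sim(hexstr):
    """Decode one EAP-Message value (as printed by radiusd) into a dict."""
    pkt = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):                # EAP length must cover exactly the packet
        raise ValueError("EAP length %d does not match %d bytes" % (length, len(pkt)))
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "attributes": []}
    if code in (3, 4):                    # Success / Failure carry no type or payload
        return out
    if pkt[4] != EAP_TYPE_SIM:
        out["type"] = pkt[4]
        return out
    out["type"] = "SIM"
    out["subtype"] = SIM_SUBTYPES.get(pkt[5], pkt[5])
    pos = 8                               # skip subtype and its two reserved octets
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        total = alen * 4                  # attribute length is counted in 4-octet units
        if total == 0 or pos + total > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        value = _decode_value(atype, pkt[pos + 2:pos + total])
        if atype == 22:
            value = (value, CLIENT_ERROR_CODES.get(value, "unknown"))
        out["attributes"].append((ATTR_NAMES.get(atype, atype), value))
        pos += total
    return out


if __name__ == "__main__":
    for name, hexstr in TRACE.items():
        print(name, decode_eap_sim(hexstr))
```

Run against the values above, the decoder reproduces what radiusd printed for the working exchange (the three RANDs in the Challenge come out as EAP-Sim-Rand1/2/3, the 16-byte nonce as NONCE_MT) and reads the quoted failing packet as a Client-Error with code 0, "unable to process packet", which is the peer's generic rejection of the previous server message. The useful comparison is therefore the server packet the peer was answering: decoding the Start request from a 2.2.0 trace with the same tool and comparing its AT_VERSION_LIST and identity-request attributes with the 2.1.12 Start request above shows where the two exchanges first diverge.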

