EAP-SIM on 2.2.0

Iliya Peregoudov iperegudov at cboss.ru
Fri Sep 14 08:20:48 CEST 2012 

I have manually parse EAP messages. EAP Identity and AT_IDENTITY are the 
same.

EAP-Message from first Access-Request:

02                                              Code = 2 (EAP-Response)
    00                                           Identifier = 0
       00 38                                     Length = 56
             01                                  Type = 1 (Identity)
                31 33 30 32 37 32 30 34 30 34 34 Type-Data =
          1302720404413890 at wlan.mnc720.mcc302.3gppnetwork.org
31 33 38 39 30 40 77 6c 61 6e 2e 6d 6e 63 37 32
30 2e 6d 63 63 33 30 32 2e 33 67 70 70 6e 65 74
77 6f 72 6b 2e 6f 72 67

EAP-Message from second Access-Request:

02                                              Code = 2 (EAP-Response)
    f6                                           Identifier = 246
       00 58                                     Length = 88
             12                                  Type = 18 (EAP-SIM)
                0a                               Subtype = 10 (SIM-Start)
                   00 00                         Reserved
                         0e                      Attr Type = 14
                                                 (AT_IDENTITY)
                            0e                   Attr Length = 56
                               00 33             Identity Length = 51
                                     31 33 30 32 Value =
          1302720404413890 at wlan.mnc720.mcc302.3gppnetwork.org
37 32 30 34 30 34 34 31 33 38 39 30 40 77 6c 61
6e 2e 6d 6e 63 37 32 30 2e 6d 63 63 33 30 32 2e
33 67 70 70 6e 65 74 77 6f 72 6b 2e 6f 72 67 00
10                                              Attr Type = 16
                                                 (AT_SELECTED_VERSION)
    01                                           Attr Length = 4
       00 01                                     Value = 1
             07                                  Attr Type = 7
                                                 (AT_NONCE_MT)
                05                               Attr Length = 20
                   00 00                         Reserved
                         7a e3 c3 b2 94 fa a5 fa Value = 16 random octets
c8 5c 9c dc 58 73 7c 87

I see AT_IDENTITY is padded with single zero octet. Maybe rlm_eap_sim 
uses wrong length field, namely Attribute Length instead of Identity Length?

Alan DeKok wrote:
> Francois Gaudreault wrote:
>> Ok so I did bisect, and this commit appears to be the problematic one:
>>
>> 177dbabdcef84353768551c0a39d29c566538c06 is the first bad commit
>> commit 177dbabdcef84353768551c0a39d29c566538c06
>> Author: Alan T. DeKok <aland at freeradius.org>
>> Date:   Tue Feb 21 08:57:49 2012 +0100
>>
>>     Try to use identity from SIM protocol, not EAP-Identity
> 
>   Well, the SIM identity doesn't agree with the EAP-Identity.
> 
>   The patch went in because Microsoft ran into inter-operability issues.
>  The SIM identity can change during the protocol exchange.  The old way
> of always using the EAP-Identity was wrong.
> 
>   I'm not sure what to suggest here.  You can delete the patch in your
> private branch.  But that means you'll run into other inter-operability
> issues later.
> 
>   You should probably do a bit more digging to see exactly *what* is
> going on in the failing case.  Knowing that will help come up with a
> decent solution.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list