EAP-SIM configuration on FreeRadius

Muhammad Usman muhd.usman87 at gmail.com
Sun Jan 6 13:05:31 CET 2013


Dear All,
I am trying to configure FreeRADIUS for EAP-SIM authentication. For that I
compiled FreeRADIUS with "./configure --with-modules="rlm_sim"
--with-modules="rlm_sim_files"". FreeRADIUS is installed successfully, as I
have tested it using radtest, as suggested on the FreeRADIUS wiki.
I have installed FreeRADIUS version 2.2.0.
Now, in order to test EAP-SIM, I have added the block below to the eap.conf file
after the mschapv2 block:
    sim {
    }

I am trying to successfully run the /src/tests/eapsim-03 example; I have copied
the below into the users file:

1244070100000001@eapsim.foo     Auth-Type := EAP, EAP-Type := SIM
        EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f,
        EAP-Sim-SRES1 = 0xd1d2d3d4,
        EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d2e2f,
        EAP-Sim-SRES2 = 0xe1e2e3e4,
        EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d3e3f,
        EAP-Sim-SRES3 = 0xf1f2f3f4,
        EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7,
        EAP-Sim-KC2 = 0xb0b1b2b3b4b5b6b7,
        EAP-Sim-KC3 = 0xc0c1c2c3c4c5c6c7,

1232420100000015        Auth-Type := EAP, EAP-Type := SIM
        EAP-Sim-Rand1 = 0x30000000000000000000000000000000,
        EAP-Sim-SRES1 = 0x30112233,
        EAP-Sim-KC1 = 0x445566778899AABB,
        EAP-Sim-Rand2 = 0x31000000000000000000000000000000,
        EAP-Sim-SRES2 = 0x31112233,
        EAP-Sim-KC2 = 0x445566778899AABB,
        EAP-Sim-Rand3 = 0x32000000000000000000000000000000,
        EAP-Sim-SRES3 = 0x32112233,
        EAP-Sim-KC3 = 0x445566778899AABB,

eapsim         Auth-Type := EAP, EAP-Type := SIM
        EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234,
        EAP-Sim-SRES1 = 0x1234abcd,
        EAP-Sim-KC1 = 0x0011223344556677,
        EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a,
        EAP-Sim-SRES2 = 0x234abcd1,
        EAP-Sim-KC2 = 0x1021324354657687,
        EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab,
        EAP-Sim-SRES3 = 0x34abcd12,
        EAP-Sim-KC3 = 0x30415263748596a7

but when I try to run client.sh, it produces the following log:

Sending Access-Request packet to host 127.0.0.1 port 1812, id=64, length=0
        User-Name = "eapsim"
        NAS-IP-Address = 209.87.252.247
        EAP-Code = Response
        EAP-Type-Identity = 0x65617073696d
        Message-Authenticator = 0x30
        NAS-Port = 0
        EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234
        EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a
        EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab
        EAP-Sim-SRES1 = 0x1234abcd
        EAP-Sim-SRES2 = 0x234abcd1
        EAP-Sim-SRES3 = 0x34abcd12
        EAP-Sim-KC1 = 0x0011223344556677
        EAP-Sim-KC2 = 0x1021324354657687
        EAP-Sim-KC3 = 0x30415263748596a7
        EAP-Message = 0x023f000b0165617073696d
Received Access-Challenge packet from host 127.0.0.1 port 1812, id=64,
length=78
        EAP-Message = 0x01f30014120a00000f0200020001000011010100
        Message-Authenticator = 0x81ffe249ace5353152e1476e8f7f890b
        State = 0x9a9ec8169a6dda46839134a50c8e1d5d
        EAP-Id = 243
        EAP-Code = Request
        EAP-Type-SIM = 0x0a00000f0200020001000011010100
Sending Access-Request packet to host 127.0.0.1 port 1812, id=65, length=71
        User-Name = "eapsim"
        NAS-IP-Address = 209.87.252.247
        EAP-Code = Response
        Message-Authenticator = 0x00000000000000000000000000000000
        NAS-Port = 0
        EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234
        EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a
        EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab
        EAP-Sim-SRES1 = 0x1234abcd
        EAP-Sim-SRES2 = 0x234abcd1
        EAP-Sim-SRES3 = 0x34abcd12
        EAP-Sim-KC1 = 0x0011223344556677
        EAP-Sim-KC2 = 0x1021324354657687
        EAP-Sim-KC3 = 0x30415263748596a7
        EAP-Sim-State = 1
        EAP-Sim-Subtype = Start
        EAP-Sim-SELECTED_VERSION = 0x0001
        EAP-Sim-NONCE_MT = 0x0000c9615ec963ada36f11bd4e81093a7271
        EAP-Sim-IDENTITY = 0x000665617073696d
        EAP-Id = 243
        EAP-Message =
0x02f3002c120a00001001000107050000c9615ec963ada36f11bd4e81093a72710e03000665617073696d0000
        State = 0x9a9ec8169a6dda46839134a50c8e1d5d
Received Access-Challenge packet from host 127.0.0.1 port 1812, id=65,
length=138
        EAP-Message =
0x01f40050120b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b050000cd1494bcf2173b38d26c31c3872b60f9
        Message-Authenticator = 0x11986571b4665594edefbf3d811efbae
        State = 0x9a9ec8169b6ada46839134a50c8e1d5d
        EAP-Id = 244
        EAP-Code = Request
        EAP-Type-SIM =
0x0b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b050000cd1494bcf2173b38d26c31c3872b60f9
Input was:
   identity: (len=6)65617073696d
   nonce_mt: c9615ec963ada36f11bd4e81093a7271
   rand0: 00000000000000000000000000000000
   rand1: 00000000000000000000000000000000
   rand2: 00000000000000000000000000000000
   sres0: 1234abcd
   sres1: 234abcd1
   sres2: 34abcd12
   Kc0: 0011223344556677
   Kc1: 1021324354657687
   Kc2: 30415263748596a7
   versionlist[2]: 0001
   select 00 01


Output
mk:         8502e062_35537770_2c0a7c2c_9cfc9fc4_dc4d21d6
K_aut:      b89dafa5_99422bee_db010d3a_6dcded9c
K_encr:     d8a6df78_25d9ad9d_2535083c_33a5c1c6
msk:        f5feb9c1_9dbea4dd_cd94b140_17892e4b_f96327cc
            84b16260_f0e6447b_b201018f_102b2217_bb6717c8
            351115b9_a8248f46_aa33c120_f6e5979f_b27f1c98
            69da98ed
emsk:       8c1c04ef_4b345a29_50980817_563fc216_844d8e0d
            c2e4bc15_886523be_2e149835_ef850c3e_076722dc
            e27926e8_d01d1929_3da147a1_62833433_391b8a9a
            20711dd2
calculated MAC (c412722f_ab82c18d_f5404f45_da872e93_cd950d07 did not match
Sending Access-Request packet to host 127.0.0.1 port 1812, id=66, length=122
        User-Name = "eapsim"
        NAS-IP-Address = 209.87.252.247
        EAP-Code = Response
        Message-Authenticator = 0x00000000000000000000000000000000
        NAS-Port = 0
        EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234
        EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a
        EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab
        EAP-Sim-SRES1 = 0x1234abcd
        EAP-Sim-SRES2 = 0x234abcd1
        EAP-Sim-SRES3 = 0x34abcd12
        EAP-Sim-KC1 = 0x0011223344556677
        EAP-Sim-KC2 = 0x1021324354657687
        EAP-Sim-KC3 = 0x30415263748596a7
        EAP-Sim-State = 0
        EAP-Sim-Subtype = Start
        EAP-Sim-SELECTED_VERSION = 0x0001
        EAP-Sim-NONCE_MT = 0x0000c9615ec963ada36f11bd4e81093a7271
        EAP-Sim-IDENTITY = 0x000665617073696d
        EAP-Id = 244
        State = 0x9a9ec8169b6ada46839134a50c8e1d5d
        EAP-Message =
0x02f4002c120a00001001000107050000c9615ec963ada36f11bd4e81093a72710e03000665617073696d0000
Received Access-Challenge packet from host 127.0.0.1 port 1812, id=66,
length=138
        EAP-Message =
0x01f50050120b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b0500006a93d1ff0e02e0b507f2940ce8e59251
        Message-Authenticator = 0x6c9b33feb4d0851ed9d2c72e94640cc2
        State = 0x9a9ec816986bda46839134a50c8e1d5d
        EAP-Id = 245
        EAP-Code = Request
        EAP-Type-SIM =
0x0b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b0500006a93d1ff0e02e0b507f2940ce8e59251
radeapclient: sim in state init message challenge is illegal. Reply dropped.

------------------------------------------------------------------------
This is the eapsim-in.txt file used in the client.sh script:


User-Name = "eapsim"
NAS-IP-Address = marajade.sandelman.ottawa.on.ca
EAP-Code = Response
EAP-Type-Identity = "eapsim"
Message-Authenticator = 0
NAS-Port = 0
EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234
EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a
EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab
EAP-Sim-Sres1 = 0x1234abcd
EAP-Sim-Sres2 = 0x234abcd1
EAP-Sim-Sres3 = 0x34abcd12
EAP-Sim-KC1 = 0x0011223344556677
EAP-Sim-KC2 = 0x1021324354657687
EAP-Sim-KC3 = 0x30415263748596a7

------------------------------------------------------------------------


while on the radius debugging console it says:


rad_recv: Access-Request packet from host 127.0.0.1 port 29859, id=64,
length=71
        User-Name = "eapsim"
        NAS-IP-Address = 209.87.252.247
        Message-Authenticator = 0xcdbcb987fbfe7846c70edb63de2af9bb
        NAS-Port = 0
        EAP-Message = 0x023f000b0165617073696d
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "eapsim", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
can not open /usr/local/etc/raddb/simtriplets.dat: No such file or directory
++[sim_files] returns notfound
[eap] EAP packet type response id 63 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry eapsim at line 24
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 243
++[eap] returns handled
Sending Access-Challenge of id 64 to 127.0.0.1 port 29859
        EAP-Message = 0x01f30014120a00000f0200020001000011010100
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9a9ec8169a6dda46839134a50c8e1d5d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 29859, id=65,
length=122
        User-Name = "eapsim"
        NAS-IP-Address = 209.87.252.247
        Message-Authenticator = 0xa62ac94a97d1f99105aef11ea7f7f802
        NAS-Port = 0
        EAP-Message =
0x02f3002c120a00001001000107050000c9615ec963ada36f11bd4e81093a72710e03000665617073696d0000
        State = 0x9a9ec8169a6dda46839134a50c8e1d5d
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "eapsim", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
can not open /usr/local/etc/raddb/simtriplets.dat: No such file or directory
++[sim_files] returns notfound
[eap] EAP packet type response id 243 length 44
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry eapsim at line 24
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
        User-Name = "eapsim"
        NAS-IP-Address = 209.87.252.247
        Message-Authenticator = 0xa62ac94a97d1f99105aef11ea7f7f802
        NAS-Port = 0
        EAP-Message =
0x02f3002c120a00001001000107050000c9615ec963ada36f11bd4e81093a72710e03000665617073696d0000
        State = 0x9a9ec8169a6dda46839134a50c8e1d5d
        EAP-Type = SIM
        EAP-Sim-Subtype = Start
        EAP-Sim-SELECTED_VERSION = 0x0001
        EAP-Sim-NONCE_MT = 0x0000c9615ec963ada36f11bd4e81093a7271
        EAP-Sim-IDENTITY = 0x000665617073696d0000
[eap] Underlying EAP-Type set EAP ID to 244
++[eap] returns handled
Sending Access-Challenge of id 65 to 127.0.0.1 port 29859
        EAP-Message =
0x01f40050120b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b050000cd1494bcf2173b38d26c31c3872b60f9
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9a9ec8169b6ada46839134a50c8e1d5d
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 29859, id=66,
length=122
        User-Name = "eapsim"
        NAS-IP-Address = 209.87.252.247
        Message-Authenticator = 0x0066414e52eb81de434cb323e73182dc
        NAS-Port = 0
        State = 0x9a9ec8169b6ada46839134a50c8e1d5d
        EAP-Message =
0x02f4002c120a00001001000107050000c9615ec963ada36f11bd4e81093a72710e03000665617073696d0000
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "eapsim", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
can not open /usr/local/etc/raddb/simtriplets.dat: No such file or directory
++[sim_files] returns notfound
[eap] EAP packet type response id 244 length 44
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry eapsim at line 24
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
        User-Name = "eapsim"
        NAS-IP-Address = 209.87.252.247
        Message-Authenticator = 0x0066414e52eb81de434cb323e73182dc
        NAS-Port = 0
        State = 0x9a9ec8169b6ada46839134a50c8e1d5d
        EAP-Message =
0x02f4002c120a00001001000107050000c9615ec963ada36f11bd4e81093a72710e03000665617073696d0000
        EAP-Type = SIM
        EAP-Sim-Subtype = Start
        EAP-Sim-SELECTED_VERSION = 0x0001
        EAP-Sim-NONCE_MT = 0x0000c9615ec963ada36f11bd4e81093a7271
        EAP-Sim-IDENTITY = 0x000665617073696d0000
[eap] Underlying EAP-Type set EAP ID to 245
++[eap] returns handled
Sending Access-Challenge of id 66 to 127.0.0.1 port 29859
        EAP-Message =
0x01f50050120b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b0500006a93d1ff0e02e0b507f2940ce8e59251
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9a9ec816986bda46839134a50c8e1d5d
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 64 with timestamp +9
Cleaning up request 1 ID 65 with timestamp +9
Cleaning up request 2 ID 66 with timestamp +9
Ready to process requests.





Can anybody help me identify where I am going wrong, and what the missing
steps are here?

Thanks in advance.
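As an added example for this thread (it is not FreeRADIUS code and not something the poster ran), the Python below decodes the three EAP-SIM packets that appear in the radeapclient output above (Start request, Start response, Challenge) and recomputes the AT_MAC check the client performs on the Challenge, following the RFC 4186 wire format and MAC rule. The packet bytes, NONCE_MT, Kc values and K_aut are copied from the log; K_aut is taken as an input because the FIPS 186-2 PRF that derives it from MK is not implemented here, so the script cannot by itself say which side computed the mismatching MAC.

```python
"""
Decode the EAP-SIM packets captured in the radeapclient / radiusd output
above and recompute the AT_MAC check the client runs on the Challenge
(RFC 4186).  Added example for this thread, not FreeRADIUS code.  K_aut is
taken from the client's log as an input; the FIPS 186-2 PRF that derives it
from MK is not implemented here.
"""
import hashlib
import hmac
import struct

EAP_TYPE_SIM = 18
AT_MAC = 11
SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification",
            13: "Re-authentication", 14: "Client-Error"}
ATTRS = {1: "AT_RAND", 7: "AT_NONCE_MT", 10: "AT_PERMANENT_ID_REQ",
         11: "AT_MAC", 13: "AT_ANY_ID_REQ", 14: "AT_IDENTITY",
         15: "AT_VERSION_LIST", 16: "AT_SELECTED_VERSION",
         17: "AT_FULLAUTH_ID_REQ"}


def iter_attributes(pkt):
    """Yield (type, offset, total_length) for each TLV after the 8-byte
    EAP-SIM header.  The length byte counts 4-octet units; zero is malformed."""
    off = 8
    while off < len(pkt):
        atype, alen = pkt[off], pkt[off + 1] * 4
        if alen == 0 or off + alen > len(pkt):
            raise ValueError("malformed attribute at offset %d" % off)
        yield atype, off, alen
        off += alen


def decode_attribute(atype, body):
    """body is everything after the 2-byte type/length prefix."""
    if atype == 1:                      # AT_RAND: 2 reserved + n*16 bytes RAND
        r = body[2:]
        return [r[i:i + 16] for i in range(0, len(r), 16)]
    if atype in (7, 11):                # AT_NONCE_MT / AT_MAC: 2 reserved + 16
        return body[2:18]
    if atype == 14:                     # AT_IDENTITY: 2-byte actual length
        n = struct.unpack("!H", body[:2])[0]
        return body[2:2 + n]
    if atype == 15:                     # AT_VERSION_LIST: length, 2-byte versions
        n = struct.unpack("!H", body[:2])[0]
        return [struct.unpack("!H", body[2 + i:4 + i])[0] for i in range(0, n, 2)]
    if atype == 16:                     # AT_SELECTED_VERSION
        return struct.unpack("!H", body[:2])[0]
    return body                         # *_ID_REQ and unknown types: raw bytes


def parse_eap_sim(pkt):
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or eap_type != EAP_TYPE_SIM:
        raise ValueError("not a complete EAP-SIM packet")
    attrs = {}
    for atype, off, alen in iter_attributes(pkt):
        attrs[ATTRS.get(atype, atype)] = decode_attribute(atype, pkt[off + 2:off + alen])
    return {"code": code, "id": ident,
            "subtype": SUBTYPES.get(pkt[5], pkt[5]), "attrs": attrs}


def derive_mk(identity, kcs, nonce_mt, version_list, selected_version):
    """RFC 4186 s7: MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version)."""
    versions = b"".join(struct.pack("!H", v) for v in version_list)
    return hashlib.sha1(identity + b"".join(kcs) + nonce_mt + versions
                        + struct.pack("!H", selected_version)).digest()


def compute_at_mac(pkt, k_aut, extra=b""):
    """HMAC-SHA1-128 over the packet with the AT_MAC value zeroed, followed by
    'extra' (NONCE_MT for EAP-Request/SIM/Challenge, RFC 4186 s10.14)."""
    for atype, off, alen in iter_attributes(pkt):
        if atype == AT_MAC:
            zeroed = pkt[:off + 4] + bytes(16) + pkt[off + 20:]
            break
    else:
        raise ValueError("packet carries no AT_MAC")
    return hmac.new(k_aut, zeroed + extra, hashlib.sha1).digest()[:16]


def seal_at_mac(pkt, k_aut, extra=b""):
    """Return pkt with its AT_MAC value replaced by the correct MAC."""
    mac = compute_at_mac(pkt, k_aut, extra)
    for atype, off, alen in iter_attributes(pkt):
        if atype == AT_MAC:
            return pkt[:off + 4] + mac + pkt[off + 20:]


def verify_at_mac(pkt, k_aut, extra=b""):
    got = parse_eap_sim(pkt)["attrs"]["AT_MAC"]
    return hmac.compare_digest(got, compute_at_mac(pkt, k_aut, extra))


# Packets copied from the EAP-Message lines of the log above.
START_REQ = bytes.fromhex("01f30014120a00000f0200020001000011010100")
START_RESP = bytes.fromhex("02f3002c120a00001001000107050000c9615ec963ada36f11bd4e81093a7271"
                           "0e03000665617073696d0000")
CHALLENGE = bytes.fromhex("01f40050120b0000010d0000abcd1234abcd1234abcd1234abcd1234"
                          "bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab"
                          "0b050000cd1494bcf2173b38d26c31c3872b60f9")
# Values the client printed in its "Input was" / "Output" section.
K_AUT = bytes.fromhex("b89dafa599422beedb010d3a6dcded9c")
NONCE_MT = bytes.fromhex("c9615ec963ada36f11bd4e81093a7271")
KCS = [bytes.fromhex(h) for h in ("0011223344556677", "1021324354657687", "30415263748596a7")]

if __name__ == "__main__":
    for name, pkt in (("Start request", START_REQ), ("Start response", START_RESP),
                      ("Challenge", CHALLENGE)):
        print(name, parse_eap_sim(pkt))
    print("MK from RFC 4186 formula:", derive_mk(b"eapsim", KCS, NONCE_MT, [1], 1).hex())
    print("AT_MAC sent by server  :", parse_eap_sim(CHALLENGE)["attrs"]["AT_MAC"].hex())
    print("AT_MAC recomputed      :", compute_at_mac(CHALLENGE, K_AUT, NONCE_MT).hex())
    print("verifies with client K_aut:", verify_at_mac(CHALLENGE, K_AUT, NONCE_MT))
```

Run as a script it prints the decoded fields of each packet, the MK from the RFC 4186 formula, and the AT_MAC recomputed over the captured Challenge with the client's K_aut and NONCE_MT next to the value the server sent, so the two can be compared directly. The MAC input for a Challenge is the whole EAP packet with the 16 MAC bytes zeroed, followed by NONCE_MT; any byte of the packet that differs between what the server signed and what the client hashes (including the RANDs it carries) changes the result, which is why the parser is included alongside the MAC routine.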