EAP-SIM configuration on FreeRadius
Muhammad Usman
muhd.usman87 at gmail.com
Mon Jan 7 11:10:17 CET 2013
Dear All, any thoughts on this?
On Sun, Jan 6, 2013 at 5:05 PM, Muhammad Usman <muhd.usman87 at gmail.com> wrote:
> Dear All,
> I am trying to configure FreeRADIUS for EAP-SIM authentication; for that I
> compiled FreeRADIUS with "./configure --with-modules="rlm_sim"
> --with-modules="rlm_sim_files"". FreeRADIUS is installed successfully, as I
> have tested it using radtest, as suggested on the FreeRADIUS wiki.
> I have installed FreeRADIUS version 2.2.0.
> Now, in order to test EAP-SIM, I have added the below block in the eap.conf
> file after the mschapv2 block:
> sim {
> }
>
> I am trying to run the /src/tests/eapsim-03 example; I have
> copied the below into the users file:
>
> 1244070100000001@eapsim.foo Auth-Type := EAP, EAP-Type := SIM
> EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f,
> EAP-Sim-SRES1 = 0xd1d2d3d4,
> EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d2e2f,
> EAP-Sim-SRES2 = 0xe1e2e3e4,
> EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d3e3f,
> EAP-Sim-SRES3 = 0xf1f2f3f4,
> EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7,
> EAP-Sim-KC2 = 0xb0b1b2b3b4b5b6b7,
> EAP-Sim-KC3 = 0xc0c1c2c3c4c5c6c7,
>
> 1232420100000015 Auth-Type := EAP, EAP-Type := SIM
> EAP-Sim-Rand1 = 0x30000000000000000000000000000000,
> EAP-Sim-SRES1 = 0x30112233,
> EAP-Sim-KC1 = 0x445566778899AABB,
> EAP-Sim-Rand2 = 0x31000000000000000000000000000000,
> EAP-Sim-SRES2 = 0x31112233,
> EAP-Sim-KC2 = 0x445566778899AABB,
> EAP-Sim-Rand3 = 0x32000000000000000000000000000000,
> EAP-Sim-SRES3 = 0x32112233,
> EAP-Sim-KC3 = 0x445566778899AABB,
>
> eapsim Auth-Type := EAP, EAP-Type := SIM
> EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234,
> EAP-Sim-SRES1 = 0x1234abcd,
> EAP-Sim-KC1 = 0x0011223344556677,
> EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a,
> EAP-Sim-SRES2 = 0x234abcd1,
> EAP-Sim-KC2 = 0x1021324354657687,
> EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab,
> EAP-Sim-SRES3 = 0x34abcd12,
> EAP-Sim-KC3 = 0x30415263748596a7
>
> but when I try to run client.sh, I get the following logs:
>
> Sending Access-Request packet to host 127.0.0.1 port 1812, id=64, length=0
> User-Name = "eapsim"
> NAS-IP-Address = 209.87.252.247
> EAP-Code = Response
> EAP-Type-Identity = 0x65617073696d
> Message-Authenticator = 0x30
> NAS-Port = 0
> EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234
> EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a
> EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab
> EAP-Sim-SRES1 = 0x1234abcd
> EAP-Sim-SRES2 = 0x234abcd1
> EAP-Sim-SRES3 = 0x34abcd12
> EAP-Sim-KC1 = 0x0011223344556677
> EAP-Sim-KC2 = 0x1021324354657687
> EAP-Sim-KC3 = 0x30415263748596a7
> EAP-Message = 0x023f000b0165617073696d
> Received Access-Challenge packet from host 127.0.0.1 port 1812, id=64,
> length=78
> EAP-Message = 0x01f30014120a00000f0200020001000011010100
> Message-Authenticator = 0x81ffe249ace5353152e1476e8f7f890b
> State = 0x9a9ec8169a6dda46839134a50c8e1d5d
> EAP-Id = 243
> EAP-Code = Request
> EAP-Type-SIM = 0x0a00000f0200020001000011010100
> Sending Access-Request packet to host 127.0.0.1 port 1812, id=65, length=71
> User-Name = "eapsim"
> NAS-IP-Address = 209.87.252.247
> EAP-Code = Response
> Message-Authenticator = 0x00000000000000000000000000000000
> NAS-Port = 0
> EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234
> EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a
> EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab
> EAP-Sim-SRES1 = 0x1234abcd
> EAP-Sim-SRES2 = 0x234abcd1
> EAP-Sim-SRES3 = 0x34abcd12
> EAP-Sim-KC1 = 0x0011223344556677
> EAP-Sim-KC2 = 0x1021324354657687
> EAP-Sim-KC3 = 0x30415263748596a7
> EAP-Sim-State = 1
> EAP-Sim-Subtype = Start
> EAP-Sim-SELECTED_VERSION = 0x0001
> EAP-Sim-NONCE_MT = 0x0000c9615ec963ada36f11bd4e81093a7271
> EAP-Sim-IDENTITY = 0x000665617073696d
> EAP-Id = 243
> EAP-Message =
> 0x02f3002c120a00001001000107050000c9615ec963ada36f11bd4e81093a72710e03000665617073696d0000
> State = 0x9a9ec8169a6dda46839134a50c8e1d5d
> Received Access-Challenge packet from host 127.0.0.1 port 1812, id=65,
> length=138
> EAP-Message =
> 0x01f40050120b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b050000cd1494bcf2173b38d26c31c3872b60f9
> Message-Authenticator = 0x11986571b4665594edefbf3d811efbae
> State = 0x9a9ec8169b6ada46839134a50c8e1d5d
> EAP-Id = 244
> EAP-Code = Request
> EAP-Type-SIM =
> 0x0b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b050000cd1494bcf2173b38d26c31c3872b60f9
> Input was:
> identity: (len=6)65617073696d
> nonce_mt: c9615ec963ada36f11bd4e81093a7271
> rand0: 00000000000000000000000000000000
> rand1: 00000000000000000000000000000000
> rand2: 00000000000000000000000000000000
> sres0: 1234abcd
> sres1: 234abcd1
> sres2: 34abcd12
> Kc0: 0011223344556677
> Kc1: 1021324354657687
> Kc2: 30415263748596a7
> versionlist[2]: 0001
> select 00 01
>
>
> Output
> mk: 8502e062_35537770_2c0a7c2c_9cfc9fc4_dc4d21d6
> K_aut: b89dafa5_99422bee_db010d3a_6dcded9c
> K_encr: d8a6df78_25d9ad9d_2535083c_33a5c1c6
> msk: f5feb9c1_9dbea4dd_cd94b140_17892e4b_f96327cc
> 84b16260_f0e6447b_b201018f_102b2217_bb6717c8
> 351115b9_a8248f46_aa33c120_f6e5979f_b27f1c98
> 69da98ed
> emsk: 8c1c04ef_4b345a29_50980817_563fc216_844d8e0d
> c2e4bc15_886523be_2e149835_ef850c3e_076722dc
> e27926e8_d01d1929_3da147a1_62833433_391b8a9a
> 20711dd2
> calculated MAC (c412722f_ab82c18d_f5404f45_da872e93_cd950d07 did not match
> Sending Access-Request packet to host 127.0.0.1 port 1812, id=66,
> length=122
> User-Name = "eapsim"
> NAS-IP-Address = 209.87.252.247
> EAP-Code = Response
> Message-Authenticator = 0x00000000000000000000000000000000
> NAS-Port = 0
> EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234
> EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a
> EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab
> EAP-Sim-SRES1 = 0x1234abcd
> EAP-Sim-SRES2 = 0x234abcd1
> EAP-Sim-SRES3 = 0x34abcd12
> EAP-Sim-KC1 = 0x0011223344556677
> EAP-Sim-KC2 = 0x1021324354657687
> EAP-Sim-KC3 = 0x30415263748596a7
> EAP-Sim-State = 0
> EAP-Sim-Subtype = Start
> EAP-Sim-SELECTED_VERSION = 0x0001
> EAP-Sim-NONCE_MT = 0x0000c9615ec963ada36f11bd4e81093a7271
> EAP-Sim-IDENTITY = 0x000665617073696d
> EAP-Id = 244
> State = 0x9a9ec8169b6ada46839134a50c8e1d5d
> EAP-Message =
> 0x02f4002c120a00001001000107050000c9615ec963ada36f11bd4e81093a72710e03000665617073696d0000
> Received Access-Challenge packet from host 127.0.0.1 port 1812, id=66,
> length=138
> EAP-Message =
> 0x01f50050120b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b0500006a93d1ff0e02e0b507f2940ce8e59251
> Message-Authenticator = 0x6c9b33feb4d0851ed9d2c72e94640cc2
> State = 0x9a9ec816986bda46839134a50c8e1d5d
> EAP-Id = 245
> EAP-Code = Request
> EAP-Type-SIM =
> 0x0b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b0500006a93d1ff0e02e0b507f2940ce8e59251
> radeapclient: sim in state init message challenge is illegal. Reply
> dropped.
>
>
> ------------------------------------------------------------
> This is the eapsim-in.txt file used in the client.sh script:
>
>
> User-Name = "eapsim"
> NAS-IP-Address = marajade.sandelman.ottawa.on.ca
> EAP-Code = Response
> EAP-Type-Identity = "eapsim"
> Message-Authenticator = 0
> NAS-Port = 0
> EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234
> EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a
> EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab
> EAP-Sim-Sres1 = 0x1234abcd
> EAP-Sim-Sres2 = 0x234abcd1
> EAP-Sim-Sres3 = 0x34abcd12
> EAP-Sim-KC1 = 0x0011223344556677
> EAP-Sim-KC2 = 0x1021324354657687
> EAP-Sim-KC3 = 0x30415263748596a7
>
>
> ------------------------------------------------------------
>
>
> while on the RADIUS debugging console it says:
>
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 29859, id=64,
> length=71
> User-Name = "eapsim"
> NAS-IP-Address = 209.87.252.247
> Message-Authenticator = 0xcdbcb987fbfe7846c70edb63de2af9bb
> NAS-Port = 0
> EAP-Message = 0x023f000b0165617073696d
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "eapsim", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> can not open /usr/local/etc/raddb/simtriplets.dat: No such file or
> directory
> ++[sim_files] returns notfound
> [eap] EAP packet type response id 63 length 11
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry eapsim at line 24
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type sim
> [eap] Underlying EAP-Type set EAP ID to 243
> ++[eap] returns handled
> Sending Access-Challenge of id 64 to 127.0.0.1 port 29859
> EAP-Message = 0x01f30014120a00000f0200020001000011010100
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x9a9ec8169a6dda46839134a50c8e1d5d
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 127.0.0.1 port 29859, id=65,
> length=122
> User-Name = "eapsim"
> NAS-IP-Address = 209.87.252.247
> Message-Authenticator = 0xa62ac94a97d1f99105aef11ea7f7f802
> NAS-Port = 0
> EAP-Message =
> 0x02f3002c120a00001001000107050000c9615ec963ada36f11bd4e81093a72710e03000665617073696d0000
> State = 0x9a9ec8169a6dda46839134a50c8e1d5d
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "eapsim", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> can not open /usr/local/etc/raddb/simtriplets.dat: No such file or
> directory
> ++[sim_files] returns notfound
> [eap] EAP packet type response id 243 length 44
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry eapsim at line 24
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/sim
> [eap] processing type sim
> +++> EAP-sim decoded packet:
> User-Name = "eapsim"
> NAS-IP-Address = 209.87.252.247
> Message-Authenticator = 0xa62ac94a97d1f99105aef11ea7f7f802
> NAS-Port = 0
> EAP-Message =
> 0x02f3002c120a00001001000107050000c9615ec963ada36f11bd4e81093a72710e03000665617073696d0000
> State = 0x9a9ec8169a6dda46839134a50c8e1d5d
> EAP-Type = SIM
> EAP-Sim-Subtype = Start
> EAP-Sim-SELECTED_VERSION = 0x0001
> EAP-Sim-NONCE_MT = 0x0000c9615ec963ada36f11bd4e81093a7271
> EAP-Sim-IDENTITY = 0x000665617073696d0000
> [eap] Underlying EAP-Type set EAP ID to 244
> ++[eap] returns handled
> Sending Access-Challenge of id 65 to 127.0.0.1 port 29859
> EAP-Message =
> 0x01f40050120b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b050000cd1494bcf2173b38d26c31c3872b60f9
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x9a9ec8169b6ada46839134a50c8e1d5d
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 127.0.0.1 port 29859, id=66,
> length=122
> User-Name = "eapsim"
> NAS-IP-Address = 209.87.252.247
> Message-Authenticator = 0x0066414e52eb81de434cb323e73182dc
> NAS-Port = 0
> State = 0x9a9ec8169b6ada46839134a50c8e1d5d
> EAP-Message =
> 0x02f4002c120a00001001000107050000c9615ec963ada36f11bd4e81093a72710e03000665617073696d0000
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "eapsim", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> can not open /usr/local/etc/raddb/simtriplets.dat: No such file or
> directory
> ++[sim_files] returns notfound
> [eap] EAP packet type response id 244 length 44
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry eapsim at line 24
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/sim
> [eap] processing type sim
> +++> EAP-sim decoded packet:
> User-Name = "eapsim"
> NAS-IP-Address = 209.87.252.247
> Message-Authenticator = 0x0066414e52eb81de434cb323e73182dc
> NAS-Port = 0
> State = 0x9a9ec8169b6ada46839134a50c8e1d5d
> EAP-Message =
> 0x02f4002c120a00001001000107050000c9615ec963ada36f11bd4e81093a72710e03000665617073696d0000
> EAP-Type = SIM
> EAP-Sim-Subtype = Start
> EAP-Sim-SELECTED_VERSION = 0x0001
> EAP-Sim-NONCE_MT = 0x0000c9615ec963ada36f11bd4e81093a7271
> EAP-Sim-IDENTITY = 0x000665617073696d0000
> [eap] Underlying EAP-Type set EAP ID to 245
> ++[eap] returns handled
> Sending Access-Challenge of id 66 to 127.0.0.1 port 29859
> EAP-Message =
> 0x01f50050120b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b0500006a93d1ff0e02e0b507f2940ce8e59251
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x9a9ec816986bda46839134a50c8e1d5d
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 64 with timestamp +9
> Cleaning up request 1 ID 65 with timestamp +9
> Cleaning up request 2 ID 66 with timestamp +9
> Ready to process requests.
>
> Can anybody help me identify where I am going wrong, and what the
> missing steps are here?
>
> Thanks in advance.
>
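An added example (not from this thread or the FreeRADIUS sources): a decoder for the EAP-SIM messages quoted in the trace above, so each EAP-Message can be read as its RFC 4186 subtype and attributes, plus a check that a Response actually answers the Request it follows. The four hex strings are copied from the trace; the attribute names are the RFC's, and the in_sequence check is this example's own assumption, not how radeapclient validates its state.

```python
import struct

# EAP-SIM (RFC 4186) subtype and attribute codes that occur in the trace above.
EAP_TYPE_SIM = 18
SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification", 13: "Re-authentication"}
ATTRS = {1: "AT_RAND", 7: "AT_NONCE_MT", 10: "AT_PERMANENT_ID_REQ", 11: "AT_MAC",
         13: "AT_ANY_ID_REQ", 14: "AT_IDENTITY", 15: "AT_VERSION_LIST",
         16: "AT_SELECTED_VERSION", 17: "AT_FULLAUTH_ID_REQ"}

def decode_attr(atype, body):  # body = the octets after the type/length pair
    if atype == 1:                    # AT_RAND: reserved(2), then n x 16-byte RAND
        rands = body[2:]
        return [rands[i:i + 16].hex() for i in range(0, len(rands), 16)]
    if atype in (7, 11):              # AT_NONCE_MT / AT_MAC: reserved(2), then 16 bytes
        return body[2:18].hex()
    if atype in (14, 15):             # AT_IDENTITY / AT_VERSION_LIST: actual length(2), data, pad
        n = struct.unpack("!H", body[:2])[0]
        data = body[2:2 + n]
        if atype == 14:
            return data.decode("ascii", "replace")
        return [struct.unpack("!H", data[i:i + 2])[0] for i in range(0, n, 2)]
    if atype == 16:                   # AT_SELECTED_VERSION: one 2-byte version
        return struct.unpack("!H", body[:2])[0]
    return body.hex()                 # *_ID_REQ and unknown attributes: raw octets

def parse_eap_sim(hexstr):
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, eid, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or data[4] != EAP_TYPE_SIM:
        raise ValueError("not a well-formed EAP-SIM packet")
    msg = {"code": {1: "Request", 2: "Response"}.get(code, code), "id": eid,
           "subtype": SUBTYPES.get(data[5], data[5]), "attrs": {}}
    pos = 8                           # skip Code, Id, Length, Type, Subtype, Reserved
    while pos < length:
        atype, alen = data[pos], 4 * data[pos + 1]   # length is in 4-octet units
        if alen == 0 or pos + alen > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        name = ATTRS.get(atype, f"AT_{atype}")
        msg["attrs"][name] = decode_attr(atype, data[pos + 2:pos + alen])
        pos += alen
    return msg

def in_sequence(req, resp):  # assumption: a reply must echo the request's id and subtype
    return resp["code"] == "Response" and (resp["id"], resp["subtype"]) == (req["id"], req["subtype"])

# The EAP-Message values from the trace above (RADIUS ids 64-66, EAP ids 243-244).
START_REQ = "0x01f30014120a00000f0200020001000011010100"
START_RESP = "0x02f3002c120a00001001000107050000c9615ec963ada36f11bd4e81093a72710e03000665617073696d0000"
CHALLENGE = "0x01f40050120b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b050000cd1494bcf2173b38d26c31c3872b60f9"
RETRY = "0x02f4002c120a00001001000107050000c9615ec963ada36f11bd4e81093a72710e03000665617073696d0000"
```

Decoding RETRY (the client's reply to the id=65 Access-Challenge) yields EAP id 244 with subtype Start, the same id the server used for its Challenge request, so in_sequence(parse_eap_sim(CHALLENGE), parse_eap_sim(RETRY)) is False.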