EAP-SIM authentication problem at 2nd stage
johan firdianto
johanfirdi at gmail.com
Tue Jul 30 09:09:37 CEST 2013
dear guest, i have problem in eap-sim authentication.
I'm using freeradius 2.2.0, blackberry 9220
here my simtripletsdat. file
1510012660372465,AF6876E748BD46bf853A99DC2032F0A7,95762655,449177635B92bc00
1510012660372465,A1A9AC744E8D49819D27A79B067BCA69,257b31c6,64ff9467DEa1e400
1510012660372465,603906BFD8DC404197BAC35FF1274EB3,4F41eb06,F3ce89b4FCbc0000
1510080332618369,23A95DB79B644a4299463F0342069A11,7775d266,B10f3eba2Bc5ed2b
1510080332618369,FDCE8E4F2B0B4b3086BEF230076EAD58,D9e080d9,E2aad63f711e1324
1510080332618369,238100571AD1495fBCE2AD5505634E41,A40e1656,66a098a750d9cd13
here content of users file
1510080332618369 Auth-Type := EAP, EAP-Type := SIM
EAP-Sim-Rand1 := 0x23A95DB79B644a4299463F0342069A11,
EAP-Sim-SRES1 := 0x7775d266,
EAP-Sim-KC1 := 0xB10f3eba2Bc5ed2b,
EAP-Sim-Rand2 := 0xFDCE8E4F2B0B4b3086BEF230076EAD58,
EAP-Sim-SRES2 := 0xD9e080d9,
EAP-Sim-KC2 := 0xE2aad63f711e1324,
EAP-Sim-Rand3 := 0x238100571AD1495fBCE2AD5505634E41,
EAP-Sim-SRES3 := 0xA40e1656,
EAP-Sim-KC3 := 0x66a098a750d9cd13,
1510012660372465 Auth-Type := EAP, EAP-Type := sim
EAP-Sim-Rand1 := 0xAF6876E748BD46bf853A99DC2032F0A7,
EAP-Sim-SRES1 := 0x95762655,
EAP-Sim-KC1 := 0x449177635B92bc00,
EAP-Sim-Rand2 := 0xA1A9AC744E8D49819D27A79B067BCA69,
EAP-Sim-SRES2 := 0x257b31c6,
EAP-Sim-KC2 := 0x64ff9467DEa1e400,
EAP-Sim-Rand3 := 0x603906BFD8DC404197BAC35FF1274EB3,
EAP-Sim-SRES3 := 0x4F41eb06,
EAP-Sim-KC3 := 0xF3ce89b4FCbc0000,
1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org Auth-Type :=
EAP, EAP-Type := SIM
EAP-Sim-Rand1 := 0x23A95DB79B644a4299463F0342069A11,
EAP-Sim-SRES1 := 0x7775d266,
EAP-Sim-KC1 := 0xB10f3eba2Bc5ed2b,
EAP-Sim-Rand2 := 0xFDCE8E4F2B0B4b3086BEF230076EAD58,
EAP-Sim-SRES2 := 0xD9e080d9,
EAP-Sim-KC2 := 0xE2aad63f711e1324,
EAP-Sim-Rand3 := 0x238100571AD1495fBCE2AD5505634E41,
EAP-Sim-SRES3 := 0xA40e1656,
EAP-Sim-KC3 := 0x66a098a750d9cd13
Already included sim_files in modules
and sim { } in eap.conf.
I analyze in debug , the firsth authorization success (sim_files return ok
status) , the first authenticating success , the second authorization
success also,
but the problem the second authenticating is failed.
Already read in the past list archive, but no clue .
Here debug of radius
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.111.72 port 34647,
id=129, length=250
User-Name = "1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org"
NAS-IP-Address = 192.168.88.52
Called-Station-Id = "FA-1A-67-9F-E4-68:NOLSPOT-Secure"
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = "70-AA-B2-EF-8E-9D"
Connect-Info = "CONNECT 54Mbps 802.11g"
Framed-MTU = 1400
EAP-Message =
0x02100038013135313030383033333236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f7267
Message-Authenticator = 0xf0b7f7c3d39dd64797e1ffa08c3c078e
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc080.mcc510.3gppnetwork.org" for
User-Name = "1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Found realm "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Adding Stripped-User-Name = "1510080332618369"
[suffix] Adding Realm = "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry 1510080332618369 at line 206
++[files] returns ok
rlm_sim_files: authorized user/imsi 1510080332618369
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 16 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} ->
1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org
[sql] sql_set_user escaped user --> '
1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '
1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = '
1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY
priority
rlm_sql (sql): Released sql socket id: 4
[sql] User 1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user '1510080332618369'
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 182
++[eap] returns handled
Sending Access-Challenge of id 129 to 192.168.111.72 port 34647
EAP-Message = 0x01b60014120a00000f0200020001000011010100
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x876b64d687dd7613c1482e3b4d19abaa
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.111.72 port 34647,
id=130, length=300
User-Name = "1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org"
NAS-IP-Address = 192.168.88.52
Called-Station-Id = "FA-1A-67-9F-E4-68:NOLSPOT-Secure"
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = "70-AA-B2-EF-8E-9D"
Connect-Info = "CONNECT 54Mbps 802.11g"
Framed-MTU = 1400
EAP-Message =
0x02b60058120a000007050000c6fb9b6adcacba2f73e0dec777302196100100010e0e00333135313030383033333236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f726700
State = 0x876b64d687dd7613c1482e3b4d19abaa
Message-Authenticator = 0xf06c219eca5af618cf61099f2f79f3a4
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc080.mcc510.3gppnetwork.org" for
User-Name = "1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Found realm "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Adding Stripped-User-Name = "1510080332618369"
[suffix] Adding Realm = "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry 1510080332618369 at line 206
++[files] returns ok
rlm_sim_files: authorized user/imsi 1510080332618369
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 182 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} ->
1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org
[sql] sql_set_user escaped user --> '
1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '
1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = '
1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY
priority
rlm_sql (sql): Released sql socket id: 3
[sql] User 1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user '1510080332618369'
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
User-Name = "1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org"
NAS-IP-Address = 192.168.88.52
Called-Station-Id = "FA-1A-67-9F-E4-68:NOLSPOT-Secure"
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = "70-AA-B2-EF-8E-9D"
Connect-Info = "CONNECT 54Mbps 802.11g"
Framed-MTU = 1400
EAP-Message =
0x02b60058120a000007050000c6fb9b6adcacba2f73e0dec777302196100100010e0e00333135313030383033333236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f726700
State = 0x876b64d687dd7613c1482e3b4d19abaa
Message-Authenticator = 0xf06c219eca5af618cf61099f2f79f3a4
Stripped-User-Name = "1510080332618369"
Realm = "wlan.mnc080.mcc510.3gppnetwork.org"
EAP-Type = SIM
EAP-Sim-Subtype = Start
EAP-Sim-NONCE_MT = 0x0000c6fb9b6adcacba2f73e0dec777302196
EAP-Sim-SELECTED_VERSION = 0x0001
EAP-Sim-IDENTITY =
0x00333135313030383033333236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f726700
[eap] Underlying EAP-Type set EAP ID to 183
++[eap] returns handled
Sending Access-Challenge of id 130 to 192.168.111.72 port 34647
EAP-Message =
0x01b70050120b0000010d000023a95db79b644a4299463f0342069a11fdce8e4f2b0b4b3086bef230076ead58238100571ad1495fbce2ad5505634e410b0500002fe3b8c33af56aa2dc9e873f71c4b691
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x876b64d686dc7613c1482e3b4d19abaa
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.111.72 port 34647,
id=131, length=224
User-Name = "1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org"
NAS-IP-Address = 192.168.88.52
Called-Station-Id = "FA-1A-67-9F-E4-68:NOLSPOT-Secure"
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = "70-AA-B2-EF-8E-9D"
Connect-Info = "CONNECT 54Mbps 802.11g"
Framed-MTU = 1400
EAP-Message = 0x02b7000c120e000016010000
State = 0x876b64d686dc7613c1482e3b4d19abaa
Message-Authenticator = 0xeb64a094fea2ddbf458b0cac3e47686d
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc080.mcc510.3gppnetwork.org" for
User-Name = "1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Found realm "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Adding Stripped-User-Name = "1510080332618369"
[suffix] Adding Realm = "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry 1510080332618369 at line 206
++[files] returns ok
rlm_sim_files: authorized user/imsi 1510080332618369
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 183 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} ->
1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org
[sql] sql_set_user escaped user --> '
1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '
1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = '
1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY
priority
rlm_sql (sql): Released sql socket id: 2
[sql] User 1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user '1510080332618369'
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
[eap] Handler failed in EAP/sim
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130730/9d1e7611/attachment-0001.html>
More information about the Freeradius-Users
mailing list