eap sim authorization problem

Iliya Peregoudov iperegudov at cboss.ru
Mon Jun 10 12:29:26 CEST 2013


On 09.06.2013 5:34, raptor raptor wrote:
> simtriplets.dat format that I write:
>
> 1<imsi>,<RAND>,<SRES>,<Kc>
> 1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
> 1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000
> 1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000

Your simtriplets.dat format is ok.

> I add in the users file:
>
> DEFAULT Auth-Type := EAP, EAP-Type := SIM
> EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f,
> EAP-Sim-SRES1 = 0xd1d2d3d4,
> EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d2e2f,
> EAP-Sim-SRES2 = 0xe1e2e3e4,
> EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d3e3f,
> EAP-Sim-SRES3 = 0xf1f2f3f4,
> EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7,
> EAP-Sim-KC2 = 0xb0b1b2b3b4b5b6b7,
> EAP-Sim-KC3 = 0xc0c1c2c3c4c5c6c7,

Your users format is ok: 16-octet RAND, 4-octet SRES, 8-octet Kc.

Auth vectors in the users file differ from those in simtriplets.dat. You 
cannot use arbitrary auth vectors. EAP-SIM is a mutual authentication 
protocol. The UE checks that the AAA knows the correct auth vectors when 
Request/SIM/Challenge is received, before sending Response/SIM/Challenge.

> rlm_sim_files: insufficient number of challenges for imsi
> 1510019760806391: 0
> ++[sim_files] returns notfound

It's strange that rlm_sim_files was unable to find auth vectors.
Ensure that simtriplets.dat has UNIX line endings (LF, not CRLF).

> Sending Access-Challenge of id 0 to 192.168.1.1 port 2048
> EAP-Message = 0x011a0014120a00000f0200020001000011010100
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x019a1a23018008ce78acd4b07bc4c4ac

Here radiusd generates EAP Request/SIM/Start. There is no cryptography 
yet, so the UE will respond with Response/SIM/Start.

> +++> EAP-sim decoded packet:
> User-Name = "1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org"
> NAS-IP-Address = 192.168.1.1
> Called-Station-Id = "48f8b315461a"
> Calling-Station-Id = "1814563e5189"
> NAS-Identifier = "48f8b315461a"
> NAS-Port = 38
> Framed-MTU = 1400
> State = 0x019a1a23018008ce78acd4b07bc4c4ac
> NAS-Port-Type = Wireless-802.11
> EAP-Message =
> 0x021a0058120a00000705000043837c0b63fd6c4dc3fccbebc8439b04100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
> Message-Authenticator = 0x441da87c8c81ad6b22b7596fba8b9098
> Stripped-User-Name = "1510019760806391"
> Realm = "wlan.mnc001.mcc510.3gppnetwork.org"
> EAP-Type = SIM
> EAP-Sim-Subtype = Start
> EAP-Sim-NONCE_MT = 0x000043837c0b63fd6c4dc3fccbebc8439b04
> EAP-Sim-SELECTED_VERSION = 0x0001
> EAP-Sim-IDENTITY =
> 0x00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700

This is Response/SIM/Start from UE.

> Sending Access-Challenge of id 0 to 192.168.1.1 port 2048
> EAP-Message =
> 0x011b0050120b0000010d0000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f0b050000fb675502a3304188312931054f33cd1f
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x019a1a23008108ce78acd4b07bc4c4ac

Here radiusd generates EAP Request/SIM/Challenge using auth vectors from 
the users file and NONCE_MT from Response/EAP/Start. The UE will reject this EAP 
request (because the AAA does not know the correct auth vectors) and will 
restart EAP authentication.
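Added example, not code from this thread or from FreeRADIUS: a small Python checker for the two things discussed above, the simtriplets.dat format (including CRLF line endings, which rlm_sim_files does not tolerate) and whether the EAP-Sim-Rand/SRES/KC items in a users entry are vectors that actually appear in simtriplets.dat for the IMSI. The sample file and users entry are built from the values quoted in the thread; the function and class names are made up for this example.

```python
"""Check a simtriplets.dat file and cross-check it against the EAP-Sim-*
reply items of a FreeRADIUS users-file entry.

Editor's example, not FreeRADIUS code. Names below (Triplet,
parse_simtriplets, parse_users_entry, users_vectors_known) are invented
for this example; sample data is constructed from the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Octet sizes of a GSM authentication triplet: RAND, SRES, Kc.
RAND_OCTETS, SRES_OCTETS, KC_OCTETS = 16, 4, 8


@dataclass(frozen=True)
class Triplet:
    imsi: str
    rand: bytes
    sres: bytes
    kc: bytes


def parse_simtriplets(data: bytes) -> Tuple[List[Triplet], List[str]]:
    """Parse 'IMSI,RAND,SRES,Kc' lines. Returns (triplets, problems).

    Problems reported are the usual causes of rlm_sim_files answering
    'insufficient number of challenges': CRLF line endings, wrong field
    count, non-hex values and wrong octet lengths. Lines with problems
    other than CRLF are skipped, as a strict reader would skip them.
    """
    triplets: List[Triplet] = []
    problems: List[str] = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        if raw.endswith(b"\r"):
            problems.append(f"line {lineno}: CRLF line ending, expected LF")
            raw = raw[:-1]
        line = raw.decode("ascii", errors="replace").strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            problems.append(f"line {lineno}: expected 4 fields, got {len(fields)}")
            continue
        imsi, rand_hex, sres_hex, kc_hex = fields
        if not imsi.isdigit():
            problems.append(f"line {lineno}: IMSI must be decimal digits")
            continue
        values: List[bytes] = []
        for name, hexstr, want in (("RAND", rand_hex, RAND_OCTETS),
                                   ("SRES", sres_hex, SRES_OCTETS),
                                   ("Kc", kc_hex, KC_OCTETS)):
            try:
                val = bytes.fromhex(hexstr)  # mixed-case hex is accepted
            except ValueError:
                problems.append(f"line {lineno}: {name} is not hex")
                break
            if len(val) != want:
                problems.append(
                    f"line {lineno}: {name} is {len(val)} octets, expected {want}")
                break
            values.append(val)
        if len(values) == 3:
            triplets.append(Triplet(imsi, *values))
    return triplets, problems


def parse_users_entry(text: str) -> List[Triplet]:
    """Collect EAP-Sim-RandN / EAP-Sim-SRESN / EAP-Sim-KCN reply items from a
    users-file entry and group them by N. A DEFAULT entry names no IMSI,
    so the imsi field is left empty."""
    items: Dict[str, bytes] = {}
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if not line.startswith("EAP-Sim-") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        value = value.strip()
        if value.startswith("0x"):
            items[name.strip()] = bytes.fromhex(value[2:])
    out: List[Triplet] = []
    for n in (1, 2, 3):
        try:
            out.append(Triplet("", items[f"EAP-Sim-Rand{n}"],
                               items[f"EAP-Sim-SRES{n}"], items[f"EAP-Sim-KC{n}"]))
        except KeyError:
            break
    return out


def users_vectors_known(users_triplets: List[Triplet],
                        file_triplets: List[Triplet], imsi: str) -> bool:
    """True only if every (RAND, SRES, Kc) configured in users exists in
    simtriplets.dat for the IMSI. The peer rejects a Challenge built from
    vectors its SIM cannot reproduce, so any mismatch means auth fails."""
    known = {(t.rand, t.sres, t.kc) for t in file_triplets if t.imsi == imsi}
    return bool(users_triplets) and all(
        (t.rand, t.sres, t.kc) in known for t in users_triplets)


# Constructed sample data, copied from the values quoted in the thread.
SIMTRIPLETS = (
    b"1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000\n"
    b"1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000\n"
    b"1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000\n"
)
USERS_ENTRY = """DEFAULT Auth-Type := EAP, EAP-Type := SIM
        EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f,
        EAP-Sim-SRES1 = 0xd1d2d3d4,
        EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d2e2f,
        EAP-Sim-SRES2 = 0xe1e2e3e4,
        EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d3e3f,
        EAP-Sim-SRES3 = 0xf1f2f3f4,
        EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7,
        EAP-Sim-KC2 = 0xb0b1b2b3b4b5b6b7,
        EAP-Sim-KC3 = 0xc0c1c2c3c4c5c6c7,
"""

if __name__ == "__main__":
    file_triplets, issues = parse_simtriplets(SIMTRIPLETS)
    print(f"{len(file_triplets)} triplets parsed, {len(issues)} problems")
    for issue in issues:
        print("  ", issue)
    ok = users_vectors_known(parse_users_entry(USERS_ENTRY), file_triplets,
                             "1510019760806391")
    print("users vectors present in simtriplets.dat:", ok)
```

Run against the data from the thread, the file parses cleanly but the users vectors are not found in simtriplets.dat, which is the mismatch described above; saving the file with CRLF endings is reported separately, since that alone is enough for rlm_sim_files to find nothing.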

