eap sim authorization problem

Rodney Machado rodmachado at yahoo.com
Tue Jun 11 16:32:56 CEST 2013


Hi Iliya,

I've been trying EAP-SIM auth myself for a while, with nothing but odd results. I'm using FreeRADIUS Version 3.0.0 (git #25b6fdd), in which support for the sim_files module has been dropped. I tried setting the vectors via the users file for my IMSI, but it's not working. I was just about to start a fresh thread for this, but since it seems that raptor and I are struggling with the same situation, I'm popping in here.
 

>Equivalent users entry should look like:
>
>1510019760806391 EAP-Type:=SIM
>EAP-Sim-Rand1:=0xAAC0FAFDC47D4524AC9E2A3D51BDBA39,
>EAP-Sim-SRES1:=0x2A71bac3,
>EAP-Sim-KC1:=0x7868589a75fdc000,
>EAP-Sim-Rand2:=0xBF9A9F6EEB36422895D010927D76972C,
>EAP-Sim-SRES2:=0xF49dd880,
>EAP-Sim-KC2:=0x3Afbcf2fA9b0a000,
>EAP-Sim-Rand3:=0xC63837CFECD348deB119C35CFECD4898,
>EAP-Sim-SRES3:=0x49312999,
>EAP-Sim-KC3:=0xFD488938B6f2a000

 
The vectors are right, I extracted them directly from our VLR, here is the portion of my users file:
 
<fragment users_file>
1714020096302050 Auth-Type :=EAP, EAP-Type :=SIM, EAP-Sim-Rand1 :=0x9FDDE3536228C010B2CD21081166DE48, EAP-Sim-SRES1 := 0xEF4ED51A, EAP-Sim-KC1 :=0x2F35C251A5CE3C00, EAP-Sim-Rand2 :=0xBA20E6E8BB359BD0843EBF34673D1541, EAP-Sim-SRES2 :=0xBDC5490D, EAP-Sim-KC2 :=0x8FE8D4E09E5BFC00, EAP-Sim-Rand3 :=0xB4C3D755C3C359E3EF6E928641CA59F1, EAP-Sim-SRES3 :=0x404A3DAA, EAP-Sim-KC3 :=0x83EF559E1B33A000

</fragment users_file>
 
In my proxy.conf I added this entry for stripping the domain/realm from the username.
 
<fragment proxy.conf_file>
 
realm wlan.mnc002.mcc714.3gppnetwork.org {
}
</fragment proxy.conf_file>
 
In the eap file I added this entry:
 
<fragment eap_file>
        sim {
        }

</fragment eap_file>
 
 
From the logs I got this:
 
<fragment logs_output>
 
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Looking up realm "wlan.mnc002.mcc714.3gppnetwork.org" for User-Name = "1714020096302050@wlan.mnc002.mcc714.3gppnetwork.org"
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Found realm "wlan.mnc002.mcc714.3gppnetwork.org"
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Adding Stripped-User-Name = "1714020096302050"
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Adding Realm = "wlan.mnc002.mcc714.3gppnetwork.org"
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Authentication realm is LOCAL.
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   [suffix] = ok
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: calling eap (rlm_eap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : EAP packet type response id 1 length 6
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : No EAP Start, assuming it's an on-going EAP conversation
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: returned from eap (rlm_eap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   [eap] = updated
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: calling files (rlm_files) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) files : users: Matched entry 1714020096302050 at line 208
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: returned from files (rlm_files) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   [files] = ok
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: calling expiration (rlm_expiration) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: returned from expiration (rlm_expiration) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   [expiration] = noop
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: calling logintime (rlm_logintime) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: returned from logintime (rlm_logintime) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   [logintime] = noop
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: calling pap (rlm_pap) for request 1
Tue Jun 11 09:09:01 2013 : WARNING: (1) WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type.
Tue Jun 11 09:09:01 2013 : WARNING: (1) WARNING: pap : Authentication will fail unless a "known good" password is available.
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: returned from pap (rlm_pap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   [pap] = noop
Tue Jun 11 09:09:01 2013 : Debug: (1) Found Auth-Type = EAP
Tue Jun 11 09:09:01 2013 : Debug: (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
Tue Jun 11 09:09:01 2013 : Debug: (1)   group authenticate {
Tue Jun 11 09:09:01 2013 : Debug: (1)  - entering group authenticate {...}
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authenticate]: calling eap (rlm_eap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Expiring EAP session with state 0xf386ee4bf387ea0a
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Finished EAP session with state 0xf386ee4bf387ea0a
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Previous EAP request found for state 0xf386ee4bf387ea0a, released from the list
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Peer sent NAK (3)
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Found mutually acceptable type SIM (18)
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Calling eap_sim to process EAP data
Tue Jun 11 09:09:01 2013 : Debug:    can not initiate sim, no RAND1 attribute
Tue Jun 11 09:09:01 2013 : ERROR: (1) ERROR: eap : Failed starting EAP SIM (18) session. EAP sub-module failed
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Failed in EAP select
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authenticate]: returned from eap (rlm_eap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   [eap] = invalid
Tue Jun 11 09:09:01 2013 : Debug: (1) Failed to authenticate the user.
Tue Jun 11 09:09:01 2013 : Debug: (1) Using Post-Auth-Type Reject

</fragment logs_output>
 
The message says that there is no RAND1 attribute, but I have set it in the users file.
 
I hope you could give me a hint of where the problem could be located.
 
Best regards,
--RM
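
An added example, not part of the original post and not FreeRADIUS code: a small checker for a users-file EAP-SIM entry that reports whether each triplet attribute sits on the first (check) line or on the indented continuation (reply) lines, and verifies the GSM triplet sizes (RAND 16 octets, SRES 4, Kc 8). The parsing is simplified, the function name is hypothetical, and the sample entry is constructed; the script does not decide which list the EAP-SIM module reads.

```python
import re

# Octet sizes of one GSM triplet: RAND is 128 bits, SRES 32 bits, Kc 64 bits.
SIZES = {"rand": 16, "sres": 4, "kc": 8}
ATTR = re.compile(r"(EAP-Sim-[A-Za-z]+[0-9])\s*:?=\s*0x([0-9A-Fa-f]*)", re.I)
NAME = re.compile(r"eap-sim-(rand|sres|kc)([1-3])$")

# Constructed entry (not real vectors): Rand1 sits on the check line,
# one attribute name is misspelled and one SRES is too short.
SAMPLE = """\
001010000000001 EAP-Type := SIM, EAP-Sim-Rand1 := 0x000102030405060708090a0b0c0d0e0f
\tEAP-Sim-SRES1 = 0x11223344, EAP-Sim-KC1 = 0x0102030405060708,
\tEAP-Sim-Rans2 = 0x101112131415161718191a1b1c1d1e1f,
\tEAP-Sim-SRES2 = 0x112233, EAP-Sim-KC2 = 0x1112131415161718,
\tEAP-Sim-Rand3 = 0x202122232425262728292a2b2c2d2e2f,
\tEAP-Sim-SRES3 = 0x31323334, EAP-Sim-KC3 = 0x2122232425262728
"""

def check_entry(entry):
    """Return (placement, problems) for one users-file entry.

    placement maps the lower-cased attribute name to "check" (first line)
    or "reply" (continuation lines); problems is a list of strings.
    """
    placement, problems = {}, []
    lines = [l for l in entry.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        if i > 0 and not line[0].isspace():
            problems.append(f"line {i + 1}: continuation line is not indented")
        for name, hexval in ATTR.findall(line):
            m = NAME.match(name.lower())
            if not m:
                problems.append(f"{name}: unknown attribute name")
                continue
            placement[name.lower()] = "check" if i == 0 else "reply"
            want = SIZES[m.group(1)]
            if len(hexval) != 2 * want:
                problems.append(f"{name}: {len(hexval) / 2:g} octets, expected {want}")
    # All three triplets must be complete.
    for n in "123":
        for kind in SIZES:
            if f"eap-sim-{kind}{n}" not in placement:
                problems.append(f"eap-sim-{kind}{n}: missing")
    return placement, problems

if __name__ == "__main__":
    where, issues = check_entry(SAMPLE)
    for attr, lst in sorted(where.items()):
        print(f"{attr:15s} {lst}")
    print("\n".join(issues))
```
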

