Problems with EAP-SIM in Freeradius 2.2.5

rizal.m.nur at arc.itb.ac.id
Fri Oct 3 18:30:35 CEST 2014


Dear all,

I am using freeradius-server-2.2.5 and trying to authenticate via EAP-SIM.
I have successfully authenticated with the radeapclient command, but I am
facing an issue when authenticating directly through a wireless AP. Also, I know
nothing about where RAND, SRES, and KC come from (I just took them from the example).

Here are my configs in general:
//=====================================================
$cat sites-enabled/default
authorize {
		...
        sim_files
        eap {
                ok = return
        }
		...
}

$cat modules/sim_files
sim_files {
	simtriplets = "/usr/local/etc/raddb/simtriplets.txt"
}

$cat eap.conf
eap {
	default_eap_type = md5
	...
	sim {
	}
	...
}

$cat users
eapsim         Auth-Type := EAP, EAP-Type := SIM
        EAP-Sim-Rand1 = 0x3bcd1234abcd1234abcd1234abcd1234,
        EAP-Sim-SRES1 = 0x1234abcd,
        EAP-Sim-KC1 = 0x0211223344556677,
        EAP-Sim-Rand2 = 0x1cd1234abcd1234abcd1234abcd1234a,
        EAP-Sim-SRES2 = 0x434abcd1,
        EAP-Sim-KC2 = 0x1051324354657687,
        EAP-Sim-Rand3 = 0x6d1234abcd1234abcd1234abcd1234ab,
        EAP-Sim-SRES3 = 0x74abcd12,
        EAP-Sim-KC3 = 0x30815263748596a7
1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org        Auth-Type := EAP, EAP-Type := SIM
        EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234,
        EAP-Sim-SRES1 = 0x1234abcd,
        EAP-Sim-KC1 = 0x0011223344556677,
        EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a,
        EAP-Sim-SRES2 = 0x234abcd1,
        EAP-Sim-KC2 = 0x1021324354657687,
        EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab,
        EAP-Sim-SRES3 = 0x34abcd12,
        EAP-Sim-KC3 = 0x30415263748596a7

$cat userTest.txt
User-Name = "eapsim"
NAS-IP-Address = 167.205.106.132
EAP-Code = Response
EAP-Type-Identity = "eapsim"
Message-Authenticator = 0
NAS-Port = 0
EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234
EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a
EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab
EAP-Sim-Sres1 = 0x1234abcd
EAP-Sim-Sres2 = 0x234abcd1
EAP-Sim-Sres3 = 0x34abcd12
EAP-Sim-KC1 = 0x0011223344556677
EAP-Sim-KC2 = 0x1021324354657687
EAP-Sim-KC3 = 0x30415263748596a7

//=====================================================

When I used the radeapclient command with the "eapsim" user, radius succeeded in
processing the authentication request as EAP-SIM type. The response looks like
this:

//=====================================================
rad_recv: Access-Request packet from host 167.205.106.132 port 56442,
id=47, length=71
	User-Name = "eapsim"
	NAS-IP-Address = 167.205.106.132
	Message-Authenticator = 0xb0930a41b716e833198358390655050f
	NAS-Port = 0
	EAP-Message = 0x022e000b0165617073696d
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "eapsim", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
rlm_sim_files: insufficient number of challenges for imsi eapsim: 0
++[sim_files] = notfound
[eap] EAP packet type response id 46 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry eapsim at line 19
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 16
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 47 to 167.205.106.132 port 56442
	EAP-Message = 0x01100014120a00000f0200020001000011010100
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc6547d30c6446f127cd7e08c493991e0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 167.205.106.132 port 56442,
id=48, length=122
	User-Name = "eapsim"
	NAS-IP-Address = 167.205.106.132
	Message-Authenticator = 0x5e44f7a8af1436fc182dfe07d246066c
	NAS-Port = 0
	EAP-Message =
0x0210002c120a00001001000107050000ebc943da73322d4543182bc6b26c42670e03000665617073696d0000
	State = 0xc6547d30c6446f127cd7e08c493991e0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "eapsim", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
rlm_sim_files: insufficient number of challenges for imsi eapsim: 0
++[sim_files] = notfound
[eap] EAP packet type response id 16 length 44
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry eapsim at line 19
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
	User-Name = "eapsim"
	NAS-IP-Address = 167.205.106.132
	Message-Authenticator = 0x5e44f7a8af1436fc182dfe07d246066c
	NAS-Port = 0
	EAP-Message =
0x0210002c120a00001001000107050000ebc943da73322d4543182bc6b26c42670e03000665617073696d0000
	State = 0xc6547d30c6446f127cd7e08c493991e0
	EAP-Type = SIM
	EAP-Sim-Subtype = Start
	EAP-Sim-SELECTED_VERSION = 0x0001
	EAP-Sim-NONCE_MT = 0x0000ebc943da73322d4543182bc6b26c4267
	EAP-Sim-IDENTITY = 0x65617073696d
[eap] Underlying EAP-Type set EAP ID to 17
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 48 to 167.205.106.132 port 56442
	EAP-Message =
0x01110050120b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b0500002d7b51f8b367f40f16e8b89d57123ce0
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc6547d30c7456f127cd7e08c493991e0
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 167.205.106.132 port 56442,
id=49, length=106
	User-Name = "eapsim"
	NAS-IP-Address = 167.205.106.132
	Message-Authenticator = 0x33d47bbba410cf01893cfd0c317909b3
	NAS-Port = 0
	State = 0xc6547d30c7456f127cd7e08c493991e0
	EAP-Message = 0x0211001c120b00000b050000bf27a73ac93ccba4f39579f5fed9512e
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "eapsim", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
rlm_sim_files: insufficient number of challenges for imsi eapsim: 0
++[sim_files] = notfound
[eap] EAP packet type response id 17 length 28
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry eapsim at line 19
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
MAC check succeed
[eap] Underlying EAP-Type set EAP ID to 18
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
# Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 49 to 167.205.106.132 port 56442
	MS-MPPE-Recv-Key =
0x5e7f230e35ec87f3f23b86766b439c56eb66d3a5e8906f47fe0ff862d0acf30b
	MS-MPPE-Send-Key =
0x75d58187e0a44e5c8486ddb077dc76e39b5dc2b85d717d7dbb2da179672da6fc
	EAP-Message = 0x03120004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "eapsim"
Finished request 2.
//=====================================================

But when I used my phone, which connected to the AP with EAP-SIM auth, radius
failed to process the Access-Request packet as EAP-SIM type. The response looks
like this:

//=====================================================
rad_recv: Access-Request packet from host 167.205.9.194 port 1074, id=11,
length=254
        User-Name = "1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org"
        Calling-Station-Id = "00-08-22-18-2D-32"
        NAS-IP-Address = 167.205.9.194
        NAS-Port = 1
        Called-Station-Id = "54-3D-37-BF-57-A8:testBYOD"
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "54-3D-37-BF-57-A8"
        Connect-Info = "CONNECT 802.11g/n"
        EAP-Message = 0x02bd000c120e000016010000
        State = 0x2c5813a42de50175b779b50df25ca388
        Vendor-25053-Attr-3 = 0x7465737442594f44
        Message-Authenticator = 0x2637ed577421a19f485bd3b88a7fa5ca
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "wlan.mnc089.mcc510.3gppnetwork.org" for
User-Name = "1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org"
[suffix] No such realm "wlan.mnc089.mcc510.3gppnetwork.org"
++[suffix] = noop
rlm_sim_files: insufficient number of challenges for imsi
1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org: 0
++[sim_files] = notfound
[eap] EAP packet type response id 189 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry
1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org at line 52
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
Client says error.  Stopping!
[eap] Handler failed in EAP/sim
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} ->
1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 11 to 167.205.9.194 port 1074
        EAP-Message = 0x04bd0004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.5 seconds.
//=====================================================

It seems radius does not recognize this packet as EAP-SIM (it doesn't even try to
decode the packet). I don't know if there is something missing in my config.
Can anyone help, please?

Regards,

Rizal Muhammad Nur
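The following is an added example, not part of the original post and not FreeRADIUS code: a small decoder for the EAP-SIM (RFC 4186) packets carried in the EAP-Message attributes of the debug output above. Subtype and attribute names come from RFC 4186; the three sample packets are copied verbatim from the log (the phone's request, radeapclient's Start response, and the server's Challenge). Decoding the phone's packet shows that it is an EAP-SIM Client-Error with error code 0 ("unable to process packet"), which is exactly what the "Client says error. Stopping!" line reports: the server did parse it as EAP-SIM, but the client had already rejected the previous server message of that conversation (the one the State attribute refers to, which is not in the excerpt).

```python
# Added example (not from the original post or from FreeRADIUS): decode the
# EAP-SIM packets seen in the debug output. Names follow RFC 4186.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_SIM = 18

SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification",
            13: "Re-authentication", 14: "Client-Error"}

ATTRS = {1: "AT_RAND", 6: "AT_PADDING", 7: "AT_NONCE_MT", 10: "AT_PERMANENT_ID_REQ",
         11: "AT_MAC", 12: "AT_NOTIFICATION", 13: "AT_ANY_ID_REQ", 14: "AT_IDENTITY",
         15: "AT_VERSION_LIST", 16: "AT_SELECTED_VERSION", 17: "AT_FULLAUTH_ID_REQ",
         19: "AT_COUNTER", 20: "AT_COUNTER_TOO_SMALL", 21: "AT_NONCE_S",
         22: "AT_CLIENT_ERROR_CODE", 129: "AT_IV", 130: "AT_ENCR_DATA",
         132: "AT_NEXT_PSEUDONYM", 133: "AT_NEXT_REAUTH_ID", 135: "AT_RESULT_IND"}

# Client error codes from RFC 4186 section 10.19.
CLIENT_ERRORS = {0: "unable to process packet", 1: "unsupported version",
                 2: "insufficient number of challenges", 3: "RANDs are not fresh"}


def decode_attribute(atype, body):
    """Interpret one attribute value. `body` is everything after the
    2-byte type/length header, i.e. reserved/actual-length fields included."""
    name = ATTRS.get(atype, "AT_UNKNOWN_%d" % atype)
    if atype in (16, 22):                    # 16-bit value right after the header
        val = struct.unpack("!H", body[:2])[0]
        return name, CLIENT_ERRORS.get(val, "code %d" % val) if atype == 22 else val
    if atype == 15:                          # actual length, then 16-bit versions, then padding
        actual = struct.unpack("!H", body[:2])[0]
        return name, [struct.unpack("!H", body[2 + i:4 + i])[0] for i in range(0, actual, 2)]
    if atype == 14:                          # actual length, then identity octets, then padding
        actual = struct.unpack("!H", body[:2])[0]
        return name, body[2:2 + actual].decode("ascii", "replace")
    if atype == 1:                           # reserved(2), then n * 16-byte RANDs
        rands = body[2:]
        return name, [rands[i:i + 16].hex() for i in range(0, len(rands), 16)]
    if atype in (7, 11):                     # reserved(2), then 16-byte NONCE_MT / MAC
        return name, body[2:18].hex()
    return name, body.hex()


def decode_eap_sim(hexstr):
    """Parse an EAP packet of type SIM into code, identifier, subtype and attributes."""
    pkt = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length, etype = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP length field %d != %d bytes present" % (length, len(pkt)))
    if etype != EAP_TYPE_SIM:
        raise ValueError("not an EAP-SIM packet (EAP type %d)" % etype)
    subtype = pkt[5]                         # followed by 2 reserved bytes
    result = {"code": EAP_CODES.get(code, code), "id": ident,
              "subtype": SUBTYPES.get(subtype, subtype), "attrs": {}}
    pos = 8
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]  # length is in 4-byte units, header included
        if alen == 0:
            raise ValueError("zero-length attribute at offset %d" % pos)
        end = pos + 4 * alen
        if end > len(pkt):
            raise ValueError("attribute %d overruns the packet" % atype)
        name, val = decode_attribute(atype, pkt[pos + 2:end])
        result["attrs"][name] = val
        pos = end
    return result


# Packets copied from the debug output above.
PHONE_CLIENT_ERROR = "0x02bd000c120e000016010000"
RADEAPCLIENT_START = ("0x0210002c120a00001001000107050000ebc943da73322d4543182bc6b26c4267"
                      "0e03000665617073696d0000")
SERVER_CHALLENGE = ("0x01110050120b0000010d0000abcd1234abcd1234abcd1234abcd1234"
                    "bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab"
                    "0b0500002d7b51f8b367f40f16e8b89d57123ce0")

if __name__ == "__main__":
    for label, h in [("phone request", PHONE_CLIENT_ERROR),
                     ("radeapclient Start", RADEAPCLIENT_START),
                     ("server Challenge", SERVER_CHALLENGE)]:
        print(label, "->", decode_eap_sim(h))
```

Run it as a script and compare the decoded Start and Challenge packets with the "EAP-sim decoded packet" lines in the radeapclient trace; the AT_RAND attribute lists the three 16-byte RANDs the server sent, and AT_MAC is the 16-byte MAC that "MAC check succeed" later verified. For a failing client, decoding the incoming EAP-Message this way tells you which EAP-SIM subtype actually arrived before you start changing the sim_files or eap configuration.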


