Problems with EAP-SIM in Freeradius 2.2.5

rizal.m.nur at arc.itb.ac.id rizal.m.nur at arc.itb.ac.id
Sat Oct 4 10:51:44 CEST 2014


> rizal.m.nur at arc.itb.ac.id wrote:
>> I am using freeradius-server-2.2.5 and trying to authenticate via
>> EAP-SIM.
>> I have succeeded in authenticating with the radeapclient command, but I am
>> facing an issue when authenticating directly through the wireless AP. Also, I
>> know nothing about where RAND, SRES, and KC come from (I just put them from
>> the example).
>
>   That's a problem.  Those fields are the SIM credentials.  They're used
> to authenticate the user.
>
>   If you don't have the correct values, the user will be rejected.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Thanks for your reply,

I am curious why the EAP-Message from the phone was detected as EAP-SIM type but
can't be handled/decoded:
> ...
> [eap] Request found, released from the list
> [eap] EAP/sim
> [eap] processing type sim
> Client says error.  Stopping!
> [eap] Handler failed in EAP/sim
> [eap] Failed in EAP select
> ++[eap] = invalid
> +} # group authenticate = invalid
> ...

Meanwhile, from the radeapclient command it runs smoothly:
> ...
> [eap] Request found, released from the list
> [eap] EAP/sim
> [eap] processing type sim
> +++> EAP-sim decoded packet:
> 	User-Name = "eapsim"
> 	NAS-IP-Address = 167.205.106.132
> ...

I don't think it's because of the values of RAND, SRES, and KC. I tried to test
using false RAND, SRES, and KC before with the radeapclient command, and the
server was still able to process it as EAP-SIM, although it just ended with an
Access-Challenge reply (not Access-Accept).

//=====================================================
$cat userTest.txt
User-Name = "eapsim"
NAS-IP-Address = 167.205.106.132
EAP-Code = Response
EAP-Type-Identity = "eapsim"
Message-Authenticator = 0
NAS-Port = 0
EAP-Sim-Rand1 = 0x1111111111111111abcd1234abcd1234
EAP-Sim-Rand2 = 0x2222222222222222bcd1234abcd1234a
EAP-Sim-Rand3 = 0x3333333333333333cd1234abcd1234ab
EAP-Sim-Sres1 = 0x44444444
EAP-Sim-Sres2 = 0x55555555
EAP-Sim-Sres3 = 0x66666666
EAP-Sim-KC1 = 0x7777777777777777
EAP-Sim-KC2 = 0x8888888888888888
EAP-Sim-KC3 = 0x9999999999999999

$cat users
eapsim         Auth-Type := EAP, EAP-Type := SIM
        EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234,
        EAP-Sim-SRES1 = 0x1234abcd,
        EAP-Sim-KC1 = 0x0011223344556677,
        EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a,
        EAP-Sim-SRES2 = 0x234abcd1,
        EAP-Sim-KC2 = 0x1021324354657687,
        EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab,
        EAP-Sim-SRES3 = 0x34abcd12,
        EAP-Sim-KC3 = 0x30415263748596a7
//=====================================================

Here is the server response with false RAND, SRES, and KC:
//=====================================================
rad_recv: Access-Request packet from host 167.205.106.132 port 38499,
id=95, length=71
	User-Name = "eapsim"
	NAS-IP-Address = 167.205.106.132
	Message-Authenticator = 0xdb74750282296eb039bc4867d0e64c78
	NAS-Port = 0
	EAP-Message = 0x025e000b0165617073696d
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "eapsim", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
rlm_sim_files: insufficient number of challenges for imsi eapsim: 0
++[sim_files] = notfound
[eap] EAP packet type response id 94 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry eapsim at line 27
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 101
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 95 to 167.205.106.132 port 38499
	EAP-Message = 0x01650014120a00000f0200020001000011010100
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x8aac07b98ac915e45f9495fd3c62bc18
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 167.205.106.132 port 38499,
id=96, length=122
	User-Name = "eapsim"
	NAS-IP-Address = 167.205.106.132
	Message-Authenticator = 0x900599aa3a6c928959ba7fdc549e8c34
	NAS-Port = 0
	EAP-Message =
0x0265002c120a00001001000107050000e9c6e0e9aff6855077e6a86e85ad77770e03000665617073696d0000
	State = 0x8aac07b98ac915e45f9495fd3c62bc18
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "eapsim", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
rlm_sim_files: insufficient number of challenges for imsi eapsim: 0
++[sim_files] = notfound
[eap] EAP packet type response id 101 length 44
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry eapsim at line 27
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
	User-Name = "eapsim"
	NAS-IP-Address = 167.205.106.132
	Message-Authenticator = 0x900599aa3a6c928959ba7fdc549e8c34
	NAS-Port = 0
	EAP-Message =
0x0265002c120a00001001000107050000e9c6e0e9aff6855077e6a86e85ad77770e03000665617073696d0000
	State = 0x8aac07b98ac915e45f9495fd3c62bc18
	EAP-Type = SIM
	EAP-Sim-Subtype = Start
	EAP-Sim-SELECTED_VERSION = 0x0001
	EAP-Sim-NONCE_MT = 0x0000e9c6e0e9aff6855077e6a86e85ad7777
	EAP-Sim-IDENTITY = 0x65617073696d
[eap] Underlying EAP-Type set EAP ID to 102
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 96 to 167.205.106.132 port 38499
	EAP-Message =
0x01660050120b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b050000cd268139f462060bea6f15dc5801cb36
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x8aac07b98bca15e45f9495fd3c62bc18
//=====================================================

--
Rizal Muhammad Nur
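The debug output above only shows FreeRADIUS's own decoding of the EAP-SIM/Start response; the EAP-Message hex values for the Identity response, the server's Start request and the Challenge request are printed raw. The following decoder is an added example (not FreeRADIUS code and not the poster's code) that unpacks those same hex strings per the RFC 4186 wire format: the 4-byte EAP header, EAP type 18, the subtype byte, and the type/length/value attributes whose length is counted in 4-byte units. The attribute numbers, subtype numbers and client error codes are taken from RFC 4186; the sample inputs are the EAP-Message values copied from the thread.

```python
"""Decoder for the EAP-SIM packets seen in the FreeRADIUS debug output above.

Added example (not FreeRADIUS code, not the poster's code). Attribute and
subtype numbers follow RFC 4186; the hex strings used as sample input are the
EAP-Message values copied from the debug output in this thread.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_SIM = 18
SIM_SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification",
                13: "Re-authentication", 14: "Client-Error"}
SIM_ATTRS = {1: "AT_RAND", 7: "AT_NONCE_MT", 11: "AT_MAC", 12: "AT_NOTIFICATION",
             14: "AT_IDENTITY", 15: "AT_VERSION_LIST", 16: "AT_SELECTED_VERSION",
             17: "AT_FULLAUTH_ID_REQ", 22: "AT_CLIENT_ERROR_CODE"}
# AT_CLIENT_ERROR_CODE values from RFC 4186 section 10.19
CLIENT_ERRORS = {0: "unable to process packet", 1: "unsupported version",
                 2: "insufficient number of challenges", 3: "RANDs are not fresh"}


def _u16(buf, off=0):
    return struct.unpack("!H", buf[off:off + 2])[0]


def decode_attr(atype, body):
    """Interpret the bytes after an attribute's 2-byte type/length header."""
    if atype == 1:                         # AT_RAND: 2 reserved bytes, then n * 16-byte RANDs
        rands = body[2:]
        return [rands[i:i + 16].hex() for i in range(0, len(rands), 16)]
    if atype in (7, 11):                   # AT_NONCE_MT / AT_MAC: 2 reserved bytes, 16-byte value
        return body[2:18].hex()
    if atype == 14:                        # AT_IDENTITY: actual length, identity, padding
        return body[2:2 + _u16(body)].decode("ascii", "replace")
    if atype == 15:                        # AT_VERSION_LIST: actual length, 2-byte versions, padding
        return [_u16(body, 2 + i) for i in range(0, _u16(body), 2)]
    if atype == 16:                        # AT_SELECTED_VERSION: one 2-byte version
        return _u16(body)
    if atype == 22:                        # AT_CLIENT_ERROR_CODE: 2-byte error code
        code = _u16(body)
        return CLIENT_ERRORS.get(code, "unknown error %d" % code)
    return body.hex()                      # anything else: raw hex, so nothing is silently dropped


def decode_eap(hexstr):
    """Decode one EAP-Message value (with or without the leading 0x) into a dict."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 5:
        raise ValueError("EAP packet too short")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length field %d != %d bytes present" % (length, len(data)))
    out = {"code": EAP_CODES.get(code, code), "id": ident}
    eap_type = data[4]
    if eap_type == EAP_TYPE_IDENTITY:      # EAP-Response/Identity carries the bare identity
        out["type"] = "Identity"
        out["identity"] = data[5:].decode("ascii", "replace")
        return out
    if eap_type != EAP_TYPE_SIM:
        raise ValueError("not EAP-SIM: EAP type %d" % eap_type)
    if length < 8:
        raise ValueError("EAP-SIM header truncated")
    out["type"] = "SIM"
    out["subtype"] = SIM_SUBTYPES.get(data[5], data[5])   # bytes 6-7 are reserved
    attrs = {}
    pos = 8
    while pos < length:
        if pos + 2 > length:
            raise ValueError("attribute header truncated at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        size = alen * 4                    # attribute length is in 4-byte units, header included
        if alen == 0 or pos + size > length:
            raise ValueError("malformed attribute %d at offset %d" % (atype, pos))
        attrs[SIM_ATTRS.get(atype, "AT_%d" % atype)] = decode_attr(atype, data[pos + 2:pos + size])
        pos += size
    out["attrs"] = attrs
    return out


# Sample input: the EAP-Message values copied from the debug output in this thread
SAMPLES = {
    "identity": "0x025e000b0165617073696d",
    "start_request": "0x01650014120a00000f0200020001000011010100",
    "start_response": "0x0265002c120a00001001000107050000e9c6e0e9aff6855077e6a86e85ad7777"
                      "0e03000665617073696d0000",
    "challenge_request": "0x01660050120b0000010d0000abcd1234abcd1234abcd1234abcd1234"
                         "bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab"
                         "0b050000cd268139f462060bea6f15dc5801cb36",
}

if __name__ == "__main__":
    for name, hexstr in SAMPLES.items():
        print(name, decode_eap(hexstr))
```

Running it shows the Start response decoding to the same SELECTED_VERSION, NONCE_MT and IDENTITY values FreeRADIUS printed, and the Challenge request carrying the three RAND values from the users file inside AT_RAND plus an AT_MAC. The "Client says error. Stopping!" line in the phone's log is what FreeRADIUS prints when the client's EAP-SIM packet has the Client-Error subtype (14); fed such a packet, this decoder would show the AT_CLIENT_ERROR_CODE text, but the phone's EAP-Message is not in the thread, so it cannot be decoded here. A real SIM computes SRES and Kc from the RAND with its secret Ki, so made-up triplets in the users file let the exchange proceed to the challenge but cannot produce a matching AT_MAC from a genuine SIM.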
