Hi,
No idea; I'm not familiar with EAP-SIM. But the EAP-Message seemed obviously too short for that stage of a challenge/response auth, so I glanced at the RFC for the encoding.
Maybe you've got a permissions problem on whatever datastore the SIM secrets are in? Nope, I even tried with 777 just in case, but it was 644 which should be enough.
Here is the trace with the same client as 2.1.12, but on 2.2.0. The last trace we had was indeed with another SIM. rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=105, length=298 User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" Calling-Station-Id = "5C-59-48-ED-C4-96" NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "50-A7-33-31-CF-B8" Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02000038013133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267 Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 Message-Authenticator = 0x3254b54e86799aa4dbfd92f4eac2bbab server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" [suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org" ++[suffix] returns noop ++[preprocess] returns ok rlm_sim_files: authorized user/imsi IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96 rlm_perl: Added pair Message-Authenticator = 0x3254b54e86799aa4dbfd92f4eac2bbab rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 rlm_perl: Added pair User-Name = IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8 rlm_perl: Added pair EAP-Message = 0x02000038013133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267 rlm_perl: Added pair Connect-Info = CONNECT 802.11g rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 10.0.0.24 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651 rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81 rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392 rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1 rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505 rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231 rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409 rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1 rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair EAP-Type = SIM ++[packetfence] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 216 ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 105 to 10.0.0.24 port 1051 EAP-Message = 0x01d80014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x031a0cc303c21e1dddf19e8563de7dbd Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=106, length=348 User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" Calling-Station-Id = "5C-59-48-ED-C4-96" NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "50-A7-33-31-CF-B8" Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02d80058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500008e1f8f320c33aee4baf5b36f1a9a5ef6 State = 0x031a0cc303c21e1dddf19e8563de7dbd Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 Message-Authenticator = 0xa6f31db6bfe9f1ae785521d4d8a9b63b server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" [suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org" ++[suffix] returns noop ++[preprocess] returns ok rlm_sim_files: authorized user/imsi IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 216 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair State = 0x031a0cc303c21e1dddf19e8563de7dbd rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96 rlm_perl: Added pair Message-Authenticator = 0xa6f31db6bfe9f1ae785521d4d8a9b63b rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 rlm_perl: Added pair User-Name = IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8 rlm_perl: Added pair EAP-Message = 0x02d80058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500008e1f8f320c33aee4baf5b36f1a9a5ef6 rlm_perl: Added pair Connect-Info = CONNECT 802.11g rlm_perl: Added pair EAP-Type = SIM rlm_perl: Added pair NAS-IP-Address = 10.0.0.24 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651 rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81 rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392 rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1 rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505 rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231 rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409 rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1 rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair EAP-Type = SIM ++[packetfence] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User State = 0x031a0cc303c21e1dddf19e8563de7dbd Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Calling-Station-Id = "5C-59-48-ED-C4-96" Message-Authenticator = 0xa6f31db6bfe9f1ae785521d4d8a9b63b Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" NAS-Identifier = "50-A7-33-31-CF-B8" EAP-Message = 0x02d80058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500008e1f8f320c33aee4baf5b36f1a9a5ef6 Connect-Info = "CONNECT 802.11g" EAP-Type = SIM NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Framed-MTU = 1400 EAP-Sim-Subtype = Start EAP-Sim-IDENTITY = 0x00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f726700 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-NONCE_MT = 0x00008e1f8f320c33aee4baf5b36f1a9a5ef6 [eap] Underlying EAP-Type set EAP ID to 217 ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 106 to 10.0.0.24 port 1051 EAP-Message = 0x01d90050120b0000010d0000512317ac521bade521831aa3a3a5123112314312514145bbdede1d3a5d7d8d81658719018376aab4d2a5ccde7a21b6510b050000a95a21b1166856cd87afaafbc3e27593 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x031a0cc302c31e1dddf19e8563de7dbd Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=107, length=272 User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" Calling-Station-Id = "5C-59-48-ED-C4-96" NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "50-A7-33-31-CF-B8" Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02d9000c120e000016010000 State = 0x031a0cc302c31e1dddf19e8563de7dbd Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 Message-Authenticator = 0x9d4a9f0d542a77b968ea642f201db204 server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" [suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org" ++[suffix] returns noop ++[preprocess] returns ok rlm_sim_files: authorized user/imsi IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 217 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair State = 0x031a0cc302c31e1dddf19e8563de7dbd rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96 rlm_perl: Added pair Message-Authenticator = 0x9d4a9f0d542a77b968ea642f201db204 rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 rlm_perl: Added pair User-Name = IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8 rlm_perl: Added pair EAP-Message = 0x02d9000c120e000016010000 rlm_perl: Added pair Connect-Info = CONNECT 802.11g rlm_perl: Added pair EAP-Type = SIM rlm_perl: Added pair NAS-IP-Address = 10.0.0.24 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651 rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81 rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392 rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1 rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505 rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231 rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409 rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1 rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair EAP-Type = SIM ++[packetfence] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim [eap] Handler failed in EAP/sim [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server packetfence Using Post-Auth-Type REJECT # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> IMSI@wlan.mnc720.mcc302.3gppnetwork.org attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 107 to 10.0.0.24 port 1051 EAP-Message = 0x04d90004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.4 seconds. Thanks! -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)