Hi IIiya, thanx for your quick response here is my log debug rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=0, length=215 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000038013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 Message-Authenticator = 0x1e692ae9b93631a0f54bda0997d713f2 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] returns noop rlm_sim_files: authorized user/imsi 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org at line 1 ++[files] returns ok ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 116 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.2.1 port 2048 EAP-Message = 0x01740014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2e42338f2e362191820b0799859172e9 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=0, length=265 Cleaning up request 0 ID 0 with timestamp +10 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x2e42338f2e362191820b0799859172e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02740058120a000007050000c857b63e06e1bb7341a729ea36de8804100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x4228372d93c4496516a4c62a6b0d1f84 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] returns noop rlm_sim_files: authorized user/imsi 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 116 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org at line 1 ++[files] returns ok [sql] User 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x2e42338f2e362191820b0799859172e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02740058120a000007050000c857b63e06e1bb7341a729ea36de8804100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x4228372d93c4496516a4c62a6b0d1f84 EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x0000c857b63e06e1bb7341a729ea36de8804 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x3135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 [eap] Underlying EAP-Type set EAP ID to 117 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.2.1 port 2048 EAP-Message = 0x01750050120b0000010d000033c0caad1ca74b91b8c4c597a497c951ec28a5ea58bf4f7d9a15fb267c80bc6cf51e6dc5eeb149028f5cba3779f2b9160b050000128bccbc8968ba6d16040402b139d839 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2e42338f2f372191820b0799859172e9 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=0, length=205 Cleaning up request 1 ID 0 with timestamp +10 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x2e42338f2f372191820b0799859172e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0275001c120b00000b050000fe0ad02adb05fa535c5e7beaa8810f69 Message-Authenticator = 0x17809a1e9fcb50736607e844ac964694 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] returns noop rlm_sim_files: authorized user/imsi 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 117 length 28 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org at line 1 ++[files] returns ok ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim MAC check succeed [eap] Underlying EAP-Type set EAP ID to 118 [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 0 to 192.168.2.1 port 2048 MS-MPPE-Recv-Key = 0x9d0b6b0a9151822473399a9fed44e8f0d74df083532a7d437e436f60866252d8 MS-MPPE-Send-Key = 0xebf07da25ca3cd97267d1fc6a1ce18d68ad2737902f610284bdb45c6eed0cb7f EAP-Message = 0x03760004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 0 with timestamp +11 Ready to process requests. this is my log with 1 client thanx very much for your help best regards On Thu, Jun 20, 2013 at 2:53 PM, Iliya Peregoudov <iperegudov@cboss.ru>wrote:
On 20.06.2013 8:38, raptor raptor wrote:
i just try one client and success but when i use another client and it fails
Post debug log if you want to diagnose authentication failure.
is it correct if i add other client in users and simtriplets.dat?
Yes, you should add auth vectors for all your SIM cards into users file, one stanza for every SIM card.
If you still get "insufficient number of challenges" message then your simtriplets.dat is not relevant. Just forget about it. Auth vectors from users file are sufficient.
Freeradius is very flexible. There is no one single way of correctly configure it. But there are indefinite number of ways to misconfigure it. If you prefer not to diagnose authentication failures but insert random stuff into randomly selected configuration files it's unlikely you accidentally configure it correctly.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>