Dear all, I'm trying to configure freeradius for eap-sim authenticatio. in my case my supplicant was success to connect the ap with eap-sim authentication, but in the freeradius log there's warnings on the users file. reading pairlist file /etc/freeradius/users [/etc/freeradius/users]:204 WARNING! Check item "EAP-Sim-Rand1" found in reply item list for user " 1510101425520064@wlan.mnc101.mcc510.3gppnetwork.org". This attribute MUST go on the first line with the other check items [/etc/freeradius/users]:204 WARNING! Check item "EAP-Sim-SRES1" found in reply item list for user " 1510101425520064@wlan.mnc101.mcc510.3gppnetwork.org". This attribute MUST go on the first line with the other check items [/etc/freeradius/users]:204 WARNING! Check item "EAP-Sim-KC1" found in reply item list for user " 1510101425520064@wlan.mnc101.mcc510.3gppnetwork.org". This attribute MUST go on the first line with the other check items i have read anything about this but still i can't get fix this problem. what makes me confuse is why the supplicant could connect to the ap however i still got warnings on the log? this is my users configuration <1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org> 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM EAP-Sim-Rand1 = 0xBDA21CB60EF945da9A8BA56667B49027, EAP-Sim-SRES1 = 0x04d995bc, EAP-Sim-KC1 = 0xBBe0a7c68Aea1c00, EAP-Sim-Rand2 = 0x621F1DAC915B4dbf8A0842E88B97BBBE, EAP-Sim-SRES2 = 0xD9b5f235, EAP-Sim-KC2 = 0x33d1ae11914c4800, EAP-Sim-Rand3 = 0x6AD4284810DD42ca8A60A410F7746820, EAP-Sim-SRES3 = 0xB29eb39b, EAP-Sim-KC3 = 0x1E62ae2aA0a66400 if i have to follow the freeradius log, then i should do: 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org <http://lists.freeradius.org/mailman/listinfo/freeradius-users> EAP-Type := SIM EAP-Sim-Rand1 := <value>, EAP-Sim-SRES1 := <value>, EAP-Sim-KC1 := <value>, EAP-Sim-Rand2 := <value>, EAP-Sim-SRES2 := <value>, EAP-Sim-KC2 := <value>, EAP-Sim-Rand3 := <value>, EAP-Sim-SRES3 := <value>, EAP-Sim-KC3 := <value> but if i read the right format for the users file is like i did before, user check reply, reply, reply so, what i have to do for fix the warnings in users file? I'm using Ubuntu 10.04 desktop LTE, freeradius 2.2.5 for server, air-live for ap and blackberry 9320 for the supplicant. here's the log realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.1.0/24 { require_message_authenticator = no secret = "eap-sim" shortname = "eap-sim" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file �Bw�?B modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 1024 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to sub-module rlm_eap_sim Module: Instantiating eap-sim Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_sim_files Module: Instantiating module "sim_files" from file /etc/freeradius/modules/sim_files sim_files { simtriplets = "/etc/freeradius/simtriplets.dat" } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users [/etc/freeradius/users]:204 WARNING! Check item "EAP-Sim-Rand1" found in reply item list for user " 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org". This attribute MUST go on the first line with the other check items [/etc/freeradius/users]:204 WARNING! Check item "EAP-Sim-SRES1" found in reply item list for user " 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org". This attribute MUST go on the first line with the other check items [/etc/freeradius/users]:204 WARNING! Check item "EAP-Sim-KC1" found in reply item list for user " 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org". This attribute MUST go on the first line with the other check items [/etc/freeradius/users]:204 WARNING! Check item "EAP-Sim-Rand2" found in reply item list for user " 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org". This attribute MUST go on the first line with the other check items [/etc/freeradius/users]:204 WARNING! Check item "EAP-Sim-SRES2" found in reply item list for user " 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org". This attribute MUST go on the first line with the other check items [/etc/freeradius/users]:204 WARNING! Check item "EAP-Sim-KC2" found in reply item list for user " 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org". This attribute MUST go on the first line with the other check items [/etc/freeradius/users]:204 WARNING! Check item "EAP-Sim-Rand3" found in reply item list for user " 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org". This attribute MUST go on the first line with the other check items [/etc/freeradius/users]:204 WARNING! Check item "EAP-Sim-SRES3" found in reply item list for user " 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org". This attribute MUST go on the first line with the other check items [/etc/freeradius/users]:204 WARNING! Check item "EAP-Sim-KC3" found in reply item list for user " 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org". This attribute MUST go on the first line with the other check items reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 47457 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 2049, id=146, length=259 User-Name = "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org" NAS-IP-Address = 192.168.1.1 NAS-Port = 0 Called-Station-Id = "004f62248f98" Calling-Station-Id = "70aab2eb15af" NAS-Identifier = "Realtek Access Point. 8186" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02000038013135313030313934363332383631363840776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 Message-Authenticator = 0x3b7cec016f9e7d837e6c6fd3b4eb20ef # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] = noop rlm_sim_files: insufficient number of challenges for imsi 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org: 0 ++[sim_files] = notfound [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org at line 204 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 226 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 146 to 192.168.1.1 port 2049 EAP-Message = 0x01e20014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2868fcaa2649d86228f5cbe0864a028 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 2049, id=147, length=303 User-Name = "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org" NAS-IP-Address = 192.168.1.1 NAS-Port = 0 Called-Station-Id = "004f62248f98" Calling-Station-Id = "70aab2eb15af" NAS-Identifier = "Realtek Access Point. 8186" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02e20058120a000007050000e4e69b2af151f7b962b59341f135ec28100100010e0e00333135313030313934363332383631363840776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 State = 0xa2868fcaa2649d86228f5cbe0864a028 Message-Authenticator = 0xdb930ab0a6fe572dc35ab89c7d62a32d # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] = noop rlm_sim_files: insufficient number of challenges for imsi 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org: 0 ++[sim_files] = notfound [eap] EAP packet type response id 226 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org at line 204 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: User-Name = "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org" NAS-IP-Address = 192.168.1.1 NAS-Port = 0 Called-Station-Id = "004f62248f98" Calling-Station-Id = "70aab2eb15af" NAS-Identifier = "Realtek Access Point. 8186" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02e20058120a000007050000e4e69b2af151f7b962b59341f135ec28100100010e0e00333135313030313934363332383631363840776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 State = 0xa2868fcaa2649d86228f5cbe0864a028 Message-Authenticator = 0xdb930ab0a6fe572dc35ab89c7d62a32d EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x0000e4e69b2af151f7b962b59341f135ec28 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x3135313030313934363332383631363840776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 [eap] Underlying EAP-Type set EAP ID to 227 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 147 to 192.168.1.1 port 2049 EAP-Message = 0x01e30050120b0000010d0000bda21cb60ef945da9a8ba56667b49027621f1dac915b4dbf8a0842e88b97bbbe6ad4284810dd42ca8a60a410f77468200b05000054a12566dba5ea107876abb8ce63c51b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2868fcaa3659d86228f5cbe0864a028 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 2049, id=148, length=243 User-Name = "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org" NAS-IP-Address = 192.168.1.1 NAS-Port = 0 Called-Station-Id = "004f62248f98" Calling-Station-Id = "70aab2eb15af" NAS-Identifier = "Realtek Access Point. 8186" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02e3001c120b00000b050000972372a41c5202143e5d4624453ee9a4 State = 0xa2868fcaa3659d86228f5cbe0864a028 Message-Authenticator = 0x84e6bf6274f86ccbbcf74dd0fd0ccdbc # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] = noop rlm_sim_files: insufficient number of challenges for imsi 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org: 0 ++[sim_files] = notfound [eap] EAP packet type response id 227 length 28 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org at line 204 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim MAC check succeed [eap] Underlying EAP-Type set EAP ID to 228 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 148 to 192.168.1.1 port 2049 MS-MPPE-Recv-Key = 0x4cf85cf91585ad5b0150cfcf0891da3c700186a1f529c33a77b858b7c2792425 MS-MPPE-Send-Key = 0x73cddffcb9182dcbdb08f9a1a75e96cfb11145d41b6a6734ddd8b2befa96c5c8 EAP-Message = 0x03e40004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org" Finished request 2. Going to the next request Waking up in 3.8 seconds. Cleaning up request 0 ID 146 with timestamp +22 Cleaning up request 1 ID 147 with timestamp +22 Waking up in 1.0 seconds. Cleaning up request 2 ID 148 with timestamp +23 Ready to process requests.