Hi, sorry to reply after such a long time, since I have tried many methods to fix the bug.
Hi, I am new here and here is my problem: I am using FreeRADIUS version 3.0.4
You should probably upgrade.
I upgraded to 3.0.11 and still failed...sigh>_<
(8) authenticate { (8) eap: Expiring EAP session with state 0x14c723b2157231b1 (8) eap: Finished EAP session with state 0x14c723b2157231b1 (8) eap: Previous EAP request found for state 0x14c723b2157231b1, released from the list (8) eap: Peer sent packet with method EAP SIM (18) (8) eap: Calling submodule eap_sim to process data (8) eap: ERROR: Failed continuing EAP SIM (18) session. EAP sub-module failed (8) eap: Sending EAP Failure (code 4) ID 181 length 4
That's not good. It would be nice to get a message as to *why* it failed.
I've pushed some additional debug messages. Please try the v3.0.x branch from git:
https://github.com/FreeRADIUS/freeradius-server/archive/v3.0.x.zip
Alan DeKok.
Thank you so much , and I have downloaded the source and installed ,exactly the same bug appears and output log about the bug is the same, which includes only one line telling"Failed continuing EAP session". I didn't get more log about the bug in my test using a read sim card, BUT something goes wrong when I run radeapclient to test my radius server: when I use a radeapclient to perform an authentication, I will get Access-Accept, but there is an error in the log. After checking the MAC successfully, the Radius server failed to decode the EAP package, with the Error log:"(28) eap_sim: ERROR: Failed decoding EAP-SIM packet: ". But server still send the EAP Success. Maybe there is something related between the two bugs. Here is the full log: (26) Received Access-Request Id 147 from 127.0.0.1:59677 to 127.0.0.1:1812 length 161 (26) User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" (26) NAS-IP-Address = 127.0.0.1 (26) Message-Authenticator = 0xbefb520ad5d6083aeaa7d71c51b74237 (26) NAS-Port = 0 (26) EAP-Message = 0x022b0038013132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f7267 (26) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (26) authorize { (26) policy filter_username { (26) if (&User-Name) { (26) if (&User-Name) -> TRUE (26) if (&User-Name) { (26) if (&User-Name =~ / /) { (26) if (&User-Name =~ / /) -> FALSE (26) if (&User-Name =~ /@[^@]*@/ ) { (26) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (26) if (&User-Name =~ /\.\./ ) { (26) if (&User-Name =~ /\.\./ ) -> FALSE (26) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (26) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (26) if (&User-Name =~ /\.$/) { (26) if (&User-Name =~ /\.$/) -> FALSE (26) if (&User-Name =~ /@\./) { (26) if (&User-Name =~ /@\./) -> FALSE (26) } # if (&User-Name) = notfound (26) } # policy filter_username = notfound (26) [preprocess] = ok (26) [chap] = noop (26) [mschap] = noop (26) [digest] = noop (26) suffix: Checking for suffix after "@" (26) suffix: Looking up realm "wlan.mnc093.mcc208.3gppnetwork.org" for User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" (26) suffix: No such realm "wlan.mnc093.mcc208.3gppnetwork.org" (26) [suffix] = noop (26) files: users: Matched entry 1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org at line 4 (26) [files] = ok (26) eap: Peer sent EAP Response (code 2) ID 43 length 56 (26) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (26) [eap] = ok (26) } # authorize = ok (26) Found Auth-Type = eap (26) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (26) authenticate { (26) eap: Peer sent packet with method EAP Identity (1) (26) eap: Calling submodule eap_sim to process data (26) eap: Sending EAP Request (code 1) ID 1 length 20 (26) eap: EAP session adding &reply:State = 0x1140333a11412123 (26) [eap] = handled (26) } # authenticate = handled (26) Using Post-Auth-Type Challenge (26) Post-Auth-Type sub-section not found. Ignoring. (26) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (26) Sent Access-Challenge Id 147 from 127.0.0.1:1812 to 127.0.0.1:59677 length 0 (26) EAP-Message = 0x01010014120a00000f0200020001000011010171 (26) Message-Authenticator = 0x00000000000000000000000000000000 (26) State = 0x1140333a11412123fb61540a5217ec47 (26) Finished request Waking up in 4.9 seconds. (27) Received Access-Request Id 221 from 127.0.0.1:59677 to 127.0.0.1:1812 length 211 (27) User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" (27) NAS-IP-Address = 127.0.0.1 (27) Message-Authenticator = 0xa9602d366f22e9b1872f6bb0e8be92e3 (27) NAS-Port = 0 (27) EAP-Message = 0x02010058120a00001001000107050000be93130ac98c40bcaf65ba75d30c3e270e0e00333132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f726700 (27) State = 0x1140333a11412123fb61540a5217ec47 (27) session-state: No cached attributes (27) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (27) authorize { (27) policy filter_username { (27) if (&User-Name) { (27) if (&User-Name) -> TRUE (27) if (&User-Name) { (27) if (&User-Name =~ / /) { (27) if (&User-Name =~ / /) -> FALSE (27) if (&User-Name =~ /@[^@]*@/ ) { (27) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (27) if (&User-Name =~ /\.\./ ) { (27) if (&User-Name =~ /\.\./ ) -> FALSE (27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (27) if (&User-Name =~ /\.$/) { (27) if (&User-Name =~ /\.$/) -> FALSE (27) if (&User-Name =~ /@\./) { (27) if (&User-Name =~ /@\./) -> FALSE (27) } # if (&User-Name) = notfound (27) } # policy filter_username = notfound (27) [preprocess] = ok (27) [chap] = noop (27) [mschap] = noop (27) [digest] = noop (27) suffix: Checking for suffix after "@" (27) suffix: Looking up realm "wlan.mnc093.mcc208.3gppnetwork.org" for User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" (27) suffix: No such realm "wlan.mnc093.mcc208.3gppnetwork.org" (27) [suffix] = noop (27) files: users: Matched entry 1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org at line 4 (27) [files] = ok (27) eap: Peer sent EAP Response (code 2) ID 1 length 88 (27) eap: No EAP Start, assuming it's an on-going EAP conversation (27) [eap] = updated (27) [expiration] = noop (27) [logintime] = noop (27) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (27) pap: WARNING: Authentication will fail unless a "known good" password is available (27) [pap] = noop (27) } # authorize = updated (27) Found Auth-Type = eap (27) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (27) authenticate { (27) eap: Expiring EAP session with state 0x1140333a11412123 (27) eap: Finished EAP session with state 0x1140333a11412123 (27) eap: Previous EAP request found for state 0x1140333a11412123, released from the list (27) eap: Peer sent packet with method EAP SIM (18) (27) eap: Calling submodule eap_sim to process data (27) eap_sim: EAP-SIM decoded packet (27) eap_sim: User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" (27) eap_sim: NAS-IP-Address = 127.0.0.1 (27) eap_sim: Message-Authenticator = 0xa9602d366f22e9b1872f6bb0e8be92e3 (27) eap_sim: NAS-Port = 0 (27) eap_sim: EAP-Message = 0x02010058120a00001001000107050000be93130ac98c40bcaf65ba75d30c3e270e0e00333132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f726700 (27) eap_sim: State = 0x1140333a11412123fb61540a5217ec47 (27) eap_sim: Event-Timestamp = "May 24 2016 14:56:01 CST" (27) eap_sim: EAP-Type = SIM (27) eap_sim: EAP-Sim-Subtype = Start (27) eap_sim: EAP-Sim-SELECTED_VERSION = 0x0001 (27) eap_sim: EAP-Sim-NONCE_MT = 0x0000be93130ac98c40bcaf65ba75d30c3e27 (27) eap_sim: EAP-Sim-IDENTITY = 0x00333132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f726700 (27) eap: Sending EAP Request (code 1) ID 2 length 80 (27) eap: EAP session adding &reply:State = 0x1140333a10422123 (27) [eap] = handled (27) } # authenticate = handled (27) Using Post-Auth-Type Challenge (27) Post-Auth-Type sub-section not found. Ignoring. (27) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (27) Sent Access-Challenge Id 221 from 127.0.0.1:1812 to 127.0.0.1:59677 length 0 (27) EAP-Message = 0x01020050120b0000010d0000952f4f7ced3f2525a6f6feda2352d2a2c05f33c78f0f84dc8ed8ed6cf3b683af88e58d47a71cdaf83ad0427b150a6a930b0500004d181d7cdee6ce8198babe34a81d81ea (27) Message-Authenticator = 0x00000000000000000000000000000000 (27) State = 0x1140333a10422123fb61540a5217ec47 (27) Finished request Waking up in 4.9 seconds. (28) Received Access-Request Id 99 from 127.0.0.1:59677 to 127.0.0.1:1812 length 151 (28) User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" (28) NAS-IP-Address = 127.0.0.1 (28) Message-Authenticator = 0x8327774ed80c7e34c6b92cb44a1fdaad (28) NAS-Port = 0 (28) State = 0x1140333a10422123fb61540a5217ec47 (28) EAP-Message = 0x0202001c120b00000b050000e1bbad6ef008ebe1e2d4a489c7cb12a7 (28) session-state: No cached attributes (28) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (28) authorize { (28) policy filter_username { (28) if (&User-Name) { (28) if (&User-Name) -> TRUE (28) if (&User-Name) { (28) if (&User-Name =~ / /) { (28) if (&User-Name =~ / /) -> FALSE (28) if (&User-Name =~ /@[^@]*@/ ) { (28) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (28) if (&User-Name =~ /\.\./ ) { (28) if (&User-Name =~ /\.\./ ) -> FALSE (28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (28) if (&User-Name =~ /\.$/) { (28) if (&User-Name =~ /\.$/) -> FALSE (28) if (&User-Name =~ /@\./) { (28) if (&User-Name =~ /@\./) -> FALSE (28) } # if (&User-Name) = notfound (28) } # policy filter_username = notfound (28) [preprocess] = ok (28) [chap] = noop (28) [mschap] = noop (28) [digest] = noop (28) suffix: Checking for suffix after "@" (28) suffix: Looking up realm "wlan.mnc093.mcc208.3gppnetwork.org" for User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" (28) suffix: No such realm "wlan.mnc093.mcc208.3gppnetwork.org" (28) [suffix] = noop (28) files: users: Matched entry 1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org at line 4 (28) [files] = ok (28) eap: Peer sent EAP Response (code 2) ID 2 length 28 (28) eap: No EAP Start, assuming it's an on-going EAP conversation (28) [eap] = updated (28) [expiration] = noop (28) [logintime] = noop (28) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (28) pap: WARNING: Authentication will fail unless a "known good" password is available (28) [pap] = noop (28) } # authorize = updated (28) Found Auth-Type = eap (28) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (28) authenticate { (28) eap: Expiring EAP session with state 0x1140333a10422123 (28) eap: Finished EAP session with state 0x1140333a10422123 (28) eap: Previous EAP request found for state 0x1140333a10422123, released from the list (28) eap: Peer sent packet with method EAP SIM (18) (28) eap: Calling submodule eap_sim to process data (28) eap_sim: MAC check succeed (28) eap_sim: ERROR: Failed decoding EAP-SIM packet: (28) eap: Sending EAP Success (code 3) ID 3 length 4 (28) eap: Freeing handler (28) [eap] = ok (28) } # authenticate = ok (28) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (28) post-auth { (28) update { (28) No attributes updated (28) } # update = noop (28) [exec] = noop (28) policy remove_reply_message_if_eap { (28) if (&reply:EAP-Message && &reply:Reply-Message) { (28) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (28) else { (28) [noop] = noop (28) } # else = noop (28) } # policy remove_reply_message_if_eap = noop (28) } # post-auth = noop (28) Sent Access-Accept Id 99 from 127.0.0.1:1812 to 127.0.0.1:59677 length 0 (28) MS-MPPE-Recv-Key = 0x3e595d1f242073e0ca72dcc4ab8330d8412dab890100d75f2c07bd9d108a8907 (28) MS-MPPE-Send-Key = 0xbb480dc076472f57534eec21ac7d3e8acbcab8d687acc1e9ca743e333d6053e2 (28) EAP-Message = 0x03030004 (28) Message-Authenticator = 0x00000000000000000000000000000000 (28) User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" (28) Finished request Waking up in 4.9 seconds. (26) Cleaning up request packet ID 147 with timestamp +529 (27) Cleaning up request packet ID 221 with timestamp +529 (28) Cleaning up request packet ID 99 with timestamp +529 Ready to process requests and my radeapclient get access-accept: lzx@lzx-ThinkPad-Edge-E440:~/Documents/eapsim-03$ radeapclient -x 127.0.0.1:1812 auth testing123 <eapsim-realin.txt Loading input data... Read 1 element(s) from input: stdin Loaded: 1 input element(s). Adding new socket: src: 0.0.0.0:0, dst: 127.0.0.1:1812 Added new socket: 5 (num sockets: 1) Transaction: 0, sending packet: 0 (id: 147)... Sent Access-Request Id 147 from 0.0.0.0:59677 to 127.0.0.1:1812 length 161 User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" NAS-IP-Address = 127.0.0.1 EAP-Code = Response EAP-Type-Identity = 0x3132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f7267 Message-Authenticator = 0x30 NAS-Port = 0 EAP-Sim-Rand1 = 0x952f4f7ced3f2525a6f6feda2352d2a2 EAP-Sim-SRES1 = 0x0bce7fec EAP-Sim-KC1 = 0xc54c5eddc4daa000 EAP-Sim-Rand2 = 0xc05f33c78f0f84dc8ed8ed6cf3b683af EAP-Sim-SRES2 = 0x54045fe1 EAP-Sim-KC2 = 0x347fd8b31c52c000 EAP-Sim-Rand3 = 0x88e58d47a71cdaf83ad0427b150a6a93 EAP-Sim-SRES3 = 0x3cc3655a EAP-Sim-KC3 = 0x1ceac0d78b418c00 EAP-Message = 0x022b0038013132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f7267 Transaction: 0, received packet (id: 147). Received Access-Challenge Id 147 from 127.0.0.1:1812 to 0.0.0.0:59677 length 78 EAP-Message = 0x01010014120a00000f0200020001000011010171 Message-Authenticator = 0xf5738cc29c0afea9df93645c8ea1845d State = 0x1140333a11412123fb61540a5217ec47 EAP-Id = 1 EAP-Code = Request EAP-Type-SIM = 0x0a00000f0200020001000011010171 Transaction: 0, sending packet: 1 (id: 221)... Sent Access-Request Id 221 from 0.0.0.0:59677 to 127.0.0.1:1812 length 211 User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" NAS-IP-Address = 127.0.0.1 EAP-Code = Response Message-Authenticator = 0x30 NAS-Port = 0 EAP-Sim-Rand1 = 0x952f4f7ced3f2525a6f6feda2352d2a2 EAP-Sim-SRES1 = 0x0bce7fec EAP-Sim-KC1 = 0xc54c5eddc4daa000 EAP-Sim-Rand2 = 0xc05f33c78f0f84dc8ed8ed6cf3b683af EAP-Sim-SRES2 = 0x54045fe1 EAP-Sim-KC2 = 0x347fd8b31c52c000 EAP-Sim-Rand3 = 0x88e58d47a71cdaf83ad0427b150a6a93 EAP-Sim-SRES3 = 0x3cc3655a EAP-Sim-KC3 = 0x1ceac0d78b418c00 EAP-Sim-State = 1 EAP-Sim-Subtype = Start EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-NONCE_MT = 0x0000be93130ac98c40bcaf65ba75d30c3e27 EAP-Sim-IDENTITY = 0x00333132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f7267 EAP-Id = 1 EAP-Message = 0x02010058120a00001001000107050000be93130ac98c40bcaf65ba75d30c3e270e0e00333132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f726700 State = 0x1140333a11412123fb61540a5217ec47 Transaction: 0, received packet (id: 221). Received Access-Challenge Id 221 from 127.0.0.1:1812 to 0.0.0.0:59677 length 138 EAP-Message = 0x01020050120b0000010d0000952f4f7ced3f2525a6f6feda2352d2a2c05f33c78f0f84dc8ed8ed6cf3b683af88e58d47a71cdaf83ad0427b150a6a930b0500004d181d7cdee6ce8198babe34a81d81ea Message-Authenticator = 0x92805d7b3830f49e9ea3e4aed09b0019 State = 0x1140333a10422123fb61540a5217ec47 EAP-Id = 2 EAP-Code = Request EAP-Type-SIM = 0x0b0000010d0000952f4f7ced3f2525a6f6feda2352d2a2c05f33c78f0f84dc8ed8ed6cf3b683af88e58d47a71cdaf83ad0427b150a6a930b0500004d181d7cdee6ce8198babe34a81d81ea Input was: identity: (len=51)3132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f7267 nonce_mt: be93130ac98c40bcaf65ba75d30c3e27 rand0: 00000000000000000000000000000000 rand1: 00000000000000000000000000000000 rand2: 00000000000000000000000000000000 sres0: 0bce7fec sres1: 54045fe1 sres2: 3cc3655a Kc0: c54c5eddc4daa000 Kc1: 347fd8b31c52c000 Kc2: 1ceac0d78b418c00 versionlist[2]: 0001 select 00 01 Output mk: 6650dc9d_bb45dfb6_874073da_f1f0d096_5814acf9 K_aut: 826899db_b5f04b65_99b7dd0b_4be31da5 K_encr: 21545ec5_64dea6e6_b2fda708_653dc4a7 msk: 3e595d1f_242073e0_ca72dcc4_ab8330d8_412dab89 0100d75f_2c07bd9d_108a8907_bb480dc0_76472f57 534eec21_ac7d3e8a_cbcab8d6_87acc1e9_ca743e33 3d6053e2 emsk: 2a5800e2_61055f79_a31e2f46_7387892a_7e8c5ff8 c53c490f_05fa1c2b_2a09de83_992cfdd3_cfce6fad f7079c8a_b5d52cd9_1dee6702_8f5cfc76_86f6101b 4ac5d3a3 MAC check succeed Transaction: 0, sending packet: 2 (id: 99)... Sent Access-Request Id 99 from 0.0.0.0:59677 to 127.0.0.1:1812 length 151 User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" NAS-IP-Address = 127.0.0.1 EAP-Code = Response Message-Authenticator = 0x30 NAS-Port = 0 EAP-Sim-Rand1 = 0x952f4f7ced3f2525a6f6feda2352d2a2 EAP-Sim-SRES1 = 0x0bce7fec EAP-Sim-KC1 = 0xc54c5eddc4daa000 EAP-Sim-Rand2 = 0xc05f33c78f0f84dc8ed8ed6cf3b683af EAP-Sim-SRES2 = 0x54045fe1 EAP-Sim-KC2 = 0x347fd8b31c52c000 EAP-Sim-Rand3 = 0x88e58d47a71cdaf83ad0427b150a6a93 EAP-Sim-SRES3 = 0x3cc3655a EAP-Sim-KC3 = 0x1ceac0d78b418c00 EAP-Sim-State = 1 EAP-Sim-Subtype = Challenge EAP-Id = 2 State = 0x1140333a10422123fb61540a5217ec47 EAP-Sim-MAC = 0x0bce7fec54045fe13cc3655a EAP-Sim-KEY = 0x826899dbb5f04b6599b7dd0b4be31da5 EAP-Message = 0x0202001c120b00000b050000e1bbad6ef008ebe1e2d4a489c7cb12a7 Transaction: 0, received packet (id: 99). Received Access-Accept Id 99 from 127.0.0.1:1812 to 0.0.0.0:59677 length 213 MS-MPPE-Recv-Key = 0x3e595d1f242073e0ca72dcc4ab8330d8412dab890100d75f2c07bd9d108a8907 MS-MPPE-Send-Key = 0xbb480dc076472f57534eec21ac7d3e8acbcab8d687acc1e9ca743e333d6053e2 EAP-Message = 0x03030004 Message-Authenticator = 0xe7d68322630318e6c791574cd504bfda User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" EAP-Id = 3 EAP-Code = Success Main loop: done. Is there any posibility that my read sim card or my mobile device get something wrong with EAP-SIM? But I have tested in two different devices with EAP-SIM capability and get the same result as told above. Or Is there anything I can do to locate the bug? Thank you so much and hoping for your reply~