Hi guys, i'm still trying to authenticate a EAP SIM Client with the Freeraduis 3.0.0. By Using the Nokia E51 and E52, the eap-sim authentication process just stops after the raduis has sent the " EAP-REQUEST, SIM-CHALLENGE" (containing AT_RAND and AT_MAC) message (see log info.). I did some changes in the in the " eapsimlib.c" regarding the AT_IDENTITY by using the patch 'commit cfd61d24b99022eb613054bbf7e0da4fa3af1bde' but the result didn't change. I decided to change the Client. I downloaded and installed Xsupplicant 2.2.3.553 on my windows XP. This is a software capable to be used as EAP-SIM Client. I didn't change anything on the server side. This time Xsupplicant replys with a " EAP-RESPONSE, SIM-CHALLENGE" (containing AT_MAC) after recieving the " EAP-REQUEST, SIM-CHALLENGE" (containing AT_RAND and AT_MAC). The Freeradius Server recieves the " EAP-RESPONSE, SIM-CHALLENGE" (containing AT_MAC), says that the received MAC doesn't match and breaks the authentication process with a "access reject" Here the log messages with Nokia: Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Opening new proxy address * port 1814 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.10.212 port 48077, id=19, length=308 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82500003" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02010038013139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267 Message-Authenticator = 0x429b263e5293fadbae0a13f28dad2775 NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) group authorize { (0) - entering group authorize {...} (0) [preprocess] = ok (0) [chap] = noop (0) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212 (0) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108 (0) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108 (0) auth_log : expand: %t -> Thu Nov 8 14:20:05 2012 (0) [auth_log] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix : Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" (0) suffix : Found realm "~.*.3gppnetwork.org$" (0) suffix : Adding Stripped-User-Name = "1901700000000653" (0) suffix : Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org" (0) suffix : Authentication realm is LOCAL. (0) [suffix] = ok rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim (0) [sim_files] = ok (0) eap : EAP packet type response id 1 length 56 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) Found Auth-Type = EAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) group authenticate { (0) - entering group authenticate {...} (0) eap : EAP Identity (0) eap : processing type sim (0) eap : Underlying EAP-Type set EAP ID to 133 (0) [eap] = handled Sending Access-Challenge of id 19 to 192.168.10.212 port 48077 EAP-Message = 0x01850014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x077b668807fe746db0e5f555c7ca40d2 (0) Finished request 0. Waking up in 0.3 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 41383, id=20, length=358 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" State = 0x077b668807fe746db0e5f555c7ca40d2 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82500003" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02850058120a000007050000be65a474dc99300354fdd97e5176bbc5100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x07c87b76cd6232ca08dc4529913d5cac NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) group authorize { (1) - entering group authorize {...} (1) [preprocess] = ok (1) [chap] = noop (1) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212 (1) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108 (1) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108 (1) auth_log : expand: %t -> Thu Nov 8 14:20:05 2012 (1) [auth_log] = ok (1) [mschap] = noop (1) [digest] = noop (1) suffix : Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" (1) suffix : Found realm "~.*.3gppnetwork.org$" (1) suffix : Adding Stripped-User-Name = "1901700000000653" (1) suffix : Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org" (1) suffix : Authentication realm is LOCAL. (1) [suffix] = ok rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim (1) [sim_files] = ok (1) eap : EAP packet type response id 133 length 88 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap : WARNING! No "known good" password found for the user. Authentication may fail because of this. (1) [pap] = noop (1) Found Auth-Type = EAP (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) group authenticate { (1) - entering group authenticate {...} (1) eap : Request found, released from the list (1) eap : EAP/sim (1) eap : processing type sim +++> EAP-sim decoded packet: Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" State = 0x077b668807fe746db0e5f555c7ca40d2 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82500003" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02850058120a000007050000be65a474dc99300354fdd97e5176bbc5100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x07c87b76cd6232ca08dc4529913d5cac NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 Stripped-User-Name = "1901700000000653" Realm = "wlan.mnc070.mcc901.3gppnetwork.org" EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x0000be65a474dc99300354fdd97e5176bbc5 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x3139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267 (1) eap : Underlying EAP-Type set EAP ID to 134 (1) [eap] = handled Sending Access-Challenge of id 20 to 192.168.10.212 port 41383 EAP-Message = 0x01860050120b0000010d00000123456789abcdef0123456789abcdef658719018376aab4d2a5ccde7a21b6510123456789abcdef0123456789abcdff0b050000217a0ab3b008a413f570885bca13bbe8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x077b668806fd746db0e5f555c7ca40d2 (1) Finished request 1. Going to the next request Waking up in 0.3 seconds. Waking up in 4.6 seconds. (0) Cleaning up request packet ID 19 with timestamp +14 (1) Cleaning up request packet ID 20 with timestamp +14 Ready to process requests. <----------------------> Here the log messages by using Xsupplicant: Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Opening new proxy address * port 1814 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.10.212 port 34456, id=63, length=238 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653" NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82900026" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-16-6F-BB-2D-CE-82-90-00-00-00-00-00-26" Calling-Station-Id = "00-16-6F-BB-2D-CE" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x020100150131393031373030303030303030363533 Message-Authenticator = 0x653921257bd23ec322ee3b4924d32751 NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) group authorize { (0) - entering group authorize {...} (0) [preprocess] = ok (0) [chap] = noop (0) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212 (0) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114 (0) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114 (0) auth_log : expand: %t -> Wed Nov 14 17:30:30 2012 (0) [auth_log] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "1901700000000653", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim (0) [sim_files] = ok (0) eap : EAP packet type response id 1 length 21 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) Found Auth-Type = EAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) group authenticate { (0) - entering group authenticate {...} (0) eap : EAP Identity (0) eap : processing type sim (0) eap : Underlying EAP-Type set EAP ID to 38 (0) [eap] = handled Sending Access-Challenge of id 63 to 192.168.10.212 port 34456 EAP-Message = 0x01260014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5b17c53a5b31d7c6686a4d2738ee4ab7 (0) Finished request 0. Waking up in 0.3 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 57441, id=64, length=267 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653" State = 0x5b17c53a5b31d7c6686a4d2738ee4ab7 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82900026" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-16-6F-BB-2D-CE-82-90-00-00-00-00-00-26" Calling-Station-Id = "00-16-6F-BB-2D-CE" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02260020120a001b07050000a8605e360593e63583c864b6051046f410010001 Message-Authenticator = 0x0133a5fba265cea77256e0b429f11c02 NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) group authorize { (1) - entering group authorize {...} (1) [preprocess] = ok (1) [chap] = noop (1) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212 (1) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114 (1) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114 (1) auth_log : expand: %t -> Wed Nov 14 17:30:30 2012 (1) [auth_log] = ok (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "1901700000000653", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim (1) [sim_files] = ok (1) eap : EAP packet type response id 38 length 32 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap : WARNING! No "known good" password found for the user. Authentication may fail because of this. (1) [pap] = noop (1) Found Auth-Type = EAP (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) group authenticate { (1) - entering group authenticate {...} (1) eap : Request found, released from the list (1) eap : EAP/sim (1) eap : processing type sim +++> EAP-sim decoded packet: Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653" State = 0x5b17c53a5b31d7c6686a4d2738ee4ab7 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82900026" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-16-6F-BB-2D-CE-82-90-00-00-00-00-00-26" Calling-Station-Id = "00-16-6F-BB-2D-CE" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02260020120a001b07050000a8605e360593e63583c864b6051046f410010001 Message-Authenticator = 0x0133a5fba265cea77256e0b429f11c02 NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x0000a8605e360593e63583c864b6051046f4 EAP-Sim-SELECTED_VERSION = 0x0001 (1) eap : Underlying EAP-Type set EAP ID to 39 (1) [eap] = handled Sending Access-Challenge of id 64 to 192.168.10.212 port 57441 EAP-Message = 0x01270050120b0000010d0000db1f1a922a6044b1ac9193596d34b701a20fd51626bd4f24b91755d927101729eeb85a0437da4ea4ab99cfbc1c439ce40b05000016397dc340ea5e69ab39925507ad8438 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5b17c53a5a30d7c6686a4d2738ee4ab7 (1) Finished request 1. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 36917, id=65, length=263 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653" State = 0x5b17c53a5a30d7c6686a4d2738ee4ab7 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82900026" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-16-6F-BB-2D-CE-82-90-00-00-00-00-00-26" Calling-Station-Id = "00-16-6F-BB-2D-CE" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x0227001c120b00170b0500007f86aeaeded71ccd418687567f8f8eb3 Message-Authenticator = 0xf263cce3cc9890197ca080b7f4629af2 NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (2) group authorize { (2) - entering group authorize {...} (2) [preprocess] = ok (2) [chap] = noop (2) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212 (2) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114 (2) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114 (2) auth_log : expand: %t -> Wed Nov 14 17:30:30 2012 (2) [auth_log] = ok (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "1901700000000653", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim (2) [sim_files] = ok (2) eap : EAP packet type response id 39 length 28 (2) eap : No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) [files] = noop (2) [expiration] = noop (2) [logintime] = noop (2) pap : WARNING! No "known good" password found for the user. Authentication may fail because of this. (2) [pap] = noop (2) Found Auth-Type = EAP (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) group authenticate { (2) - entering group authenticate {...} (2) eap : Request found, released from the list (2) eap : EAP/sim (2) eap : processing type sim calculated MAC (05248e0d_917db8e0_55e8b312_b489d982_20c54ef4) did not match (2) eap : Handler failed in EAP/sim (2) eap : Failed in EAP select (2) [eap] = invalid (2) Failed to authenticate the user. (2) Using Post-Auth-Type Reject (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) group REJECT { (2) - entering group REJECT {...} (2) attr_filter.access_reject : expand: %{User-Name} -> 1901700000000653 (2) attr_filter.access_reject : Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) Finished request 2. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 36917, id=65, length=263 Discarding duplicate request from client bipsbk port 36917 - ID: 65 due to unfinished request 2 Waking up in 0.6 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 36917, id=65, length=263 Discarding duplicate request from client bipsbk port 36917 - ID: 65 due to delayed reject 2 Waking up in 0.4 seconds. (2) Sending delayed reject Sending Access-Reject of id 65 to 192.168.10.212 port 36917 EAP-Message = 0x04270004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Has anyone an idea why the MAC not matches although Client and Server are using the same algorithm version (Version 1 mentioned in AT_VERSION_LIST from Server and in AT_SELECTED_VERSION from client) ? Best regards Yann