Thank you Arran and thank you Alan for the quick responses. I was able to install 3.0.16 and test it tonight as I don't have a smart card reader on hand at the moment. The installation worked and I edited the users file as follow: 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org EAP-SIM-Ki := 0xCA0B.........B, EAP-Sim-Algo-Version := 1 I had to add the "EAP-Sim-Algo-Version" attribute according to what the logs were telling me. I tested from the Android phone after that and was able to connect if the EAP-Sim-Algo-Version attribute was equal to 1. Is this attribute the version of EAP-SIM or the version of COMP128? The android phone connected but I can still see the following error in the logs (see full logs below): (3) eap_sim: ERROR: Failed decoding EAP-SIM packet: Do you have an idea why? Thank you again for your help. Here are the full logs: (0) Received Access-Request Id 166 from 192.168.20.19:54927 to 192.168.20.17:1812 length 291 (0) User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (0) NAS-IP-Address = 192.168.20.19 (0) NAS-Port = 0 (0) NAS-Identifier = "192.168.20.19" (0) NAS-Port-Type = Wireless-802.11 (0) Calling-Station-Id = "c0eefb5acc11" (0) Called-Station-Id = "000b86ee0268" (0) Service-Type = Login-User (0) Framed-MTU = 1100 (0) EAP-Message = 0x02010038013139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267 (0) Aruba-Essid-Name = "Test EAP-SIM" (0) Aruba-Location-Id = "00:0b:86:ee:02:68" (0) Aruba-AP-Group = "instant-EE:02:68" (0) Message-Authenticator = 0xa7d1d164a9fed5e7816fba1c9cdbf270 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (0) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 1 length 56 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 2 length 22 (0) eap: EAP session adding &reply:State = 0x73d0173773d21381 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 166 from 192.168.20.17:1812 to 192.168.20.19:54927 length 0 (0) EAP-Message = 0x010200160410b76b7cfc5c8795d66b2cc27e9ef326cc (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x73d0173773d213813979a7a15dbcab87 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 167 from 192.168.20.19:54927 to 192.168.20.17:1812 length 259 (1) User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (1) NAS-IP-Address = 192.168.20.19 (1) NAS-Port = 0 (1) NAS-Identifier = "192.168.20.19" (1) NAS-Port-Type = Wireless-802.11 (1) Calling-Station-Id = "c0eefb5acc11" (1) Called-Station-Id = "000b86ee0268" (1) Service-Type = Login-User (1) Framed-MTU = 1100 (1) EAP-Message = 0x020200060312 (1) State = 0x73d0173773d213813979a7a15dbcab87 (1) Aruba-Essid-Name = "Test EAP-SIM" (1) Aruba-Location-Id = "00:0b:86:ee:02:68" (1) Aruba-AP-Group = "instant-EE:02:68" (1) Message-Authenticator = 0x88355e717976da933abc319d0bc4504d (1) session-state: No cached attributes (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (1) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 2 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org at line 3 (1) [files] = ok (1) if (User-Name =~ /^[0-9]+/) { (1) if (User-Name =~ /^[0-9]+/) -> TRUE (1) if (User-Name =~ /^[0-9]+/) { (1) update reply { (1) EXPAND %{control:EAP-Sim-Ki} (1) --> 0xca0b8d177406d08cbfbed48b832f72db (1) &EAP-Sim-Ki := 0xca0b8d177406d08cbfbed48b832f72db (1) EXPAND %{control:EAP-Sim-Algo-Version} (1) --> 1 (1) &EAP-Sim-Algo-Version := 1 (1) } # update reply = noop (1) } # if (User-Name =~ /^[0-9]+/) = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x73d0173773d21381 (1) eap: Finished EAP session with state 0x73d0173773d21381 (1) eap: Previous EAP request found for state 0x73d0173773d21381, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type SIM (18) (1) eap: Calling submodule eap_sim to process data (1) eap_sim: Generated following triplets for round 0: (1) eap_sim: RAND : 0x5d61f008d4ac1c144f1dddc8a931c907 (1) eap_sim: SRES : 0xdedf6955 (1) eap_sim: Kc : 0x0b4525c2f63d1000 (1) eap_sim: Generated following triplets for round 1: (1) eap_sim: RAND : 0x7890541386f3cf2d14f3adfd2626ae11 (1) eap_sim: SRES : 0xfc1d1efa (1) eap_sim: Kc : 0x0ab936f3b77bc400 (1) eap_sim: Generated following triplets for round 2: (1) eap_sim: RAND : 0x4073342dbfe58bc6129a7cb2341c599f (1) eap_sim: SRES : 0xc24d23f8 (1) eap_sim: Kc : 0x90c7b3cfbb6f5400 (1) eap: Sending EAP Request (code 1) ID 52 length 20 (1) eap: EAP session adding &reply:State = 0x73d0173772e40581 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 167 from 192.168.20.17:1812 to 192.168.20.19:54927 length 0 (1) EAP-Message = 0x01340014120a00000f0200020001000011010100 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x73d0173772e405813979a7a15dbcab87 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 168 from 192.168.20.19:54927 to 192.168.20.17:1812 length 341 (2) User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (2) NAS-IP-Address = 192.168.20.19 (2) NAS-Port = 0 (2) NAS-Identifier = "192.168.20.19" (2) NAS-Port-Type = Wireless-802.11 (2) Calling-Station-Id = "c0eefb5acc11" (2) Called-Station-Id = "000b86ee0268" (2) Service-Type = Login-User (2) Framed-MTU = 1100 (2) EAP-Message = 0x02340058120a00001001000107050000c3a7a7644e1d2568557e2ba3629074d40e0e00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 (2) State = 0x73d0173772e405813979a7a15dbcab87 (2) Aruba-Essid-Name = "Test EAP-SIM" (2) Aruba-Location-Id = "00:0b:86:ee:02:68" (2) Aruba-AP-Group = "instant-EE:02:68" (2) Message-Authenticator = 0x81000bffb4c1c22f932980b64985a2ce (2) session-state: No cached attributes (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (2) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 52 length 88 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) files: users: Matched entry 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org at line 3 (2) [files] = ok (2) if (User-Name =~ /^[0-9]+/) { (2) if (User-Name =~ /^[0-9]+/) -> TRUE (2) if (User-Name =~ /^[0-9]+/) { (2) update reply { (2) EXPAND %{control:EAP-Sim-Ki} (2) --> 0xca0b8d177406d08cbfbed48b832f72db (2) &EAP-Sim-Ki := 0xca0b8d177406d08cbfbed48b832f72db (2) EXPAND %{control:EAP-Sim-Algo-Version} (2) --> 1 (2) &EAP-Sim-Algo-Version := 1 (2) } # update reply = noop (2) } # if (User-Name =~ /^[0-9]+/) = noop (2) [expiration] = noop (2) [logintime] = noop (2) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (2) pap: WARNING: Authentication will fail unless a "known good" password is available (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x73d0173772e40581 (2) eap: Finished EAP session with state 0x73d0173772e40581 (2) eap: Previous EAP request found for state 0x73d0173772e40581, released from the list (2) eap: Peer sent packet with method EAP SIM (18) (2) eap: Calling submodule eap_sim to process data (2) eap_sim: EAP-SIM decoded packet (2) eap_sim: User-Name = " 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (2) eap_sim: NAS-IP-Address = 192.168.20.19 (2) eap_sim: NAS-Port = 0 (2) eap_sim: NAS-Identifier = "192.168.20.19" (2) eap_sim: NAS-Port-Type = Wireless-802.11 (2) eap_sim: Calling-Station-Id = "c0eefb5acc11" (2) eap_sim: Called-Station-Id = "000b86ee0268" (2) eap_sim: Service-Type = Login-User (2) eap_sim: Framed-MTU = 1100 (2) eap_sim: EAP-Message = 0x02340058120a00001001000107050000c3a7a7644e1d2568557e2ba3629074d40e0e00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 (2) eap_sim: State = 0x73d0173772e405813979a7a15dbcab87 (2) eap_sim: Aruba-Essid-Name = "Test EAP-SIM" (2) eap_sim: Aruba-Location-Id = "00:0b:86:ee:02:68" (2) eap_sim: Aruba-AP-Group = "instant-EE:02:68" (2) eap_sim: Message-Authenticator = 0x81000bffb4c1c22f932980b64985a2ce (2) eap_sim: Event-Timestamp = "Mar 23 2018 02:15:16 UTC" (2) eap_sim: EAP-Type = SIM (2) eap_sim: EAP-Sim-Subtype = Start (2) eap_sim: EAP-Sim-SELECTED_VERSION = 0x0001 (2) eap_sim: EAP-Sim-NONCE_MT = 0x0000c3a7a7644e1d2568557e2ba3629074d4 (2) eap_sim: EAP-Sim-IDENTITY = 0x00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 (2) eap: Sending EAP Request (code 1) ID 53 length 80 (2) eap: EAP session adding &reply:State = 0x73d0173771e50581 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 168 from 192.168.20.17:1812 to 192.168.20.19:54927 length 0 (2) EAP-Message = 0x01350050120b0000010d00005d61f008d4ac1c144f1dddc8a931c9077890541386f3cf2d14f3adfd2626ae114073342dbfe58bc6129a7cb2341c599f0b0500003d75b1bccfe08bd6ebedbff57c97cc7b (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x73d0173771e505813979a7a15dbcab87 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 169 from 192.168.20.19:54927 to 192.168.20.17:1812 length 281 (3) User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (3) NAS-IP-Address = 192.168.20.19 (3) NAS-Port = 0 (3) NAS-Identifier = "192.168.20.19" (3) NAS-Port-Type = Wireless-802.11 (3) Calling-Station-Id = "c0eefb5acc11" (3) Called-Station-Id = "000b86ee0268" (3) Service-Type = Login-User (3) Framed-MTU = 1100 (3) EAP-Message = 0x0235001c120b00000b050000135081247e24e3f87495a46f128a6e84 (3) State = 0x73d0173771e505813979a7a15dbcab87 (3) Aruba-Essid-Name = "Test EAP-SIM" (3) Aruba-Location-Id = "00:0b:86:ee:02:68" (3) Aruba-AP-Group = "instant-EE:02:68" (3) Message-Authenticator = 0x6018a954af3ed8f82d4a20ff64a5479a (3) session-state: No cached attributes (3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (3) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 53 length 28 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) files: users: Matched entry 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org at line 3 (3) [files] = ok (3) if (User-Name =~ /^[0-9]+/) { (3) if (User-Name =~ /^[0-9]+/) -> TRUE (3) if (User-Name =~ /^[0-9]+/) { (3) update reply { (3) EXPAND %{control:EAP-Sim-Ki} (3) --> 0xca0b8d177406d08cbfbed48b832f72db (3) &EAP-Sim-Ki := 0xca0b8d177406d08cbfbed48b832f72db (3) EXPAND %{control:EAP-Sim-Algo-Version} (3) --> 1 (3) &EAP-Sim-Algo-Version := 1 (3) } # update reply = noop (3) } # if (User-Name =~ /^[0-9]+/) = noop (3) [expiration] = noop (3) [logintime] = noop (3) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (3) pap: WARNING: Authentication will fail unless a "known good" password is available (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x73d0173771e50581 (3) eap: Finished EAP session with state 0x73d0173771e50581 (3) eap: Previous EAP request found for state 0x73d0173771e50581, released from the list (3) eap: Peer sent packet with method EAP SIM (18) (3) eap: Calling submodule eap_sim to process data (3) eap_sim: MAC check succeed (3) eap_sim: ERROR: Failed decoding EAP-SIM packet: (3) eap: Sending EAP Success (code 3) ID 54 length 4 (3) eap: Freeing handler (3) [eap] = ok (3) } # authenticate = ok (3) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (3) post-auth { (3) update { (3) No attributes updated (3) } # update = noop (3) [exec] = noop (3) policy remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) { (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else { (3) [noop] = noop (3) } # else = noop (3) } # policy remove_reply_message_if_eap = noop (3) } # post-auth = noop (3) Sent Access-Accept Id 169 from 192.168.20.17:1812 to 192.168.20.19:54927 length 0 (3) MS-MPPE-Recv-Key = 0x85ef573bb6603286724f0d6de5265eee5d0db5c58fc485b8a9100f64129facc3 (3) MS-MPPE-Send-Key = 0x2902f8530f324889e267b510c983ad40c9bed2c96ade0151830735299abcde9a (3) EAP-Message = 0x03360004 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (3) Finished request Waking up in 4.6 seconds. (0) Cleaning up request packet ID 166 with timestamp +18 (1) Cleaning up request packet ID 167 with timestamp +18 (2) Cleaning up request packet ID 168 with timestamp +18 Waking up in 0.2 seconds. (3) Cleaning up request packet ID 169 with timestamp +18 Ready to process requests On Thu, Mar 22, 2018 at 6:19 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 22, 2018, at 4:58 PM, François Vergès <misterpaco21@gmail.com> wrote:
I have setup freeradius in my lab environment to authenticate an Android cell phone using EAP-SIM and a SIM card.
Performing a packet capture over the Wi-Fi, I was able to realize that
the
phone receive the EAP-SIM challenge request but doesn't reply with a EAP-SIM Challenge response. Instead, it replies with a EAP-SIM Client-Error (0). I can also see the RAND values in the EAP-SIM Challenge Request packet.
I have used this script to generate the triplets (RAND, SRES and KC) using the Ki number of the SIM card: https://github.com/skelsec/COMP128/blob/master/COMP128.py
Hmm... use 3.0.16, and set EAP-SIM-Ki. The server will create the triplets automatically:
# 'users' file
1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org EAP-SIM-Ki := 0xabcdef0123...
# 'users' file
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- *François Vergès* *Tel*: +1 514 475-5305 *Email*: francoisverges@gmail.com