Dear all, I am using freeradius-server-2.2.5 and trying to authenticate via EAP-SIM. I have been successed to authenticate radeapclient command, but i am facing issue when authenticate directly through wireless AP. Also, i know nothing about RAND, SRES, and KC come from (I just put from example). Here my configs in general: //===================================================== $cat sites-enabled/default authorize { ... sim_files eap { ok = return } ... } $cat modules/sim_files sim_files { simtriplets = "/usr/local/etc/raddb/simtriplets.txt" } $cat eap.conf eap { default_eap_type = md5 ... sim{ } ... } $cat users eapsim Auth-Type := EAP, EAP-Type := SIM EAP-Sim-Rand1 = 0x3bcd1234abcd1234abcd1234abcd1234, EAP-Sim-SRES1 = 0x1234abcd, EAP-Sim-KC1 = 0x0211223344556677, EAP-Sim-Rand2 = 0x1cd1234abcd1234abcd1234abcd1234a, EAP-Sim-SRES2 = 0x434abcd1, EAP-Sim-KC2 = 0x1051324354657687, EAP-Sim-Rand3 = 0x6d1234abcd1234abcd1234abcd1234ab, EAP-Sim-SRES3 = 0x74abcd12, EAP-Sim-KC3 = 0x30815263748596a7 1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org Auth-Type := EAP, EAP-Type := SIM EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234, EAP-Sim-SRES1 = 0x1234abcd, EAP-Sim-KC1 = 0x0011223344556677, EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a, EAP-Sim-SRES2 = 0x234abcd1, EAP-Sim-KC2 = 0x1021324354657687, EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab, EAP-Sim-SRES3 = 0x34abcd12, EAP-Sim-KC3 = 0x30415263748596a7 $cat userTest.txt User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 EAP-Code = Response EAP-Type-Identity = "eapsim" Message-Authenticator = 0 NAS-Port = 0 EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234 EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab EAP-Sim-Sres1 = 0x1234abcd EAP-Sim-Sres2 = 0x234abcd1 EAP-Sim-Sres3 = 0x34abcd12 EAP-Sim-KC1 = 0x0011223344556677 EAP-Sim-KC2 = 0x1021324354657687 EAP-Sim-KC3 = 0x30415263748596a7 //===================================================== When i used radeapclient command with "eapsim" user , radius successed to process authentication request as EAP-SIM type. The response look like this: //===================================================== rad_recv: Access-Request packet from host 167.205.106.132 port 56442, id=47, length=71 User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 Message-Authenticator = 0xb0930a41b716e833198358390655050f NAS-Port = 0 EAP-Message = 0x022e000b0165617073696d # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "eapsim", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop rlm_sim_files: insufficient number of challenges for imsi eapsim: 0 ++[sim_files] = notfound [eap] EAP packet type response id 46 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry eapsim at line 19 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 16 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 47 to 167.205.106.132 port 56442 EAP-Message = 0x01100014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc6547d30c6446f127cd7e08c493991e0 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 167.205.106.132 port 56442, id=48, length=122 User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 Message-Authenticator = 0x5e44f7a8af1436fc182dfe07d246066c NAS-Port = 0 EAP-Message = 0x0210002c120a00001001000107050000ebc943da73322d4543182bc6b26c42670e03000665617073696d0000 State = 0xc6547d30c6446f127cd7e08c493991e0 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "eapsim", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop rlm_sim_files: insufficient number of challenges for imsi eapsim: 0 ++[sim_files] = notfound [eap] EAP packet type response id 16 length 44 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry eapsim at line 19 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 Message-Authenticator = 0x5e44f7a8af1436fc182dfe07d246066c NAS-Port = 0 EAP-Message = 0x0210002c120a00001001000107050000ebc943da73322d4543182bc6b26c42670e03000665617073696d0000 State = 0xc6547d30c6446f127cd7e08c493991e0 EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-NONCE_MT = 0x0000ebc943da73322d4543182bc6b26c4267 EAP-Sim-IDENTITY = 0x65617073696d [eap] Underlying EAP-Type set EAP ID to 17 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 48 to 167.205.106.132 port 56442 EAP-Message = 0x01110050120b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b0500002d7b51f8b367f40f16e8b89d57123ce0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc6547d30c7456f127cd7e08c493991e0 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 167.205.106.132 port 56442, id=49, length=106 User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 Message-Authenticator = 0x33d47bbba410cf01893cfd0c317909b3 NAS-Port = 0 State = 0xc6547d30c7456f127cd7e08c493991e0 EAP-Message = 0x0211001c120b00000b050000bf27a73ac93ccba4f39579f5fed9512e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "eapsim", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop rlm_sim_files: insufficient number of challenges for imsi eapsim: 0 ++[sim_files] = notfound [eap] EAP packet type response id 17 length 28 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry eapsim at line 19 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim MAC check succeed [eap] Underlying EAP-Type set EAP ID to 18 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 49 to 167.205.106.132 port 56442 MS-MPPE-Recv-Key = 0x5e7f230e35ec87f3f23b86766b439c56eb66d3a5e8906f47fe0ff862d0acf30b MS-MPPE-Send-Key = 0x75d58187e0a44e5c8486ddb077dc76e39b5dc2b85d717d7dbb2da179672da6fc EAP-Message = 0x03120004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "eapsim" Finished request 2. //===================================================== But, when I used my phone which connected to AP with EAP-SIM auth, radius failed to process Access-Request packet as EAP-SIM type. The response like this: //===================================================== rad_recv: Access-Request packet from host 167.205.9.194 port 1074, id=11, length=254 User-Name = "1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org" Calling-Station-Id = "00-08-22-18-2D-32" NAS-IP-Address = 167.205.9.194 NAS-Port = 1 Called-Station-Id = "54-3D-37-BF-57-A8:testBYOD" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "54-3D-37-BF-57-A8" Connect-Info = "CONNECT 802.11g/n" EAP-Message = 0x02bd000c120e000016010000 State = 0x2c5813a42de50175b779b50df25ca388 Vendor-25053-Attr-3 = 0x7465737442594f44 Message-Authenticator = 0x2637ed577421a19f485bd3b88a7fa5ca # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "wlan.mnc089.mcc510.3gppnetwork.org" for User-Name = "1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc089.mcc510.3gppnetwork.org" ++[suffix] = noop rlm_sim_files: insufficient number of challenges for imsi 1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org: 0 ++[sim_files] = notfound [eap] EAP packet type response id 189 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry 1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org at line 52 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim Client says error. Stopping! [eap] Handler failed in EAP/sim [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> 1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 11 to 167.205.9.194 port 1074 EAP-Message = 0x04bd0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.5 seconds. //===================================================== It seem radius not recognize this packet as EAP-SIM (even it not try to decode packet). I dont know if there something missing in my config. Anyone can help, please? Regards, Rizal Muhammad Nur