rizal.m.nur@arc.itb.ac.id wrote:
I am using freeradius-server-2.2.5 and trying to authenticate via EAP-SIM. I have been successed to authenticate radeapclient command, but i am facing issue when authenticate directly through wireless AP. Also, i know nothing about RAND, SRES, and KC come from (I just put from example).
That's a problem. Those fields are the SIM credentials. They're used to authenticate the user.
If you don't have the correct values, the user will be rejected.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for your reply, I curious why EAP-Message from phone was detected as EAP-SIM type but can't be handled/decoded
... [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim Client says error. Stopping! [eap] Handler failed in EAP/sim [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid ...
meanwhile from radeapclient command it run smoothly
... [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 ...
I dont think its because value of RAND, SRES, and KC. I tried to test using false RAND, SRES, and KC before with radeapclient command, and then server still be able to process it as EAP-SIM, although it just end with Access-Challenge reply (not Access-Accept). //===================================================== $cat userTest.txt User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 EAP-Code = Response EAP-Type-Identity = "eapsim" Message-Authenticator = 0 NAS-Port = 0 EAP-Sim-Rand1 = 0x1111111111111111abcd1234abcd1234 EAP-Sim-Rand2 = 0x2222222222222222bcd1234abcd1234a EAP-Sim-Rand3 = 0x3333333333333333cd1234abcd1234ab EAP-Sim-Sres1 = 0x44444444 EAP-Sim-Sres2 = 0x55555555 EAP-Sim-Sres3 = 0x66666666 EAP-Sim-KC1 = 0x7777777777777777 EAP-Sim-KC2 = 0x8888888888888888 EAP-Sim-KC3 = 0x9999999999999999 $cat users eapsim Auth-Type := EAP, EAP-Type := SIM EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234, EAP-Sim-SRES1 = 0x1234abcd, EAP-Sim-KC1 = 0x0011223344556677, EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a, EAP-Sim-SRES2 = 0x234abcd1, EAP-Sim-KC2 = 0x1021324354657687, EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab, EAP-Sim-SRES3 = 0x34abcd12, EAP-Sim-KC3 = 0x30415263748596a7 //===================================================== Here, server response with false RAND, SRES, and KC //===================================================== rad_recv: Access-Request packet from host 167.205.106.132 port 38499, id=95, length=71 User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 Message-Authenticator = 0xdb74750282296eb039bc4867d0e64c78 NAS-Port = 0 EAP-Message = 0x025e000b0165617073696d # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "eapsim", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop rlm_sim_files: insufficient number of challenges for imsi eapsim: 0 ++[sim_files] = notfound [eap] EAP packet type response id 94 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry eapsim at line 27 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 101 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 95 to 167.205.106.132 port 38499 EAP-Message = 0x01650014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8aac07b98ac915e45f9495fd3c62bc18 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 167.205.106.132 port 38499, id=96, length=122 User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 Message-Authenticator = 0x900599aa3a6c928959ba7fdc549e8c34 NAS-Port = 0 EAP-Message = 0x0265002c120a00001001000107050000e9c6e0e9aff6855077e6a86e85ad77770e03000665617073696d0000 State = 0x8aac07b98ac915e45f9495fd3c62bc18 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "eapsim", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop rlm_sim_files: insufficient number of challenges for imsi eapsim: 0 ++[sim_files] = notfound [eap] EAP packet type response id 101 length 44 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry eapsim at line 27 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 Message-Authenticator = 0x900599aa3a6c928959ba7fdc549e8c34 NAS-Port = 0 EAP-Message = 0x0265002c120a00001001000107050000e9c6e0e9aff6855077e6a86e85ad77770e03000665617073696d0000 State = 0x8aac07b98ac915e45f9495fd3c62bc18 EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-NONCE_MT = 0x0000e9c6e0e9aff6855077e6a86e85ad7777 EAP-Sim-IDENTITY = 0x65617073696d [eap] Underlying EAP-Type set EAP ID to 102 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 96 to 167.205.106.132 port 38499 EAP-Message = 0x01660050120b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b050000cd268139f462060bea6f15dc5801cb36 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8aac07b98bca15e45f9495fd3c62bc18 //===================================================== -- Rizal Muhammad Nur