Hi guys, for my thesis i need to realize a EAP-SIM Authentication testbed. I'm using a Nokia E52 with EAP-SIM, a MIKROTIK router as access point and FreeRADIUS 2.1.10 as Radius server. I have added the necessary commands in the clients.conf, radiusd.conf, eap.conf and default files in order to enable EAP-SIM Authentication on the FreeRADIUS and I've created a flat file ' simtriplets.dat ' that is used from the Radius during the authentication process. By trying to access to the Wlan with the mobile phone (Nokia E52), i got the message that the authentication was unsuccessful. But by looking at the radius debug file, i cannot recognize any failure or messages like 'Access-Reject'. The debug file shows that radius got two ' Access-Request' packets from MIKROTIK router and it also sent two 'Access-Challenge' packets back to the router. It seems the radius is waiting for next requests and then the authentication process just ends up. so my questions are: -how many request packets are needed to complete the eap-sim authentication? -what should I configure to get more than 2 Access-Request here is the content of my debug file: . . . Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Ready to process requests. rad_recv: Access-Request packet from host 192.168.10.212 port 38803, id=29, length=238 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653" NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "8220000e" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x020100150131393031373030303030303030363533 Message-Authenticator = 0xcf4e5f6429686cc260b16bd23d82489f NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "1901700000000653", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 108 ++[eap] returns handled Sending Access-Challenge of id 29 to 192.168.10.212 port 38803 EAP-Message = 0x016c0014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x870e2a6987623891aa6e49c2b1bcc9b6 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 50478, id=30, length=287 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653" State = 0x870e2a6987623891aa6e49c2b1bcc9b6 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "8220000e" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x026c0034120a000007050000c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363533 Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "1901700000000653", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 108 length 52 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653" State = 0x870e2a6987623891aa6e49c2b1bcc9b6 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "8220000e" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x026c0034120a000007050000c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363533 Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x0000c27cfb1cfa7a257c9c89796e49bca230 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x31393031373030303030303030363533 [eap] Underlying EAP-Type set EAP ID to 109 ++[eap] returns handled Sending Access-Challenge of id 30 to 192.168.10.212 port 50478 EAP-Message = 0x016d0050120b0000010d00000123456789abcdef0123456789abcdef0123456789abcdef0123456789abcde00123456789abcdef0123456789abcd180b0500000bffb0f7777b066616d98519e625a531 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x870e2a6986633891aa6e49c2b1bcc9b6 Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 29 with timestamp +17 Cleaning up request 1 ID 30 with timestamp +17 Ready to process requests. Has anyone an idea why the authentication breaks up? Thank you in advance. Regards, Yann
On 06/11/12 10:55, Yann R. Moupinda wrote:
Hi guys,
for my thesis i need to realize a EAP-SIM Authentication testbed. I'm using a Nokia E52 with EAP-SIM, a MIKROTIK router as access point and FreeRADIUS 2.1.10 as Radius server. I have added the necessary commands
Upgrade. Some fixes for EAP-SIM went into more recent versions.
Access-Request' packets from MIKROTIK router and it also sent two 'Access-Challenge' packets back to the router. It seems the radius is waiting for next requests and then the authentication process just ends up.
Yes. The client stops responding, so you need to ask the client what the problem is - but the EAP-SIM fixed might be the cause.
so my questions are:
-how many request packets are needed to complete the eap-sim authentication?
3, I think.
-what should I configure to get more than 2 Access-Request
You don't. The client is stopping because it thinks something is wrong. Upgrade to 2.2.0 and try again - if the same thing happens, you need to debug on the client.
Hi,
-what should I configure to get more than 2 Access-Request
You don't. The client is stopping because it thinks something is wrong. Upgrade to 2.2.0 and try again - if the same thing happens, you need to debug on the client.
You need to also add a patch that has been committed in the 2.1.x branch (I think) post release regarding EAP-SIM. Without it, it will not work.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 06/11/12 13:34, Francois Gaudreault wrote:
Hi,
-what should I configure to get more than 2 Access-Request
You don't. The client is stopping because it thinks something is wrong. Upgrade to 2.2.0 and try again - if the same thing happens, you need to debug on the client.
You need to also add a patch that has been committed in the 2.1.x branch (I think) post release regarding EAP-SIM. Without it, it will not work.
Was that after 2.2.0 was released?
Didn't you make another fix afterward regarding AT_IDENTITY (commit cfd61d24b99022eb613054bbf7e0da4fa3af1bde)? Not the patch from Microsoft. I know I have to patch the 2.2.0 source in our RPMs with this commit otherwise it fails ;) On 2012-11-06, at 10:15 AM, Alan DeKok wrote:
Phil Mayers wrote:
Was that after 2.2.0 was released?
No, before.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi guys, i'm still looking for a solution for the eapsim authentication. Now i use the Freeradius 3.0.0 and i made some changes in the 'eapsimlib.c' regarding AT_IDENTITY (commit cfd61d24b99022eb613054bbf7e0da4fa3af1bde). I still have the same problem, the client is able to send two Acces-Request but unable to send the third Access-Request to close the authentication. I use a Nokia E52 as supplicant, did anybody realize the test successfully with another mobile phone (except android phones)? Does anyone know how i can debug the mobile phone? any helpfull ideas? here my debug radiusd: FreeRADIUS Version 3.0.0 (git #d3c7336), for host i586-pc-linux-gnu, built on Nov 7 2012 at 14:54:31 . . Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Opening new proxy address * port 1814 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.10.212 port 48077, id=19, length=308 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82500003" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02010038013139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267 Message-Authenticator = 0x429b263e5293fadbae0a13f28dad2775 NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) group authorize { (0) - entering group authorize {...} (0) [preprocess] = ok (0) [chap] = noop (0) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212 (0) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108 (0) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108 (0) auth_log : expand: %t -> Thu Nov 8 14:20:05 2012 (0) [auth_log] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix : Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" (0) suffix : Found realm "~.*.3gppnetwork.org$" (0) suffix : Adding Stripped-User-Name = "1901700000000653" (0) suffix : Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org" (0) suffix : Authentication realm is LOCAL. (0) [suffix] = ok rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim (0) [sim_files] = ok (0) eap : EAP packet type response id 1 length 56 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) Found Auth-Type = EAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) group authenticate { (0) - entering group authenticate {...} (0) eap : EAP Identity (0) eap : processing type sim (0) eap : Underlying EAP-Type set EAP ID to 133 (0) [eap] = handled Sending Access-Challenge of id 19 to 192.168.10.212 port 48077 EAP-Message = 0x01850014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x077b668807fe746db0e5f555c7ca40d2 (0) Finished request 0. Waking up in 0.3 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 41383, id=20, length=358 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" State = 0x077b668807fe746db0e5f555c7ca40d2 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82500003" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02850058120a000007050000be65a474dc99300354fdd97e5176bbc5100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x07c87b76cd6232ca08dc4529913d5cac NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) group authorize { (1) - entering group authorize {...} (1) [preprocess] = ok (1) [chap] = noop (1) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212 (1) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108 (1) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108 (1) auth_log : expand: %t -> Thu Nov 8 14:20:05 2012 (1) [auth_log] = ok (1) [mschap] = noop (1) [digest] = noop (1) suffix : Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" (1) suffix : Found realm "~.*.3gppnetwork.org$" (1) suffix : Adding Stripped-User-Name = "1901700000000653" (1) suffix : Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org" (1) suffix : Authentication realm is LOCAL. (1) [suffix] = ok rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim (1) [sim_files] = ok (1) eap : EAP packet type response id 133 length 88 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap : WARNING! No "known good" password found for the user. Authentication may fail because of this. (1) [pap] = noop (1) Found Auth-Type = EAP (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) group authenticate { (1) - entering group authenticate {...} (1) eap : Request found, released from the list (1) eap : EAP/sim (1) eap : processing type sim +++> EAP-sim decoded packet: Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" State = 0x077b668807fe746db0e5f555c7ca40d2 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82500003" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02850058120a000007050000be65a474dc99300354fdd97e5176bbc5100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x07c87b76cd6232ca08dc4529913d5cac NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 Stripped-User-Name = "1901700000000653" Realm = "wlan.mnc070.mcc901.3gppnetwork.org" EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x0000be65a474dc99300354fdd97e5176bbc5 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x3139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267 (1) eap : Underlying EAP-Type set EAP ID to 134 (1) [eap] = handled Sending Access-Challenge of id 20 to 192.168.10.212 port 41383 EAP-Message = 0x01860050120b0000010d00000123456789abcdef0123456789abcdef658719018376aab4d2a5ccde7a21b6510123456789abcdef0123456789abcdff0b050000217a0ab3b008a413f570885bca13bbe8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x077b668806fd746db0e5f555c7ca40d2 (1) Finished request 1. Waking up in 0.3 seconds. Waking up in 4.6 seconds. (0) Cleaning up request packet ID 19 with timestamp +14 (1) Cleaning up request packet ID 20 with timestamp +14 Ready to process requests. Best regards Yann
Hi guys, i'm still trying to authenticate a EAP SIM Client with the Freeraduis 3.0.0. By Using the Nokia E51 and E52, the eap-sim authentication process just stops after the raduis has sent the " EAP-REQUEST, SIM-CHALLENGE" (containing AT_RAND and AT_MAC) message (see log info.). I did some changes in the in the " eapsimlib.c" regarding the AT_IDENTITY by using the patch 'commit cfd61d24b99022eb613054bbf7e0da4fa3af1bde' but the result didn't change. I decided to change the Client. I downloaded and installed Xsupplicant 2.2.3.553 on my windows XP. This is a software capable to be used as EAP-SIM Client. I didn't change anything on the server side. This time Xsupplicant replys with a " EAP-RESPONSE, SIM-CHALLENGE" (containing AT_MAC) after recieving the " EAP-REQUEST, SIM-CHALLENGE" (containing AT_RAND and AT_MAC). The Freeradius Server recieves the " EAP-RESPONSE, SIM-CHALLENGE" (containing AT_MAC), says that the received MAC doesn't match and breaks the authentication process with a "access reject" Here the log messages with Nokia: Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Opening new proxy address * port 1814 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.10.212 port 48077, id=19, length=308 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82500003" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02010038013139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267 Message-Authenticator = 0x429b263e5293fadbae0a13f28dad2775 NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) group authorize { (0) - entering group authorize {...} (0) [preprocess] = ok (0) [chap] = noop (0) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212 (0) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108 (0) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108 (0) auth_log : expand: %t -> Thu Nov 8 14:20:05 2012 (0) [auth_log] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix : Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" (0) suffix : Found realm "~.*.3gppnetwork.org$" (0) suffix : Adding Stripped-User-Name = "1901700000000653" (0) suffix : Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org" (0) suffix : Authentication realm is LOCAL. (0) [suffix] = ok rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim (0) [sim_files] = ok (0) eap : EAP packet type response id 1 length 56 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) Found Auth-Type = EAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) group authenticate { (0) - entering group authenticate {...} (0) eap : EAP Identity (0) eap : processing type sim (0) eap : Underlying EAP-Type set EAP ID to 133 (0) [eap] = handled Sending Access-Challenge of id 19 to 192.168.10.212 port 48077 EAP-Message = 0x01850014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x077b668807fe746db0e5f555c7ca40d2 (0) Finished request 0. Waking up in 0.3 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 41383, id=20, length=358 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" State = 0x077b668807fe746db0e5f555c7ca40d2 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82500003" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02850058120a000007050000be65a474dc99300354fdd97e5176bbc5100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x07c87b76cd6232ca08dc4529913d5cac NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) group authorize { (1) - entering group authorize {...} (1) [preprocess] = ok (1) [chap] = noop (1) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212 (1) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108 (1) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108 (1) auth_log : expand: %t -> Thu Nov 8 14:20:05 2012 (1) [auth_log] = ok (1) [mschap] = noop (1) [digest] = noop (1) suffix : Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" (1) suffix : Found realm "~.*.3gppnetwork.org$" (1) suffix : Adding Stripped-User-Name = "1901700000000653" (1) suffix : Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org" (1) suffix : Authentication realm is LOCAL. (1) [suffix] = ok rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim (1) [sim_files] = ok (1) eap : EAP packet type response id 133 length 88 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap : WARNING! No "known good" password found for the user. Authentication may fail because of this. (1) [pap] = noop (1) Found Auth-Type = EAP (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) group authenticate { (1) - entering group authenticate {...} (1) eap : Request found, released from the list (1) eap : EAP/sim (1) eap : processing type sim +++> EAP-sim decoded packet: Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" State = 0x077b668807fe746db0e5f555c7ca40d2 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82500003" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02850058120a000007050000be65a474dc99300354fdd97e5176bbc5100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x07c87b76cd6232ca08dc4529913d5cac NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 Stripped-User-Name = "1901700000000653" Realm = "wlan.mnc070.mcc901.3gppnetwork.org" EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x0000be65a474dc99300354fdd97e5176bbc5 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x3139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267 (1) eap : Underlying EAP-Type set EAP ID to 134 (1) [eap] = handled Sending Access-Challenge of id 20 to 192.168.10.212 port 41383 EAP-Message = 0x01860050120b0000010d00000123456789abcdef0123456789abcdef658719018376aab4d2a5ccde7a21b6510123456789abcdef0123456789abcdff0b050000217a0ab3b008a413f570885bca13bbe8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x077b668806fd746db0e5f555c7ca40d2 (1) Finished request 1. Going to the next request Waking up in 0.3 seconds. Waking up in 4.6 seconds. (0) Cleaning up request packet ID 19 with timestamp +14 (1) Cleaning up request packet ID 20 with timestamp +14 Ready to process requests. <----------------------> Here the log messages by using Xsupplicant: Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Opening new proxy address * port 1814 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.10.212 port 34456, id=63, length=238 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653" NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82900026" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-16-6F-BB-2D-CE-82-90-00-00-00-00-00-26" Calling-Station-Id = "00-16-6F-BB-2D-CE" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x020100150131393031373030303030303030363533 Message-Authenticator = 0x653921257bd23ec322ee3b4924d32751 NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) group authorize { (0) - entering group authorize {...} (0) [preprocess] = ok (0) [chap] = noop (0) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212 (0) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114 (0) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114 (0) auth_log : expand: %t -> Wed Nov 14 17:30:30 2012 (0) [auth_log] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "1901700000000653", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim (0) [sim_files] = ok (0) eap : EAP packet type response id 1 length 21 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) Found Auth-Type = EAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) group authenticate { (0) - entering group authenticate {...} (0) eap : EAP Identity (0) eap : processing type sim (0) eap : Underlying EAP-Type set EAP ID to 38 (0) [eap] = handled Sending Access-Challenge of id 63 to 192.168.10.212 port 34456 EAP-Message = 0x01260014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5b17c53a5b31d7c6686a4d2738ee4ab7 (0) Finished request 0. Waking up in 0.3 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 57441, id=64, length=267 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653" State = 0x5b17c53a5b31d7c6686a4d2738ee4ab7 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82900026" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-16-6F-BB-2D-CE-82-90-00-00-00-00-00-26" Calling-Station-Id = "00-16-6F-BB-2D-CE" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02260020120a001b07050000a8605e360593e63583c864b6051046f410010001 Message-Authenticator = 0x0133a5fba265cea77256e0b429f11c02 NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) group authorize { (1) - entering group authorize {...} (1) [preprocess] = ok (1) [chap] = noop (1) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212 (1) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114 (1) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114 (1) auth_log : expand: %t -> Wed Nov 14 17:30:30 2012 (1) [auth_log] = ok (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "1901700000000653", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim (1) [sim_files] = ok (1) eap : EAP packet type response id 38 length 32 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap : WARNING! No "known good" password found for the user. Authentication may fail because of this. (1) [pap] = noop (1) Found Auth-Type = EAP (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) group authenticate { (1) - entering group authenticate {...} (1) eap : Request found, released from the list (1) eap : EAP/sim (1) eap : processing type sim +++> EAP-sim decoded packet: Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653" State = 0x5b17c53a5b31d7c6686a4d2738ee4ab7 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82900026" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-16-6F-BB-2D-CE-82-90-00-00-00-00-00-26" Calling-Station-Id = "00-16-6F-BB-2D-CE" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02260020120a001b07050000a8605e360593e63583c864b6051046f410010001 Message-Authenticator = 0x0133a5fba265cea77256e0b429f11c02 NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x0000a8605e360593e63583c864b6051046f4 EAP-Sim-SELECTED_VERSION = 0x0001 (1) eap : Underlying EAP-Type set EAP ID to 39 (1) [eap] = handled Sending Access-Challenge of id 64 to 192.168.10.212 port 57441 EAP-Message = 0x01270050120b0000010d0000db1f1a922a6044b1ac9193596d34b701a20fd51626bd4f24b91755d927101729eeb85a0437da4ea4ab99cfbc1c439ce40b05000016397dc340ea5e69ab39925507ad8438 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5b17c53a5a30d7c6686a4d2738ee4ab7 (1) Finished request 1. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 36917, id=65, length=263 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653" State = 0x5b17c53a5a30d7c6686a4d2738ee4ab7 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82900026" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-16-6F-BB-2D-CE-82-90-00-00-00-00-00-26" Calling-Station-Id = "00-16-6F-BB-2D-CE" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x0227001c120b00170b0500007f86aeaeded71ccd418687567f8f8eb3 Message-Authenticator = 0xf263cce3cc9890197ca080b7f4629af2 NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (2) group authorize { (2) - entering group authorize {...} (2) [preprocess] = ok (2) [chap] = noop (2) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212 (2) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114 (2) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114 (2) auth_log : expand: %t -> Wed Nov 14 17:30:30 2012 (2) [auth_log] = ok (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "1901700000000653", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim (2) [sim_files] = ok (2) eap : EAP packet type response id 39 length 28 (2) eap : No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) [files] = noop (2) [expiration] = noop (2) [logintime] = noop (2) pap : WARNING! No "known good" password found for the user. Authentication may fail because of this. (2) [pap] = noop (2) Found Auth-Type = EAP (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) group authenticate { (2) - entering group authenticate {...} (2) eap : Request found, released from the list (2) eap : EAP/sim (2) eap : processing type sim calculated MAC (05248e0d_917db8e0_55e8b312_b489d982_20c54ef4) did not match (2) eap : Handler failed in EAP/sim (2) eap : Failed in EAP select (2) [eap] = invalid (2) Failed to authenticate the user. (2) Using Post-Auth-Type Reject (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) group REJECT { (2) - entering group REJECT {...} (2) attr_filter.access_reject : expand: %{User-Name} -> 1901700000000653 (2) attr_filter.access_reject : Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) Finished request 2. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 36917, id=65, length=263 Discarding duplicate request from client bipsbk port 36917 - ID: 65 due to unfinished request 2 Waking up in 0.6 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 36917, id=65, length=263 Discarding duplicate request from client bipsbk port 36917 - ID: 65 due to delayed reject 2 Waking up in 0.4 seconds. (2) Sending delayed reject Sending Access-Reject of id 65 to 192.168.10.212 port 36917 EAP-Message = 0x04270004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Has anyone an idea why the MAC not matches although Client and Server are using the same algorithm version (Version 1 mentioned in AT_VERSION_LIST from Server and in AT_SELECTED_VERSION from client) ? Best regards Yann
On 15/11/12 16:46, Yann R. Moupinda wrote:
Has anyone an idea why the MAC not matches although Client and Server are using the same algorithm version (Version 1 mentioned in AT_VERSION_LIST from Server and in AT_SELECTED_VERSION from client) ?
It's probably a bug somewhere. Very likely, the wrong data is being fed into the MAC at both ends. Unfortunately, since FreeRADIUS works with *some* EAP-SIM/AKA supplicants, I am guessing there are incompatible implementations out there. You would need to read the SIM/AKA RFCs in detail, and possibly feed the test data into FreeRADIUS to find the bug.
Hi guys, Thanks for your help. After reading your suggestions, i installed a new version of FreeRADIUS (FreeRADIUS 2.2.1). I haven't worked with the the patch yet (i'm going to do that later) but, just to show what i got with the new version 2.2.1 and changing the content of the simtriplets.dat 1. case : simtriplets.dat looks like following (imsi,rand,sres,kc) (3 different rand...) 1901700000000653,0123456789abcdef0123456789abcdef,0227bc86,44168f1de9259000 1901700000000653,0123456789abcdef0123456789abcde0,725bb218,25903c082654b400 1901700000000653,0123456789abcdef0123456789abcd18,ed404256,bc871da6ae8edc00 1901700000000653,0123456789abcdef0123456789abcd88,6695bd6e,58788a55e9052000 i got the same failure than before: after sending the 2nd access challenge, the server is waiting for the 3rd access request and doesn't get anything --> authentication failed . . . Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Ready to process requests. rad_recv: Access-Request packet from host 192.168.10.212 port 38803, id=29, length=238 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653" NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "8220000e" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x020100150131393031373030303030303030363533 Message-Authenticator = 0xcf4e5f6429686cc260b16bd23d82489f NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "1901700000000653", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 108 ++[eap] returns handled Sending Access-Challenge of id 29 to 192.168.10.212 port 38803 EAP-Message = 0x016c0014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x870e2a6987623891aa6e49c2b1bcc9b6 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 50478, id=30, length=287 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653" State = 0x870e2a6987623891aa6e49c2b1bcc9b6 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "8220000e" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x026c0034120a000007050000c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363533 Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "1901700000000653", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 108 length 52 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653" State = 0x870e2a6987623891aa6e49c2b1bcc9b6 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "8220000e" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x026c0034120a000007050000c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363533 Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x0000c27cfb1cfa7a257c9c89796e49bca230 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x31393031373030303030303030363533 [eap] Underlying EAP-Type set EAP ID to 109 ++[eap] returns handled Sending Access-Challenge of id 30 to 192.168.10.212 port 50478 EAP-Message = 0x016d0050120b0000010d00000123456789abcdef0123456789abcdef0123456789abcdef0123456789abcde00123456789abcdef0123456789abcd180b0500000bffb0f7777b066616d98519e625a531 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x870e2a6986633891aa6e49c2b1bcc9b6 Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 29 with timestamp +17 Cleaning up request 1 ID 30 with timestamp +17 Ready to process requests. - - - - - - - - - - - - - - - - -- - - - - - - - - - - - 2. case : simtriplets.dat looks like following (imsi,rand,sres,kc) (3 times the same rand...) 1901700000000653,0123456789abcdef0123456789abcdef,0227bc86,44168f1de9259000 1901700000000653,0123456789abcdef0123456789abcdef,0227bc86,44168f1de9259000 1901700000000653,0123456789abcdef0123456789abcdef,0227bc86,44168f1de9259000 i got a failure (it's normal i think) but in this case, the client sent the third request, saying to stop the authentication process. So, in this case the client reacts of the second access challenge and in the first case (with diffrent data in the simtriplets.dat) it does't. . . . Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.10.212 port 49529, id=6, length=308 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82400001" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-40-00-00-00-00-00-01" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02010038013139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267 Message-Authenticator = 0xb66e4f2652fec781e4c71b6dbd20b389 NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" [suffix] Found realm "~.*.3gppnetwork.org$" [suffix] Adding Stripped-User-Name = "1901700000000653" [suffix] Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 1 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 4 ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.10.212 port 49529 EAP-Message = 0x01040014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf69e9f4cf69a8d1d0990f37eaa6db462 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 34603, id=7, length=358 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" State = 0xf69e9f4cf69a8d1d0990f37eaa6db462 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82400001" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-40-00-00-00-00-00-01" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02040058120a00000705000097d3fd9e1c4410fa64112b4b80057c3d100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x741ccd1cadf88aea68338a49b9e65500 NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" [suffix] Found realm "~.*.3gppnetwork.org$" [suffix] Adding Stripped-User-Name = "1901700000000653" [suffix] Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 4 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" State = 0xf69e9f4cf69a8d1d0990f37eaa6db462 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82400001" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-40-00-00-00-00-00-01" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02040058120a00000705000097d3fd9e1c4410fa64112b4b80057c3d100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x741ccd1cadf88aea68338a49b9e65500 NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 Stripped-User-Name = "1901700000000653" Realm = "wlan.mnc070.mcc901.3gppnetwork.org" EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x000097d3fd9e1c4410fa64112b4b80057c3d EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x3139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267 [eap] Underlying EAP-Type set EAP ID to 5 ++[eap] returns handled Sending Access-Challenge of id 7 to 192.168.10.212 port 34603 EAP-Message = 0x01050050120b0000010d00000123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0b050000095b748dc49685f14ee126dd201a6787 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf69e9f4cf79b8d1d0990f37eaa6db462 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 47748, id=8, length=282 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" State = 0xf69e9f4cf79b8d1d0990f37eaa6db462 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "82400001" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-40-00-00-00-00-00-01" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x0205000c120e000016010000 Message-Authenticator = 0x67afd2e2a3861afd4c460375757d1fdd NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org" [suffix] Found realm "~.*.3gppnetwork.org$" [suffix] Adding Stripped-User-Name = "1901700000000653" [suffix] Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok rlm_sim_files: authorized user/imsi 1901700000000653 rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 5 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim Client says error. Stopping! [eap] Handler failed in EAP/sim [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 1901700000000653@wlan.mnc070.mcc901.3gppnetwork.org attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 47748, id=8, length=282 Waiting to send Access-Reject to client bips_bk port 47748 - ID: 8 Waking up in 0.6 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 47748, id=8, length=282 Waiting to send Access-Reject to client bips_bk port 47748 - ID: 8 Waking up in 0.3 seconds. Cleaning up request 0 ID 6 with timestamp +20 Cleaning up request 1 ID 7 with timestamp +20 Sending delayed reject for request 2 Sending Access-Reject of id 8 to 192.168.10.212 port 47748 EAP-Message = 0x04050004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 2 ID 8 with timestamp +24 Ready to process requests. - - - - - - - - - -- - - - - - - - - are there any extra requirements on the RAND number except that they must be 128 byte long ? I'm trying to make another fix with the patch now. Yann
I have the same problem with Nokia E51 handset. EAP-SIM authentication interrupted by Nokia supplicant. Unfortunately there is no useful diagnostic on the handset. On other hand EAP-SIM authentication succeeds when I use wpa_supplicant on Windows using smart card reader with the same SIM card I've used with Nokia handset. Unfortunately I have neither iPhone nor Windows-based handset to test EAP-SIM against. Yann R. Moupinda wrote:
i got the same failure than before: after sending the 2nd access challenge, the server is waiting for the 3rd access request and doesn't get anything --> authentication failed
participants (5)
-
Alan DeKok -
Francois Gaudreault -
Iliya Peregoudov -
Phil Mayers -
Yann R. Moupinda