Hi all, i have read anything about my problem, but i dont get any idea to solve in FR i get message like this : "rlm_sim_files: insufficient number of challenges for imsi imsi@wlan.mnc001.mcc510.3gppnetwork.org : 0 " "[sim_files] returnnot found " it's my log: Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=215 User-Name = "imsi@wlan.mnc001.mcc510.3gppnetwork.org" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000038013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 Message-Authenticator = 0x538ea4f0fa860dbb61c7d2c88dbd8474 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "imsi@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] returns noop rlm_sim_files: insufficient number of challenges for imsi imsi@wlan.mnc001.mcc510.3gppnetwork.org: 0 ++[sim_files] returns notfound [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry imsi@wlan.mnc001.mcc510.3gppnetwork.org at line 205 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 61 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 2048 EAP-Message = 0x013d0014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7239b8fc7204aacaafa19b7e0dac3020 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=265 Cleaning up request 0 ID 0 with timestamp +206 User-Name = "imsi@wlan.mnc001.mcc510.3gppnetwork.org" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x7239b8fc7204aacaafa19b7e0dac3020 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x023d0058120a000007050000a6be580955eb9db84b9cd0ba4ac9ec71100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x7dd9b0c763e8fc3783f00303952476cb +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "imsi@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] returns noop rlm_sim_files: insufficient number of challenges for imsi imsi@wlan.mnc001.mcc510.3gppnetwork.org: 0 ++[sim_files] returns notfound [eap] EAP packet type response id 61 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry imsi@wlan.mnc001.mcc510.3gppnetwork.org at line 205 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim rlm_eap_sim: subtype= 10 start. +++> EAP-sim decoded packet: User-Name = "imsi@wlan.mnc001.mcc510.3gppnetwork.org" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x7239b8fc7204aacaafa19b7e0dac3020 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x023d0058120a000007050000a6be580955eb9db84b9cd0ba4ac9ec71100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x7dd9b0c763e8fc3783f00303952476cb EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x0000a6be580955eb9db84b9cd0ba4ac9ec71 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 [eap] Underlying EAP-Type set EAP ID to 62 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 2048 EAP-Message = 0x013e0050120b0000010d0000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f0b050000f9e2857eab3d7c389db0c2455af08b29 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7239b8fc7307aacaafa19b7e0dac3020 Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 0 with timestamp +206 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=215 User-Name = "imsi@wlan.mnc001.mcc510.3gppnetwork.org" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000038013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 Message-Authenticator = 0xdca4e2db7c20e750a430bef09ea6aebb +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "imsi@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] returns noop rlm_sim_files: insufficient number of challenges for imsi imsi@wlan.mnc001.mcc510.3gppnetwork.org: 0 ++[sim_files] returns notfound [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry imsi@wlan.mnc001.mcc510.3gppnetwork.org at line 205 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 87 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 2048 EAP-Message = 0x01570014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb8d25eafbda3700c521f1ba966c28c6 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=265 Cleaning up request 2 ID 0 with timestamp +231 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0xfb8d25eafbda3700c521f1ba966c28c6 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02570058120a000007050000b6356c32e13a775e4150d27fa12bd917100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x3152ae01c462863ab1e119e0c24eac50 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "imsi@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] returns noop rlm_sim_files: insufficient number of challenges for imsi imsi@wlan.mnc001.mcc510.3gppnetwork.org: 0 ++[sim_files] returns notfound [eap] EAP packet type response id 87 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry imsi@wlan.mnc001.mcc510.3gppnetwork.org at line 205 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim rlm_eap_sim: subtype= 10 start. +++> EAP-sim decoded packet: User-Name = "imsi@wlan.mnc001.mcc510.3gppnetwork.org" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0xfb8d25eafbda3700c521f1ba966c28c6 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02570058120a000007050000b6356c32e13a775e4150d27fa12bd917100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x3152ae01c462863ab1e119e0c24eac50 EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x0000b6356c32e13a775e4150d27fa12bd917 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 [eap] Underlying EAP-Type set EAP ID to 88 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 2048 EAP-Message = 0x01580050120b0000010d0000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f0b0500003b9af2c5246ca03fede9d65a01cda8e1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb8d25eafad53700c521f1ba966c28c6 Finished request 3. Going to the next request Waking up in 4.9 seconds. Cleaning up request 3 ID 0 with timestamp +231 Ready to process requests. Thanx for your time and your answer
You should designate realm wlan.mnc001.mcc510.3gppnetwork.org as locally served in raddb/proxy.conf: # raddb/proxy.conf realm wlan.mnc001.mcc510.3gppnetwork.org { } Then you should add authentication vectors to raddb/simtriplets.dat: # raddb/simtriplets.dat # 1<IMSI>,<RAND>,<SRES>,<KC> 1250991417456196,cf92007bd3814afaa71a58bbe406b8a0,6b7ace84,b54e3cad99ab2000 ... At least 3 authentication vectors should be present for each IMSI. You can generate authentication vectors for your SIM card using smart card reader and agsm program (http://agsm.sourceforge.net/). On 30.05.2013 10:44, raptor raptor wrote:
Hi all, i have read anything about my problem, but i dont get any idea to solve
in FR i get message like this :
"rlm_sim_files: insufficient number of challenges for imsi imsi@wlan.mnc001.mcc510.3gppnetwork.org <mailto:imsi@wlan.mnc001.mcc510.3gppnetwork.org> : 0 " "[sim_files] returnnot found "
On 30/05/13 08:16, Iliya Peregoudov wrote:
You should designate realm wlan.mnc001.mcc510.3gppnetwork.org as locally served in raddb/proxy.conf:
Better yet, don't use the "suffix" module; look for the realm and strip it yourself: authorize { if (User-Name =~ /^(.*)@(.+)$/) { update request { Stripped-User-Name := "%{1}" Realm := "%{2}" } } } See the policy.conf/policy.d and list archives for better regexps for NAI-style usernames.
Hi, Phil Better yet, don't use the "suffix" module; look for the realm and strip it yourself: authorize { if (User-Name =~ /^(.*)@(.+)$/) { update request { Stripped-User-Name := "%{1}" Realm := "%{2}" } } } See the policy.conf/policy.d and list archives for better regexps for NAI-style usernames. is it in policy.conf or sites-enabled/default? if in policy.conf i can't find format like authorize {}, but i find cui_authorize On Thu, May 30, 2013 at 4:08 PM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 30/05/13 08:16, Iliya Peregoudov wrote:
You should designate realm wlan.mnc001.mcc510.**3gppnetwork.org<http://wlan.mnc001.mcc510.3gppnetwork.org>as locally served in raddb/proxy.conf:
Better yet, don't use the "suffix" module; look for the realm and strip it yourself:
authorize { if (User-Name =~ /^(.*)@(.+)$/) { update request { Stripped-User-Name := "%{1}" Realm := "%{2}" } } }
See the policy.conf/policy.d and list archives for better regexps for NAI-style usernames.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Hi, i have added simtriplets.dat and create file sim_files in /freeradius/modules and also i configure sim_files in authorize{} in /sites-enabled/default but i dont use suffix module so my concern is how to solve this message : "rlm_sim_files: insufficient number of challenges for imsi imsi@wlan.mnc001.mcc510.3gppnetwork.org : 0 " "[sim_files] returnnot found " here is my log: Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=215 User-Name = " 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000038013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 Message-Authenticator = 0x91af511bc958602ec652547f08683045 +- entering group authorize {...} ++[preprocess] returns ok rlm_sim_files: insufficient number of challenges for imsi 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org: 0 ++[sim_files] returns notfound [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org at line 205 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 218 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 2048 EAP-Message = 0x01da0014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1e96d6021e4cc425cab980602ba77fc7 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=265 Cleaning up request 0 ID 0 with timestamp +91 User-Name = " 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x1e96d6021e4cc425cab980602ba77fc7 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02da0058120a00000705000066bf4d6f1cf16dae34700d33b40a2cf2100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x46abb1e0d252ff580dd8d31e5a56ba46 +- entering group authorize {...} ++[preprocess] returns ok rlm_sim_files: insufficient number of challenges for imsi 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org: 0 ++[sim_files] returns notfound [eap] EAP packet type response id 218 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org at line 205 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: User-Name = " 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x1e96d6021e4cc425cab980602ba77fc7 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02da0058120a00000705000066bf4d6f1cf16dae34700d33b40a2cf2100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x46abb1e0d252ff580dd8d31e5a56ba46 EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x000066bf4d6f1cf16dae34700d33b40a2cf2 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 [eap] Underlying EAP-Type set EAP ID to 219 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 2048 EAP-Message = 0x01db0050120b0000010d0000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f0b050000d0b87a34927435f51b0b4892462ced47 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1e96d6021f4dc425cab980602ba77fc7 Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 0 with timestamp +91 Ready to process requests. thanx for your answer On Thu, May 30, 2013 at 2:16 PM, Iliya Peregoudov <iperegudov@cboss.ru>wrote:
You should designate realm wlan.mnc001.mcc510.**3gppnetwork.org<http://wlan.mnc001.mcc510.3gppnetwork.org>as locally served in raddb/proxy.conf:
# raddb/proxy.conf realm wlan.mnc001.mcc510.**3gppnetwork.org<http://wlan.mnc001.mcc510.3gppnetwork.org>{ }
Then you should add authentication vectors to raddb/simtriplets.dat:
# raddb/simtriplets.dat # 1<IMSI>,<RAND>,<SRES>,<KC> 1250991417456196,**cf92007bd3814afaa71a58bbe406b8** a0,6b7ace84,b54e3cad99ab2000 ...
At least 3 authentication vectors should be present for each IMSI.
You can generate authentication vectors for your SIM card using smart card reader and agsm program (http://agsm.sourceforge.net/)**.
On 30.05.2013 10:44, raptor raptor wrote:
Hi all, i have read anything about my problem, but i dont get any idea to solve
in FR i get message like this :
"rlm_sim_files: insufficient number of challenges for imsi imsi@wlan.mnc001.mcc510.**3gppnetwork.org<imsi@wlan.mnc001.mcc510.3gppnetwork.org> <mailto:imsi@wlan.mnc001.**mcc510.3gppnetwork.org<imsi@wlan.mnc001.mcc510.3gppnetwork.org>> : 0 " "[sim_files] returnnot found "
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Call suffix before sim_files. The rlm_sim_files module uses "canonical username" as a key for searching authentication vectors. Initially canonical username points to User-Name attribute. rlm_realm module (suffix is an instance of this module) split User-Name to Stripped-User-Name and Realm and set canonical username to point to Stripped-User-Name. Or you can put full username 1<IMSI>@wlan.mnc001.mcc510.3gppnetwork.org into simtriplets.dat. This will work without calling suffix. On 30.05.2013 19:26, raptor raptor wrote:
Hi,
i have added simtriplets.dat and create file sim_files in /freeradius/modules and also i configure sim_files in authorize{} in /sites-enabled/default but i dont use suffix module
so my concern is how to solve this message : "rlm_sim_files: insufficient number of challenges for imsi imsi@wlan.mnc001.mcc510.3gppnetwork.org <mailto:imsi@wlan.mnc001.mcc510.3gppnetwork.org> : 0 " "[sim_files] returnnot found "
i have added Stripped-User-Name in sites-enabled/default and also i disabled suffix module but, i found like fatal mistake could someone tell me what i should do to fix this this is my log Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=215 User-Name = "15100xxxxxxxxxxx@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000038013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 Message-Authenticator = 0xe0a42673f8bb72f47e48dcb350887961 +- entering group authorize {...} ++[preprocess] returns ok ++? if (User-Name =~ /^(.*)@(.+)$/) ? Evaluating (User-Name =~ /^(.*)@(.+)$/) -> TRUE ++? if (User-Name =~ /^(.*)@(.+)$/) -> TRUE ++- entering if (User-Name =~ /^(.*)@(.+)$/) {...} expand: %{1} -> 15100xxxxxxxxxx expand: %{2} -> wlan.mnc001.mcc510.3gppnetwork.org +++[request] returns ok ++- if (User-Name =~ /^(.*)@(.+)$/) returns ok ASSERT FAILED rlm_sim_files.c[212]: k != NULL Aborted best regard On Fri, May 31, 2013 at 12:59 PM, Iliya Peregoudov <iperegudov@cboss.ru>wrote:
Call suffix before sim_files.
The rlm_sim_files module uses "canonical username" as a key for searching authentication vectors. Initially canonical username points to User-Name attribute. rlm_realm module (suffix is an instance of this module) split User-Name to Stripped-User-Name and Realm and set canonical username to point to Stripped-User-Name.
Or you can put full username 1<IMSI>@wlan.mnc001.mcc510.**3gppnetwork.org<http://wlan.mnc001.mcc510.3gppnetwork.org>into simtriplets.dat. This will work without calling suffix.
On 30.05.2013 19:26, raptor raptor wrote:
Hi,
i have added simtriplets.dat and create file sim_files in /freeradius/modules and also i configure sim_files in authorize{} in /sites-enabled/default but i dont use suffix module
so my concern is how to solve this message : "rlm_sim_files: insufficient number of challenges for imsi imsi@wlan.mnc001.mcc510.**3gppnetwork.org<imsi@wlan.mnc001.mcc510.3gppnetwork.org> <mailto:imsi@wlan.mnc001.**mcc510.3gppnetwork.org<imsi@wlan.mnc001.mcc510.3gppnetwork.org>> : 0 " "[sim_files] returnnot found "
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Apparently there is an error in simtriplets.dat. Format is 1<IMSI>,<RAND>,<SRES>,<KC> <RAND>, <SRES>, and <KC> should be in hexadecimal digits, without 0x prefix. An even number of hexadecimal digits should be in there. On 01.06.2013 5:51, raptor raptor wrote:
ASSERT FAILED rlm_sim_files.c[212]: k != NULL
Iliya Peregoudov wrote:
Apparently there is an error in simtriplets.dat. Format is
1<IMSI>,<RAND>,<SRES>,<KC>
<RAND>, <SRES>, and <KC> should be in hexadecimal digits, without 0x prefix. An even number of hexadecimal digits should be in there.
The simtriplets.dat dile doesn't have "0x" prefixes in its examples In any case, hitting an assertion because of a format error is stupid. I've pushed a fix. It will now complain about syntax errors instead. Alan DeKok.
my simtriplets.dat : 1<imsi> 1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000 1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000 1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000 On Mon, Jun 3, 2013 at 9:26 PM, Alan DeKok <aland@deployingradius.com>wrote:
Iliya Peregoudov wrote:
Apparently there is an error in simtriplets.dat. Format is
1<IMSI>,<RAND>,<SRES>,<KC>
<RAND>, <SRES>, and <KC> should be in hexadecimal digits, without 0x prefix. An even number of hexadecimal digits should be in there.
The simtriplets.dat dile doesn't have "0x" prefixes in its examples
In any case, hitting an assertion because of a format error is stupid. I've pushed a fix. It will now complain about syntax errors instead.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
simtriplets.dat format that i wite: 1<imsi>,<RAND>,<SRES>,<Kc> 1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000 1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000 1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000 i add in users file: DEFAULT Auth-Type := EAP, EAP-Type := SIM EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f, EAP-Sim-SRES1 = 0xd1d2d3d4, EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d2e2f, EAP-Sim-SRES2 = 0xe1e2e3e4, EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d3e3f, EAP-Sim-SRES3 = 0xf1f2f3f4, EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7, EAP-Sim-KC2 = 0xb0b1b2b3b4b5b6b7, EAP-Sim-KC3 = 0xc0c1c2c3c4c5c6c7, i think number of RAND in simtriplets.dat is same in EAP-Sim-Rand1 (32 octet) is my format wrong? i'm using freeradius-server-2.1.9 and nokia e63 and i run freeradius so here the log: Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=215 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000038013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 Message-Authenticator = 0xa01e03afe31bdb73b9c01a64096ec87a +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Found realm "wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Adding Stripped-User-Name = "1510019760806391" [suffix] Adding Realm = "wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0 ++[sim_files] returns notfound [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 205 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 26 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 2048 EAP-Message = 0x011a0014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x019a1a23018008ce78acd4b07bc4c4ac Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=265 Cleaning up request 0 ID 0 with timestamp +227 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x019a1a23018008ce78acd4b07bc4c4ac NAS-Port-Type = Wireless-802.11 EAP-Message = 0x021a0058120a00000705000043837c0b63fd6c4dc3fccbebc8439b04100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x441da87c8c81ad6b22b7596fba8b9098 +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Found realm "wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Adding Stripped-User-Name = "1510019760806391" [suffix] Adding Realm = "wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0 ++[sim_files] returns notfound [eap] EAP packet type response id 26 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 205 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim rlm_eap_sim: subtype= 10 start. +++> EAP-sim decoded packet: User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x019a1a23018008ce78acd4b07bc4c4ac NAS-Port-Type = Wireless-802.11 EAP-Message = 0x021a0058120a00000705000043837c0b63fd6c4dc3fccbebc8439b04100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x441da87c8c81ad6b22b7596fba8b9098 Stripped-User-Name = "1510019760806391" Realm = "wlan.mnc001.mcc510.3gppnetwork.org" EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x000043837c0b63fd6c4dc3fccbebc8439b04 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 [eap] Underlying EAP-Type set EAP ID to 27 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 2048 EAP-Message = 0x011b0050120b0000010d0000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f0b050000fb675502a3304188312931054f33cd1f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x019a1a23008108ce78acd4b07bc4c4ac Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 0 with timestamp +227 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=215 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000038013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 Message-Authenticator = 0xfafe8eadeb1ae3d38fa8f19d05d593be +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Found realm "wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Adding Stripped-User-Name = "1510019760806391" [suffix] Adding Realm = "wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0 ++[sim_files] returns notfound [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 205 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 82 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 2048 EAP-Message = 0x01520014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbae09375bab281899c287550956630d3 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=265 Cleaning up request 2 ID 0 with timestamp +539 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0xbae09375bab281899c287550956630d3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02520058120a00000705000084dc530744f7039807a5ba5b36513d18100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x01b366d26fd7d24f8ad84fc3a12c0919 +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Found realm "wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Adding Stripped-User-Name = "1510019760806391" [suffix] Adding Realm = "wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0 ++[sim_files] returns notfound [eap] EAP packet type response id 82 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 205 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim rlm_eap_sim: subtype= 10 start. +++> EAP-sim decoded packet: User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0xbae09375bab281899c287550956630d3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02520058120a00000705000084dc530744f7039807a5ba5b36513d18100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x01b366d26fd7d24f8ad84fc3a12c0919 Stripped-User-Name = "1510019760806391" Realm = "wlan.mnc001.mcc510.3gppnetwork.org" EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x000084dc530744f7039807a5ba5b36513d18 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 [eap] Underlying EAP-Type set EAP ID to 83 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 2048 EAP-Message = 0x01530050120b0000010d0000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f0b050000eb630e1e2e57b50fb053ac8f6114a820 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbae09375bbb381899c287550956630d3 Finished request 3. Going to the next request Waking up in 4.9 seconds. Cleaning up request 3 ID 0 with timestamp +539 Ready to process requests. thank you for advice best regard On Mon, Jun 3, 2013 at 9:26 PM, Alan DeKok <aland@deployingradius.com>wrote:
Iliya Peregoudov wrote:
Apparently there is an error in simtriplets.dat. Format is
1<IMSI>,<RAND>,<SRES>,<KC>
<RAND>, <SRES>, and <KC> should be in hexadecimal digits, without 0x prefix. An even number of hexadecimal digits should be in there.
The simtriplets.dat dile doesn't have "0x" prefixes in its examples
In any case, hitting an assertion because of a format error is stupid. I've pushed a fix. It will now complain about syntax errors instead.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 09.06.2013 5:34, raptor raptor wrote:
simtriplets.dat format that i wite:
1<imsi>,<RAND>,<SRES>,<Kc> 1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000 1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000 1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000
Your simtriplets.dat format is ok.
i add in users file:
DEFAULTAuth-Type := EAP, EAP-Type := SIM EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f, EAP-Sim-SRES1 = 0xd1d2d3d4, EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d2e2f, EAP-Sim-SRES2 = 0xe1e2e3e4, EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d3e3f, EAP-Sim-SRES3 = 0xf1f2f3f4, EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7, EAP-Sim-KC2 = 0xb0b1b2b3b4b5b6b7, EAP-Sim-KC3 = 0xc0c1c2c3c4c5c6c7,
Your users format is ok: 16-octet RAND, 4-octet SRES, 8-octet Kc. Auth vectors in users file differ from those in simtriplets.dat. You cannot use arbitrary auth vectors. EAP-SIM is mutual authentication protocol. UE checks that AAA knows correct auth vectors when Request/SIM/Challenge received before sending Response/SIM/Challenge.
rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0 ++[sim_files] returns notfound
It's strange that rlm_sim_files was unable to find auth vectors. Ensure that simtriplets.dat has UNIX line endings (LF, not CRLF).
Sending Access-Challenge of id 0 to 192.168.1.1 port 2048 EAP-Message = 0x011a0014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x019a1a23018008ce78acd4b07bc4c4ac
Here radiusd generates EAP Request/SIM/Start. There is no cryptography yet so UE will respond with Response/SIM/Start.
+++> EAP-sim decoded packet: User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x019a1a23018008ce78acd4b07bc4c4ac NAS-Port-Type = Wireless-802.11 EAP-Message = 0x021a0058120a00000705000043837c0b63fd6c4dc3fccbebc8439b04100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x441da87c8c81ad6b22b7596fba8b9098 Stripped-User-Name = "1510019760806391" Realm = "wlan.mnc001.mcc510.3gppnetwork.org" EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x000043837c0b63fd6c4dc3fccbebc8439b04 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
This is Response/SIM/Start from UE.
Sending Access-Challenge of id 0 to 192.168.1.1 port 2048 EAP-Message = 0x011b0050120b0000010d0000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f0b050000fb675502a3304188312931054f33cd1f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x019a1a23008108ce78acd4b07bc4c4ac
Here radiusd generates EAP Request/SIM/Challenge using auth vectors from users file and NONCE_MT from Response/EAP/Start. UE will reject this EAP request (because AAA does not know correct auth vectors) and will restart EAP authentication.
Iliya Peregoudov wite : 1.
rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0 ++[sim_files] returns notfound
It's strange that rlm_sim_files was unable to find auth vectors. Ensure that simtriplets.dat has UNIX line endings (LF, not CRLF). i'm sorry i dont understand about LF UNIX line ending, could you show me what should i do to simtriplets.dat format? is there any mistake? 2. Your users format is ok: 16-octet RAND, 4-octet SRES, 8-octet Kc. Auth vectors in users file differ from those in simtriplets.dat. You cannot use arbitrary auth vectors. EAP-SIM is mutual authentication protocol. UE checks that AAA knows correct auth vectors when Request/SIM/Challenge received before sending Response/SIM/Challenge. i got that format in /src/tests/eapsim-03/users-example.txt what should i fill in Rand1 attribute? thanx for your advice best regard On Mon, Jun 10, 2013 at 5:29 PM, Iliya Peregoudov <iperegudov@cboss.ru>wrote:
On 09.06.2013 5:34, raptor raptor wrote:
simtriplets.dat format that i wite:
1<imsi>,<RAND>,<SRES>,<Kc> 1510019760806391,**AAC0FAFDC47D4524AC9E2A3D51BDBA** 39,2A71bac3,7868589a75fdc000 1510019760806391,**BF9A9F6EEB36422895D010927D7697** 2C,F49dd880,3Afbcf2fA9b0a000 1510019760806391,**C63837CFECD348deB119C35CFECD48** 98,49312999,FD488938B6f2a000
Your simtriplets.dat format is ok.
i add in users file:
DEFAULTAuth-Type := EAP, EAP-Type := SIM
EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d**1e1f, EAP-Sim-SRES1 = 0xd1d2d3d4, EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d**2e2f, EAP-Sim-SRES2 = 0xe1e2e3e4, EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d**3e3f, EAP-Sim-SRES3 = 0xf1f2f3f4, EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7, EAP-Sim-KC2 = 0xb0b1b2b3b4b5b6b7, EAP-Sim-KC3 = 0xc0c1c2c3c4c5c6c7,
Your users format is ok: 16-octet RAND, 4-octet SRES, 8-octet Kc.
Auth vectors in users file differ from those in simtriplets.dat. You cannot use arbitrary auth vectors. EAP-SIM is mutual authentication protocol. UE checks that AAA knows correct auth vectors when Request/SIM/Challenge received before sending Response/SIM/Challenge.
rlm_sim_files: insufficient number of challenges for imsi
1510019760806391: 0 ++[sim_files] returns notfound
It's strange that rlm_sim_files was unable to find auth vectors. Ensure that simtriplets.dat has UNIX line endings (LF, not CRLF).
Sending Access-Challenge of id 0 to 192.168.1.1 port 2048
EAP-Message = 0x011a0014120a00000f0200020001**000011010100 Message-Authenticator = 0x0000000000000000000000000000**0000 State = 0x019a1a23018008ce78acd4b07bc4**c4ac
Here radiusd generates EAP Request/SIM/Start. There is no cryptography yet so UE will respond with Response/SIM/Start.
+++> EAP-sim decoded packet:
User-Name = "1510019760806391@wlan.mnc001.**mcc510.3gppnetwork.org<1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org> " NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x019a1a23018008ce78acd4b07bc4**c4ac NAS-Port-Type = Wireless-802.11 EAP-Message = 0x021a0058120a0000070500004383**7c0b63fd6c4dc3fccbebc8439b0410** 0100010e0e00333135313030313937**363038303633393140776c616e2e6d** 6e633030312e6d63633531302e3367**70706e6574776f726b2e6f726700 Message-Authenticator = 0x441da87c8c81ad6b22b7596fba8b**9098 Stripped-User-Name = "1510019760806391" Realm = "wlan.mnc001.mcc510.**3gppnetwork.org<http://wlan.mnc001.mcc510.3gppnetwork.org> " EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x000043837c0b63fd6c4dc3fccbeb**c8439b04 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x0033313531303031393736303830**3633393140776c616e2e6d6e633030** 312e6d63633531302e336770706e65**74776f726b2e6f726700
This is Response/SIM/Start from UE.
Sending Access-Challenge of id 0 to 192.168.1.1 port 2048
EAP-Message = 0x011b0050120b0000010d00001011**12131415161718191a1b1c1d1e1f20** 2122232425262728292a2b2c2d2e2f**303132333435363738393a3b3c3d3e** 3f0b050000fb675502a33041883129**31054f33cd1f Message-Authenticator = 0x0000000000000000000000000000**0000 State = 0x019a1a23008108ce78acd4b07bc4**c4ac
Here radiusd generates EAP Request/SIM/Challenge using auth vectors from users file and NONCE_MT from Response/EAP/Start. UE will reject this EAP request (because AAA does not know correct auth vectors) and will restart EAP authentication.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
On 11.06.2013 7:00, raptor raptor wrote:
i'm sorry i dont understand about LF UNIX line ending, could you show me what should i do to simtriplets.dat format? is there any mistake?
Run dos2unix simtriplets.dat in UNIX shell. This will ensure simtriplets.dat has UNIX line endings.
i got that format in /src/tests/eapsim-03/users-example.txt what should i fill in Rand1 attribute?
I assume that your simtriplets.dat contains correct auth vectors (e.g. generated by SIM card and extracted using agsm program): 1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000 1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000 1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000 Equivalent users entry should look like: 1510019760806391 EAP-Type:=SIM EAP-Sim-Rand1:=0xAAC0FAFDC47D4524AC9E2A3D51BDBA39, EAP-Sim-SRES1:=0x2A71bac3, EAP-Sim-KC1:=0x7868589a75fdc000, EAP-Sim-Rans2:=0xBF9A9F6EEB36422895D010927D76972C, EAP-Sim-SRES2:=0xF49dd880, EAP-Sim-KC2:=0x3Afbcf2fA9b0a000, EAP-Sim-Rand3:=0xC63837CFECD348deB119C35CFECD4898, EAP-Sim-SRES3:=0x49312999, EAP-Sim-KC3:=0xFD488938B6f2a000
Hi Iliya Peregoudov thanx for your advice and your time 1. when i change users entry, i get notification that access-accept has succesfull but unfortunately, when i restart the system cant access-accept and i must change attribute in users from agsm program here the log: Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=215 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000038013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 Message-Authenticator = 0x95014bdec4f49a1b5363bd5988ab5ddd +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Found realm "wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Adding Stripped-User-Name = "1510019760806391" [suffix] Adding Realm = "wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0 ++[sim_files] returns notfound [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 227 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 81 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 2048 EAP-Message = 0x01510014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf0cf8a6cf09e98be2ec974e82cdf9f5b Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=265 Cleaning up request 0 ID 0 with timestamp +13 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0xf0cf8a6cf09e98be2ec974e82cdf9f5b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02510058120a000007050000a3663d2e1ff07a1cb29d04fdb0047908100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x6b683386c02724d0f0b7710f5ede4a93 +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Found realm "wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Adding Stripped-User-Name = "1510019760806391" [suffix] Adding Realm = "wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0 ++[sim_files] returns notfound [eap] EAP packet type response id 81 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 227 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim rlm_eap_sim: subtype= 10 start. +++> EAP-sim decoded packet: User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0xf0cf8a6cf09e98be2ec974e82cdf9f5b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02510058120a000007050000a3663d2e1ff07a1cb29d04fdb0047908100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x6b683386c02724d0f0b7710f5ede4a93 Stripped-User-Name = "1510019760806391" Realm = "wlan.mnc001.mcc510.3gppnetwork.org" EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x0000a3663d2e1ff07a1cb29d04fdb0047908 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 [eap] Underlying EAP-Type set EAP ID to 82 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 2048 EAP-Message = 0x01520050120b0000010d0000307ca6eca31a4a549e879b2674f0feef90b5da4be8174863a276a439c7c2cec79bd7fc87248f4db6af4646a80b4baca50b0500003e86636bdab81ae6982ce83aa6f14ac7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf0cf8a6cf19d98be2ec974e82cdf9f5b Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=205 Cleaning up request 1 ID 0 with timestamp +13 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.1.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0xf0cf8a6cf19d98be2ec974e82cdf9f5b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0252001c120b00000b050000bbff92fe6855f8aa9a62504e58070daa Message-Authenticator = 0xf3712470b4c966857d76f6ff1f44415e +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Found realm "wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Adding Stripped-User-Name = "1510019760806391" [suffix] Adding Realm = "wlan.mnc001.mcc510.3gppnetwork.org" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0 ++[sim_files] returns notfound [eap] EAP packet type response id 82 length 28 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 227 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim rlm_eap_sim: subtype= 11 challenge. MAC check succeed [eap] Underlying EAP-Type set EAP ID to 83 [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 0 to 192.168.1.1 port 2048 MS-MPPE-Recv-Key = 0xb1bd9cf479d08726b2277e72dd2b941613f870f149ebb11113b2cfb7de1b26d7 MS-MPPE-Send-Key = 0xa89a0b0b6d0d3b4d8d15314c00749f6135072e59c3c403afce10b0fb30c4386d EAP-Message = 0x03530004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "1510019760806391" Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 0 with timestamp +14 Ready to process requests. 2. i've changed users entry as you suggest and i still get the same notification rlm_sim_files : isufficient number of challenges of challenges for imsi thanx for your help i'm really really appreciate it best regards On Tue, Jun 11, 2013 at 1:51 PM, Iliya Peregoudov <iperegudov@cboss.ru>wrote:
On 11.06.2013 7:00, raptor raptor wrote:
i'm sorry i dont understand about LF UNIX line ending, could you show me what should i do to simtriplets.dat format? is there any mistake?
Run
dos2unix simtriplets.dat
in UNIX shell. This will ensure simtriplets.dat has UNIX line endings.
i got that format in /src/tests/eapsim-03/users-**example.txt
what should i fill in Rand1 attribute?
I assume that your simtriplets.dat contains correct auth vectors (e.g. generated by SIM card and extracted using agsm program):
1510019760806391,**AAC0FAFDC47D4524AC9E2A3D51BDBA** 39,2A71bac3,7868589a75fdc000 1510019760806391,**BF9A9F6EEB36422895D010927D7697** 2C,F49dd880,3Afbcf2fA9b0a000 1510019760806391,**C63837CFECD348deB119C35CFECD48** 98,49312999,FD488938B6f2a000
Equivalent users entry should look like:
1510019760806391 EAP-Type:=SIM EAP-Sim-Rand1:=**0xAAC0FAFDC47D4524AC9E2A3D51BD**BA39, EAP-Sim-SRES1:=0x2A71bac3, EAP-Sim-KC1:=**0x7868589a75fdc000, EAP-Sim-Rans2:=**0xBF9A9F6EEB36422895D010927D76**972C, EAP-Sim-SRES2:=0xF49dd880, EAP-Sim-KC2:=**0x3Afbcf2fA9b0a000, EAP-Sim-Rand3:=**0xC63837CFECD348deB119C35CFECD**4898, EAP-Sim-SRES3:=0x49312999, EAP-Sim-KC3:=**0xFD488938B6f2a000
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
On 11.06.2013 12:27, raptor raptor wrote:
1. when i change users entry, i get notification that access-accept has succesfull but unfortunately, when i restart the system cant access-accept and i must change attribute in users from agsm program here the log:
I do not understand clearly whether you think you succeed or no.
2. i've changed users entry as you suggest and i still get the same notification rlm_sim_files : isufficient number of challenges of challenges for imsi
Changing users file will not fix simtriplets.dat. I do not understand why do you still bother about rlm_sim_files. You've already configured auth vectors using users file and it works well. Just comment out sim_files module invocation and "isufficient number of challenges" will go away.
Hi, IIlya Thanx for your advice it works On Thu, Jun 13, 2013 at 2:47 PM, Iliya Peregoudov <iperegudov@cboss.ru>wrote:
On 11.06.2013 12:27, raptor raptor wrote:
1. when i change users entry, i get notification that access-accept has succesfull but unfortunately, when i restart the system cant access-accept and i must change attribute in users from agsm program here the log:
I do not understand clearly whether you think you succeed or no.
2.
i've changed users entry as you suggest and i still get the same notification rlm_sim_files : isufficient number of challenges of challenges for imsi
Changing users file will not fix simtriplets.dat.
I do not understand why do you still bother about rlm_sim_files. You've already configured auth vectors using users file and it works well. Just comment out sim_files module invocation and "isufficient number of challenges" will go away.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Hi, i have tried with one client and it's success to authenticate and access internet in wlan could this test we use multiple clients? i just try one client and success but when i use another client and it fails is it correct if i add other client in users and simtriplets.dat? ex: simtriplets.dat 151001xxxxxxxxxx,Rand1,SRES1,kC1 151001xxxxxxxxxx,Rand2,SRES2,kC2 151001xxxxxxxxxx,Rand3,SRES3,kC3 151002xxxxxxxxxx,Rand1,SRES1,kC1 151002xxxxxxxxxx,Rand2,SRES2,kC2 151002xxxxxxxxxx,Rand3,SRES3,kC3 and also in users 151001xxxxxxxxxx@wlan.mnc........ EAP-Type :=SIM EAP-Sim-Rand1 = 0x... . . . . 151002xxxxxxxxxx@wlan.mnc........ EAP-Type :=SIM EAP-Sim-Rand1 = 0x... . . . . thanx for your time and your advice best regards On Thu, Jun 20, 2013 at 11:24 AM, raptor raptor <raptorspor@gmail.com>wrote:
Hi, IIlya Thanx for your advice it works
On Thu, Jun 13, 2013 at 2:47 PM, Iliya Peregoudov <iperegudov@cboss.ru>wrote:
On 11.06.2013 12:27, raptor raptor wrote:
1. when i change users entry, i get notification that access-accept has succesfull but unfortunately, when i restart the system cant access-accept and i must change attribute in users from agsm program here the log:
I do not understand clearly whether you think you succeed or no.
2.
i've changed users entry as you suggest and i still get the same notification rlm_sim_files : isufficient number of challenges of challenges for imsi
Changing users file will not fix simtriplets.dat.
I do not understand why do you still bother about rlm_sim_files. You've already configured auth vectors using users file and it works well. Just comment out sim_files module invocation and "isufficient number of challenges" will go away.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
On 20.06.2013 8:38, raptor raptor wrote:
i just try one client and success but when i use another client and it fails
Post debug log if you want to diagnose authentication failure.
is it correct if i add other client in users and simtriplets.dat?
Yes, you should add auth vectors for all your SIM cards into users file, one stanza for every SIM card. If you still get "insufficient number of challenges" message then your simtriplets.dat is not relevant. Just forget about it. Auth vectors from users file are sufficient. Freeradius is very flexible. There is no one single way of correctly configure it. But there are indefinite number of ways to misconfigure it. If you prefer not to diagnose authentication failures but insert random stuff into randomly selected configuration files it's unlikely you accidentally configure it correctly.
Hi IIiya, thanx for your quick response here is my log debug rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=0, length=215 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000038013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 Message-Authenticator = 0x1e692ae9b93631a0f54bda0997d713f2 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] returns noop rlm_sim_files: authorized user/imsi 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org at line 1 ++[files] returns ok ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 116 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.2.1 port 2048 EAP-Message = 0x01740014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2e42338f2e362191820b0799859172e9 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=0, length=265 Cleaning up request 0 ID 0 with timestamp +10 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x2e42338f2e362191820b0799859172e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02740058120a000007050000c857b63e06e1bb7341a729ea36de8804100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x4228372d93c4496516a4c62a6b0d1f84 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] returns noop rlm_sim_files: authorized user/imsi 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 116 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org at line 1 ++[files] returns ok [sql] User 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x2e42338f2e362191820b0799859172e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02740058120a000007050000c857b63e06e1bb7341a729ea36de8804100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x4228372d93c4496516a4c62a6b0d1f84 EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x0000c857b63e06e1bb7341a729ea36de8804 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x3135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 [eap] Underlying EAP-Type set EAP ID to 117 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.2.1 port 2048 EAP-Message = 0x01750050120b0000010d000033c0caad1ca74b91b8c4c597a497c951ec28a5ea58bf4f7d9a15fb267c80bc6cf51e6dc5eeb149028f5cba3779f2b9160b050000128bccbc8968ba6d16040402b139d839 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2e42338f2f372191820b0799859172e9 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=0, length=205 Cleaning up request 1 ID 0 with timestamp +10 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x2e42338f2f372191820b0799859172e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0275001c120b00000b050000fe0ad02adb05fa535c5e7beaa8810f69 Message-Authenticator = 0x17809a1e9fcb50736607e844ac964694 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] returns noop rlm_sim_files: authorized user/imsi 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 117 length 28 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org at line 1 ++[files] returns ok ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim MAC check succeed [eap] Underlying EAP-Type set EAP ID to 118 [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 0 to 192.168.2.1 port 2048 MS-MPPE-Recv-Key = 0x9d0b6b0a9151822473399a9fed44e8f0d74df083532a7d437e436f60866252d8 MS-MPPE-Send-Key = 0xebf07da25ca3cd97267d1fc6a1ce18d68ad2737902f610284bdb45c6eed0cb7f EAP-Message = 0x03760004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 0 with timestamp +11 Ready to process requests. this is my log with 1 client thanx very much for your help best regards On Thu, Jun 20, 2013 at 2:53 PM, Iliya Peregoudov <iperegudov@cboss.ru>wrote:
On 20.06.2013 8:38, raptor raptor wrote:
i just try one client and success but when i use another client and it fails
Post debug log if you want to diagnose authentication failure.
is it correct if i add other client in users and simtriplets.dat?
Yes, you should add auth vectors for all your SIM cards into users file, one stanza for every SIM card.
If you still get "insufficient number of challenges" message then your simtriplets.dat is not relevant. Just forget about it. Auth vectors from users file are sufficient.
Freeradius is very flexible. There is no one single way of correctly configure it. But there are indefinite number of ways to misconfigure it. If you prefer not to diagnose authentication failures but insert random stuff into randomly selected configuration files it's unlikely you accidentally configure it correctly.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
On 20.06.2013 13:38, raptor raptor wrote:
Sending Access-Accept of id 0 to 192.168.2.1 port 2048 MS-MPPE-Recv-Key = 0x9d0b6b0a9151822473399a9fed44e8f0d74df083532a7d437e436f60866252d8 MS-MPPE-Send-Key = 0xebf07da25ca3cd97267d1fc6a1ce18d68ad2737902f610284bdb45c6eed0cb7f EAP-Message = 0x03760004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" Finished request 2.
I cannot see authentication failure in this debug log.
Hi, IIiya i'm sorry my posting above is about one client first, i connect with one client and it's success (until "Finished request 2" in debug log) and then in next request, i try with different supplicant/client to authenticate and i have input identitiy (IMSI, RAND, SRES,KC) in to simtriplets.dat and users also my simtriplets.dat format 1510019760806391,326258E6F77C40f3866DB25DEA60AE4D,DD287535,7F743521EBabb000 1510019760806391,FD9989BD90AD4a03962E6C08C000C14B,BFf89ad2,1C7098005Fea8c00 1510019760806391,26CC8DB02C9848c7BBCC2790E3F0913B,17172cc6,BF34bf34D4ca4c00 1510080325656501,5A8F4C0677DE4930B47825B55534CC79,94d66001,AC85d79439b564c0 1510080325656501,8E29A03F8E13466fBF84D12F6A9D4734,E284e39e,13a524d040094ef4 1510080325656501,BC5D3CEB1EAC4164AA463E289222C450,AE8bdfc6,B0354bf3402e42ed my users format 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D, EAP-Sim-SRES1 = 0x DD287535, EAP-Sim-KC1 = 0x 7F743521EBabb000, EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B, EAP-Sim-SRES2 = 0x BFf89ad2, EAP-Sim-KC2 = 0x 1C7098005Fea8c00, EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B, EAP-Sim-SRES3 = 0x 17172cc6, EAP-Sim-KC3 = 0x BF34bf34D4ca4c00, 1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org EAP-Type := SIM EAP-Sim-Rand1 = 0x 5A8F4C0677DE4930B47825B55534CC79, EAP-Sim-SRES1 = 0x 94d66001, EAP-Sim-KC1 = 0x AC85d79439b564c0, EAP-Sim-Rand2 = 0x 8E29A03F8E13466fBF84D12F6A9D4734, EAP-Sim-SRES2 = 0x E284e39e, EAP-Sim-KC2 = 0x 13a524d040094ef4, EAP-Sim-Rand3 = 0x BC5D3CEB1EAC4164AA463E289222C450, EAP-Sim-SRES3 = 0x AE8bdfc6, EAP-Sim-KC3 = 0x B0354bf3402e42ed here is my debug log: rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=215 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000038013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 Message-Authenticator = 0x509abafbd92ee8417dcb22095d89059d # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] returns noop rlm_sim_files: authorized user/imsi 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 161 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.2.1 port 2048 EAP-Message = 0x01a10014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x86406e6686e17cf5f398cb77ce20781c Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=265 Cleaning up request 0 ID 1 with timestamp +25 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x86406e6686e17cf5f398cb77ce20781c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02a10058120a0000070500005004b19c6e3aacce33e95d1f3c10c481100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0xc9bbe2c285ff35377724d62bb118966b # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] returns noop rlm_sim_files: authorized user/imsi 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 161 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org at line 1 ++[files] returns ok [sql] User 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x86406e6686e17cf5f398cb77ce20781c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02a10058120a0000070500005004b19c6e3aacce33e95d1f3c10c481100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 Message-Authenticator = 0xc9bbe2c285ff35377724d62bb118966b EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x00005004b19c6e3aacce33e95d1f3c10c481 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x3135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 [eap] Underlying EAP-Type set EAP ID to 162 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.2.1 port 2048 EAP-Message = 0x01a20050120b0000010d0000326258e6f77c40f3866db25dea60ae4dfd9989bd90ad4a03962e6c08c000c14b26cc8db02c9848c7bbcc2790e3f0913b0b050000dec6228540e79bb78b2b1a497cba928e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x86406e6687e27cf5f398cb77ce20781c Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=205 Cleaning up request 1 ID 1 with timestamp +25 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x86406e6687e27cf5f398cb77ce20781c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02a2001c120b00000b050000f2d858a5a86f03c2be282e6cde78c7e1 Message-Authenticator = 0x2ca89c665a9f9e46895e8098aac382ee # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] returns noop rlm_sim_files: authorized user/imsi 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 162 length 28 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org at line 1 ++[files] returns ok [sql] User 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim MAC check succeed [eap] Underlying EAP-Type set EAP ID to 163 [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 1 to 192.168.2.1 port 2048 MS-MPPE-Recv-Key = 0x1493962f20dce781f0e363ecdac45c203fe566abf333ec6e3d6f11398159f97b MS-MPPE-Send-Key = 0x976c0332286aac5b7fabc037a7ef34de9f7879861e3412582892bc0f9f06a0f0 EAP-Message = 0x03a30004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org " Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 1 with timestamp +26 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2, length=215 User-Name = "1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "001adc019b98" NAS-Identifier = "48f8b315461a" NAS-Port = 2 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000038013135313030383033323536353635303140776c616e2e6d6e633030382e6d63633531302e336770706e6574776f726b2e6f7267 Message-Authenticator = 0x1e6d83334fd94f359c5fda46d916ce7e # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "wlan.mnc008.mcc510.3gppnetwork.org" for User-Name = "1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc008.mcc510.3gppnetwork.org" ++[suffix] returns noop rlm_sim_files: authorized user/imsi 1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim can not initiate sim, no RAND1 attribute [eap] Default EAP type sim failed in initiate [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 2 to 192.168.2.1 port 2048 EAP-Message = 0x04000004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 3 ID 2 with timestamp +135 Ready to process requests. thank you very much for your help,time and your advice best regards On Thu, Jun 20, 2013 at 4:49 PM, Iliya Peregoudov <iperegudov@cboss.ru>wrote:
On 20.06.2013 13:38, raptor raptor wrote:
Sending Access-Accept of id 0 to 192.168.2.1 port 2048 MS-MPPE-Recv-Key = 0x9d0b6b0a9151822473399a9fed44** e8f0d74df083532a7d437e436f6086**6252d8 MS-MPPE-Send-Key = 0xebf07da25ca3cd97267d1fc6a1ce** 18d68ad2737902f610284bdb45c6ee**d0cb7f EAP-Message = 0x03760004 Message-Authenticator = 0x0000000000000000000000000000**0000 User-Name = "1510019760806391@wlan.mnc001.**mcc510.3gppnetwork.org<1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org> " Finished request 2.
I cannot see authentication failure in this debug log.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
On 20.06.2013 17:56, raptor raptor wrote:
my users format
1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D, EAP-Sim-SRES1 = 0x DD287535, EAP-Sim-KC1 = 0x 7F743521EBabb000, EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B, EAP-Sim-SRES2 = 0x BFf89ad2, EAP-Sim-KC2 = 0x 1C7098005Fea8c00, EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B, EAP-Sim-SRES3 = 0x 17172cc6, EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,
Syntax error here. There should be no comma at the end of stanza. Due to comma next non-blank line is also considered to be part of this stanza. So next stanza (1510080325656501) will not be parsed correctly.
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2, length=215 User-Name = "1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org" NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "001adc019b98" NAS-Identifier = "48f8b315461a" NAS-Port = 2 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000038013135313030383033323536353635303140776c616e2e6d6e633030382e6d63633531302e336770706e6574776f726b2e6f7267 Message-Authenticator = 0x1e6d83334fd94f359c5fda46d916ce7e
[skipped]
++[files] returns noop
rlm_files was unable to find stanza for 1510080325656501 due to before mentioned syntax error.
[eap] processing type sim can not initiate sim, no RAND1 attribute
EAP-Sim-Rand1 attribute is not found in reply list. I don't know why. rlm_sim_files earlier said that it successfully found auth vectors. Definitely rlm_sim_files not working as expected. Try to fix syntax error in users file.
Hi, thanx for your reply i also tried using patch in http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/... but unfortunately, when i already connect with one device successfully, i try another device the result another device is rejected by server any idea? thanx for your time and your answer best regard On Fri, Jun 21, 2013 at 6:31 PM, Iliya Peregoudov <iperegudov@cboss.ru>wrote:
On 20.06.2013 17:56, raptor raptor wrote:
my users format
1510019760806391@wlan.mnc001.**mcc510.3gppnetwork.org<1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org>EAP-Type := SIM EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE**4D, EAP-Sim-SRES1 = 0x DD287535, EAP-Sim-KC1 = 0x 7F743521EBabb000, EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C1**4B, EAP-Sim-SRES2 = 0x BFf89ad2, EAP-Sim-KC2 = 0x 1C7098005Fea8c00, EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F091**3B, EAP-Sim-SRES3 = 0x 17172cc6, EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,
Syntax error here. There should be no comma at the end of stanza. Due to comma next non-blank line is also considered to be part of this stanza. So next stanza (1510080325656501) will not be parsed correctly.
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2,
length=215 User-Name = "1510080325656501@wlan.mnc008.**mcc510.3gppnetwork.org<1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org> " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "001adc019b98" NAS-Identifier = "48f8b315461a" NAS-Port = 2 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200003801313531303038303332** 3536353635303140776c616e2e6d6e**633030382e6d63633531302e336770** 706e6574776f726b2e6f7267 Message-Authenticator = 0x1e6d83334fd94f359c5fda46d916**ce7e
[skipped]
++[files] returns noop
rlm_files was unable to find stanza for 1510080325656501 due to before mentioned syntax error.
[eap] processing type sim
can not initiate sim, no RAND1 attribute
EAP-Sim-Rand1 attribute is not found in reply list. I don't know why. rlm_sim_files earlier said that it successfully found auth vectors. Definitely rlm_sim_files not working as expected.
Try to fix syntax error in users file.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Hi IIiya, thanx for your answer i tried to fix syntax error in in users file and also i tried using patch in http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/... but unfortunately, the result is same, my first device can connect to internet and the second device can't connect if my first device is already connect thanx for your time and your answer best regards On Fri, Jun 21, 2013 at 6:31 PM, Iliya Peregoudov <iperegudov@cboss.ru>wrote:
On 20.06.2013 17:56, raptor raptor wrote:
my users format
1510019760806391@wlan.mnc001.**mcc510.3gppnetwork.org<1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org>EAP-Type := SIM EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE**4D, EAP-Sim-SRES1 = 0x DD287535, EAP-Sim-KC1 = 0x 7F743521EBabb000, EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C1**4B, EAP-Sim-SRES2 = 0x BFf89ad2, EAP-Sim-KC2 = 0x 1C7098005Fea8c00, EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F091**3B, EAP-Sim-SRES3 = 0x 17172cc6, EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,
Syntax error here. There should be no comma at the end of stanza. Due to comma next non-blank line is also considered to be part of this stanza. So next stanza (1510080325656501) will not be parsed correctly.
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2,
length=215 User-Name = "1510080325656501@wlan.mnc008.**mcc510.3gppnetwork.org<1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org> " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "001adc019b98" NAS-Identifier = "48f8b315461a" NAS-Port = 2 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200003801313531303038303332** 3536353635303140776c616e2e6d6e**633030382e6d63633531302e336770** 706e6574776f726b2e6f7267 Message-Authenticator = 0x1e6d83334fd94f359c5fda46d916**ce7e
[skipped]
++[files] returns noop
rlm_files was unable to find stanza for 1510080325656501 due to before mentioned syntax error.
[eap] processing type sim
can not initiate sim, no RAND1 attribute
EAP-Sim-Rand1 attribute is not found in reply list. I don't know why. rlm_sim_files earlier said that it successfully found auth vectors. Definitely rlm_sim_files not working as expected.
Try to fix syntax error in users file.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Hi Iliya, I'm been trying my self EAP-SIM auth for a while, with nothing but odd results. I'm using FreeRADIUS Version 3.0.0 (git #25b6fdd), in wich the support for sim_files module have been dropped. I tryied setting the vectors vía the users file for my IMSI but its not working, I was just about to start a fresh thread for this, but since it seem that raptor and I are struggling with the same situation I'm popping in here.
Equivalent users entry should look like:
1510019760806391 EAP-Type:=SIM EAP-Sim-Rand1:=0xAAC0FAFDC47D4524AC9E2A3D51BDBA39, EAP-Sim-SRES1:=0x2A71bac3, EAP-Sim-KC1:=0x7868589a75fdc000, EAP-Sim-Rans2:=0xBF9A9F6EEB36422895D010927D76972C, EAP-Sim-SRES2:=0xF49dd880, EAP-Sim-KC2:=0x3Afbcf2fA9b0a000, EAP-Sim-Rand3:=0xC63837CFECD348deB119C35CFECD4898, EAP-Sim-SRES3:=0x49312999, EAP-Sim-KC3:=0xFD488938B6f2a000
The vectors are right, I extracted them directly from our VLR, here is the portion of my users file: <fragment users_file> 1714020096302050 Auth-Type :=EAP, EAP-Type :=SIM, EAP-Sim-Rand1 :=0x9FDDE3536228C010B2CD21081166DE48, EAP-Sim-SRES1 := 0xEF4ED51A, EAP-Sim-KC1 :=0x2F35C251A5CE3C00, EAP-Sim-Rand2 :=0xBA20E6E8BB359BD0843EBF34673D1541, EAP-Sim-SRES2 :=0xBDC5490D, EAP-Sim-KC2 :=0x8FE8D4E09E5BFC00, EAP-Sim-Rand3 :=0xB4C3D755C3C359E3EF6E928641CA59F1, EAP-Sim-SRES3 :=0x404A3DAA, EAP-Sim-KC3 :=0x83EF559E1B33A000 </fragment users_file> In my proxy.conf I added this entry for stripping the domain/realm from the username. <fragment proxy.conf_file> realm wlan.mnc002.mcc714.3gppnetwork.org { } </fragment proxy.conf_file> in the eap file i added this entry <fragment eap_file> sim { } </fragment eap_file> from the logs i got this: <fragment logs_output> Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Looking up realm "wlan.mnc002.mcc714.3gppnetwork.org" for User-Name = "1714020096302050@wlan.mnc002.mcc714.3gppnetwork.org" Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Found realm "wlan.mnc002.mcc714.3gppnetwork.org" Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Adding Stripped-User-Name = "1714020096302050" Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Adding Realm = "wlan.mnc002.mcc714.3gppnetwork.org" Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Authentication realm is LOCAL. Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from suffix (rlm_realm) for request 1 Tue Jun 11 09:09:01 2013 : Debug: (1) [suffix] = ok Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: calling eap (rlm_eap) for request 1 Tue Jun 11 09:09:01 2013 : Debug: (1) eap : EAP packet type response id 1 length 6 Tue Jun 11 09:09:01 2013 : Debug: (1) eap : No EAP Start, assuming it's an on-going EAP conversation Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from eap (rlm_eap) for request 1 Tue Jun 11 09:09:01 2013 : Debug: (1) [eap] = updated Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: calling files (rlm_files) for request 1 Tue Jun 11 09:09:01 2013 : Debug: (1) files : users: Matched entry 1714020096302050 at line 208 Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from files (rlm_files) for request 1 Tue Jun 11 09:09:01 2013 : Debug: (1) [files] = ok Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: calling expiration (rlm_expiration) for request 1 Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from expiration (rlm_expiration) for request 1 Tue Jun 11 09:09:01 2013 : Debug: (1) [expiration] = noop Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: calling logintime (rlm_logintime) for request 1 Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from logintime (rlm_logintime) for request 1 Tue Jun 11 09:09:01 2013 : Debug: (1) [logintime] = noop Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: calling pap (rlm_pap) for request 1 Tue Jun 11 09:09:01 2013 : WARNING: (1) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type. Tue Jun 11 09:09:01 2013 : WARNING: (1) WARNING: pap : Authentication will fail unless a "known good" password is available. Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from pap (rlm_pap) for request 1 Tue Jun 11 09:09:01 2013 : Debug: (1) [pap] = noop Tue Jun 11 09:09:01 2013 : Debug: (1) Found Auth-Type = EAP Tue Jun 11 09:09:01 2013 : Debug: (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default Tue Jun 11 09:09:01 2013 : Debug: (1) group authenticate { Tue Jun 11 09:09:01 2013 : Debug: (1) - entering group authenticate {...} Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authenticate]: calling eap (rlm_eap) for request 1 Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Expiring EAP session with state 0xf386ee4bf387ea0a Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Finished EAP session with state 0xf386ee4bf387ea0a Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Previous EAP request found for state 0xf386ee4bf387ea0a, released from the list Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Peer sent NAK (3) Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Found mutually acceptable type SIM (18) Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Calling eap_sim to process EAP data Tue Jun 11 09:09:01 2013 : Debug: can not initiate sim, no RAND1 attribute Tue Jun 11 09:09:01 2013 : ERROR: (1) ERROR: eap : Failed starting EAP SIM (18) session. EAP sub-module failed Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Failed in EAP select Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authenticate]: returned from eap (rlm_eap) for request 1 Tue Jun 11 09:09:01 2013 : Debug: (1) [eap] = invalid Tue Jun 11 09:09:01 2013 : Debug: (1) Failed to authenticate the user. Tue Jun 11 09:09:01 2013 : Debug: (1) Using Post-Auth-Type Reject </fragment logs_output> The message says that there is no RAND1 attibute, but I have set it in the users file. I hope you could give me a hint of where the problem could be located. Best regards, --RM
After reading again the documentation, i got to this point: What's with the commas in the raddb/users file? Commas link lists of attributes together. The general format for a raddb/users file entry is: name Check-Item = Value, ..., Check-Item = Value Reply-Item = Value, . . . Reply-Item = Value Where the dots means repetition of attributes. * The first line contains check-items ONLY. * Commas go BETWEEN check-items. * The first line ends WITHOUT a comma. * The next number of lines are reply-items ONLY. * Commas go BETWEEN reply-items. * The last line of the reply-item list ends WITHOUT a comma. Check-items are used to match attributes in a request packet or to set server parameters. Reply-items are used to set attributes which are to go in the reply packet. So things like Simultaneous-Use go on the first line of a raddb/users file entry and Framed-IP-Address goes on any following line. I'm going to fix the user file and give it a try again. Regards, --RM
On 11.06.2013 22:21, Rodney Machado wrote:
After reading again the documentation, i got to this point: [skipped] I'm going to fix the user file and give it a try again.
rlm_eap_sim expects EAP-Sim-RAND1 (and friends) on reply list, not in control list. So correct users entry for EAP-SIM is: 1<IMSI> EAP-Type:=SIM EAP-Sim-RAND1:=0x..., ... EAP-Sim-KC3:=0x... EAP-Type control attribute is used to set initial EAP method. Initial EAP method selection performed by rlm_eap when Access-Request with EAP-Response/Identity handled. If there is no EAP-Type in control list default method is selected. Default outer EAP method is set in eap module configuration (eap { default_eap_type = ... }). Default inner EAP method is set in EAP-PEAP and EAP-TTLS method configuration (eap { peap { default_eap_type = ... }}).
On 30/05/13 08:22, EasyHorpak.com wrote:
On 30/05/2556 13:44, raptor raptor wrote:
[pap] WARNING! No "known good" password found for the user.Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
[pap] WARNING! No "known good" password found for the user.Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
It 's mean NAS send Auth type as EAP but this user set Auth type to pap.
No, it doesn't. This is normal output saying that PAP *wasn't* detected, but EAP *was*
participants (6)
-
Alan DeKok -
EasyHorpak.com -
Iliya Peregoudov -
Phil Mayers -
raptor raptor -
Rodney Machado