Hi, I am playing with EAP-SIM on 2.2.0, but I am facing an issue I cannot even understand :S Not because I don't want to, but the error messages are not talking much. I did compute SRES/Kc for my SIM, but after the third triplet, I just have: rlm_perl: Added pair EAP-Sim-Rand3 = 0xff626ed6104164234aabebecafecafe3 rlm_perl: Added pair EAP-Sim-Rand2 = 0x771634015641aabcd4e5a2a3ab521242 rlm_perl: Added pair EAP-Sim-SRES1 = 0xa0a116fe rlm_perl: Added pair EAP-Sim-SRES2 = 0xc891c365 rlm_perl: Added pair EAP-Sim-KC1 = 0x603c63ecd59340cb rlm_perl: Added pair EAP-Sim-Rand1 = 0xab521824610aca27814bbde2810347a1 rlm_perl: Added pair EAP-Sim-KC3 = 0xa62f0f3aca277041 rlm_perl: Added pair EAP-Sim-KC2 = 0xbdaf3f47b1fc2520 rlm_perl: Added pair EAP-Sim-SRES3 = 0x6daeb494 rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair EAP-Type = SIM ++[packetfence] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim [eap] Handler failed in EAP/sim [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. I am using sim_files to populate the attributes. Anyone can enlight me? By the way, the same config works on 2.1.12 (just tested it): rlm_perl: Added pair EAP-Sim-Rand3 = 0xff626ed6104164234aabebecafecafe3 rlm_perl: Added pair EAP-Sim-Rand2 = 0x771634015641aabcd4e5a2a3ab521242 rlm_perl: Added pair EAP-Sim-SRES1 = 0xa0a116fe rlm_perl: Added pair EAP-Sim-SRES2 = 0xc891c365 rlm_perl: Added pair EAP-Sim-KC1 = 0x603c63ecd59340cb rlm_perl: Added pair EAP-Sim-Rand1 = 0xab521824610aca27814bbde2810347a1 rlm_perl: Added pair EAP-Sim-KC3 = 0xa62f0f3aca277041 rlm_perl: Added pair EAP-Sim-KC2 = 0xbdaf3f47b1fc2520 rlm_perl: Added pair EAP-Sim-SRES3 = 0x6daeb494 rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair EAP-Type = SIM ++[packetfence] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim MAC check succeed [eap] Underlying EAP-Type set EAP ID to 27 [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group post-auth {...} ++[exec] returns noop ++[reply] returns noop } # server packetfence Sending Access-Accept of id 34 to 10.0.0.24 port 1051 Thanks! -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
On 09/11/2012 07:49 PM, Francois Gaudreault wrote:
Hi,
I am playing with EAP-SIM on 2.2.0, but I am facing an issue I cannot even understand :S Not because I don't want to, but the error messages are not talking much.
I did compute SRES/Kc for my SIM, but after the third triplet, I just have:
Don't trim the debug. Critical info is higher up - like the actual radius packet!
Hi, On 2012-09-11 4:05 PM, Phil Mayers wrote:
On 09/11/2012 07:49 PM, Francois Gaudreault wrote:
Hi,
I am playing with EAP-SIM on 2.2.0, but I am facing an issue I cannot even understand :S Not because I don't want to, but the error messages are not talking much.
I did compute SRES/Kc for my SIM, but after the third triplet, I just have:
Don't trim the debug. Critical info is higher up - like the actual radius packet! I always trim it the first time, I don't want to spam the planet in case the issue is simple :) Here is the entire debug (with my IMSI trimmed):
rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=15, length=298 User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" Calling-Station-Id = "5C-59-48-ED-C4-96" NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "50-A7-33-31-CF-B8" Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02000038013133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267 Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 Message-Authenticator = 0x8a5c5a80c992696a2eb8b097b865b86f server packetfence { # Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence +- entering group authorize {...} [suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" [suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org" ++[suffix] returns noop ++[preprocess] returns ok rlm_sim_files: authorized user/imsi IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96 rlm_perl: Added pair Message-Authenticator = 0x8a5c5a80c992696a2eb8b097b865b86f rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 rlm_perl: Added pair User-Name = IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8 rlm_perl: Added pair EAP-Message = 0x02000038013133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267 rlm_perl: Added pair Connect-Info = CONNECT 802.11g rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 10.0.0.24 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair EAP-Sim-Rand3 = 0xff626ed6104164234aabebecafecafe3 rlm_perl: Added pair EAP-Sim-Rand2 = 0x771634015641aabcd4e5a2a3ab521242 rlm_perl: Added pair EAP-Sim-SRES1 = 0xa0a116fe rlm_perl: Added pair EAP-Sim-SRES2 = 0xc891c365 rlm_perl: Added pair EAP-Sim-KC1 = 0x603c63ecd59340cb rlm_perl: Added pair EAP-Sim-Rand1 = 0xab521824610aca27814bbde2810347a1 rlm_perl: Added pair EAP-Sim-KC3 = 0xa62f0f3aca277041 rlm_perl: Added pair EAP-Sim-KC2 = 0xbdaf3f47b1fc2520 rlm_perl: Added pair EAP-Sim-SRES3 = 0x6daeb494 rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair EAP-Type = SIM ++[packetfence] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 246 ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 15 to 10.0.0.24 port 1051 EAP-Message = 0x01f60014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8c646e1d8c927cd94949c1e5aaf22aa6 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=16, length=348 User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" Calling-Station-Id = "5C-59-48-ED-C4-96" NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "50-A7-33-31-CF-B8" Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02f60058120a00000e0e00333133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500007ae3c3b294faa5fac85c9cdc58737c87 State = 0x8c646e1d8c927cd94949c1e5aaf22aa6 Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 Message-Authenticator = 0x88694e884a0ddf10baa7b004fb336f9a server packetfence { # Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence +- entering group authorize {...} [suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" [suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org" ++[suffix] returns noop ++[preprocess] returns ok rlm_sim_files: authorized user/imsi IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 246 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair State = 0x8c646e1d8c927cd94949c1e5aaf22aa6 rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96 rlm_perl: Added pair Message-Authenticator = 0x88694e884a0ddf10baa7b004fb336f9a rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 rlm_perl: Added pair User-Name = IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8 rlm_perl: Added pair EAP-Message = 0x02f60058120a00000e0e00333133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500007ae3c3b294faa5fac85c9cdc58737c87 rlm_perl: Added pair Connect-Info = CONNECT 802.11g rlm_perl: Added pair EAP-Type = SIM rlm_perl: Added pair NAS-IP-Address = 10.0.0.24 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair EAP-Sim-Rand3 = 0xff626ed6104164234aabebecafecafe3 rlm_perl: Added pair EAP-Sim-Rand2 = 0x771634015641aabcd4e5a2a3ab521242 rlm_perl: Added pair EAP-Sim-SRES1 = 0xa0a116fe rlm_perl: Added pair EAP-Sim-SRES2 = 0xc891c365 rlm_perl: Added pair EAP-Sim-KC1 = 0x603c63ecd59340cb rlm_perl: Added pair EAP-Sim-Rand1 = 0xab521824610aca27814bbde2810347a1 rlm_perl: Added pair EAP-Sim-KC3 = 0xa62f0f3aca277041 rlm_perl: Added pair EAP-Sim-KC2 = 0xbdaf3f47b1fc2520 rlm_perl: Added pair EAP-Sim-SRES3 = 0x6daeb494 rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair EAP-Type = SIM ++[packetfence] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User State = 0x8c646e1d8c927cd94949c1e5aaf22aa6 Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Calling-Station-Id = "5C-59-48-ED-C4-96" Message-Authenticator = 0x88694e884a0ddf10baa7b004fb336f9a Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" NAS-Identifier = "50-A7-33-31-CF-B8" EAP-Message = 0x02f60058120a00000e0e00333133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500007ae3c3b294faa5fac85c9cdc58737c87 Connect-Info = "CONNECT 802.11g" EAP-Type = SIM NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Framed-MTU = 1400 EAP-Sim-Subtype = Start EAP-Sim-IDENTITY = 0x00333133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f726700 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-NONCE_MT = 0x00007ae3c3b294faa5fac85c9cdc58737c87 [eap] Underlying EAP-Type set EAP ID to 247 ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 16 to 10.0.0.24 port 1051 EAP-Message = 0x01f70050120b0000010d0000ab521824610aca27814bbde2810347a1771634015641aabcd4e5a2a3ab521242ff626ed6104164234aabebecafecafe30b0500002df305602586daa58dd2298a30c3716f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8c646e1d8d937cd94949c1e5aaf22aa6 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=17, length=272 User-Name = "IMSI0@wlan.mnc720.mcc302.3gppnetwork.org" Calling-Station-Id = "5C-59-48-ED-C4-96" NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "50-A7-33-31-CF-B8" Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02f7000c120e000016010000 State = 0x8c646e1d8d937cd94949c1e5aaf22aa6 Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 Message-Authenticator = 0x047a99ca66948ebc4867a1fba43ac0ad server packetfence { # Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence +- entering group authorize {...} [suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" [suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org" ++[suffix] returns noop ++[preprocess] returns ok rlm_sim_files: authorized user/imsi IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 247 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair State = 0x8c646e1d8d937cd94949c1e5aaf22aa6 rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96 rlm_perl: Added pair Message-Authenticator = 0x047a99ca66948ebc4867a1fba43ac0ad rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 rlm_perl: Added pair User-Name = IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8 rlm_perl: Added pair EAP-Message = 0x02f7000c120e000016010000 rlm_perl: Added pair Connect-Info = CONNECT 802.11g rlm_perl: Added pair EAP-Type = SIM rlm_perl: Added pair NAS-IP-Address = 10.0.0.24 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair EAP-Sim-Rand3 = 0xff626ed6104164234aabebecafecafe3 rlm_perl: Added pair EAP-Sim-Rand2 = 0x771634015641aabcd4e5a2a3ab521242 rlm_perl: Added pair EAP-Sim-SRES1 = 0xa0a116fe rlm_perl: Added pair EAP-Sim-SRES2 = 0xc891c365 rlm_perl: Added pair EAP-Sim-KC1 = 0x603c63ecd59340cb rlm_perl: Added pair EAP-Sim-Rand1 = 0xab521824610aca27814bbde2810347a1 rlm_perl: Added pair EAP-Sim-KC3 = 0xa62f0f3aca277041 rlm_perl: Added pair EAP-Sim-KC2 = 0xbdaf3f47b1fc2520 rlm_perl: Added pair EAP-Sim-SRES3 = 0x6daeb494 rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair EAP-Type = SIM ++[packetfence] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim [eap] Handler failed in EAP/sim [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server packetfence Using Post-Auth-Type REJECT # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> IMSI@wlan.mnc720.mcc302.3gppnetwork.org attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 17 to 10.0.0.24 port 1051 EAP-Message = 0x04f70004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.9 seconds. -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Hi,
That's not nice. The module should return some kind of message.
If you say so :P
This looks like an issue for digging into the code.
Ok. Let me know if you need me to test anything, I will be glad to do so :) Thanks! -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
On 12 Sep 2012, at 13:12, Francois Gaudreault <fgaudreault@inverse.ca> wrote:
Hi,
That's not nice. The module should return some kind of message.
If you say so :P
This looks like an issue for digging into the code.
Ok. Let me know if you need me to test anything, I will be glad to do so :)
I believe that was a suggestion :) -Arran
On 11/09/12 21:28, Francois Gaudreault wrote:
User-Name = "IMSI0@wlan.mnc720.mcc302.3gppnetwork.org" Calling-Station-Id = "5C-59-48-ED-C4-96" NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "50-A7-33-31-CF-B8" Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02f7000c120e000016010000
This is your problem. This is an EAP-AKA/SIM "Client error" packet. 02 - eap response f7 - ID 000c - length 12 - EAP-SIM 0e - subtype 14 - client error 000016010000 - client error junk Certainly the rlm_eap_sim code is unhelpful - it is missing lots of logging by the looks of it - but the reason auth is failing is because the client is telling it to.
Hi,
User-Name = "IMSI0@wlan.mnc720.mcc302.3gppnetwork.org" Calling-Station-Id = "5C-59-48-ED-C4-96" NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "50-A7-33-31-CF-B8" Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02f7000c120e000016010000
This is your problem. This is an EAP-AKA/SIM "Client error" packet.
02 - eap response f7 - ID 000c - length 12 - EAP-SIM 0e - subtype 14 - client error 000016010000 - client error junk Hmmm interesting. But how can it be working on 2.1.12 with the exact same client and config? Maybe I can retry with 2.2.0 and see if I still get this error on multiple retries. I'll get back to you.
Thanks for looking into it. -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Hi again,
This is your problem. This is an EAP-AKA/SIM "Client error" packet.
02 - eap response f7 - ID 000c - length 12 - EAP-SIM 0e - subtype 14 - client error 000016010000 - client error junk Hmmm interesting. But how can it be working on 2.1.12 with the exact same client and config? Maybe I can retry with 2.2.0 and see if I still get this error on multiple retries. I'll get back to you. No go with 2.2.0, tried with multiple clients. I got you a trace from 2.1.12, maybe you can see the difference:
ad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=84, length=298 User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" Calling-Station-Id = "5C-59-48-ED-C4-96" NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "50-A7-33-31-CF-B8" Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02000038013133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267 Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 Message-Authenticator = 0xe41d2cabb012a327e68e0ef19e187cfa server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" [suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org" ++[suffix] returns noop ++[preprocess] returns ok rlm_sim_files: authorized user/imsi IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96 rlm_perl: Added pair Message-Authenticator = 0xe41d2cabb012a327e68e0ef19e187cfa rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 rlm_perl: Added pair User-Name = IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8 rlm_perl: Added pair EAP-Message = 0x02000038013133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267 rlm_perl: Added pair Connect-Info = CONNECT 802.11g rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 10.0.0.24 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651 rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81 rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392 rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1 rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505 rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231 rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409 rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1 rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair EAP-Type = SIM ++[packetfence] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 26 ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 84 to 10.0.0.24 port 1051 EAP-Message = 0x011a0014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6594e662658ef44f2c778a0c39bde699 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=85, length=348 User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" Calling-Station-Id = "5C-59-48-ED-C4-96" NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "50-A7-33-31-CF-B8" Connect-Info = "CONNECT 802.11g" EAP-Message = 0x021a0058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f726700100100010705000005f0ed522fe4c61aaef4c1488151e370 State = 0x6594e662658ef44f2c778a0c39bde699 Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 Message-Authenticator = 0x7f5a27e0a1425fa5cd18f46bb0f5b1ef server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" [suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org" ++[suffix] returns noop ++[preprocess] returns ok rlm_sim_files: authorized user/imsi IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 26 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair State = 0x6594e662658ef44f2c778a0c39bde699 rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96 rlm_perl: Added pair Message-Authenticator = 0x7f5a27e0a1425fa5cd18f46bb0f5b1ef rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 rlm_perl: Added pair User-Name = IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8 rlm_perl: Added pair EAP-Message = 0x021a0058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f726700100100010705000005f0ed522fe4c61aaef4c1488151e370 rlm_perl: Added pair Connect-Info = CONNECT 802.11g rlm_perl: Added pair EAP-Type = SIM rlm_perl: Added pair NAS-IP-Address = 10.0.0.24 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651 rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81 rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392 rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1 rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505 rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231 rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409 rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1 rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair EAP-Type = SIM ++[packetfence] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User State = 0x6594e662658ef44f2c778a0c39bde699 Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Calling-Station-Id = "5C-59-48-ED-C4-96" Message-Authenticator = 0x7f5a27e0a1425fa5cd18f46bb0f5b1ef Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" NAS-Identifier = "50-A7-33-31-CF-B8" EAP-Message = 0x021a0058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f726700100100010705000005f0ed522fe4c61aaef4c1488151e370 Connect-Info = "CONNECT 802.11g" EAP-Type = SIM NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Framed-MTU = 1400 EAP-Sim-Subtype = Start EAP-Sim-IDENTITY = 0x00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f726700 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-NONCE_MT = 0x000005f0ed522fe4c61aaef4c1488151e370 [eap] Underlying EAP-Type set EAP ID to 27 ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 85 to 10.0.0.24 port 1051 EAP-Message = 0x011b0050120b0000010d0000512317ac521bade521831aa3a3a5123112314312514145bbdede1d3a5d7d8d81658719018376aab4d2a5ccde7a21b6510b050000cbf0403a4e9eb5001804115677697857 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6594e662648ff44f2c778a0c39bde699 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=86, length=288 User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" Calling-Station-Id = "5C-59-48-ED-C4-96" NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "50-A7-33-31-CF-B8" Connect-Info = "CONNECT 802.11g" EAP-Message = 0x021b001c120b00000b0500005ce51fee12ba6c52690ac927bc4451a2 State = 0x6594e662648ff44f2c778a0c39bde699 Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 Message-Authenticator = 0x973d4bff61816c94815b6990fbfe99c4 server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" [suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org" ++[suffix] returns noop ++[preprocess] returns ok rlm_sim_files: authorized user/imsi IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 27 length 28 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair State = 0x6594e662648ff44f2c778a0c39bde699 rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96 rlm_perl: Added pair Message-Authenticator = 0x973d4bff61816c94815b6990fbfe99c4 rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 rlm_perl: Added pair User-Name = IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8 rlm_perl: Added pair EAP-Message = 0x021b001c120b00000b0500005ce51fee12ba6c52690ac927bc4451a2 rlm_perl: Added pair Connect-Info = CONNECT 802.11g rlm_perl: Added pair EAP-Type = SIM rlm_perl: Added pair NAS-IP-Address = 10.0.0.24 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651 rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81 rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392 rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1 rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505 rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231 rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409 rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1 rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair EAP-Type = SIM ++[packetfence] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim MAC check succeed [eap] Underlying EAP-Type set EAP ID to 28 [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group post-auth {...} ++[exec] returns noop rlm_perl: Returning vlan 10 to request from 5c:59:48:ed:c4:96 port 1 rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK) rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus rlm_perl: Added pair State = 0x6594e662648ff44f2c778a0c39bde699 rlm_perl: Added pair Message-Authenticator = 0x973d4bff61816c94815b6990fbfe99c4 rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 rlm_perl: Added pair Connect-Info = CONNECT 802.11g rlm_perl: Added pair NAS-IP-Address = 10.0.0.24 rlm_perl: Added pair EAP-Type = SIM rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96 rlm_perl: Added pair User-Name = IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_perl: Added pair EAP-Sim-Subtype = Challenge rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8 rlm_perl: Added pair EAP-Message = 0x021b001c120b00000b0500005ce51fee12ba6c52690ac927bc4451a2 rlm_perl: Added pair EAP-Sim-MAC = 0x00005ce51fee12ba6c52690ac927bc4451a2 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651 rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392 rlm_perl: Added pair EAP-Id = 28 rlm_perl: Added pair MS-MPPE-Send-Key = 0xa7b5d6ea41e522f2d8a5b46febddca821c76e01de9c401fc1d469fa02a499429 rlm_perl: Added pair Tunnel-Type = 13 rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505 rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231 rlm_perl: Added pair Message-Authenticator = 0x00000000000000000000000000000000 rlm_perl: Added pair Tunnel-Private-Group-ID = 10 rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409 rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81 rlm_perl: Added pair Tunnel-Medium-Type = 6 rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1 rlm_perl: Added pair User-Name = IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_perl: Added pair MS-MPPE-Recv-Key = 0x6d540f94b0b70378232cb2d9e5fd90e4c6e11e57902b61d5642bc83de1b6dbfa rlm_perl: Added pair EAP-Message = 0x031c0004 rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1 rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair EAP-Type = SIM ++[packetfence] returns ok } # server packetfence Sending Access-Accept of id 86 to 10.0.0.24 port 1051 MS-MPPE-Send-Key = 0xa7b5d6ea41e522f2d8a5b46febddca821c76e01de9c401fc1d469fa02a499429 Tunnel-Type:0 = VLAN Message-Authenticator = 0x00000000000000000000000000000000 Tunnel-Private-Group-Id:0 = "10" Tunnel-Medium-Type:0 = IEEE-802 User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" MS-MPPE-Recv-Key = 0x6d540f94b0b70378232cb2d9e5fd90e4c6e11e57902b61d5642bc83de1b6dbfa EAP-Message = 0x031c0004 Finished request 2. Thanks! -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
On 12/09/12 14:32, Francois Gaudreault wrote:
Hi again,
This is your problem. This is an EAP-AKA/SIM "Client error" packet.
02 - eap response f7 - ID 000c - length 12 - EAP-SIM 0e - subtype 14 - client error 000016010000 - client error junk Hmmm interesting. But how can it be working on 2.1.12 with the exact same client and config? Maybe I can retry with 2.2.0 and see if I still get this error on multiple retries. I'll get back to you. No go with 2.2.0, tried with multiple clients. I got you a trace from 2.1.12, maybe you can see the difference:
The difference is obvious - in this trace, the client doesn't return an error. You're also testing with a different IMSI - despite you having "hidden" the IMSI, it's there in the hex: working: '\x0031302720305934953@wlan.mnc720.mcc302.3gppnetwork.org\x00' failing: '\x0031302720404413890@wlan.mnc720.mcc302.3gppnetwork.org\x00' If you're going to test and compare, test with the same equipment. My wild guess is you have a problem with SIM secret storage, maybe filesystem permissions or similar.
On 12/09/12 14:14, Francois Gaudreault wrote:
Hmmm interesting. But how can it be working on 2.1.12 with the exact same client and config? Maybe I can retry with 2.2.0 and see if I still get this error on multiple retries. I'll get back to you.
No idea; I'm not familiar with EAP-SIM. But the EAP-Message seemed obviously too short for that stage of a challenge/response auth, so I glanced at the RFC for the encoding. Maybe you've got a permissions problem on whatever datastore the SIM secrets are in?
Hi,
No idea; I'm not familiar with EAP-SIM. But the EAP-Message seemed obviously too short for that stage of a challenge/response auth, so I glanced at the RFC for the encoding.
Maybe you've got a permissions problem on whatever datastore the SIM secrets are in? Nope, I even tried with 777 just in case, but it was 644 which should be enough.
Here is the trace with the same client as 2.1.12, but on 2.2.0. The last trace we had was indeed with another SIM. rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=105, length=298 User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" Calling-Station-Id = "5C-59-48-ED-C4-96" NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "50-A7-33-31-CF-B8" Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02000038013133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267 Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 Message-Authenticator = 0x3254b54e86799aa4dbfd92f4eac2bbab server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" [suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org" ++[suffix] returns noop ++[preprocess] returns ok rlm_sim_files: authorized user/imsi IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96 rlm_perl: Added pair Message-Authenticator = 0x3254b54e86799aa4dbfd92f4eac2bbab rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 rlm_perl: Added pair User-Name = IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8 rlm_perl: Added pair EAP-Message = 0x02000038013133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267 rlm_perl: Added pair Connect-Info = CONNECT 802.11g rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 10.0.0.24 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651 rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81 rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392 rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1 rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505 rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231 rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409 rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1 rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair EAP-Type = SIM ++[packetfence] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 216 ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 105 to 10.0.0.24 port 1051 EAP-Message = 0x01d80014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x031a0cc303c21e1dddf19e8563de7dbd Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=106, length=348 User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" Calling-Station-Id = "5C-59-48-ED-C4-96" NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "50-A7-33-31-CF-B8" Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02d80058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500008e1f8f320c33aee4baf5b36f1a9a5ef6 State = 0x031a0cc303c21e1dddf19e8563de7dbd Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 Message-Authenticator = 0xa6f31db6bfe9f1ae785521d4d8a9b63b server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" [suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org" ++[suffix] returns noop ++[preprocess] returns ok rlm_sim_files: authorized user/imsi IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 216 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair State = 0x031a0cc303c21e1dddf19e8563de7dbd rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96 rlm_perl: Added pair Message-Authenticator = 0xa6f31db6bfe9f1ae785521d4d8a9b63b rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 rlm_perl: Added pair User-Name = IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8 rlm_perl: Added pair EAP-Message = 0x02d80058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500008e1f8f320c33aee4baf5b36f1a9a5ef6 rlm_perl: Added pair Connect-Info = CONNECT 802.11g rlm_perl: Added pair EAP-Type = SIM rlm_perl: Added pair NAS-IP-Address = 10.0.0.24 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651 rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81 rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392 rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1 rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505 rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231 rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409 rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1 rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair EAP-Type = SIM ++[packetfence] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User State = 0x031a0cc303c21e1dddf19e8563de7dbd Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Calling-Station-Id = "5C-59-48-ED-C4-96" Message-Authenticator = 0xa6f31db6bfe9f1ae785521d4d8a9b63b Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" NAS-Identifier = "50-A7-33-31-CF-B8" EAP-Message = 0x02d80058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500008e1f8f320c33aee4baf5b36f1a9a5ef6 Connect-Info = "CONNECT 802.11g" EAP-Type = SIM NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Framed-MTU = 1400 EAP-Sim-Subtype = Start EAP-Sim-IDENTITY = 0x00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f726700 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-NONCE_MT = 0x00008e1f8f320c33aee4baf5b36f1a9a5ef6 [eap] Underlying EAP-Type set EAP ID to 217 ++[eap] returns handled } # server packetfence Sending Access-Challenge of id 106 to 10.0.0.24 port 1051 EAP-Message = 0x01d90050120b0000010d0000512317ac521bade521831aa3a3a5123112314312514145bbdede1d3a5d7d8d81658719018376aab4d2a5ccde7a21b6510b050000a95a21b1166856cd87afaafbc3e27593 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x031a0cc302c31e1dddf19e8563de7dbd Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=107, length=272 User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" Calling-Station-Id = "5C-59-48-ED-C4-96" NAS-IP-Address = 10.0.0.24 NAS-Port = 1 Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "50-A7-33-31-CF-B8" Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02d9000c120e000016010000 State = 0x031a0cc302c31e1dddf19e8563de7dbd Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 Message-Authenticator = 0x9d4a9f0d542a77b968ea642f201db204 server packetfence { # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authorize {...} [suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "IMSI@wlan.mnc720.mcc302.3gppnetwork.org" [suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org" ++[suffix] returns noop ++[preprocess] returns ok rlm_sim_files: authorized user/imsi IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 217 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair State = 0x031a0cc302c31e1dddf19e8563de7dbd rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96 rlm_perl: Added pair Message-Authenticator = 0x9d4a9f0d542a77b968ea642f201db204 rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573 rlm_perl: Added pair User-Name = IMSI@wlan.mnc720.mcc302.3gppnetwork.org rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8 rlm_perl: Added pair EAP-Message = 0x02d9000c120e000016010000 rlm_perl: Added pair Connect-Info = CONNECT 802.11g rlm_perl: Added pair EAP-Type = SIM rlm_perl: Added pair NAS-IP-Address = 10.0.0.24 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651 rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81 rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392 rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1 rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505 rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231 rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409 rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1 rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair EAP-Type = SIM ++[packetfence] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim [eap] Handler failed in EAP/sim [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server packetfence Using Post-Auth-Type REJECT # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> IMSI@wlan.mnc720.mcc302.3gppnetwork.org attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 107 to 10.0.0.24 port 1051 EAP-Message = 0x04d90004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.4 seconds. Thanks! -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Francois Gaudreault wrote:
Here is the trace with the same client as 2.1.12, but on 2.2.0. The last trace we had was indeed with another SIM.
There's only one change to the EAP-SIM code between 2.1.12 and 2.2.0. I'm a bit surprised that it would do anything. At this point, a "git bisect" would seem to be the best option. Alan DeKok.
Hi,
There's only one change to the EAP-SIM code between 2.1.12 and 2.2.0. I'm a bit surprised that it would do anything.
At this point, a "git bisect" would seem to be the best option.
Ok so I did bisect, and this commit appears to be the problematic one: 177dbabdcef84353768551c0a39d29c566538c06 is the first bad commit commit 177dbabdcef84353768551c0a39d29c566538c06 Author: Alan T. DeKok <aland@freeradius.org> Date: Tue Feb 21 08:57:49 2012 +0100 Try to use identity from SIM protocol, not EAP-Identity :040000 040000 9b1e92f731328f51c3e8faa637730ef396fe15b1 db33121f3c7923c35b8ad3d0c0a7cd3e7eb01a19 M src Hope it helps :) -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Francois Gaudreault wrote:
Ok so I did bisect, and this commit appears to be the problematic one:
177dbabdcef84353768551c0a39d29c566538c06 is the first bad commit commit 177dbabdcef84353768551c0a39d29c566538c06 Author: Alan T. DeKok <aland@freeradius.org> Date: Tue Feb 21 08:57:49 2012 +0100
Try to use identity from SIM protocol, not EAP-Identity
Well, the SIM identity doesn't agree with the EAP-Identity. The patch went in because Microsoft ran into inter-operability issues. The SIM identity can change during the protocol exchange. The old way of always using the EAP-Identity was wrong. I'm not sure what to suggest here. You can delete the patch in your private branch. But that means you'll run into other inter-operability issues later. You should probably do a bit more digging to see exactly *what* is going on in the failing case. Knowing that will help come up with a decent solution. Alan DeKok.
On 13/09/12 11:51, Alan DeKok wrote:
Francois Gaudreault wrote:
Ok so I did bisect, and this commit appears to be the problematic one:
177dbabdcef84353768551c0a39d29c566538c06 is the first bad commit commit 177dbabdcef84353768551c0a39d29c566538c06 Author: Alan T. DeKok <aland@freeradius.org> Date: Tue Feb 21 08:57:49 2012 +0100
Try to use identity from SIM protocol, not EAP-Identity
Well, the SIM identity doesn't agree with the EAP-Identity.
The patch went in because Microsoft ran into inter-operability issues. The SIM identity can change during the protocol exchange. The old way of always using the EAP-Identity was wrong.
Might also be helpful to know what the supplicant is here, too?
Hi,
Ok so I did bisect, and this commit appears to be the problematic one:
177dbabdcef84353768551c0a39d29c566538c06 is the first bad commit commit 177dbabdcef84353768551c0a39d29c566538c06 Author: Alan T. DeKok <aland@freeradius.org> Date: Tue Feb 21 08:57:49 2012 +0100
Try to use identity from SIM protocol, not EAP-Identity
Well, the SIM identity doesn't agree with the EAP-Identity.
The patch went in because Microsoft ran into inter-operability issues. The SIM identity can change during the protocol exchange. The old way of always using the EAP-Identity was wrong. I am not too familiar with that, so it's hard to comment. I can ask the MS EAP team if they want to share more. I guess they tested it working with their own stuff, but never re-tested with other device type. I believe it's another 3GPP/RFC understanding kind of thing.
Might also be helpful to know what the supplicant is here, too?
I tested with an iPhone 3GS device running 5.0.1. I still need some bytes to make it work and test with our Android (get the SRES/Kc from the Micro-SIM). I don't know if others on the list made it work with that patch on. -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Francois Gaudreault wrote:
I am not too familiar with that, so it's hard to comment. I can ask the MS EAP team if they want to share more. I guess they tested it working with their own stuff, but never re-tested with other device type. I believe it's another 3GPP/RFC understanding kind of thing.
Probably.
I tested with an iPhone 3GS device running 5.0.1. I still need some bytes to make it work and test with our Android (get the SRES/Kc from the Micro-SIM).
I don't know if others on the list made it work with that patch on.
I think few people are using EAP-SIM. Alan DeKok.
I am not too familiar with that, so it's hard to comment. I can ask the MS EAP team if they want to share more. I guess they tested it working with their own stuff, but never re-tested with other device type. I believe it's another 3GPP/RFC understanding kind of thing.
Probably. I just got back an answer from them. The reason of the patch was because when the supplicant was doing EAP negotiation between AKA-PRIME, AKA, and SIM, for some reason the server was using the wrong Identity. I asked them if they tested a "forced EAP-SIM" situation with their supplicant. We'll see I guess :P
I tested with an iPhone 3GS device running 5.0.1. I still need some bytes to make it work and test with our Android (get the SRES/Kc from the Micro-SIM).
I don't know if others on the list made it work with that patch on.
I think few people are using EAP-SIM.
Well you are probably right, but when providers will start pushing 3G/4G offload for real (if they ever do), there are not many ways of doing it... I think :P The reason of those tests on our side is to support WISPr and/or NewGen hotspots with our product. Thanks! -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
On 13/09/12 15:52, Francois Gaudreault wrote:
Well you are probably right, but when providers will start pushing 3G/4G offload for real (if they ever do), there are not many ways of doing it... I think :P The reason of those tests on our side is to support WISPr and/or NewGen hotspots with our product.
That's a big "if", IMO. EAP-SIM would in theory be quite nice for a number of reasons right now, even without offload. It's a built-in, secure credential. Unfortunately, as our off-list emails suggests, you can't get easy access to SIM secrets in the general case (for obvious reasons). So unless someone (i.e. the mobile phone providers) starts running a radius server you can proxy *.3gppnetwork.org to, I can't see EAP-SIM being part of the solution. Far more likely is manufacturer-installed X.509 certs and EAP-TLS or a variant, or even EAP-TEAP with PAC or cert provisioning.
Well you are probably right, but when providers will start pushing 3G/4G offload for real (if they ever do), there are not many ways of doing it... I think :P The reason of those tests on our side is to support WISPr and/or NewGen hotspots with our product.
That's a big "if", IMO.
EAP-SIM would in theory be quite nice for a number of reasons right now, even without offload. It's a built-in, secure credential. Yup indeed!
Unfortunately, as our off-list emails suggests, you can't get easy access to SIM secrets in the general case (for obvious reasons). So unless someone (i.e. the mobile phone providers) starts running a radius server you can proxy *.3gppnetwork.org to, I can't see EAP-SIM being part of the solution.
Well the way it should work is that RADIUS needs to proxy to a 3GPP compliant AAA server or proxy to an ITP (MAP proxy) to speak to the HLR using SS7 so the RAND comes from the HLR/AuC, and SRES/Kc is sent back to the HLR to perform the authorization check :) The only way to test it without having that kind of infra is to pre-compute stuff to simulate the HLR calculations (offlist message). Thanks! -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
I have manually parse EAP messages. EAP Identity and AT_IDENTITY are the same. EAP-Message from first Access-Request: 02 Code = 2 (EAP-Response) 00 Identifier = 0 00 38 Length = 56 01 Type = 1 (Identity) 31 33 30 32 37 32 30 34 30 34 34 Type-Data = 1302720404413890@wlan.mnc720.mcc302.3gppnetwork.org 31 33 38 39 30 40 77 6c 61 6e 2e 6d 6e 63 37 32 30 2e 6d 63 63 33 30 32 2e 33 67 70 70 6e 65 74 77 6f 72 6b 2e 6f 72 67 EAP-Message from second Access-Request: 02 Code = 2 (EAP-Response) f6 Identifier = 246 00 58 Length = 88 12 Type = 18 (EAP-SIM) 0a Subtype = 10 (SIM-Start) 00 00 Reserved 0e Attr Type = 14 (AT_IDENTITY) 0e Attr Length = 56 00 33 Identity Length = 51 31 33 30 32 Value = 1302720404413890@wlan.mnc720.mcc302.3gppnetwork.org 37 32 30 34 30 34 34 31 33 38 39 30 40 77 6c 61 6e 2e 6d 6e 63 37 32 30 2e 6d 63 63 33 30 32 2e 33 67 70 70 6e 65 74 77 6f 72 6b 2e 6f 72 67 00 10 Attr Type = 16 (AT_SELECTED_VERSION) 01 Attr Length = 4 00 01 Value = 1 07 Attr Type = 7 (AT_NONCE_MT) 05 Attr Length = 20 00 00 Reserved 7a e3 c3 b2 94 fa a5 fa Value = 16 random octets c8 5c 9c dc 58 73 7c 87 I see AT_IDENTITY is padded with single zero octet. Maybe rlm_eap_sim uses wrong length field, namely Attribute Length instead of Identity Length? Alan DeKok wrote:
Francois Gaudreault wrote:
Ok so I did bisect, and this commit appears to be the problematic one:
177dbabdcef84353768551c0a39d29c566538c06 is the first bad commit commit 177dbabdcef84353768551c0a39d29c566538c06 Author: Alan T. DeKok <aland@freeradius.org> Date: Tue Feb 21 08:57:49 2012 +0100
Try to use identity from SIM protocol, not EAP-Identity
Well, the SIM identity doesn't agree with the EAP-Identity.
The patch went in because Microsoft ran into inter-operability issues. The SIM identity can change during the protocol exchange. The old way of always using the EAP-Identity was wrong.
I'm not sure what to suggest here. You can delete the patch in your private branch. But that means you'll run into other inter-operability issues later.
You should probably do a bit more digging to see exactly *what* is going on in the failing case. Knowing that will help come up with a decent solution.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 12/09/12 16:00, Francois Gaudreault wrote:
Hi,
No idea; I'm not familiar with EAP-SIM. But the EAP-Message seemed obviously too short for that stage of a challenge/response auth, so I glanced at the RFC for the encoding.
Maybe you've got a permissions problem on whatever datastore the SIM secrets are in?
Nope, I even tried with 777 just in case, but it was 644 which should be enough.
Don't know then. The client is sending the reject - it doesn't like something the server is sending it. Clock sync - is the 2.2.0 machine a different server? Beyond that I'm only passing familiar with EAP-SIM, so would be guessing I'm afraid. I think you might have to do some debugging yourself.
Hi,
Don't know then. The client is sending the reject - it doesn't like something the server is sending it. Clock sync - is the 2.2.0 machine a different server?
Nope. Simple yum remove / install.
Beyond that I'm only passing familiar with EAP-SIM, so would be guessing I'm afraid. I think you might have to do some debugging yourself.
I am not familiar with bisect. So I guess it will take a while (build/test/tag as good or bad). By the way, I removed that * from the rlm_eap_sim.c (typo fix), and the auth did work, but then RADIUS segfault a bit after. Another question I have is, do I need more than 3 triplets line with 2.2.0? -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Hello Francois I have looked into rlm_eap_sim source and found that is incorrectly decode AT_IDENTITY attribute. This leads to incorrect AT_MAC attribute calculation. MAC mismatch detected by supplicant and it refuses to continue EAP-SIM authentication. Please try to apply patch I've attached. This patch fixes AT_IDENTITY attribute decoding. Francois Gaudreault wrote:
Hi,
Don't know then. The client is sending the reject - it doesn't like something the server is sending it. Clock sync - is the 2.2.0 machine a different server?
Nope. Simple yum remove / install.
Beyond that I'm only passing familiar with EAP-SIM, so would be guessing I'm afraid. I think you might have to do some debugging yourself.
I am not familiar with bisect. So I guess it will take a while (build/test/tag as good or bad).
By the way, I removed that * from the rlm_eap_sim.c (typo fix), and the auth did work, but then RADIUS segfault a bit after.
Another question I have is, do I need more than 3 triplets line with 2.2.0?
--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/libeap/eapsimlib.c 2012-09-10 15:51:34.000000000 +0400 +++ freeradius-server-2.2.0/src/modules/rlm_eap/libeap/eapsimlib.c 2012-09-14 11:10:08.000000000 +0400 @@ -321,6 +321,7 @@ int eapsim_attribute; unsigned int eapsim_len; int es_attribute_count; + unsigned int id_len; es_attribute_count=0; @@ -366,12 +367,35 @@ return 0; } + /* AT_IDENTITY has special format */ + if (eapsim_attribute == PW_EAP_SIM_IDENTITY) { + if (eapsim_len < 4) { + radlog(L_ERR, "eap: EAP-Sim AT_IDENTITY (no.%d) has length too small", + es_attribute_count); + goto loop_end; + } + id_len = (attr[2] << 8) + attr[3]; + if (4 + id_len > eapsim_len) { + radlog(L_ERR, "eap: EAP-Sim AT_IDENTITY (no.%d) invalid length", + es_attribute_count); + goto loop_end; + } + } + newvp = paircreate(eapsim_attribute+ATTRIBUTE_EAP_SIM_BASE, PW_TYPE_OCTETS); - memcpy(newvp->vp_strvalue, &attr[2], eapsim_len-2); - newvp->length = eapsim_len-2; + switch (eapsim_attribute) { + case PW_EAP_SIM_IDENTITY: + memcpy(newvp->vp_strvalue, &attr[4], id_len); + newvp->length = id_len; + break; + default: + memcpy(newvp->vp_strvalue, &attr[2], eapsim_len-2); + newvp->length = eapsim_len-2; + } pairadd(&(r->vps), newvp); newvp = NULL; + loop_end: /* advance pointers, decrement length */ attr += eapsim_len; attrlen -= eapsim_len;
Iliya Peregoudov wrote:
Hello Francois
I have looked into rlm_eap_sim source and found that is incorrectly decode AT_IDENTITY attribute. This leads to incorrect AT_MAC attribute calculation. MAC mismatch detected by supplicant and it refuses to continue EAP-SIM authentication.
Please try to apply patch I've attached. This patch fixes AT_IDENTITY attribute decoding.
Nice. If it works, I'll apply it. Alan DeKok.
Hi Iliya/Alan,
I have looked into rlm_eap_sim source and found that is incorrectly decode AT_IDENTITY attribute. This leads to incorrect AT_MAC attribute calculation. MAC mismatch detected by supplicant and it refuses to continue EAP-SIM authentication.
Please try to apply patch I've attached. This patch fixes AT_IDENTITY attribute decoding.
Nice. If it works, I'll apply it. I just tested the patch with our iDevices, and EAP-SIM now works again :) Looks like the patch did the trick. I also asked MS to retest using their supplicant since I cannot test that myself.
Thank you very much!! -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Francois Gaudreault -
Iliya Peregoudov -
Phil Mayers