Hello Everyone, I have setup freeradius in my lab environment to authenticate an Android cell phone using EAP-SIM and a SIM card. Performing a packet capture over the Wi-Fi, I was able to realize that the phone receive the EAP-SIM challenge request but doesn't reply with a EAP-SIM Challenge response. Instead, it replies with a EAP-SIM Client-Error (0). I can also see the RAND values in the EAP-SIM Challenge Request packet. I have used this script to generate the triplets (RAND, SRES and KC) using the Ki number of the SIM card: https://github.com/skelsec/COMP128/blob/master/COMP128.py I have provided, below, the output of the freeradius server when I try to connect. Do you have an idea of what could be wrong? Do you think it could be related to the triplets not being generated correctly? Thank you in advance! Here are the logs: (0) Received Access-Request Id 108 from 192.168.20.19:54927 to 192.168.20.17:1812 length 291 (0) User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (0) NAS-IP-Address = 192.168.20.19 (0) NAS-Port = 0 (0) NAS-Identifier = "192.168.20.19" (0) NAS-Port-Type = Wireless-802.11 (0) Calling-Station-Id = "c0eefb5acc11" (0) Called-Station-Id = "000b86ee0268" (0) Service-Type = Login-User (0) Framed-MTU = 1100 (0) EAP-Message = 0x02010038013139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267 (0) Aruba-Essid-Name = "Test EAP-SIM" (0) Aruba-Location-Id = "00:0b:86:ee:02:68" (0) Aruba-AP-Group = "instant-EE:02:68" (0) Message-Authenticator = 0x7c7de18dffeab059ae54da7999356d53 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (0) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 1 length 56 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 2 length 22 (0) eap: EAP session adding &reply:State = 0x1646e2171644e69d (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Sent Access-Challenge Id 108 from 192.168.20.17:1812 to 192.168.20.19:54927 length 0 (0) EAP-Message = 0x010200160410970ed9f6222d1151ea27852e700dfc83 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x1646e2171644e69d214aa497303ba7f5 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 109 from 192.168.20.19:54927 to 192.168.20.17:1812 length 259 (1) User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (1) NAS-IP-Address = 192.168.20.19 (1) NAS-Port = 0 (1) NAS-Identifier = "192.168.20.19" (1) NAS-Port-Type = Wireless-802.11 (1) Calling-Station-Id = "c0eefb5acc11" (1) Called-Station-Id = "000b86ee0268" (1) Service-Type = Login-User (1) Framed-MTU = 1100 (1) EAP-Message = 0x020200060312 (1) State = 0x1646e2171644e69d214aa497303ba7f5 (1) Aruba-Essid-Name = "Test EAP-SIM" (1) Aruba-Location-Id = "00:0b:86:ee:02:68" (1) Aruba-AP-Group = "instant-EE:02:68" (1) Message-Authenticator = 0x4b85a873255dd52687e055cdfde627c6 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (1) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 2 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org at line 96 (1) [files] = ok (1) if (User-Name =~ /^[0-9]+/) { (1) if (User-Name =~ /^[0-9]+/) -> TRUE (1) if (User-Name =~ /^[0-9]+/) { (1) update reply { (1) EXPAND %{control:EAP-Sim-Rand1} (1) --> 0x5e56fc4d1cb798dd53c4191e157472ac (1) &EAP-Sim-Rand1 := 0x5e56fc4d1cb798dd53c4191e157472ac (1) EXPAND %{control:EAP-Sim-Rand2} (1) --> 0x7711b7949ea67837276197a3bfc10561 (1) &EAP-Sim-Rand2 := 0x7711b7949ea67837276197a3bfc10561 (1) EXPAND %{control:EAP-Sim-Rand3} (1) --> 0xdb249cea25f603d22e193aa1ae792b20 (1) &EAP-Sim-Rand3 := 0xdb249cea25f603d22e193aa1ae792b20 (1) EXPAND %{control:EAP-Sim-SRES1} (1) --> 0x47c9aae3 (1) &EAP-Sim-SRES1 := 0x47c9aae3 (1) EXPAND %{control:EAP-Sim-SRES2} (1) --> 0x7112acb0 (1) &EAP-Sim-SRES2 := 0x7112acb0 (1) EXPAND %{control:EAP-Sim-SRES3} (1) --> 0x12d89ed9 (1) &EAP-Sim-SRES3 := 0x12d89ed9 (1) EXPAND %{control:EAP-Sim-KC1} (1) --> 0x44fb0ab88d208400 (1) &EAP-Sim-KC1 := 0x44fb0ab88d208400 (1) EXPAND %{control:EAP-Sim-KC2} (1) --> 0x9135bb2807184400 (1) &EAP-Sim-KC2 := 0x9135bb2807184400 (1) EXPAND %{control:EAP-Sim-KC3} (1) --> 0x783fa135bbb97000 (1) &EAP-Sim-KC3 := 0x783fa135bbb97000 (1) } # update reply = noop (1) } # if (User-Name =~ /^[0-9]+/) = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x1646e2171644e69d (1) eap: Finished EAP session with state 0x1646e2171644e69d (1) eap: Previous EAP request found for state 0x1646e2171644e69d, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type SIM (18) (1) eap: Calling submodule eap_sim to process data (1) eap: Sending EAP Request (code 1) ID 90 length 20 (1) eap: EAP session adding &reply:State = 0x1646e217171cf09d (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Sent Access-Challenge Id 109 from 192.168.20.17:1812 to 192.168.20.19:54927 length 0 (1) EAP-Message = 0x015a0014120a00000f0200020001000011010100 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x1646e217171cf09d214aa497303ba7f5 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 110 from 192.168.20.19:54927 to 192.168.20.17:1812 length 341 (2) User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (2) NAS-IP-Address = 192.168.20.19 (2) NAS-Port = 0 (2) NAS-Identifier = "192.168.20.19" (2) NAS-Port-Type = Wireless-802.11 (2) Calling-Station-Id = "c0eefb5acc11" (2) Called-Station-Id = "000b86ee0268" (2) Service-Type = Login-User (2) Framed-MTU = 1100 (2) EAP-Message = 0x025a0058120a0000100100010705000043cdc6794d84b18456e0fe40aee0d7e20e0e00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 (2) State = 0x1646e217171cf09d214aa497303ba7f5 (2) Aruba-Essid-Name = "Test EAP-SIM" (2) Aruba-Location-Id = "00:0b:86:ee:02:68" (2) Aruba-AP-Group = "instant-EE:02:68" (2) Message-Authenticator = 0xa4a1ade2eae64052c6f0aa2ecc3ea908 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (2) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 90 length 88 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) files: users: Matched entry 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org at line 96 (2) [files] = ok (2) if (User-Name =~ /^[0-9]+/) { (2) if (User-Name =~ /^[0-9]+/) -> TRUE (2) if (User-Name =~ /^[0-9]+/) { (2) update reply { (2) EXPAND %{control:EAP-Sim-Rand1} (2) --> 0x5e56fc4d1cb798dd53c4191e157472ac (2) &EAP-Sim-Rand1 := 0x5e56fc4d1cb798dd53c4191e157472ac (2) EXPAND %{control:EAP-Sim-Rand2} (2) --> 0x7711b7949ea67837276197a3bfc10561 (2) &EAP-Sim-Rand2 := 0x7711b7949ea67837276197a3bfc10561 (2) EXPAND %{control:EAP-Sim-Rand3} (2) --> 0xdb249cea25f603d22e193aa1ae792b20 (2) &EAP-Sim-Rand3 := 0xdb249cea25f603d22e193aa1ae792b20 (2) EXPAND %{control:EAP-Sim-SRES1} (2) --> 0x47c9aae3 (2) &EAP-Sim-SRES1 := 0x47c9aae3 (2) EXPAND %{control:EAP-Sim-SRES2} (2) --> 0x7112acb0 (2) &EAP-Sim-SRES2 := 0x7112acb0 (2) EXPAND %{control:EAP-Sim-SRES3} (2) --> 0x12d89ed9 (2) &EAP-Sim-SRES3 := 0x12d89ed9 (2) EXPAND %{control:EAP-Sim-KC1} (2) --> 0x44fb0ab88d208400 (2) &EAP-Sim-KC1 := 0x44fb0ab88d208400 (2) EXPAND %{control:EAP-Sim-KC2} (2) --> 0x9135bb2807184400 (2) &EAP-Sim-KC2 := 0x9135bb2807184400 (2) EXPAND %{control:EAP-Sim-KC3} (2) --> 0x783fa135bbb97000 (2) &EAP-Sim-KC3 := 0x783fa135bbb97000 (2) } # update reply = noop (2) } # if (User-Name =~ /^[0-9]+/) = noop (2) [expiration] = noop (2) [logintime] = noop (2) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (2) pap: WARNING: Authentication will fail unless a "known good" password is available (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x1646e217171cf09d (2) eap: Finished EAP session with state 0x1646e217171cf09d (2) eap: Previous EAP request found for state 0x1646e217171cf09d, released from the list (2) eap: Peer sent packet with method EAP SIM (18) (2) eap: Calling submodule eap_sim to process data (2) eap_sim: EAP-SIM decoded packet (2) eap_sim: User-Name = " 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (2) eap_sim: NAS-IP-Address = 192.168.20.19 (2) eap_sim: NAS-Port = 0 (2) eap_sim: NAS-Identifier = "192.168.20.19" (2) eap_sim: NAS-Port-Type = Wireless-802.11 (2) eap_sim: Calling-Station-Id = "c0eefb5acc11" (2) eap_sim: Called-Station-Id = "000b86ee0268" (2) eap_sim: Service-Type = Login-User (2) eap_sim: Framed-MTU = 1100 (2) eap_sim: EAP-Message = 0x025a0058120a0000100100010705000043cdc6794d84b18456e0fe40aee0d7e20e0e00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 (2) eap_sim: State = 0x1646e217171cf09d214aa497303ba7f5 (2) eap_sim: Aruba-Essid-Name = "Test EAP-SIM" (2) eap_sim: Aruba-Location-Id = "00:0b:86:ee:02:68" (2) eap_sim: Aruba-AP-Group = "instant-EE:02:68" (2) eap_sim: Message-Authenticator = 0xa4a1ade2eae64052c6f0aa2ecc3ea908 (2) eap_sim: Event-Timestamp = "Mar 22 2018 20:34:34 UTC" (2) eap_sim: EAP-Type = SIM (2) eap_sim: EAP-Sim-Subtype = Start (2) eap_sim: EAP-Sim-SELECTED_VERSION = 0x0001 (2) eap_sim: EAP-Sim-NONCE_MT = 0x000043cdc6794d84b18456e0fe40aee0d7e2 (2) eap_sim: EAP-Sim-IDENTITY = 0x00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 (2) eap: Sending EAP Request (code 1) ID 91 length 80 (2) eap: EAP session adding &reply:State = 0x1646e217141df09d (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Sent Access-Challenge Id 110 from 192.168.20.17:1812 to 192.168.20.19:54927 length 0 (2) EAP-Message = 0x015b0050120b0000010d00005e56fc4d1cb798dd53c4191e157472ac7711b7949ea67837276197a3bfc10561db249cea25f603d22e193aa1ae792b200b050000e2a774c8fd253915e0e4dfe1d832709e (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x1646e217141df09d214aa497303ba7f5 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 111 from 192.168.20.19:54927 to 192.168.20.17:1812 length 265 (3) User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (3) NAS-IP-Address = 192.168.20.19 (3) NAS-Port = 0 (3) NAS-Identifier = "192.168.20.19" (3) NAS-Port-Type = Wireless-802.11 (3) Calling-Station-Id = "c0eefb5acc11" (3) Called-Station-Id = "000b86ee0268" (3) Service-Type = Login-User (3) Framed-MTU = 1100 (3) EAP-Message = 0x025b000c120e000016010000 (3) State = 0x1646e217141df09d214aa497303ba7f5 (3) Aruba-Essid-Name = "Test EAP-SIM" (3) Aruba-Location-Id = "00:0b:86:ee:02:68" (3) Aruba-AP-Group = "instant-EE:02:68" (3) Message-Authenticator = 0xf23c8af6d4ad1d8640f4ad602564c6bb (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (3) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 91 length 12 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) files: users: Matched entry 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org at line 96 (3) [files] = ok (3) if (User-Name =~ /^[0-9]+/) { (3) if (User-Name =~ /^[0-9]+/) -> TRUE (3) if (User-Name =~ /^[0-9]+/) { (3) update reply { (3) EXPAND %{control:EAP-Sim-Rand1} (3) --> 0x5e56fc4d1cb798dd53c4191e157472ac (3) &EAP-Sim-Rand1 := 0x5e56fc4d1cb798dd53c4191e157472ac (3) EXPAND %{control:EAP-Sim-Rand2} (3) --> 0x7711b7949ea67837276197a3bfc10561 (3) &EAP-Sim-Rand2 := 0x7711b7949ea67837276197a3bfc10561 (3) EXPAND %{control:EAP-Sim-Rand3} (3) --> 0xdb249cea25f603d22e193aa1ae792b20 (3) &EAP-Sim-Rand3 := 0xdb249cea25f603d22e193aa1ae792b20 (3) EXPAND %{control:EAP-Sim-SRES1} (3) --> 0x47c9aae3 (3) &EAP-Sim-SRES1 := 0x47c9aae3 (3) EXPAND %{control:EAP-Sim-SRES2} (3) --> 0x7112acb0 (3) &EAP-Sim-SRES2 := 0x7112acb0 (3) EXPAND %{control:EAP-Sim-SRES3} (3) --> 0x12d89ed9 (3) &EAP-Sim-SRES3 := 0x12d89ed9 (3) EXPAND %{control:EAP-Sim-KC1} (3) --> 0x44fb0ab88d208400 (3) &EAP-Sim-KC1 := 0x44fb0ab88d208400 (3) EXPAND %{control:EAP-Sim-KC2} (3) --> 0x9135bb2807184400 (3) &EAP-Sim-KC2 := 0x9135bb2807184400 (3) EXPAND %{control:EAP-Sim-KC3} (3) --> 0x783fa135bbb97000 (3) &EAP-Sim-KC3 := 0x783fa135bbb97000 (3) } # update reply = noop (3) } # if (User-Name =~ /^[0-9]+/) = noop (3) [expiration] = noop (3) [logintime] = noop (3) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (3) pap: WARNING: Authentication will fail unless a "known good" password is available (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x1646e217141df09d (3) eap: Finished EAP session with state 0x1646e217141df09d (3) eap: Previous EAP request found for state 0x1646e217141df09d, released from the list (3) eap: Peer sent packet with method EAP SIM (18) (3) eap: Calling submodule eap_sim to process data (3) eap: ERROR: Failed continuing EAP SIM (18) session. EAP sub-module failed (3) eap: Sending EAP Failure (code 4) ID 91 length 4 (3) eap: Failed in EAP select (3) [eap] = invalid (3) } # authenticate = invalid (3) Failed to authenticate the user (3) Using Post-Auth-Type Reject (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Post-Auth-Type REJECT { (3) attr_filter.access_reject: EXPAND %{User-Name} (3) attr_filter.access_reject: --> 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org (3) attr_filter.access_reject: Matched entry DEFAULT at line 11 (3) [attr_filter.access_reject] = updated (3) [eap] = noop (3) policy remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) { (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else { (3) [noop] = noop (3) } # else = noop (3) } # policy remove_reply_message_if_eap = noop (3) } # Post-Auth-Type REJECT = updated (3) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (3) Sending delayed response (3) Sent Access-Reject Id 111 from 192.168.20.17:1812 to 192.168.20.19:54927 length 44 (3) EAP-Message = 0x045b0004 (3) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.6 seconds. (0) Cleaning up request packet ID 108 with timestamp +14 (1) Cleaning up request packet ID 109 with timestamp +14 (2) Cleaning up request packet ID 110 with timestamp +14 Waking up in 0.2 seconds. (3) Cleaning up request packet ID 111 with timestamp +14 Ready to process requests -- François
On Mar 22, 2018, at 8:58 PM, François Vergès <misterpaco21@gmail.com> wrote:
Hello Everyone,
I have setup freeradius in my lab environment to authenticate an Android cell phone using EAP-SIM and a SIM card.
Use eapol_test and a usb smart card reader, then you can get proper debug output. Alternatively try v4 HEAD. I wouldn't use it for production deployments but it might at least hint what's wrong. -Arran
On Mar 22, 2018, at 4:58 PM, François Vergès <misterpaco21@gmail.com> wrote:
I have setup freeradius in my lab environment to authenticate an Android cell phone using EAP-SIM and a SIM card.
Performing a packet capture over the Wi-Fi, I was able to realize that the phone receive the EAP-SIM challenge request but doesn't reply with a EAP-SIM Challenge response. Instead, it replies with a EAP-SIM Client-Error (0). I can also see the RAND values in the EAP-SIM Challenge Request packet.
I have used this script to generate the triplets (RAND, SRES and KC) using the Ki number of the SIM card: https://github.com/skelsec/COMP128/blob/master/COMP128.py
Hmm... use 3.0.16, and set EAP-SIM-Ki. The server will create the triplets automatically: # 'users' file 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org EAP-SIM-Ki := 0xabcdef0123... # 'users' file Alan DeKok.
Thank you Arran and thank you Alan for the quick responses. I was able to install 3.0.16 and test it tonight as I don't have a smart card reader on hand at the moment. The installation worked and I edited the users file as follow: 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org EAP-SIM-Ki := 0xCA0B.........B, EAP-Sim-Algo-Version := 1 I had to add the "EAP-Sim-Algo-Version" attribute according to what the logs were telling me. I tested from the Android phone after that and was able to connect if the EAP-Sim-Algo-Version attribute was equal to 1. Is this attribute the version of EAP-SIM or the version of COMP128? The android phone connected but I can still see the following error in the logs (see full logs below): (3) eap_sim: ERROR: Failed decoding EAP-SIM packet: Do you have an idea why? Thank you again for your help. Here are the full logs: (0) Received Access-Request Id 166 from 192.168.20.19:54927 to 192.168.20.17:1812 length 291 (0) User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (0) NAS-IP-Address = 192.168.20.19 (0) NAS-Port = 0 (0) NAS-Identifier = "192.168.20.19" (0) NAS-Port-Type = Wireless-802.11 (0) Calling-Station-Id = "c0eefb5acc11" (0) Called-Station-Id = "000b86ee0268" (0) Service-Type = Login-User (0) Framed-MTU = 1100 (0) EAP-Message = 0x02010038013139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267 (0) Aruba-Essid-Name = "Test EAP-SIM" (0) Aruba-Location-Id = "00:0b:86:ee:02:68" (0) Aruba-AP-Group = "instant-EE:02:68" (0) Message-Authenticator = 0xa7d1d164a9fed5e7816fba1c9cdbf270 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (0) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 1 length 56 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 2 length 22 (0) eap: EAP session adding &reply:State = 0x73d0173773d21381 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 166 from 192.168.20.17:1812 to 192.168.20.19:54927 length 0 (0) EAP-Message = 0x010200160410b76b7cfc5c8795d66b2cc27e9ef326cc (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x73d0173773d213813979a7a15dbcab87 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 167 from 192.168.20.19:54927 to 192.168.20.17:1812 length 259 (1) User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (1) NAS-IP-Address = 192.168.20.19 (1) NAS-Port = 0 (1) NAS-Identifier = "192.168.20.19" (1) NAS-Port-Type = Wireless-802.11 (1) Calling-Station-Id = "c0eefb5acc11" (1) Called-Station-Id = "000b86ee0268" (1) Service-Type = Login-User (1) Framed-MTU = 1100 (1) EAP-Message = 0x020200060312 (1) State = 0x73d0173773d213813979a7a15dbcab87 (1) Aruba-Essid-Name = "Test EAP-SIM" (1) Aruba-Location-Id = "00:0b:86:ee:02:68" (1) Aruba-AP-Group = "instant-EE:02:68" (1) Message-Authenticator = 0x88355e717976da933abc319d0bc4504d (1) session-state: No cached attributes (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (1) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 2 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org at line 3 (1) [files] = ok (1) if (User-Name =~ /^[0-9]+/) { (1) if (User-Name =~ /^[0-9]+/) -> TRUE (1) if (User-Name =~ /^[0-9]+/) { (1) update reply { (1) EXPAND %{control:EAP-Sim-Ki} (1) --> 0xca0b8d177406d08cbfbed48b832f72db (1) &EAP-Sim-Ki := 0xca0b8d177406d08cbfbed48b832f72db (1) EXPAND %{control:EAP-Sim-Algo-Version} (1) --> 1 (1) &EAP-Sim-Algo-Version := 1 (1) } # update reply = noop (1) } # if (User-Name =~ /^[0-9]+/) = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x73d0173773d21381 (1) eap: Finished EAP session with state 0x73d0173773d21381 (1) eap: Previous EAP request found for state 0x73d0173773d21381, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type SIM (18) (1) eap: Calling submodule eap_sim to process data (1) eap_sim: Generated following triplets for round 0: (1) eap_sim: RAND : 0x5d61f008d4ac1c144f1dddc8a931c907 (1) eap_sim: SRES : 0xdedf6955 (1) eap_sim: Kc : 0x0b4525c2f63d1000 (1) eap_sim: Generated following triplets for round 1: (1) eap_sim: RAND : 0x7890541386f3cf2d14f3adfd2626ae11 (1) eap_sim: SRES : 0xfc1d1efa (1) eap_sim: Kc : 0x0ab936f3b77bc400 (1) eap_sim: Generated following triplets for round 2: (1) eap_sim: RAND : 0x4073342dbfe58bc6129a7cb2341c599f (1) eap_sim: SRES : 0xc24d23f8 (1) eap_sim: Kc : 0x90c7b3cfbb6f5400 (1) eap: Sending EAP Request (code 1) ID 52 length 20 (1) eap: EAP session adding &reply:State = 0x73d0173772e40581 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 167 from 192.168.20.17:1812 to 192.168.20.19:54927 length 0 (1) EAP-Message = 0x01340014120a00000f0200020001000011010100 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x73d0173772e405813979a7a15dbcab87 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 168 from 192.168.20.19:54927 to 192.168.20.17:1812 length 341 (2) User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (2) NAS-IP-Address = 192.168.20.19 (2) NAS-Port = 0 (2) NAS-Identifier = "192.168.20.19" (2) NAS-Port-Type = Wireless-802.11 (2) Calling-Station-Id = "c0eefb5acc11" (2) Called-Station-Id = "000b86ee0268" (2) Service-Type = Login-User (2) Framed-MTU = 1100 (2) EAP-Message = 0x02340058120a00001001000107050000c3a7a7644e1d2568557e2ba3629074d40e0e00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 (2) State = 0x73d0173772e405813979a7a15dbcab87 (2) Aruba-Essid-Name = "Test EAP-SIM" (2) Aruba-Location-Id = "00:0b:86:ee:02:68" (2) Aruba-AP-Group = "instant-EE:02:68" (2) Message-Authenticator = 0x81000bffb4c1c22f932980b64985a2ce (2) session-state: No cached attributes (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (2) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 52 length 88 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) files: users: Matched entry 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org at line 3 (2) [files] = ok (2) if (User-Name =~ /^[0-9]+/) { (2) if (User-Name =~ /^[0-9]+/) -> TRUE (2) if (User-Name =~ /^[0-9]+/) { (2) update reply { (2) EXPAND %{control:EAP-Sim-Ki} (2) --> 0xca0b8d177406d08cbfbed48b832f72db (2) &EAP-Sim-Ki := 0xca0b8d177406d08cbfbed48b832f72db (2) EXPAND %{control:EAP-Sim-Algo-Version} (2) --> 1 (2) &EAP-Sim-Algo-Version := 1 (2) } # update reply = noop (2) } # if (User-Name =~ /^[0-9]+/) = noop (2) [expiration] = noop (2) [logintime] = noop (2) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (2) pap: WARNING: Authentication will fail unless a "known good" password is available (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x73d0173772e40581 (2) eap: Finished EAP session with state 0x73d0173772e40581 (2) eap: Previous EAP request found for state 0x73d0173772e40581, released from the list (2) eap: Peer sent packet with method EAP SIM (18) (2) eap: Calling submodule eap_sim to process data (2) eap_sim: EAP-SIM decoded packet (2) eap_sim: User-Name = " 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (2) eap_sim: NAS-IP-Address = 192.168.20.19 (2) eap_sim: NAS-Port = 0 (2) eap_sim: NAS-Identifier = "192.168.20.19" (2) eap_sim: NAS-Port-Type = Wireless-802.11 (2) eap_sim: Calling-Station-Id = "c0eefb5acc11" (2) eap_sim: Called-Station-Id = "000b86ee0268" (2) eap_sim: Service-Type = Login-User (2) eap_sim: Framed-MTU = 1100 (2) eap_sim: EAP-Message = 0x02340058120a00001001000107050000c3a7a7644e1d2568557e2ba3629074d40e0e00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 (2) eap_sim: State = 0x73d0173772e405813979a7a15dbcab87 (2) eap_sim: Aruba-Essid-Name = "Test EAP-SIM" (2) eap_sim: Aruba-Location-Id = "00:0b:86:ee:02:68" (2) eap_sim: Aruba-AP-Group = "instant-EE:02:68" (2) eap_sim: Message-Authenticator = 0x81000bffb4c1c22f932980b64985a2ce (2) eap_sim: Event-Timestamp = "Mar 23 2018 02:15:16 UTC" (2) eap_sim: EAP-Type = SIM (2) eap_sim: EAP-Sim-Subtype = Start (2) eap_sim: EAP-Sim-SELECTED_VERSION = 0x0001 (2) eap_sim: EAP-Sim-NONCE_MT = 0x0000c3a7a7644e1d2568557e2ba3629074d4 (2) eap_sim: EAP-Sim-IDENTITY = 0x00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 (2) eap: Sending EAP Request (code 1) ID 53 length 80 (2) eap: EAP session adding &reply:State = 0x73d0173771e50581 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 168 from 192.168.20.17:1812 to 192.168.20.19:54927 length 0 (2) EAP-Message = 0x01350050120b0000010d00005d61f008d4ac1c144f1dddc8a931c9077890541386f3cf2d14f3adfd2626ae114073342dbfe58bc6129a7cb2341c599f0b0500003d75b1bccfe08bd6ebedbff57c97cc7b (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x73d0173771e505813979a7a15dbcab87 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 169 from 192.168.20.19:54927 to 192.168.20.17:1812 length 281 (3) User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (3) NAS-IP-Address = 192.168.20.19 (3) NAS-Port = 0 (3) NAS-Identifier = "192.168.20.19" (3) NAS-Port-Type = Wireless-802.11 (3) Calling-Station-Id = "c0eefb5acc11" (3) Called-Station-Id = "000b86ee0268" (3) Service-Type = Login-User (3) Framed-MTU = 1100 (3) EAP-Message = 0x0235001c120b00000b050000135081247e24e3f87495a46f128a6e84 (3) State = 0x73d0173771e505813979a7a15dbcab87 (3) Aruba-Essid-Name = "Test EAP-SIM" (3) Aruba-Location-Id = "00:0b:86:ee:02:68" (3) Aruba-AP-Group = "instant-EE:02:68" (3) Message-Authenticator = 0x6018a954af3ed8f82d4a20ff64a5479a (3) session-state: No cached attributes (3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (3) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 53 length 28 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) files: users: Matched entry 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org at line 3 (3) [files] = ok (3) if (User-Name =~ /^[0-9]+/) { (3) if (User-Name =~ /^[0-9]+/) -> TRUE (3) if (User-Name =~ /^[0-9]+/) { (3) update reply { (3) EXPAND %{control:EAP-Sim-Ki} (3) --> 0xca0b8d177406d08cbfbed48b832f72db (3) &EAP-Sim-Ki := 0xca0b8d177406d08cbfbed48b832f72db (3) EXPAND %{control:EAP-Sim-Algo-Version} (3) --> 1 (3) &EAP-Sim-Algo-Version := 1 (3) } # update reply = noop (3) } # if (User-Name =~ /^[0-9]+/) = noop (3) [expiration] = noop (3) [logintime] = noop (3) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (3) pap: WARNING: Authentication will fail unless a "known good" password is available (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x73d0173771e50581 (3) eap: Finished EAP session with state 0x73d0173771e50581 (3) eap: Previous EAP request found for state 0x73d0173771e50581, released from the list (3) eap: Peer sent packet with method EAP SIM (18) (3) eap: Calling submodule eap_sim to process data (3) eap_sim: MAC check succeed (3) eap_sim: ERROR: Failed decoding EAP-SIM packet: (3) eap: Sending EAP Success (code 3) ID 54 length 4 (3) eap: Freeing handler (3) [eap] = ok (3) } # authenticate = ok (3) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (3) post-auth { (3) update { (3) No attributes updated (3) } # update = noop (3) [exec] = noop (3) policy remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) { (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else { (3) [noop] = noop (3) } # else = noop (3) } # policy remove_reply_message_if_eap = noop (3) } # post-auth = noop (3) Sent Access-Accept Id 169 from 192.168.20.17:1812 to 192.168.20.19:54927 length 0 (3) MS-MPPE-Recv-Key = 0x85ef573bb6603286724f0d6de5265eee5d0db5c58fc485b8a9100f64129facc3 (3) MS-MPPE-Send-Key = 0x2902f8530f324889e267b510c983ad40c9bed2c96ade0151830735299abcde9a (3) EAP-Message = 0x03360004 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) User-Name = "1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org" (3) Finished request Waking up in 4.6 seconds. (0) Cleaning up request packet ID 166 with timestamp +18 (1) Cleaning up request packet ID 167 with timestamp +18 (2) Cleaning up request packet ID 168 with timestamp +18 Waking up in 0.2 seconds. (3) Cleaning up request packet ID 169 with timestamp +18 Ready to process requests On Thu, Mar 22, 2018 at 6:19 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 22, 2018, at 4:58 PM, François Vergès <misterpaco21@gmail.com> wrote:
I have setup freeradius in my lab environment to authenticate an Android cell phone using EAP-SIM and a SIM card.
Performing a packet capture over the Wi-Fi, I was able to realize that
the
phone receive the EAP-SIM challenge request but doesn't reply with a EAP-SIM Challenge response. Instead, it replies with a EAP-SIM Client-Error (0). I can also see the RAND values in the EAP-SIM Challenge Request packet.
I have used this script to generate the triplets (RAND, SRES and KC) using the Ki number of the SIM card: https://github.com/skelsec/COMP128/blob/master/COMP128.py
Hmm... use 3.0.16, and set EAP-SIM-Ki. The server will create the triplets automatically:
# 'users' file
1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org EAP-SIM-Ki := 0xabcdef0123...
# 'users' file
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- *François Vergès* *Tel*: +1 514 475-5305 *Email*: francoisverges@gmail.com
On Mar 22, 2018, at 10:28 PM, François Vergès <francoisverges@gmail.com> wrote:
Thank you Arran and thank you Alan for the quick responses.
I was able to install 3.0.16 and test it tonight as I don't have a smart card reader on hand at the moment.
The installation worked and I edited the users file as follow: 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org EAP-SIM-Ki := 0xCA0B.........B, EAP-Sim-Algo-Version := 1
I had to add the "EAP-Sim-Algo-Version" attribute according to what the logs were telling me.
OK.
I tested from the Android phone after that and was able to connect if the EAP-Sim-Algo-Version attribute was equal to 1. Is this attribute the version of EAP-SIM or the version of COMP128?
It's the algorithm used for SIM.
The android phone connected but I can still see the following error in the logs (see full logs below): (3) eap_sim: ERROR: Failed decoding EAP-SIM packet:
Do you have an idea why?
Looks to be a spurious error. I'll fix it. Alan DeKok.
Thank you Alan! I can also confirm that I was able to connect from both an Android (6.0.1) and iOS (11.2.6) phone using 2 different SIM cards. The exact same packets were exchanged over the Wi-Fi. I have also tested with both Aruba and Cisco AP (even thought it doesn't really matter here). Best Regards, On Fri, Mar 23, 2018 at 11:16 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 22, 2018, at 10:28 PM, François Vergès <francoisverges@gmail.com> wrote:
Thank you Arran and thank you Alan for the quick responses.
I was able to install 3.0.16 and test it tonight as I don't have a smart card reader on hand at the moment.
The installation worked and I edited the users file as follow: 1901700000020240@wlan.mnc070.mcc901.3gppnetwork.org EAP-SIM-Ki := 0xCA0B.........B, EAP-Sim-Algo-Version := 1
I had to add the "EAP-Sim-Algo-Version" attribute according to what the logs were telling me.
OK.
I tested from the Android phone after that and was able to connect if the EAP-Sim-Algo-Version attribute was equal to 1. Is this attribute the version of EAP-SIM or the version of COMP128?
It's the algorithm used for SIM.
The android phone connected but I can still see the following error in the logs (see full logs below): (3) eap_sim: ERROR: Failed decoding EAP-SIM packet:
Do you have an idea why?
Looks to be a spurious error. I'll fix it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- *François Vergès* *Tel*: +1 514 475-5305 *Email*: francoisverges@gmail.com
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
François Vergès -
François Vergès