Problems with EAP-SIM in Freeradius 2.2.5
Dear all, I am using freeradius-server-2.2.5 and trying to authenticate via EAP-SIM. I have been successed to authenticate radeapclient command, but i am facing issue when authenticate directly through wireless AP. Also, i know nothing about RAND, SRES, and KC come from (I just put from example). Here my configs in general: //===================================================== $cat sites-enabled/default authorize { ... sim_files eap { ok = return } ... } $cat modules/sim_files sim_files { simtriplets = "/usr/local/etc/raddb/simtriplets.txt" } $cat eap.conf eap { default_eap_type = md5 ... sim{ } ... } $cat users eapsim Auth-Type := EAP, EAP-Type := SIM EAP-Sim-Rand1 = 0x3bcd1234abcd1234abcd1234abcd1234, EAP-Sim-SRES1 = 0x1234abcd, EAP-Sim-KC1 = 0x0211223344556677, EAP-Sim-Rand2 = 0x1cd1234abcd1234abcd1234abcd1234a, EAP-Sim-SRES2 = 0x434abcd1, EAP-Sim-KC2 = 0x1051324354657687, EAP-Sim-Rand3 = 0x6d1234abcd1234abcd1234abcd1234ab, EAP-Sim-SRES3 = 0x74abcd12, EAP-Sim-KC3 = 0x30815263748596a7 1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org Auth-Type := EAP, EAP-Type := SIM EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234, EAP-Sim-SRES1 = 0x1234abcd, EAP-Sim-KC1 = 0x0011223344556677, EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a, EAP-Sim-SRES2 = 0x234abcd1, EAP-Sim-KC2 = 0x1021324354657687, EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab, EAP-Sim-SRES3 = 0x34abcd12, EAP-Sim-KC3 = 0x30415263748596a7 $cat userTest.txt User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 EAP-Code = Response EAP-Type-Identity = "eapsim" Message-Authenticator = 0 NAS-Port = 0 EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234 EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab EAP-Sim-Sres1 = 0x1234abcd EAP-Sim-Sres2 = 0x234abcd1 EAP-Sim-Sres3 = 0x34abcd12 EAP-Sim-KC1 = 0x0011223344556677 EAP-Sim-KC2 = 0x1021324354657687 EAP-Sim-KC3 = 0x30415263748596a7 //===================================================== When i used radeapclient command with "eapsim" user , radius successed to process authentication request as EAP-SIM type. The response look like this: //===================================================== rad_recv: Access-Request packet from host 167.205.106.132 port 56442, id=47, length=71 User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 Message-Authenticator = 0xb0930a41b716e833198358390655050f NAS-Port = 0 EAP-Message = 0x022e000b0165617073696d # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "eapsim", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop rlm_sim_files: insufficient number of challenges for imsi eapsim: 0 ++[sim_files] = notfound [eap] EAP packet type response id 46 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry eapsim at line 19 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 16 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 47 to 167.205.106.132 port 56442 EAP-Message = 0x01100014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc6547d30c6446f127cd7e08c493991e0 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 167.205.106.132 port 56442, id=48, length=122 User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 Message-Authenticator = 0x5e44f7a8af1436fc182dfe07d246066c NAS-Port = 0 EAP-Message = 0x0210002c120a00001001000107050000ebc943da73322d4543182bc6b26c42670e03000665617073696d0000 State = 0xc6547d30c6446f127cd7e08c493991e0 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "eapsim", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop rlm_sim_files: insufficient number of challenges for imsi eapsim: 0 ++[sim_files] = notfound [eap] EAP packet type response id 16 length 44 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry eapsim at line 19 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 Message-Authenticator = 0x5e44f7a8af1436fc182dfe07d246066c NAS-Port = 0 EAP-Message = 0x0210002c120a00001001000107050000ebc943da73322d4543182bc6b26c42670e03000665617073696d0000 State = 0xc6547d30c6446f127cd7e08c493991e0 EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-NONCE_MT = 0x0000ebc943da73322d4543182bc6b26c4267 EAP-Sim-IDENTITY = 0x65617073696d [eap] Underlying EAP-Type set EAP ID to 17 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 48 to 167.205.106.132 port 56442 EAP-Message = 0x01110050120b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b0500002d7b51f8b367f40f16e8b89d57123ce0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc6547d30c7456f127cd7e08c493991e0 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 167.205.106.132 port 56442, id=49, length=106 User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 Message-Authenticator = 0x33d47bbba410cf01893cfd0c317909b3 NAS-Port = 0 State = 0xc6547d30c7456f127cd7e08c493991e0 EAP-Message = 0x0211001c120b00000b050000bf27a73ac93ccba4f39579f5fed9512e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "eapsim", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop rlm_sim_files: insufficient number of challenges for imsi eapsim: 0 ++[sim_files] = notfound [eap] EAP packet type response id 17 length 28 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry eapsim at line 19 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim MAC check succeed [eap] Underlying EAP-Type set EAP ID to 18 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 49 to 167.205.106.132 port 56442 MS-MPPE-Recv-Key = 0x5e7f230e35ec87f3f23b86766b439c56eb66d3a5e8906f47fe0ff862d0acf30b MS-MPPE-Send-Key = 0x75d58187e0a44e5c8486ddb077dc76e39b5dc2b85d717d7dbb2da179672da6fc EAP-Message = 0x03120004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "eapsim" Finished request 2. //===================================================== But, when I used my phone which connected to AP with EAP-SIM auth, radius failed to process Access-Request packet as EAP-SIM type. The response like this: //===================================================== rad_recv: Access-Request packet from host 167.205.9.194 port 1074, id=11, length=254 User-Name = "1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org" Calling-Station-Id = "00-08-22-18-2D-32" NAS-IP-Address = 167.205.9.194 NAS-Port = 1 Called-Station-Id = "54-3D-37-BF-57-A8:testBYOD" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "54-3D-37-BF-57-A8" Connect-Info = "CONNECT 802.11g/n" EAP-Message = 0x02bd000c120e000016010000 State = 0x2c5813a42de50175b779b50df25ca388 Vendor-25053-Attr-3 = 0x7465737442594f44 Message-Authenticator = 0x2637ed577421a19f485bd3b88a7fa5ca # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "wlan.mnc089.mcc510.3gppnetwork.org" for User-Name = "1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc089.mcc510.3gppnetwork.org" ++[suffix] = noop rlm_sim_files: insufficient number of challenges for imsi 1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org: 0 ++[sim_files] = notfound [eap] EAP packet type response id 189 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry 1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org at line 52 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim Client says error. Stopping! [eap] Handler failed in EAP/sim [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> 1510891403414997@wlan.mnc089.mcc510.3gppnetwork.org attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 11 to 167.205.9.194 port 1074 EAP-Message = 0x04bd0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.5 seconds. //===================================================== It seem radius not recognize this packet as EAP-SIM (even it not try to decode packet). I dont know if there something missing in my config. Anyone can help, please? Regards, Rizal Muhammad Nur
rizal.m.nur@arc.itb.ac.id wrote:
I am using freeradius-server-2.2.5 and trying to authenticate via EAP-SIM. I have been successed to authenticate radeapclient command, but i am facing issue when authenticate directly through wireless AP. Also, i know nothing about RAND, SRES, and KC come from (I just put from example).
That's a problem. Those fields are the SIM credentials. They're used to authenticate the user. If you don't have the correct values, the user will be rejected. Alan DeKok.
rizal.m.nur@arc.itb.ac.id wrote:
I am using freeradius-server-2.2.5 and trying to authenticate via EAP-SIM. I have been successed to authenticate radeapclient command, but i am facing issue when authenticate directly through wireless AP. Also, i know nothing about RAND, SRES, and KC come from (I just put from example).
That's a problem. Those fields are the SIM credentials. They're used to authenticate the user.
If you don't have the correct values, the user will be rejected.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for your reply, I curious why EAP-Message from phone was detected as EAP-SIM type but can't be handled/decoded
... [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim Client says error. Stopping! [eap] Handler failed in EAP/sim [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid ...
meanwhile from radeapclient command it run smoothly
... [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 ...
I dont think its because value of RAND, SRES, and KC. I tried to test using false RAND, SRES, and KC before with radeapclient command, and then server still be able to process it as EAP-SIM, although it just end with Access-Challenge reply (not Access-Accept). //===================================================== $cat userTest.txt User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 EAP-Code = Response EAP-Type-Identity = "eapsim" Message-Authenticator = 0 NAS-Port = 0 EAP-Sim-Rand1 = 0x1111111111111111abcd1234abcd1234 EAP-Sim-Rand2 = 0x2222222222222222bcd1234abcd1234a EAP-Sim-Rand3 = 0x3333333333333333cd1234abcd1234ab EAP-Sim-Sres1 = 0x44444444 EAP-Sim-Sres2 = 0x55555555 EAP-Sim-Sres3 = 0x66666666 EAP-Sim-KC1 = 0x7777777777777777 EAP-Sim-KC2 = 0x8888888888888888 EAP-Sim-KC3 = 0x9999999999999999 $cat users eapsim Auth-Type := EAP, EAP-Type := SIM EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234, EAP-Sim-SRES1 = 0x1234abcd, EAP-Sim-KC1 = 0x0011223344556677, EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a, EAP-Sim-SRES2 = 0x234abcd1, EAP-Sim-KC2 = 0x1021324354657687, EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab, EAP-Sim-SRES3 = 0x34abcd12, EAP-Sim-KC3 = 0x30415263748596a7 //===================================================== Here, server response with false RAND, SRES, and KC //===================================================== rad_recv: Access-Request packet from host 167.205.106.132 port 38499, id=95, length=71 User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 Message-Authenticator = 0xdb74750282296eb039bc4867d0e64c78 NAS-Port = 0 EAP-Message = 0x025e000b0165617073696d # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "eapsim", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop rlm_sim_files: insufficient number of challenges for imsi eapsim: 0 ++[sim_files] = notfound [eap] EAP packet type response id 94 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry eapsim at line 27 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 101 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 95 to 167.205.106.132 port 38499 EAP-Message = 0x01650014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8aac07b98ac915e45f9495fd3c62bc18 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 167.205.106.132 port 38499, id=96, length=122 User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 Message-Authenticator = 0x900599aa3a6c928959ba7fdc549e8c34 NAS-Port = 0 EAP-Message = 0x0265002c120a00001001000107050000e9c6e0e9aff6855077e6a86e85ad77770e03000665617073696d0000 State = 0x8aac07b98ac915e45f9495fd3c62bc18 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "eapsim", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop rlm_sim_files: insufficient number of challenges for imsi eapsim: 0 ++[sim_files] = notfound [eap] EAP packet type response id 101 length 44 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry eapsim at line 27 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: User-Name = "eapsim" NAS-IP-Address = 167.205.106.132 Message-Authenticator = 0x900599aa3a6c928959ba7fdc549e8c34 NAS-Port = 0 EAP-Message = 0x0265002c120a00001001000107050000e9c6e0e9aff6855077e6a86e85ad77770e03000665617073696d0000 State = 0x8aac07b98ac915e45f9495fd3c62bc18 EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-NONCE_MT = 0x0000e9c6e0e9aff6855077e6a86e85ad7777 EAP-Sim-IDENTITY = 0x65617073696d [eap] Underlying EAP-Type set EAP ID to 102 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 96 to 167.205.106.132 port 38499 EAP-Message = 0x01660050120b0000010d0000abcd1234abcd1234abcd1234abcd1234bcd1234abcd1234abcd1234abcd1234acd1234abcd1234abcd1234abcd1234ab0b050000cd268139f462060bea6f15dc5801cb36 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8aac07b98bca15e45f9495fd3c62bc18 //===================================================== -- Rizal Muhammad Nur
rizal.m.nur@arc.itb.ac.id wrote:
I curious why EAP-Message from phone was detected as EAP-SIM type but can't be handled/decoded
The EAP-Message attribute contains an EAP packet. That packet contains a type, which is EAP-SIM. The *rest* of the data in the EAP-Message is data specific to EAP-SIM. That data may be malformed, or contain the wrong authentication information.
I dont think its because value of RAND, SRES, and KC.
Yes, it is because of those values. They serve a similar purpose to the password supplied by the user. They're used to calculate the EAP-SIM authentication data.
I tried to test using false RAND, SRES, and KC before with radeapclient command, and then server still be able to process it as EAP-SIM, although it just end with Access-Challenge reply (not Access-Accept).
Because EAP-SIM involves multiple challenges. If the client doesn't like the response from the server, it stops talking to the server. This is what you're seeing. Alan DeKok.
On 05.10.2014 6:02, Alan DeKok wrote:
rizal.m.nur@arc.itb.ac.id wrote:
I tried to test using false RAND, SRES, and KC before with radeapclient command, and then server still be able to process it as EAP-SIM, although it just end with Access-Challenge reply (not Access-Accept).
Because EAP-SIM involves multiple challenges. If the client doesn't like the response from the server, it stops talking to the server. This is what you're seeing.
You should read at least three GSM triplets (RAND, SRES, Kc) from your test SIM card. You can do that by using PC/SC compatible smart-card reader and agsm2 program (http://sourceforge.net/projects/agsm).
participants (3)
-
Alan DeKok -
Iliya Peregoudov -
rizal.m.nur@arc.itb.ac.id