EAP-SIM Error "Failed continuing EAP SIM (18) session. EAP sub-module failed"
Hi, I am new here and here is my problem: I am using FreeRADIUS version 3.0.4 and I am working on configure the FreeRADIUS as a local RADIUS server in hotspot2.0 network. I am now in trouble with EAP-SIM authentication. I have configure the EAP-SIM in the file eap under /mods-enabled, and change the order of "eap" after "files" in authorize part in the file default under /sites-enabled. I have tested the EAP-SIM using radeapclient successfully. I tested EAP-TTLS with MSCHAPv2 authentication in my experimental network successfully which use an username and password. Everything seems going well until I tested the EAP-SIM in the hotspot2.0 network. I tested the EAP-SIM authentication using a real smartphone with a SIM card in which I specified an Ki by myself. The AP(the NAI of RADIUS) is a hostspot2.0-supported wireless access point running hostapd on it. and when I try to access the network through AP I got ERROR "Failed continuing EAP SIM (18) session. EAP sub-module failed". Here is my configurations and debug output In users file my account is: 1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org EAP-Type := SIM, EAP-Sim-KI := 0x8baf473f2f8fd09487cccbd7097c6862, EAP-Sim-Algo-Version := 1 Here is the radiusd -X debug output when I require to access the network: (6) Received Access-Request Id 20 from 192.168.0.129:45017 to 192.168.0.200:1812 length 249 (6) User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" (6) NAS-IP-Address = 192.168.0.129 (6) Called-Station-Id = "00-14-D5-91-C0-FD:hs20" (6) NAS-Port-Type = Wireless-802.11 (6) NAS-Port = 1 (6) Calling-Station-Id = "68-3E-34-9B-32-C7" (6) Connect-Info = "CONNECT 54Mbps 802.11g" (6) Framed-MTU = 1400 (6) EAP-Message = 0x02330038013132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f7267 (6) HS20-AP-Version = 1 (6) Message-Authenticator = 0x440d0fe99fb6058bc76eb93698cf224d (6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "wlan.mnc093.mcc208.3gppnetwork.org" for User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" (6) suffix: No such realm "wlan.mnc093.mcc208.3gppnetwork.org" (6) [suffix] = noop (6) files: users: Matched entry 1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org at line 3 (6) [files] = ok (6) eap: Peer sent EAP Response (code 2) ID 51 length 56c (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_sim to process data (6) eap_sim: Generated following triplets for round 0: (6) eap_sim: RAND : 0x872b74dc0e5582cdd217f486e088008e (6) eap_sim: SRES : 0x2d989648 (6) eap_sim: Kc : 0xff85b4f6889f9800 (6) eap_sim: Generated following triplets for round 1: (6) eap_sim: RAND : 0xf3fe491aaf74d6b894e94af1ada52ca6 (6) eap_sim: SRES : 0x056b09ed (6) eap_sim: Kc : 0xdbf228d55f6fcc00 (6) eap_sim: Generated following triplets for round 2: (6) eap_sim: RAND : 0xaf2c073cb54b1861ee429fe7a3e3f60b (6) eap_sim: SRES : 0xe1445dc1 (6) eap_sim: Kc : 0x65a776abc0f43c00 (6) eap: Sending EAP Request (code 1) ID 180 length 20 (6) eap: EAP session adding &reply:State = 0x14c723b2147331b1 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (6) Sent Access-Challenge Id 20 from 192.168.0.200:1812 to 192.168.0.129:45017 length 0 (6) EAP-Message = 0x01b40014120a00000f0200020001000011010100 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x14c723b2147331b1a0c3c29e8d6db7ba (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 21 from 192.168.0.129:45017 to 192.168.0.200:1812 length 299 (7) User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" (7) NAS-IP-Address = 192.168.0.129 (7) Called-Station-Id = "00-14-D5-91-C0-FD:hs20" (7) NAS-Port-Type = Wireless-802.11 (7) NAS-Port = 1 (7) Calling-Station-Id = "68-3E-34-9B-32-C7" (7) Connect-Info = "CONNECT 54Mbps 802.11g" (7) Framed-MTU = 1400 (7) EAP-Message = 0x02b40058120a000007050000ef994301bfa74fda8473e5ce391e2bc5100100010e0e00333132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f726700 (7) State = 0x14c723b2147331b1a0c3c29e8d6db7ba (7) HS20-AP-Version = 1 (7) Message-Authenticator = 0xd9cb8b33b442579671f1b5ebe828ff41 (7) session-state: No cached attributes (7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "wlan.mnc093.mcc208.3gppnetwork.org" for User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" (7) suffix: No such realm "wlan.mnc093.mcc208.3gppnetwork.org" (7) [suffix] = noop (7) files: users: Matched entry 1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org at line 3 (7) [files] = ok (7) eap: Peer sent EAP Response (code 2) ID 180 length 88 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [expiration] = noop (7) [logintime] = noop (7) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (7) pap: WARNING: Authentication will fail unless a "known good" password is available (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x14c723b2147331b1 (7) eap: Finished EAP session with state 0x14c723b2147331b1 (7) eap: Previous EAP request found for state 0x14c723b2147331b1, released from the list (7) eap: Peer sent packet with method EAP SIM (18) (7) eap: Calling submodule eap_sim to process data (7) eap_sim: EAP-SIM decoded packet (7) eap_sim: User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" (7) eap_sim: NAS-IP-Address = 192.168.0.129 (7) eap_sim: Called-Station-Id = "00-14-D5-91-C0-FD:hs20" (7) eap_sim: NAS-Port-Type = Wireless-802.11 (7) eap_sim: NAS-Port = 1 (7) eap_sim: Calling-Station-Id = "68-3E-34-9B-32-C7" (7) eap_sim: Connect-Info = "CONNECT 54Mbps 802.11g" (7) eap_sim: Framed-MTU = 1400 (7) eap_sim: EAP-Message = 0x02b40058120a000007050000ef994301bfa74fda8473e5ce391e2bc5100100010e0e00333132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f726700 (7) eap_sim: State = 0x14c723b2147331b1a0c3c29e8d6db7ba (7) eap_sim: HS20-AP-Version = 1 (7) eap_sim: Message-Authenticator = 0xd9cb8b33b442579671f1b5ebe828ff41 (7) eap_sim: Event-Timestamp = "May 13 2016 14:52:36 CST" (7) eap_sim: EAP-Type = SIM (7) eap_sim: EAP-Sim-Subtype = Start (7) eap_sim: EAP-Sim-NONCE_MT = 0x0000ef994301bfa74fda8473e5ce391e2bc5 (7) eap_sim: EAP-Sim-SELECTED_VERSION = 0x0001 (7) eap_sim: EAP-Sim-IDENTITY = 0x00333132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f726700 (7) eap: Sending EAP Request (code 1) ID 181 length 80 (7) eap: EAP session adding &reply:State = 0x14c723b2157231b1 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (7) Sent Access-Challenge Id 21 from 192.168.0.200:1812 to 192.168.0.129:45017 length 0 (7) EAP-Message = 0x01b50050120b0000010d0000872b74dc0e5582cdd217f486e088008ef3fe491aaf74d6b894e94af1ada52ca6af2c073cb54b1861ee429fe7a3e3f60b0b0500006ccc60941e49dc60ae915c9edba32357 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x14c723b2157231b1a0c3c29e8d6db7ba (7) Finished request Waking up in 4.9 seconds. (8) Received Access-Request Id 22 from 192.168.0.129:45017 to 192.168.0.200:1812 length 223 (8) User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" (8) NAS-IP-Address = 192.168.0.129 (8) Called-Station-Id = "00-14-D5-91-C0-FD:hs20" (8) NAS-Port-Type = Wireless-802.11 (8) NAS-Port = 1 (8) Calling-Station-Id = "68-3E-34-9B-32-C7" (8) Connect-Info = "CONNECT 54Mbps 802.11g" (8) Framed-MTU = 1400 (8) EAP-Message = 0x02b5000c120e000016010000 (8) State = 0x14c723b2157231b1a0c3c29e8d6db7ba (8) HS20-AP-Version = 1 (8) Message-Authenticator = 0x602535e3fc71889877b3e8ff37557d10 (8) session-state: No cached attributes (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: Looking up realm "wlan.mnc093.mcc208.3gppnetwork.org" for User-Name = "1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org" (8) suffix: No such realm "wlan.mnc093.mcc208.3gppnetwork.org" (8) [suffix] = noop (8) files: users: Matched entry 1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org at line 3 (8) [files] = ok (8) eap: Peer sent EAP Response (code 2) ID 181 length 12 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [expiration] = noop (8) [logintime] = noop (8) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (8) pap: WARNING: Authentication will fail unless a "known good" password is available (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x14c723b2157231b1 (8) eap: Finished EAP session with state 0x14c723b2157231b1 (8) eap: Previous EAP request found for state 0x14c723b2157231b1, released from the list (8) eap: Peer sent packet with method EAP SIM (18) (8) eap: Calling submodule eap_sim to process data (8) eap: ERROR: Failed continuing EAP SIM (18) session. EAP sub-module failed (8) eap: Sending EAP Failure (code 4) ID 181 length 4 (8) eap: Failed in EAP select (8) [eap] = invalid (8) } # authenticate = invalid (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> 1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) [eap] = noop (8) policy remove_reply_message_if_eap { (8) if (&reply:EAP-Message && &reply:Reply-Message) { (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (8) else { (8) [noop] = noop (8) } # else = noop (8) } # policy remove_reply_message_if_eap = noop (8) } # Post-Auth-Type REJECT = updated (8) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (8) Sending delayed response (8) Sent Access-Reject Id 22 from 192.168.0.200:1812 to 192.168.0.129:45017 length 44 (8) EAP-Message = 0x04b50004 (8) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.6 seconds. (6) Cleaning up request packet ID 20 with timestamp +61 (7) Cleaning up request packet ID 21 with timestamp +61 Waking up in 0.3 seconds. (8) Cleaning up request packet ID 22 with timestamp +61 It seems that my radius server failed in calling EAP SIM module to process the MAC Challenge response. Anyone gets some ideas? Since the log gets only one line ERROR, I can't tell what's going wrong. Thank you for your attention and if any information is required to locate my error I am very pleased to offer my configuration and logs. Li Zhaoxing Beijing University of Posts and Telecommunications
On May 13, 2016, at 3:43 AM, Li Zhaoxing <fxlizhaoxing@163.com> wrote:
Hi, I am new here and here is my problem: I am using FreeRADIUS version 3.0.4
You should probably upgrade.
and I am working on configure the FreeRADIUS as a local RADIUS server in hotspot2.0 network. I am now in trouble with EAP-SIM authentication. I have configure the EAP-SIM in the file eap under /mods-enabled, and change the order of "eap" after "files" in authorize part in the file default under /sites-enabled. I have tested the EAP-SIM using radeapclient successfully.
OK, that's good.
I tested EAP-TTLS with MSCHAPv2 authentication in my experimental network successfully which use an username and password. Everything seems going well until I tested the EAP-SIM in the hotspot2.0 network.
That's unfortunate.
I tested the EAP-SIM authentication using a real smartphone with a SIM card in which I specified an Ki by myself. The AP(the NAI of RADIUS) is a hostspot2.0-supported wireless access point running hostapd on it. and when I try to access the network through AP I got ERROR "Failed continuing EAP SIM (18) session. EAP sub-module failed". Here is my configurations and debug output In users file my account is: 1208930000000001@wlan.mnc093.mcc208.3gppnetwork.org EAP-Type := SIM, EAP-Sim-KI := 0x8baf473f2f8fd09487cccbd7097c6862, EAP-Sim-Algo-Version := 1 Here is the radiusd -X debug output when I require to access the network: ...
(8) authenticate { (8) eap: Expiring EAP session with state 0x14c723b2157231b1 (8) eap: Finished EAP session with state 0x14c723b2157231b1 (8) eap: Previous EAP request found for state 0x14c723b2157231b1, released from the list (8) eap: Peer sent packet with method EAP SIM (18) (8) eap: Calling submodule eap_sim to process data (8) eap: ERROR: Failed continuing EAP SIM (18) session. EAP sub-module failed (8) eap: Sending EAP Failure (code 4) ID 181 length 4
That's not good. It would be nice to get a message as to *why* it failed. I've pushed some additional debug messages. Please try the v3.0.x branch from git: https://github.com/FreeRADIUS/freeradius-server/archive/v3.0.x.zip Alan DeKok.
participants (2)
-
Alan DeKok -
Li Zhaoxing