EAP-SIM authentication / Supplicant
Geoffroy Arnoud
garnoud at yahoo.co.uk
Tue Jul 22 14:07:54 CEST 2008
Hi all,
I am trying to use FreeRADIUS to authenticate a wireless device using EAP-SIM.
Currently, my SIM card can be authenticated using a Cisco supplicant (eap-sim-draft-v5) with a Cisco Access Registrar RADIUS server (eap-sim-draft-v5) that gets SIM triplets from an ITP and a HLR simulator.
I extracted the triplets from the HLR and injected them into FreeRADIUS rlm_sim_files module.
I use another laptop, with a Centrino chipset, with the Intel EAP-SIM supplicant.
The FreeRADIUS server receives the EAP message and sends back a Challenge.
The supplicant answers the challenge.
FreeRADIUS then sends back the same challenge.
The supplicant stops.
I would like to know whether someone uses EAP-SIM, and which supplicant is used.
Regarding RFC compliance, I assume that FreeRADIUS is eap-sim-draft-v12 compliant (present in RFC directory).
The Intel supplicant can be RFC compliant.
Here is my config:
sites-enabled/default:
    authorize {
        eap {
            ok = return
        }
        sim_files
    }
    authenticate {
        eap
    }
    preacct {
    }
    accounting {
    }
    session {
    }
    post-auth {
    }
    pre-proxy {
    }
    post-proxy {
    }
************************
simtriplets.dat :
1102030405060708 at ims.mnc030.mcc102.3gppnetwork.org,00000000000000000000000000000000,01234567,89ABCDEFFEDCBA98
1102030405060708 at ims.mnc030.mcc102.3gppnetwork.org,00000000000000000000000000000000,01234567,89ABCDEFFEDCBA98
1102030405060708 at ims.mnc030.mcc102.3gppnetwork.org,00000000000000000000000000000000,01234567,89ABCDEFFEDCBA98
I know that the triplets are identical, but it is the exact content of my HLR.
************************
FreeRADIUS debug output :
rad_recv: Access-Request packet from host 10.67.141.66 port 1647, id=18, length=282
User-Name = "1102030405060708 at ims.mnc030.mcc102.3gppnetwork.org"
Framed-MTU = 1400
Called-Station-Id = "001a.6cf3.fd90"
Calling-Station-Id = "0013.ce0d.e627"
Cisco-AVPair = "ssid=MySSID"
Service-Type = Login-User
Message-Authenticator = 0xc30522798ef5169cf5e0c3807650d0ca
EAP-Message = 0x02010037013131303230333034303530363037303840696d732e6d6e633033302e6d63633130322e336770706e6574776f726b2e6f7267
Cisco-NAS-Port = "611"
NAS-Port = 611
NAS-Identifier = "AP4"
Proxy-State = 0x535347
Proxy-State = 0x323234
NAS-IP-Address = 10.67.106.62
Event-Timestamp = "Jul 22 2008 07:58:15 GMT"
NAS-Port-Type = Wireless-802.11
WISPr-Location-Name = "unknown"
Proxy-State = 0x3432
+- entering group authorize
rlm_eap: EAP packet type response id 1 length 55
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_sim_files: authorized user/imsi 1102030405060708 at ims.mnc030.mcc102.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type sim
rlm_eap: Underlying EAP-Type set EAP ID to 23
++[eap] returns handled
Sending Access-Challenge of id 18 to 10.67.141.66 port 1647
EAP-Message = 0x01170014120a00000f0200020001000011010100
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ef748f79ee05ae75aadbce935e2f4b8
Proxy-State = 0x535347
Proxy-State = 0x323234
Proxy-State = 0x3432
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.67.141.66 port 1647, id=19, length=333
User-Name = "1102030405060708 at ims.mnc030.mcc102.3gppnetwork.org"
Framed-MTU = 1400
Called-Station-Id = "001a.6cf3.fd90"
Calling-Station-Id = "0013.ce0d.e627"
Cisco-AVPair = "ssid=MySSID"
Service-Type = Login-User
Message-Authenticator = 0xd4899c4bcc876e21712e13b045ea773f
EAP-Message = 0x02170058120a00000e0e00323131303230333034303530363037303840696d732e6d6e633033302e6d63633130322e336770706e6574776f726b2e6f726700001001000107050000e05543a4f8463a935b25152720718715
Cisco-NAS-Port = "611"
NAS-Port = 611
State = 0x9ef748f79ee05ae75aadbce935e2f4b8
NAS-Identifier = "AP4"
Proxy-State = 0x535347
Proxy-State = 0x323235
NAS-IP-Address = 10.67.106.62
Event-Timestamp = "Jul 22 2008 07:58:15 GMT"
NAS-Port-Type = Wireless-802.11
WISPr-Location-Name = "unknown"
Proxy-State = 0x3433
+- entering group authorize
rlm_eap: EAP packet type response id 23 length 88
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_sim_files: authorized user/imsi 1102030405060708 at ims.mnc030.mcc102.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/sim
rlm_eap: processing type sim
+++> EAP-sim decoded packet:
User-Name = "1102030405060708 at ims.mnc030.mcc102.3gppnetwork.org"
Framed-MTU = 1400
Called-Station-Id = "001a.6cf3.fd90"
Calling-Station-Id = "0013.ce0d.e627"
Cisco-AVPair = "ssid=MySSID"
Service-Type = Login-User
Message-Authenticator = 0xd4899c4bcc876e21712e13b045ea773f
EAP-Message = 0x02170058120a00000e0e00323131303230333034303530363037303840696d732e6d6e633033302e6d63633130322e336770706e6574776f726b2e6f726700001001000107050000e05543a4f8463a935b25152720718715
Cisco-NAS-Port = "611"
NAS-Port = 611
State = 0x9ef748f79ee05ae75aadbce935e2f4b8
NAS-Identifier = "AP4"
Proxy-State = 0x535347
Proxy-State = 0x323235
NAS-IP-Address = 10.67.106.62
Event-Timestamp = "Jul 22 2008 07:58:15 GMT"
NAS-Port-Type = Wireless-802.11
WISPr-Location-Name = "unknown"
Proxy-State = 0x3433
EAP-Type = SIM
EAP-Sim-Subtype = Start
EAP-Sim-IDENTITY = 0x00323131303230333034303530363037303840696d732e6d6e633033302e6d63633130322e336770706e6574776f726b2e6f72670000
EAP-Sim-SELECTED_VERSION = 0x0001
EAP-Sim-NONCE_MT = 0x0000e05543a4f8463a935b25152720718715
rlm_eap: Underlying EAP-Type set EAP ID to 24
++[eap] returns handled
Sending Access-Challenge of id 19 to 10.67.141.66 port 1647
EAP-Message = 0x01180050120b0000010d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b05000045eec452c1f4a185a68788b07e757a52
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ef748f79fef5ae75aadbce935e2f4b8
Proxy-State = 0x535347
Proxy-State = 0x323235
Proxy-State = 0x3433
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
**********************
Thanks in advance for any feedback.
Geoff.
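
An added example, not part of the original post: a small Python decoder for the two server-side EAP-Message values in the debug output above, which names the EAP-SIM subtype and attributes of each packet and reports whether the RANDs carried in AT_RAND differ from one another. Attribute numbers and the RAND check follow RFC 4186 (the published EAP-SIM specification, section 10.9 for AT_RAND); the function names are chosen for this example.

```python
import struct

# EAP-Message values copied from the debug output above (the zero run in the
# second one is written as a repeat; the bytes are the same).
START_REQ = "01170014120a00000f0200020001000011010100"
CHALLENGE_REQ = ("01180050120b0000" "010d0000" + "00" * 48 +
                 "0b050000" "45eec452c1f4a185a68788b07e757a52")

SUBTYPES = {10: "Start", 11: "Challenge"}
ATTRS = {1: "AT_RAND", 7: "AT_NONCE_MT", 11: "AT_MAC", 14: "AT_IDENTITY",
         15: "AT_VERSION_LIST", 16: "AT_SELECTED_VERSION",
         17: "AT_FULLAUTH_ID_REQ"}

def parse_eap_sim(hexstr):
    """Decode one EAP-SIM packet (EAP type 18) into subtype and attributes."""
    data = bytes.fromhex(hexstr)
    if len(data) < 8:
        raise ValueError("too short for an EAP-SIM header")
    code, ident, length, eap_type, subtype = struct.unpack("!BBHBB", data[:6])
    if length != len(data) or eap_type != 18:
        raise ValueError("not a well-formed EAP-SIM packet")
    attrs, pos = [], 8  # EAP header (5) + subtype (1) + reserved (2)
    while pos + 2 <= length:
        a_type, a_len = data[pos], data[pos + 1] * 4  # length is in 4-byte words
        if a_len == 0 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((ATTRS.get(a_type, str(a_type)), data[pos + 2:pos + a_len]))
        pos += a_len
    if pos != length:
        raise ValueError("trailing bytes after last attribute")
    return {"code": code, "id": ident,
            "subtype": SUBTYPES.get(subtype, str(subtype)), "attrs": attrs}

def rands(pkt):
    """Return the 16-byte RANDs in AT_RAND (value starts with 2 reserved bytes)."""
    for name, value in pkt["attrs"]:
        if name == "AT_RAND":
            body = value[2:]
            return [body[i:i + 16] for i in range(0, len(body), 16)]
    return []

def rands_are_distinct(pkt):
    """True when no RAND value repeats inside the packet's AT_RAND."""
    found = rands(pkt)
    return len(set(found)) == len(found)

if __name__ == "__main__":
    for raw in (START_REQ, CHALLENGE_REQ):
        pkt = parse_eap_sim(raw)
        print(pkt["id"], pkt["subtype"], [n for n, _ in pkt["attrs"]],
              "distinct RANDs:", rands_are_distinct(pkt))
```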