EAP-SIM on freeradius-server-2.1.12

GNUbie gnubie at gmail.com
Tue Feb 14 01:49:48 CET 2012


Hello all,

What am I missing in my current setup that I am getting such errors?
Why is it that it can't find the triplets when in fact it's there?

Basically, the major changes I made on the configuration files are as follows:

[ /usr/local/etc/raddb/radiusd.conf ]

user = radiusd
group = radiusd

modules {
  sim_files {
    simtriplets = "/usr/local/etc/raddb/simtriplets.dat"
  }
...
...
...
}

[ /usr/local/etc/raddb/clients.conf ]

client 172.17.1.0 {
  ipaddr = 172.17.1.0
  netmask = 24
  secret = qwerty
  shortname = eap-sim
}

[ /usr/local/etc/raddb/eap.conf ]

  eap {
    sim {
    }
    default_eap_type = sim
    ...
    ...
    ...
  }

[ /usr/local/etc/raddb/sites-enabled/default ]

authorize {
  ...
  ...
  ...
  sim_files
  eap {
    ok = return
  }
  ...
  ...
  ...
}

The contents of the /usr/local/etc/raddb/simtriplets.dat file has the
format of "IMSI,RAND,SRES,KC" without the quotes:

354162120787078,C97024E532E340a1A1C4DE24DA001CA6,CBe30a81,988c8753D4197800
354162120787078,38E1F9E16B6E4ee6A785072241E8FF43,9Bcd3f54,F56fb487C1359c00
354162120787078,8254442AD6CB47a29ABC530391DDE402,7054a123,806894125A715800
354162120787078,7CA9CE3C148D43e09EBCC40D0AF8048B,A290d514,A2983885440dc400
354162120787078,391DDF50B644482fAE46F091B1D6AA1C,7968b608,875d2af9E883d800
354162120787078,E244EC5344CF4df1A83E54AB7E399670,F9122829,FB2763c02Cbfac00

I also tried in my testing to add 1 on every IMSI but with no luck.

# sed -i 's/^/1/g' /usr/local/etc/raddb/simtriplets.dat

And lastly, the rlm_eap_sim and rlm_sim_files modules are in place.

# ls -l /usr/local/lib/*sim*
lrwxrwxrwx 1 root root    14 Feb 13 21:19
/usr/local/lib/rlm_eap_sim-2.1.12.la -> rlm_eap_sim.la
-rwxr-xr-x 1 root root 35972 Feb 13 21:19 /usr/local/lib/rlm_eap_sim-2.1.12.so
-rw-r--r-- 1 root root 48340 Feb 13 21:19 /usr/local/lib/rlm_eap_sim.a
-rwxr-xr-x 1 root root   932 Feb 13 21:19 /usr/local/lib/rlm_eap_sim.la
lrwxrwxrwx 1 root root    21 Feb 13 21:19
/usr/local/lib/rlm_eap_sim.so -> rlm_eap_sim-2.1.12.so
lrwxrwxrwx 1 root root    16 Feb 13 21:19
/usr/local/lib/rlm_sim_files-2.1.12.la -> rlm_sim_files.la
-rwxr-xr-x 1 root root 35331 Feb 13 21:19 /usr/local/lib/rlm_sim_files-2.1.12.so
-rw-r--r-- 1 root root 46534 Feb 13 21:19 /usr/local/lib/rlm_sim_files.a
-rwxr-xr-x 1 root root   910 Feb 13 21:19 /usr/local/lib/rlm_sim_files.la
lrwxrwxrwx 1 root root    23 Feb 13 21:19
/usr/local/lib/rlm_sim_files.so -> rlm_sim_files-2.1.12.so

Can anyone from this community help me how to solve my problem?

Thank you in advance.

Regards,

GNUbie


On Tue, Feb 14, 2012 at 12:26 AM, GNUbie <gnubie at gmail.com> wrote:
> Hello all,
>
> I configured manually ($  ./configure --with-modules="rlm_sim"
> --with-modules="rlm_sim_files" && make) and installed (# make install)
> the freeradius-server-2.1.12 from the upstream on the CentOS 5.7
> x86_64 machine. Then I configured the following configuration files:
>
> - /usr/local/etc/raddb/radiusd.conf
> - /usr/local/etc/raddb/clients.conf
> - /usr/local/etc/raddb/eap.conf
> - /usr/local/etc/raddb/sites-enabled/default
>
> And lastly, I created the /usr/local/etc/raddb/simtriplets.dat with
> six (6) triplets (just to make sure though AFAIK 3 is enough) for a
> single IMSI.
>
> Then, I executed the command "# /usr/local/sbin/radiusd -X -d
> /usr/local/etc/raddb" and tried testing directly from my iPhone4, I
> got the below snippet of the stdout logs:
>
> - - - < s n i p > - - -
> rad_recv: Access-Request packet from host 172.17.1.110 port 2048,
> id=120, length=249
>        User-Name = "3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org"
>        NAS-IP-Address = 172.17.1.110
>        NAS-Port = 0
>        Called-Station-Id = "0E-19-BE-80-71-00:eap-sim"
>        Calling-Station-Id = "5C-59-48-67-C7-A5"
>        Framed-MTU = 1400
>        NAS-Port-Type = Wireless-802.11
>        Connect-Info = "CONNECT 11Mbps 802.11b"
>        EAP-Message =
> 0x0200003901336265383535616537613836303763376640776c616e2e6d6e633030312e6d63633532352e336770706e6574776f726b2e6f7267
>        Message-Authenticator = 0xdef1645477a2ba0f9a9371f0a9eea8b7
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log]      expand:
> /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> -> /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120213
> [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120213
> [auth_log]      expand: %t -> Mon Feb 13 23:48:18 2012
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] Looking up realm "wlan.mnc001.mcc525.3gppnetwork.org" for
> User-Name = "3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org"
> [suffix] No such realm "wlan.mnc001.mcc525.3gppnetwork.org"
> ++[suffix] returns noop
> rlm_sim_files: insufficient number of challenges for imsi
> 3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org: 0
> ++[sim_files] returns notfound
> [eap] EAP packet type response id 0 length 57
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type sim
>   can not initiate sim, no RAND1 attribute
> [eap] Default EAP type sim failed in initiate
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Login incorrect:
> [3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org] (from client
> eap-sim port 0 cli 5C-59-48-67-C7-A5)
> Using Post-Auth-Type Reject
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} ->
> 3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 120 to 172.17.1.110 port 2048
>        EAP-Message = 0x04000004
>        Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 120 with timestamp +13
> Ready to process requests.
> - - - < s n i p > - - -
>
> Based on the above logs, below are the (3) lines that I'm not sure how
> to address them:
>
> [suffix] No such realm "wlan.mnc001.mcc525.3gppnetwork.org"
>
> rlm_sim_files: insufficient number of challenges for imsi
> 3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org: 0
> ++[sim_files] returns notfound
>
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
>
> [eap] processing type sim
>   can not initiate sim, no RAND1 attribute
> [eap] Default EAP type sim failed in initiate
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Login incorrect:
> [3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org] (from client
> eap-sim port 0 cli 5C-59-48-67-C7-A5)
>
> Please advice on how am I going to proceed from here. Thank you in advance.
>
> Regards,
>
> GNUbie




More information about the Freeradius-Users mailing list