EAP-SIM on freeradius-server-2.1.12

Iliya Peregoudov iperegudov at cboss.ru
Fri Feb 17 07:53:28 CET 2012


 > rlm_sim_files: insufficient number of challenges for imsi
 > 3a370f920c4275853 at wlan.mnc005.mcc525.3gppnetwork.org: 0
 > ++[sim_files] returns notfound

You have triplets for the 3be855ae7a8607c7f identity in the simtriplets.dat. 
But there is a 3a370f920c4275853 identity in the RADIUS request. So the 
sim_files module is unable to find triplets for the requested identity.

You can add realm wlan.mnc001.mcc525.3gppnetwork.org as your server's 
locally served realm to get it stripped:

# raddb/proxy.conf
realm wlan.mnc001.mcc525.3gppnetwork.org {
    # no home servers so this is locally served realm
}

After that you can put identities into simtriplets.dat without realm.

But I think that the iPhone generates a new random pseudonym identity for 
each authentication attempt. So you will be out of luck guessing it.

In fact, rlm_eap_sim is badly broken. It wants the triplets to be known 
before it requests the permanent identity from the peer. It should first send 
an EAP-Request/SIM/Start(AT_PERMANENT_ID_REQ, AT_VERSION_LIST) message to 
the peer. When EAP-Response/SIM/Start(AT_IDENTITY, AT_NONCE) is received 
from the peer, the permanent identity should be extracted from the AT_IDENTITY 
attribute and the triplets should be found for this permanent identity.

All the tests in the freeradius sources assume that the permanent identity is 
sent in the EAP-Response/Identity message. Nokia phones do it that way. 
The iPhone does not.
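
The Start exchange described in the reply above, as an added example that is not part of the original message and is not FreeRADIUS's rlm_eap_sim: it encodes EAP-Request/SIM/Start(AT_PERMANENT_ID_REQ, AT_VERSION_LIST), decodes the peer's EAP-Response/SIM/Start and pulls the identity out of AT_IDENTITY (RFC 4186 names the nonce attribute AT_NONCE_MT), then classifies the identity by the 3GPP TS 23.003 leading-digit convention, under which 1354162120787078 is a permanent identity (1 + IMSI) and 3a370f920c4275853 is a pseudonym. The function names, the simulated peer reply and the sample identities are constructed for this example.

```python
"""Added example (not FreeRADIUS code): the EAP-SIM Start round trip from
RFC 4186, built and parsed with the standard library only."""
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_SIM = 18
SUBTYPE_START = 10
# Attribute types from RFC 4186 section 10.
AT_NONCE_MT = 7
AT_PERMANENT_ID_REQ = 10
AT_IDENTITY = 14
AT_VERSION_LIST = 15
AT_SELECTED_VERSION = 16
EAP_SIM_VERSION_1 = 1


def encode_attr(atype, value):
    """One attribute TLV: Type, Length in 4-octet units, value, zero padding."""
    value += b"\x00" * ((-(2 + len(value))) % 4)
    return struct.pack("!BB", atype, (2 + len(value)) // 4) + value


def encode_eap_sim(code, identifier, subtype, attrs):
    """EAP header (Code, Id, Length, Type=18) + Subtype + Reserved + attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBHBBH", code, identifier, 8 + len(body),
                       EAP_TYPE_SIM, subtype, 0) + body


def build_start_request(identifier):
    """EAP-Request/SIM/Start(AT_PERMANENT_ID_REQ, AT_VERSION_LIST): the server
    asks for the permanent identity before it needs a single triplet."""
    return encode_eap_sim(EAP_REQUEST, identifier, SUBTYPE_START, [
        encode_attr(AT_PERMANENT_ID_REQ, b"\x00\x00"),
        # Actual Version List Length is in octets: one 2-octet version.
        encode_attr(AT_VERSION_LIST, struct.pack("!HH", 2, EAP_SIM_VERSION_1)),
    ])


def build_start_response(identifier, identity, nonce_mt=None):
    """Simulated peer answer: AT_IDENTITY, AT_NONCE_MT (16 octets), AT_SELECTED_VERSION."""
    nonce_mt = nonce_mt or os.urandom(16)
    ident = identity.encode("ascii")
    return encode_eap_sim(EAP_RESPONSE, identifier, SUBTYPE_START, [
        encode_attr(AT_IDENTITY, struct.pack("!H", len(ident)) + ident),
        encode_attr(AT_NONCE_MT, b"\x00\x00" + nonce_mt),
        encode_attr(AT_SELECTED_VERSION, struct.pack("!H", EAP_SIM_VERSION_1)),
    ])


def parse_eap_sim(pkt):
    """Return (code, identifier, subtype, {attr_type: value}); reject bad lengths."""
    if len(pkt) < 8:
        raise ValueError("short EAP packet")
    code, identifier, length, etype, subtype, _ = struct.unpack("!BBHBBH", pkt[:8])
    if length != len(pkt) or etype != EAP_TYPE_SIM:
        raise ValueError("not a well-formed EAP-SIM packet")
    attrs, off = {}, 8
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, size = pkt[off], pkt[off + 1] * 4
        if size < 4 or off + size > length:
            raise ValueError("attribute %d overruns packet" % atype)
        attrs[atype] = pkt[off + 2:off + size]
        off += size
    return code, identifier, subtype, attrs


def identity_from_start_response(pkt):
    """Extract the identity the peer put in AT_IDENTITY, as the reply says the
    server should, after checking that AT_NONCE_MT is present and 16 octets."""
    code, _, subtype, attrs = parse_eap_sim(pkt)
    if code != EAP_RESPONSE or subtype != SUBTYPE_START:
        raise ValueError("expected EAP-Response/SIM/Start")
    nonce = attrs.get(AT_NONCE_MT)
    if nonce is None or len(nonce) != 18:  # 2 reserved + 16 nonce octets
        raise ValueError("missing or malformed AT_NONCE_MT")
    raw = attrs.get(AT_IDENTITY)
    if raw is None:
        raise ValueError("peer did not send AT_IDENTITY")
    actual = struct.unpack("!H", raw[:2])[0]
    if actual > len(raw) - 2:
        raise ValueError("AT_IDENTITY actual length exceeds attribute")
    return raw[2:2 + actual].decode("ascii")


def classify_identity(identity):
    """3GPP TS 23.003 leading digit for EAP-SIM NAIs: '1' permanent (1 + IMSI),
    '3' pseudonym, '5' fast re-authentication.  Returns (kind, username)."""
    username = identity.split("@", 1)[0]
    kind = {"1": "permanent", "3": "pseudonym", "5": "fast-reauth"}.get(username[:1], "unknown")
    return kind, username


if __name__ == "__main__":
    req = build_start_request(1)
    # Constructed peer reply carrying the permanent identity built from the page's IMSI.
    resp = build_start_response(1, "1354162120787078@wlan.mnc001.mcc525.3gppnetwork.org")
    print(req.hex())
    print(classify_identity(identity_from_start_response(resp)))
```

The server side only needs `build_start_request` and `identity_from_start_response`: once the identity comes back as a permanent one it can look the triplets up by IMSI, which is the ordering the reply argues rlm_eap_sim should follow instead of requiring triplets at the EAP-Response/Identity stage.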

GNUbie wrote:
> Hello all,
> 
> I have tried inserting the value of the User-Name attribute I am
> getting from my Access-Request into the
> /usr/local/etc/raddb/simtriplets.dat file:
> 
> # sed -i 's/^/3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org,/g'
> /usr/local/etc/raddb/simtriplets.dat
> 
> and I ended up with the below contents of my
> /usr/local/etc/raddb/simtriplets.dat file:
> 
> 3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org,1354162120787078,C97024E532E340a1A1C4DE24DA001CA6,CBe30a81,988c8753D4197800
> 3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org,1354162120787078,38E1F9E16B6E4ee6A785072241E8FF43,9Bcd3f54,F56fb487C1359c00
> 3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org,1354162120787078,8254442AD6CB47a29ABC530391DDE402,7054a123,806894125A715800
> 3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org,1354162120787078,7CA9CE3C148D43e09EBCC40D0AF8048B,A290d514,A2983885440dc400
> 3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org,1354162120787078,391DDF50B644482fAE46F091B1D6AA1C,7968b608,875d2af9E883d800
> 3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org,1354162120787078,E244EC5344CF4df1A83E54AB7E399670,F9122829,FB2763c02Cbfac00
> 
> Then when I executed the command "# /usr/local/sbin/radiusd -X -d
> /usr/local/etc/raddb" and tested on my iPhone4, I got different
> results in my stdout logs:
> 
> - - - < s n i p > - - -
> rad_recv: Access-Request packet from host 172.17.1.110 port 2048,
> id=16, length=249
>         User-Name = "3a370f920c4275853 at wlan.mnc005.mcc525.3gppnetwork.org"
>         NAS-IP-Address = 172.17.1.110
>         NAS-Port = 0
>         Called-Station-Id = "0E-19-BE-80-71-00:eap-sim"
>         Calling-Station-Id = "60-FA-CD-75-96-46"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-802.11
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>         EAP-Message =
> 0x0200003901336133373066393230633432373538353340776c616e2e6d6e633030352e6d63633532352e336770706e6574776f726b2e6f7267
>         Message-Authenticator = 0x7bccc626cc4f91df718b039a143b7c64
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log]      expand:
> /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> -> /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120214
> [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120214
> [auth_log]      expand: %t -> Tue Feb 14 14:12:42 2012
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] Looking up realm "wlan.mnc005.mcc525.3gppnetwork.org" for
> User-Name = "3a370f920c4275853 at wlan.mnc005.mcc525.3gppnetwork.org"
> [suffix] No such realm "wlan.mnc005.mcc525.3gppnetwork.org"
> ++[suffix] returns noop
> rlm_sim_files: insufficient number of challenges for imsi
> 3a370f920c4275853 at wlan.mnc005.mcc525.3gppnetwork.org: 0
> ++[sim_files] returns notfound
> [eap] EAP packet type response id 0 length 57
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type sim
>    can not initiate sim, no RAND1 attribute
> [eap] Default EAP type sim failed in initiate
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Login incorrect:
> [3a370f920c4275853 at wlan.mnc005.mcc525.3gppnetwork.org] (from client
> eap-sim port 0 cli 60-FA-CD-75-96-46)
> Using Post-Auth-Type Reject
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} ->
> 3a370f920c4275853 at wlan.mnc005.mcc525.3gppnetwork.org
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Request packet from host 172.17.1.110 port 2048,
> id=17, length=249
>         User-Name = "3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org"
>         NAS-IP-Address = 172.17.1.110
>         NAS-Port = 0
>         Called-Station-Id = "0E-19-BE-80-71-00:eap-sim"
>         Calling-Station-Id = "5C-59-48-67-C7-A5"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-802.11
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>         EAP-Message =
> 0x0200003901336265383535616537613836303763376640776c616e2e6d6e633030312e6d63633532352e336770706e6574776f726b2e6f7267
>         Message-Authenticator = 0xb65adf77dff68958fe2559c807599ea8
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log]      expand:
> /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> -> /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120214
> [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120214
> [auth_log]      expand: %t -> Tue Feb 14 14:12:43 2012
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] Looking up realm "wlan.mnc001.mcc525.3gppnetwork.org" for
> User-Name = "3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org"
> [suffix] No such realm "wlan.mnc001.mcc525.3gppnetwork.org"
> ++[suffix] returns noop
> rlm_sim_files: authorized user/imsi
> 3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org
> rlm_sim_files: Adding EAP-Type: eap-sim
> ++[sim_files] returns ok
> [eap] EAP packet type response id 0 length 57
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type sim
>    eap-sim chal1 is not 8-bytes: 8
>    eap-sim chal2 is not 8-bytes: 8
>    eap-sim chal3 is not 8-bytes: 8
>    can not initiate sim, missing attributes
> [eap] Default EAP type sim failed in initiate
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Login incorrect:
> [3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org] (from client
> eap-sim port 0 cli 5C-59-48-67-C7-A5)
> Using Post-Auth-Type Reject
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} ->
> 3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 1 for 1 seconds
> Going to the next request
> Sending delayed reject for request 0
> Sending Access-Reject of id 16 to 172.17.1.110 port 2048
>         EAP-Message = 0x04000004
>         Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 0.9 seconds.
> Sending delayed reject for request 1
> Sending Access-Reject of id 17 to 172.17.1.110 port 2048
>         EAP-Message = 0x04000004
>         Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 4.0 seconds.
> Cleaning up request 0 ID 16 with timestamp +36
> Waking up in 0.9 seconds.
> rad_recv: Access-Request packet from host 172.17.1.110 port 2048,
> id=18, length=249
>         User-Name = "3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org"
>         NAS-IP-Address = 172.17.1.110
>         NAS-Port = 0
>         Called-Station-Id = "0E-19-BE-80-71-00:eap-sim"
>         Calling-Station-Id = "5C-59-48-67-C7-A5"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-802.11
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>         EAP-Message =
> 0x0200003901336265383535616537613836303763376640776c616e2e6d6e633030312e6d63633532352e336770706e6574776f726b2e6f7267
>         Message-Authenticator = 0xcc735ddce45c3ef048dae4dca03cbba0
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log]      expand:
> /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> -> /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120214
> [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120214
> [auth_log]      expand: %t -> Tue Feb 14 14:12:49 2012
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] Looking up realm "wlan.mnc001.mcc525.3gppnetwork.org" for
> User-Name = "3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org"
> [suffix] No such realm "wlan.mnc001.mcc525.3gppnetwork.org"
> ++[suffix] returns noop
> rlm_sim_files: authorized user/imsi
> 3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org
> rlm_sim_files: Adding EAP-Type: eap-sim
> ++[sim_files] returns ok
> [eap] EAP packet type response id 0 length 57
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type sim
>    eap-sim chal1 is not 8-bytes: 8
>    eap-sim chal2 is not 8-bytes: 8
>    eap-sim chal3 is not 8-bytes: 8
>    can not initiate sim, missing attributes
> [eap] Default EAP type sim failed in initiate
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Login incorrect:
> [3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org] (from client
> eap-sim port 0 cli 5C-59-48-67-C7-A5)
> Using Post-Auth-Type Reject
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} ->
> 3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 2 for 1 seconds
> Going to the next request
> Waking up in 0.2 seconds.
> Cleaning up request 1 ID 17 with timestamp +37
> Waking up in 0.7 seconds.
> rad_recv: Access-Request packet from host 172.17.1.110 port 2048,
> id=19, length=249
>         User-Name = "3a370f920c4275853 at wlan.mnc005.mcc525.3gppnetwork.org"
>         NAS-IP-Address = 172.17.1.110
>         NAS-Port = 0
>         Called-Station-Id = "0E-19-BE-80-71-00:eap-sim"
>         Calling-Station-Id = "60-FA-CD-75-96-46"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-802.11
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>         EAP-Message =
> 0x0200003901336133373066393230633432373538353340776c616e2e6d6e633030352e6d63633532352e336770706e6574776f726b2e6f7267
>         Message-Authenticator = 0x418901de84635c7925a56cfac38efb27
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log]      expand:
> /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> -> /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120214
> [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120214
> [auth_log]      expand: %t -> Tue Feb 14 14:12:50 2012
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] Looking up realm "wlan.mnc005.mcc525.3gppnetwork.org" for
> User-Name = "3a370f920c4275853 at wlan.mnc005.mcc525.3gppnetwork.org"
> [suffix] No such realm "wlan.mnc005.mcc525.3gppnetwork.org"
> ++[suffix] returns noop
> rlm_sim_files: insufficient number of challenges for imsi
> 3a370f920c4275853 at wlan.mnc005.mcc525.3gppnetwork.org: 0
> ++[sim_files] returns notfound
> [eap] EAP packet type response id 0 length 57
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type sim
>    can not initiate sim, no RAND1 attribute
> [eap] Default EAP type sim failed in initiate
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Login incorrect:
> [3a370f920c4275853 at wlan.mnc005.mcc525.3gppnetwork.org] (from client
> eap-sim port 0 cli 60-FA-CD-75-96-46)
> Using Post-Auth-Type Reject
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} ->
> 3a370f920c4275853 at wlan.mnc005.mcc525.3gppnetwork.org
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 3 for 1 seconds
> Going to the next request
> Waking up in 0.2 seconds.
> Sending delayed reject for request 2
> Sending Access-Reject of id 18 to 172.17.1.110 port 2048
>         EAP-Message = 0x04000004
>         Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 0.7 seconds.
> Sending delayed reject for request 3
> Sending Access-Reject of id 19 to 172.17.1.110 port 2048
>         EAP-Message = 0x04000004
>         Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 4.2 seconds.
> Cleaning up request 2 ID 18 with timestamp +43
> Waking up in 0.7 seconds.
> Cleaning up request 3 ID 19 with timestamp +44
> Ready to process requests.
> - - - < s n i p > - - -
> 
> Lastly, do I need to have a MAP and/or HLR simulator on my system to
> test EAP-SIM authentication?
> 
> Please advise on how I am going to move forward. Thank you in advance.
> 
> Regards,
> 
> GNUbie
> 
> On Tue, Feb 14, 2012 at 8:49 AM, GNUbie <gnubie at gmail.com> wrote:
>> Hello all,
>>
>> What am I missing in my current setup that I am getting such errors?
>> Why is it that it can't find the triplets when in fact it's there?
>>
>> Basically, the major changes I made on the configuration files are as follows:
>>
>> [ /usr/local/etc/raddb/radiusd.conf ]
>>
>> user = radiusd
>> group = radiusd
>>
>> modules {
>>  sim_files {
>>    simtriplets = "/usr/local/etc/raddb/simtriplets.dat"
>>  }
>> ...
>> ...
>> ...
>> }
>>
>> [ /usr/local/etc/raddb/clients.conf ]
>>
>> client 172.17.1.0 {
>>  ipaddr = 172.17.1.0
>>  netmask = 24
>>  secret = qwerty
>>  shortname = eap-sim
>> }
>>
>> [ /usr/local/etc/raddb/eap.conf ]
>>
>>  eap {
>>    sim {
>>    }
>>    default_eap_type = sim
>>    ...
>>    ...
>>    ...
>>  }
>>
>> [ /usr/local/etc/raddb/sites-enabled/default ]
>>
>> authorize {
>>  ...
>>  ...
>>  ...
>>  sim_files
>>  eap {
>>    ok = return
>>  }
>>  ...
>>  ...
>>  ...
>> }
>>
>> The contents of the /usr/local/etc/raddb/simtriplets.dat file has the
>> format of "IMSI,RAND,SRES,KC" without the quotes:
>>
>> 354162120787078,C97024E532E340a1A1C4DE24DA001CA6,CBe30a81,988c8753D4197800
>> 354162120787078,38E1F9E16B6E4ee6A785072241E8FF43,9Bcd3f54,F56fb487C1359c00
>> 354162120787078,8254442AD6CB47a29ABC530391DDE402,7054a123,806894125A715800
>> 354162120787078,7CA9CE3C148D43e09EBCC40D0AF8048B,A290d514,A2983885440dc400
>> 354162120787078,391DDF50B644482fAE46F091B1D6AA1C,7968b608,875d2af9E883d800
>> 354162120787078,E244EC5344CF4df1A83E54AB7E399670,F9122829,FB2763c02Cbfac00
>>
>> I also tried in my testing to add a 1 to every IMSI, but with no luck.
>>
>> # sed -i 's/^/1/g' /usr/local/etc/raddb/simtriplets.dat
>>
>> And lastly, the rlm_eap_sim and rlm_sim_files modules are in place.
>>
>> # ls -l /usr/local/lib/*sim*
>> lrwxrwxrwx 1 root root    14 Feb 13 21:19
>> /usr/local/lib/rlm_eap_sim-2.1.12.la -> rlm_eap_sim.la
>> -rwxr-xr-x 1 root root 35972 Feb 13 21:19 /usr/local/lib/rlm_eap_sim-2.1.12.so
>> -rw-r--r-- 1 root root 48340 Feb 13 21:19 /usr/local/lib/rlm_eap_sim.a
>> -rwxr-xr-x 1 root root   932 Feb 13 21:19 /usr/local/lib/rlm_eap_sim.la
>> lrwxrwxrwx 1 root root    21 Feb 13 21:19
>> /usr/local/lib/rlm_eap_sim.so -> rlm_eap_sim-2.1.12.so
>> lrwxrwxrwx 1 root root    16 Feb 13 21:19
>> /usr/local/lib/rlm_sim_files-2.1.12.la -> rlm_sim_files.la
>> -rwxr-xr-x 1 root root 35331 Feb 13 21:19 /usr/local/lib/rlm_sim_files-2.1.12.so
>> -rw-r--r-- 1 root root 46534 Feb 13 21:19 /usr/local/lib/rlm_sim_files.a
>> -rwxr-xr-x 1 root root   910 Feb 13 21:19 /usr/local/lib/rlm_sim_files.la
>> lrwxrwxrwx 1 root root    23 Feb 13 21:19
>> /usr/local/lib/rlm_sim_files.so -> rlm_sim_files-2.1.12.so
>>
>> Can anyone from this community help me solve my problem?
>>
>> Thank you in advance.
>>
>> Regards,
>>
>> GNUbie
>>
>>
>> On Tue, Feb 14, 2012 at 12:26 AM, GNUbie <gnubie at gmail.com> wrote:
>>> Hello all,
>>>
>>> I configured manually ($  ./configure --with-modules="rlm_sim"
>>> --with-modules="rlm_sim_files" && make) and installed (# make install)
>>> freeradius-server-2.1.12 from upstream on a CentOS 5.7
>>> x86_64 machine. Then I configured the following configuration files:
>>>
>>> - /usr/local/etc/raddb/radiusd.conf
>>> - /usr/local/etc/raddb/clients.conf
>>> - /usr/local/etc/raddb/eap.conf
>>> - /usr/local/etc/raddb/sites-enabled/default
>>>
>>> And lastly, I created the /usr/local/etc/raddb/simtriplets.dat with
>>> six (6) triplets (just to make sure though AFAIK 3 is enough) for a
>>> single IMSI.
>>>
>>> Then I executed the command "# /usr/local/sbin/radiusd -X -d
>>> /usr/local/etc/raddb" and tried testing directly from my iPhone4, and I
>>> got the below snippet of the stdout logs:
>>>
>>> - - - < s n i p > - - -
>>> rad_recv: Access-Request packet from host 172.17.1.110 port 2048,
>>> id=120, length=249
>>>        User-Name = "3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org"
>>>        NAS-IP-Address = 172.17.1.110
>>>        NAS-Port = 0
>>>        Called-Station-Id = "0E-19-BE-80-71-00:eap-sim"
>>>        Calling-Station-Id = "5C-59-48-67-C7-A5"
>>>        Framed-MTU = 1400
>>>        NAS-Port-Type = Wireless-802.11
>>>        Connect-Info = "CONNECT 11Mbps 802.11b"
>>>        EAP-Message =
>>> 0x0200003901336265383535616537613836303763376640776c616e2e6d6e633030312e6d63633532352e336770706e6574776f726b2e6f7267
>>>        Message-Authenticator = 0xdef1645477a2ba0f9a9371f0a9eea8b7
>>> # Executing section authorize from file
>>> /usr/local/etc/raddb/sites-enabled/default
>>> +- entering group authorize {...}
>>> ++[preprocess] returns ok
>>> [auth_log]      expand:
>>> /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>>> -> /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120213
>>> [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>>> expands to /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120213
>>> [auth_log]      expand: %t -> Mon Feb 13 23:48:18 2012
>>> ++[auth_log] returns ok
>>> ++[chap] returns noop
>>> ++[mschap] returns noop
>>> ++[digest] returns noop
>>> [suffix] Looking up realm "wlan.mnc001.mcc525.3gppnetwork.org" for
>>> User-Name = "3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org"
>>> [suffix] No such realm "wlan.mnc001.mcc525.3gppnetwork.org"
>>> ++[suffix] returns noop
>>> rlm_sim_files: insufficient number of challenges for imsi
>>> 3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org: 0
>>> ++[sim_files] returns notfound
>>> [eap] EAP packet type response id 0 length 57
>>> [eap] No EAP Start, assuming it's an on-going EAP conversation
>>> ++[eap] returns updated
>>> ++[files] returns noop
>>> ++[expiration] returns noop
>>> ++[logintime] returns noop
>>> [pap] WARNING! No "known good" password found for the user.
>>> Authentication may fail because of this.
>>> ++[pap] returns noop
>>> Found Auth-Type = EAP
>>> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
>>> +- entering group authenticate {...}
>>> [eap] EAP Identity
>>> [eap] processing type sim
>>>   can not initiate sim, no RAND1 attribute
>>> [eap] Default EAP type sim failed in initiate
>>> [eap] Failed in EAP select
>>> ++[eap] returns invalid
>>> Failed to authenticate the user.
>>> Login incorrect:
>>> [3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org] (from client
>>> eap-sim port 0 cli 5C-59-48-67-C7-A5)
>>> Using Post-Auth-Type Reject
>>> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
>>> +- entering group REJECT {...}
>>> [attr_filter.access_reject]     expand: %{User-Name} ->
>>> 3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org
>>> attr_filter: Matched entry DEFAULT at line 11
>>> ++[attr_filter.access_reject] returns updated
>>> Delaying reject of request 0 for 1 seconds
>>> Going to the next request
>>> Waking up in 0.9 seconds.
>>> Sending delayed reject for request 0
>>> Sending Access-Reject of id 120 to 172.17.1.110 port 2048
>>>        EAP-Message = 0x04000004
>>>        Message-Authenticator = 0x00000000000000000000000000000000
>>> Waking up in 4.9 seconds.
>>> Cleaning up request 0 ID 120 with timestamp +13
>>> Ready to process requests.
>>> - - - < s n i p > - - -
>>>
>>> Based on the above logs, below are the (3) lines that I'm not sure how
>>> to address:
>>>
>>> [suffix] No such realm "wlan.mnc001.mcc525.3gppnetwork.org"
>>>
>>> rlm_sim_files: insufficient number of challenges for imsi
>>> 3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org: 0
>>> ++[sim_files] returns notfound
>>>
>>> [pap] WARNING! No "known good" password found for the user.
>>> Authentication may fail because of this.
>>>
>>> [eap] processing type sim
>>>   can not initiate sim, no RAND1 attribute
>>> [eap] Default EAP type sim failed in initiate
>>> [eap] Failed in EAP select
>>> ++[eap] returns invalid
>>> Failed to authenticate the user.
>>> Login incorrect:
>>> [3be855ae7a8607c7f at wlan.mnc001.mcc525.3gppnetwork.org] (from client
>>> eap-sim port 0 cli 5C-59-48-67-C7-A5)
>>>
>>> Please advise on how I am going to proceed from here. Thank you in advance.
>>>
>>> Regards,
>>>
>>> GNUbie
> 