EAP-SIM authentication failed

Yann R. Moupinda yannm1 at hotmail.com
Tue Nov 6 11:55:00 CET 2012


Hi guys,

For my thesis I need to realize an EAP-SIM authentication testbed. I'm using a Nokia E52 with EAP-SIM, a MIKROTIK router as access point and FreeRADIUS 2.1.10 as Radius server. I have added the necessary commands in the clients.conf, radiusd.conf, eap.conf and default files in order to enable EAP-SIM authentication on the FreeRADIUS and I've created a flat file 'simtriplets.dat' that is used by the Radius during the authentication process.
When trying to access the WLAN with the mobile phone (Nokia E52), I got the message that the authentication was unsuccessful. But looking at the radius debug file, I cannot recognize any failure or messages like 'Access-Reject'. The debug file shows that radius got two 'Access-Request' packets from the MIKROTIK router and it also sent two 'Access-Challenge' packets back to the router. It seems the radius is waiting for the next requests and then the authentication process just ends.
So my questions are:

- How many request packets are needed to complete the EAP-SIM authentication?
- What should I configure to get more than 2 Access-Request?

Here is the content of my debug file:

    .
    .
    .
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 38803, id=29, length=238
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "1901700000000653"
    NAS-Port-Id = "ap_hotspot"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "8220000e"
    Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"
    Calling-Station-Id = "A8-7E-33-3E-9C-5B"
    Called-Station-Id = "00-0C-42-64-41-9D:YANN"
    EAP-Message = 0x020100150131393031373030303030303030363533
    Message-Authenticator = 0xcf4e5f6429686cc260b16bd23d82489f
    NAS-Identifier = "MT_Yann"
    NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
rlm_sim_files: authorized user/imsi 1901700000000653 
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "1901700000000653", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 108
++[eap] returns handled
Sending Access-Challenge of id 29 to 192.168.10.212 port 38803
    EAP-Message = 0x016c0014120a00000f0200020001000011010100
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x870e2a6987623891aa6e49c2b1bcc9b6
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 50478, id=30, length=287
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "1901700000000653"
    State = 0x870e2a6987623891aa6e49c2b1bcc9b6
    NAS-Port-Id = "ap_hotspot"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "8220000e"
    Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"
    Calling-Station-Id = "A8-7E-33-3E-9C-5B"
    Called-Station-Id = "00-0C-42-64-41-9D:YANN"
    EAP-Message = 0x026c0034120a000007050000c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363533
    Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f
    NAS-Identifier = "MT_Yann"
    NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
rlm_sim_files: authorized user/imsi 1901700000000653 
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "1901700000000653", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 108 length 52
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "1901700000000653"
    State = 0x870e2a6987623891aa6e49c2b1bcc9b6
    NAS-Port-Id = "ap_hotspot"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "8220000e"
    Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"
    Calling-Station-Id = "A8-7E-33-3E-9C-5B"
    Called-Station-Id = "00-0C-42-64-41-9D:YANN"
    EAP-Message = 0x026c0034120a000007050000c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363533
    Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f
    NAS-Identifier = "MT_Yann"
    NAS-IP-Address = 192.168.10.212
    EAP-Type = SIM
    EAP-Sim-Subtype = Start
    EAP-Sim-NONCE_MT = 0x0000c27cfb1cfa7a257c9c89796e49bca230
    EAP-Sim-SELECTED_VERSION = 0x0001
    EAP-Sim-IDENTITY = 0x31393031373030303030303030363533
[eap] Underlying EAP-Type set EAP ID to 109
++[eap] returns handled
Sending Access-Challenge of id 30 to 192.168.10.212 port 50478
    EAP-Message = 0x016d0050120b0000010d00000123456789abcdef0123456789abcdef0123456789abcdef0123456789abcde00123456789abcdef0123456789abcd180b0500000bffb0f7777b066616d98519e625a531
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x870e2a6986633891aa6e49c2b1bcc9b6
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 29 with timestamp +17
Cleaning up request 1 ID 30 with timestamp +17
Ready to process requests.

Has anyone an idea why the authentication breaks up?

Thank you in advance.

Regards,

Yann
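
Added example, not part of the original post and not FreeRADIUS code: a small decoder for the four EAP-Message values in the debug output above, following the EAP-SIM packet layout of RFC 4186 (subtype, two reserved bytes, then type/length/value attributes with length counted in 4-byte words). Function and table names are illustrative; the hex strings are copied from the log.

```python
import struct

# Code points from RFC 4186 (EAP-SIM); only those seen in this log are named.
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification", 14: "Client-Error"}
ATTRS = {1: "AT_RAND", 7: "AT_NONCE_MT", 11: "AT_MAC", 14: "AT_IDENTITY",
         15: "AT_VERSION_LIST", 16: "AT_SELECTED_VERSION", 17: "AT_FULLAUTH_ID_REQ"}

# EAP-Message values copied from the debug output above, in order.
EXCHANGE = [
    "0x020100150131393031373030303030303030363533",
    "0x016c0014120a00000f0200020001000011010100",
    "0x026c0034120a000007050000c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363533",
    "0x016d0050120b0000010d00000123456789abcdef0123456789abcdef0123456789abcdef0123456789abcde00123456789abcdef0123456789abcd180b0500000bffb0f7777b066616d98519e625a531",
]

def decode_eap(hexstr):
    """Decode one EAP-Message value as printed in the RADIUS debug log."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field does not match payload size")
    pkt = {"code": CODES.get(code, code), "id": ident, "attrs": []}
    if length > 4 and raw[4] == 1:                 # EAP type 1: Identity
        pkt["identity"] = raw[5:].decode("ascii", "replace")
    elif length >= 8 and raw[4] == 18:             # EAP type 18: SIM
        pkt["subtype"] = SUBTYPES.get(raw[5], raw[5])
        pos = 8                                    # skip subtype + 2 reserved bytes
        while pos < length:
            # Attribute length is counted in 4-byte words and includes the header.
            alen = raw[pos + 1] * 4 if pos + 1 < length else 0
            if alen == 0 or pos + alen > length:
                raise ValueError("malformed attribute at offset %d" % pos)
            pkt["attrs"].append((ATTRS.get(raw[pos], raw[pos]), raw[pos + 2:pos + alen]))
            pos += alen
    return pkt

def trace(exchange=EXCHANGE):
    """One summary line per packet: code, EAP id, type/subtype, attribute names."""
    lines = []
    for hexstr in exchange:
        p = decode_eap(hexstr)
        what = "Identity" if "identity" in p else "SIM/%s" % p.get("subtype")
        names = ",".join(str(name) for name, _ in p["attrs"])
        lines.append(("%s id=%d %s %s" % (p["code"], p["id"], what, names)).rstrip())
    return lines

if __name__ == "__main__":
    print("\n".join(trace()))
```

The last packet decoded is the server's Request/SIM/Challenge carrying three RANDs and AT_MAC; the log shows no further Access-Request answering it before both requests are cleaned up.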



 		 	   		  