EAP-SIM authentication failed

Yann R. Moupinda yannm1 at hotmail.com
Wed Nov 7 14:46:57 CET 2012


Hi guys,

Thanks for your help.

After reading your suggestions, I installed a new version of FreeRADIUS (FreeRADIUS 2.2.1).

I haven't worked with the patch yet (I'm going to do that later) but, just to show what I got with the new version 2.2.1 and changing the content of the simtriplets.dat:

1. case: simtriplets.dat looks like the following (imsi,rand,sres,kc) (3 different rand...)

1901700000000653,0123456789abcdef0123456789abcdef,0227bc86,44168f1de9259000
1901700000000653,0123456789abcdef0123456789abcde0,725bb218,25903c082654b400
1901700000000653,0123456789abcdef0123456789abcd18,ed404256,bc871da6ae8edc00
1901700000000653,0123456789abcdef0123456789abcd88,6695bd6e,58788a55e9052000

I got the same failure as before: after sending the 2nd access challenge, the server is waiting for the 3rd access request and doesn't get anything --> authentication failed

    .
    .
    .
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 38803, id=29, length=238
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "1901700000000653"
    NAS-Port-Id = "ap_hotspot"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "8220000e"
    Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"
    Calling-Station-Id = "A8-7E-33-3E-9C-5B"
    Called-Station-Id = "00-0C-42-64-41-9D:YANN"
    EAP-Message = 0x020100150131393031373030303030303030363533
    Message-Authenticator = 0xcf4e5f6429686cc260b16bd23d82489f
    NAS-Identifier = "MT_Yann"
    NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
rlm_sim_files: authorized user/imsi 1901700000000653 
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "1901700000000653", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 108
++[eap] returns handled
Sending Access-Challenge of id 29 to 192.168.10.212 port 38803
    EAP-Message = 0x016c0014120a00000f0200020001000011010100
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x870e2a6987623891aa6e49c2b1bcc9b6
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 50478, id=30, length=287
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "1901700000000653"
    State = 0x870e2a6987623891aa6e49c2b1bcc9b6
    NAS-Port-Id = "ap_hotspot"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "8220000e"
    Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"
    Calling-Station-Id = "A8-7E-33-3E-9C-5B"
    Called-Station-Id = "00-0C-42-64-41-9D:YANN"
    EAP-Message = 0x026c0034120a000007050000c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363533
    Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f
    NAS-Identifier = "MT_Yann"
    NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
rlm_sim_files: authorized user/imsi 1901700000000653 
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "1901700000000653", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 108 length 52
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "1901700000000653"
    State = 0x870e2a6987623891aa6e49c2b1bcc9b6
    NAS-Port-Id = "ap_hotspot"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "8220000e"
    Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"
    Calling-Station-Id = "A8-7E-33-3E-9C-5B"
    Called-Station-Id = "00-0C-42-64-41-9D:YANN"
    EAP-Message = 0x026c0034120a000007050000c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363533
    Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f
    NAS-Identifier = "MT_Yann"
    NAS-IP-Address = 192.168.10.212
    EAP-Type = SIM
    EAP-Sim-Subtype = Start
    EAP-Sim-NONCE_MT = 0x0000c27cfb1cfa7a257c9c89796e49bca230
    EAP-Sim-SELECTED_VERSION = 0x0001
    EAP-Sim-IDENTITY = 0x31393031373030303030303030363533
[eap] Underlying EAP-Type set EAP ID to 109
++[eap] returns handled
Sending Access-Challenge of id 30 to 192.168.10.212 port 50478
    EAP-Message = 0x016d0050120b0000010d00000123456789abcdef0123456789abcdef0123456789abcdef0123456789abcde00123456789abcdef0123456789abcd180b0500000bffb0f7777b066616d98519e625a531
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x870e2a6986633891aa6e49c2b1bcc9b6
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 29 with timestamp +17
Cleaning up request 1 ID 30 with timestamp +17
Ready to process requests.

- - - - - - - - - - - - - - - - -- - - - - - - - - - - -



2. case: simtriplets.dat looks like the following (imsi,rand,sres,kc) (3 times the same rand...)

1901700000000653,0123456789abcdef0123456789abcdef,0227bc86,44168f1de9259000
1901700000000653,0123456789abcdef0123456789abcdef,0227bc86,44168f1de9259000
1901700000000653,0123456789abcdef0123456789abcdef,0227bc86,44168f1de9259000

I got a failure (it's normal, I think) but in this case, the client sent the third request, saying to stop the authentication process.
So, in this case the client reacts to the second access challenge and in the first case (with different data in the simtriplets.dat) it doesn't.

.
.
.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 49529, id=6, length=308
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
    NAS-Port-Id = "ap_hotspot"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "82400001"
    Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-40-00-00-00-00-00-01"
    Calling-Station-Id = "A8-7E-33-3E-9C-5B"
    Called-Station-Id = "00-0C-42-64-41-9D:YANN"
    EAP-Message = 0x02010038013139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267
    Message-Authenticator = 0xb66e4f2652fec781e4c71b6dbd20b389
    NAS-Identifier = "MT_Yann"
    NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
[suffix] Found realm "~.*.3gppnetwork.org$"
[suffix] Adding Stripped-User-Name = "1901700000000653"
[suffix] Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
rlm_sim_files: authorized user/imsi 1901700000000653 
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 1 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 4
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.10.212 port 49529
    EAP-Message = 0x01040014120a00000f0200020001000011010100
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xf69e9f4cf69a8d1d0990f37eaa6db462
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 34603, id=7, length=358
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
    State = 0xf69e9f4cf69a8d1d0990f37eaa6db462
    NAS-Port-Id = "ap_hotspot"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "82400001"
    Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-40-00-00-00-00-00-01"
    Calling-Station-Id = "A8-7E-33-3E-9C-5B"
    Called-Station-Id = "00-0C-42-64-41-9D:YANN"
    EAP-Message = 0x02040058120a00000705000097d3fd9e1c4410fa64112b4b80057c3d100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700
    Message-Authenticator = 0x741ccd1cadf88aea68338a49b9e65500
    NAS-Identifier = "MT_Yann"
    NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
[suffix] Found realm "~.*.3gppnetwork.org$"
[suffix] Adding Stripped-User-Name = "1901700000000653"
[suffix] Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
rlm_sim_files: authorized user/imsi 1901700000000653 
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 4 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
    State = 0xf69e9f4cf69a8d1d0990f37eaa6db462
    NAS-Port-Id = "ap_hotspot"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "82400001"
    Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-40-00-00-00-00-00-01"
    Calling-Station-Id = "A8-7E-33-3E-9C-5B"
    Called-Station-Id = "00-0C-42-64-41-9D:YANN"
    EAP-Message = 0x02040058120a00000705000097d3fd9e1c4410fa64112b4b80057c3d100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700
    Message-Authenticator = 0x741ccd1cadf88aea68338a49b9e65500
    NAS-Identifier = "MT_Yann"
    NAS-IP-Address = 192.168.10.212
    Stripped-User-Name = "1901700000000653"
    Realm = "wlan.mnc070.mcc901.3gppnetwork.org"
    EAP-Type = SIM
    EAP-Sim-Subtype = Start
    EAP-Sim-NONCE_MT = 0x000097d3fd9e1c4410fa64112b4b80057c3d
    EAP-Sim-SELECTED_VERSION = 0x0001
    EAP-Sim-IDENTITY = 0x3139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267
[eap] Underlying EAP-Type set EAP ID to 5
++[eap] returns handled
Sending Access-Challenge of id 7 to 192.168.10.212 port 34603
    EAP-Message = 0x01050050120b0000010d00000123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0b050000095b748dc49685f14ee126dd201a6787
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xf69e9f4cf79b8d1d0990f37eaa6db462
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 47748, id=8, length=282
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
    State = 0xf69e9f4cf79b8d1d0990f37eaa6db462
    NAS-Port-Id = "ap_hotspot"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "82400001"
    Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-40-00-00-00-00-00-01"
    Calling-Station-Id = "A8-7E-33-3E-9C-5B"
    Called-Station-Id = "00-0C-42-64-41-9D:YANN"
    EAP-Message = 0x0205000c120e000016010000
    Message-Authenticator = 0x67afd2e2a3861afd4c460375757d1fdd
    NAS-Identifier = "MT_Yann"
    NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
[suffix] Found realm "~.*.3gppnetwork.org$"
[suffix] Adding Stripped-User-Name = "1901700000000653"
[suffix] Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
rlm_sim_files: authorized user/imsi 1901700000000653 
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 5 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
Client says error.  Stopping!
[eap] Handler failed in EAP/sim
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 47748, id=8, length=282
Waiting to send Access-Reject to client bips_bk port 47748 - ID: 8
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 47748, id=8, length=282
Waiting to send Access-Reject to client bips_bk port 47748 - ID: 8
Waking up in 0.3 seconds.
Cleaning up request 0 ID 6 with timestamp +20
Cleaning up request 1 ID 7 with timestamp +20
Sending delayed reject for request 2
Sending Access-Reject of id 8 to 192.168.10.212 port 47748
    EAP-Message = 0x04050004
    Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 2 ID 8 with timestamp +24
Ready to process requests.

- - - - - - - - - -- - - - - - - - - 

Are there any extra requirements on the RAND number except that they must be 128 byte long?

I'm trying to make another fix with the patch now.

Yann
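The decoder below is an added example, not code from this post or from FreeRADIUS/rlm_sim_files. It parses the EAP-Message hex that appears in the debug output above (the sample packets and the triplet line are copied from the post), using the EAP-SIM subtype, attribute and Client-Error numbers defined in RFC 4186, and it checks simtriplets.dat lines against the GSM triplet sizes (RAND 128 bits, SRES 32 bits, Kc 64 bits). Decoding the two Challenge packets shows the server sent three distinct RANDs in case 1 and three identical ones in case 2, and that the case-2 client reply is Client-Error code 0 ("unable to process packet"). All function names are my own.

```python
# Added example (not from the post or from FreeRADIUS): decode the EAP-SIM
# packets seen as EAP-Message hex in the debug output above and validate
# simtriplets.dat lines. Numbers follow RFC 4186; samples are copied from the post.
import struct

EAP_TYPE_SIM = 18
GSM_RAND_LEN, GSM_SRES_LEN, GSM_KC_LEN = 16, 4, 8   # 128-bit RAND, 32-bit SRES, 64-bit Kc

SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification",
            13: "Re-authentication", 14: "Client-Error"}
ATTRIBUTES = {1: "AT_RAND", 6: "AT_PADDING", 7: "AT_NONCE_MT", 10: "AT_PERMANENT_ID_REQ",
              11: "AT_MAC", 12: "AT_NOTIFICATION", 13: "AT_ANY_ID_REQ", 14: "AT_IDENTITY",
              15: "AT_VERSION_LIST", 16: "AT_SELECTED_VERSION", 17: "AT_FULLAUTH_ID_REQ",
              22: "AT_CLIENT_ERROR_CODE", 129: "AT_IV", 130: "AT_ENCR_DATA"}
CLIENT_ERROR_CODES = {0: "unable to process packet", 1: "unsupported version",
                      2: "insufficient number of challenges", 3: "RANDs are not fresh"}


def parse_eap_sim(hex_packet):
    """Decode an EAP packet of type SIM into its header fields and attributes."""
    pkt = bytes.fromhex(hex_packet[2:] if hex_packet.startswith("0x") else hex_packet)
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != {len(pkt)} bytes present")
    if eap_type != EAP_TYPE_SIM:
        raise ValueError(f"EAP type {eap_type} is not EAP-SIM ({EAP_TYPE_SIM})")
    subtype = pkt[5]
    attrs = {}
    pos = 8                        # subtype byte + 2 reserved bytes follow the EAP type
    while pos < len(pkt):
        at_type, at_len = pkt[pos], pkt[pos + 1]      # attribute length is in 4-byte units
        if at_len == 0 or pos + 4 * at_len > len(pkt):
            raise ValueError(f"attribute {at_type} has bad length {at_len}")
        name = ATTRIBUTES.get(at_type, f"AT_{at_type}")
        word = struct.unpack("!H", pkt[pos + 2:pos + 4])[0]   # reserved, actual length, or value
        data = pkt[pos + 4:pos + 4 * at_len]
        if at_type == 1:           # AT_RAND: reserved word, then n concatenated 16-byte RANDs
            attrs[name] = [data[i:i + GSM_RAND_LEN] for i in range(0, len(data), GSM_RAND_LEN)]
        elif at_type == 15:        # AT_VERSION_LIST: actual length in bytes, then 2-byte versions
            attrs[name] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(0, word, 2)]
        elif at_type == 14:        # AT_IDENTITY: actual length in bytes, then identity + padding
            attrs[name] = data[:word]
        elif at_type in (16, 22):  # AT_SELECTED_VERSION / AT_CLIENT_ERROR_CODE: value is the word
            attrs[name] = word
        else:                      # AT_NONCE_MT, AT_MAC, *_ID_REQ, ...: keep the raw value bytes
            attrs[name] = data
        pos += 4 * at_len
    return {"code": code, "id": ident, "subtype": SUBTYPES.get(subtype, subtype), "attrs": attrs}


def check_rands(rands):
    """Problems with a RAND list as a peer would judge it (empty list means acceptable)."""
    problems = []
    if len(rands) < 2:
        problems.append(f"only {len(rands)} RAND(s); a Challenge needs at least 2")
    if any(len(r) != GSM_RAND_LEN for r in rands):
        problems.append("a RAND is not 128 bits long")
    if len(set(rands)) != len(rands):
        problems.append("duplicate RANDs; RFC 4186 requires the RANDs in one Challenge to differ")
    return problems


def parse_triplet_line(line):
    """Parse one 'imsi,rand,sres,kc' simtriplets.dat line, checking the GSM field sizes."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 4 or not fields[0].isdigit():
        raise ValueError(f"malformed triplet line: {line!r}")
    triplet = {"imsi": fields[0]}
    for name, value, size in zip(("rand", "sres", "kc"), fields[1:],
                                 (GSM_RAND_LEN, GSM_SRES_LEN, GSM_KC_LEN)):
        raw = bytes.fromhex(value)
        if len(raw) != size:
            raise ValueError(f"{name} must be {size} bytes, got {len(raw)}: {value}")
        triplet[name] = raw
    return triplet


def check_triplet_file(lines):
    """Group triplet lines by IMSI and report RAND problems per IMSI."""
    by_imsi = {}
    for line in lines:
        if line.strip():
            t = parse_triplet_line(line)
            by_imsi.setdefault(t["imsi"], []).append(t["rand"])
    return {imsi: check_rands(rands) for imsi, rands in by_imsi.items()}


# Packets copied from the debug output in the post (case 1 and case 2).
CHALLENGE_CASE1 = "0x016d0050120b0000010d00000123456789abcdef0123456789abcdef0123456789abcdef0123456789abcde00123456789abcdef0123456789abcd180b0500000bffb0f7777b066616d98519e625a531"
CHALLENGE_CASE2 = "0x01050050120b0000010d00000123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0b050000095b748dc49685f14ee126dd201a6787"
CLIENT_ERROR = "0x0205000c120e000016010000"
# The case-1 simtriplets.dat from the post.
TRIPLETS_CASE1 = """1901700000000653,0123456789abcdef0123456789abcdef,0227bc86,44168f1de9259000
1901700000000653,0123456789abcdef0123456789abcde0,725bb218,25903c082654b400
1901700000000653,0123456789abcdef0123456789abcd18,ed404256,bc871da6ae8edc00
1901700000000653,0123456789abcdef0123456789abcd88,6695bd6e,58788a55e9052000"""

if __name__ == "__main__":
    for label, pkt in (("case 1 challenge", CHALLENGE_CASE1), ("case 2 challenge", CHALLENGE_CASE2),
                       ("case 2 client error", CLIENT_ERROR)):
        d = parse_eap_sim(pkt)
        print(label, d["subtype"], d["attrs"])
        if "AT_RAND" in d["attrs"]:
            print("  RAND check:", check_rands(d["attrs"]["AT_RAND"]) or "ok")
        if "AT_CLIENT_ERROR_CODE" in d["attrs"]:
            print("  client error:", CLIENT_ERROR_CODES.get(d["attrs"]["AT_CLIENT_ERROR_CODE"]))
    print("case 1 triplet file:", check_triplet_file(TRIPLETS_CASE1.splitlines()))
```

Feeding check_triplet_file the case-2 file (three identical lines) reports the duplicate RANDs for that IMSI before the server ever builds a Challenge, which is the cheap check to run on simtriplets.dat whenever the client answers a Challenge with Client-Error.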