EAP-SIM authentication failed
Yann R. Moupinda
yannm1 at hotmail.com
Thu Nov 15 17:46:49 CET 2012
Hi guys,
I'm still trying to authenticate an EAP-SIM client with FreeRADIUS 3.0.0. Using the Nokia E51 and E52, the EAP-SIM authentication process just stops after the RADIUS server has sent the "EAP-REQUEST, SIM-CHALLENGE" (containing AT_RAND and AT_MAC) message (see log info).
I made some changes in "eapsimlib.c" regarding the AT_IDENTITY by using the patch 'commit cfd61d24b99022eb613054bbf7e0da4fa3af1bde', but the result didn't change.
I decided to change the client. I downloaded and installed Xsupplicant 2.2.3.553 on my Windows XP. This is software that can be used as an EAP-SIM client. I didn't change anything on the server side.
This time Xsupplicant replies with an "EAP-RESPONSE, SIM-CHALLENGE" (containing AT_MAC) after receiving the "EAP-REQUEST, SIM-CHALLENGE" (containing AT_RAND and AT_MAC). The FreeRADIUS server receives the "EAP-RESPONSE, SIM-CHALLENGE" (containing AT_MAC), says that the received MAC doesn't match and breaks the authentication process with an "Access-Reject".
Here are the log messages with the Nokia:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 48077, id=19, length=308
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "82500003"
Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 0x02010038013139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267
Message-Authenticator = 0x429b263e5293fadbae0a13f28dad2775
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) group authorize {
(0) - entering group authorize {...}
(0) [preprocess] = ok
(0) [chap] = noop
(0) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212
(0) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(0) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(0) auth_log : expand: %t -> Thu Nov 8 14:20:05 2012
(0) [auth_log] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
(0) suffix : Found realm "~.*.3gppnetwork.org$"
(0) suffix : Adding Stripped-User-Name = "1901700000000653"
(0) suffix : Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org"
(0) suffix : Authentication realm is LOCAL.
(0) [suffix] = ok
rlm_sim_files: authorized user/imsi 1901700000000653
rlm_sim_files: Adding EAP-Type: eap-sim
(0) [sim_files] = ok
(0) eap : EAP packet type response id 1 length 56
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) group authenticate {
(0) - entering group authenticate {...}
(0) eap : EAP Identity
(0) eap : processing type sim
(0) eap : Underlying EAP-Type set EAP ID to 133
(0) [eap] = handled
Sending Access-Challenge of id 19 to 192.168.10.212 port 48077
EAP-Message = 0x01850014120a00000f0200020001000011010100
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x077b668807fe746db0e5f555c7ca40d2
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 41383, id=20, length=358
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
State = 0x077b668807fe746db0e5f555c7ca40d2
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "82500003"
Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 0x02850058120a000007050000be65a474dc99300354fdd97e5176bbc5100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700
Message-Authenticator = 0x07c87b76cd6232ca08dc4529913d5cac
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) group authorize {
(1) - entering group authorize {...}
(1) [preprocess] = ok
(1) [chap] = noop
(1) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212
(1) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(1) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(1) auth_log : expand: %t -> Thu Nov 8 14:20:05 2012
(1) [auth_log] = ok
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
(1) suffix : Found realm "~.*.3gppnetwork.org$"
(1) suffix : Adding Stripped-User-Name = "1901700000000653"
(1) suffix : Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org"
(1) suffix : Authentication realm is LOCAL.
(1) [suffix] = ok
rlm_sim_files: authorized user/imsi 1901700000000653
rlm_sim_files: Adding EAP-Type: eap-sim
(1) [sim_files] = ok
(1) eap : EAP packet type response id 133 length 88
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap : WARNING! No "known good" password found for the user. Authentication may fail because of this.
(1) [pap] = noop
(1) Found Auth-Type = EAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) group authenticate {
(1) - entering group authenticate {...}
(1) eap : Request found, released from the list
(1) eap : EAP/sim
(1) eap : processing type sim
+++> EAP-sim decoded packet:
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "1901700000000653 at wlan.mnc070.mcc901.3gppnetwork.org"
State = 0x077b668807fe746db0e5f555c7ca40d2
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "82500003"
Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 0x02850058120a000007050000be65a474dc99300354fdd97e5176bbc5100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700
Message-Authenticator = 0x07c87b76cd6232ca08dc4529913d5cac
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
Stripped-User-Name = "1901700000000653"
Realm = "wlan.mnc070.mcc901.3gppnetwork.org"
EAP-Type = SIM
EAP-Sim-Subtype = Start
EAP-Sim-NONCE_MT = 0x0000be65a474dc99300354fdd97e5176bbc5
EAP-Sim-SELECTED_VERSION = 0x0001
EAP-Sim-IDENTITY = 0x3139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267
(1) eap : Underlying EAP-Type set EAP ID to 134
(1) [eap] = handled
Sending Access-Challenge of id 20 to 192.168.10.212 port 41383
EAP-Message = 0x01860050120b0000010d00000123456789abcdef0123456789abcdef658719018376aab4d2a5ccde7a21b6510123456789abcdef0123456789abcdff0b050000217a0ab3b008a413f570885bca13bbe8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x077b668806fd746db0e5f555c7ca40d2
(1) Finished request 1.
Going to the next request
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
(0) Cleaning up request packet ID 19 with timestamp +14
(1) Cleaning up request packet ID 20 with timestamp +14
Ready to process requests.
<---------------------->
Here are the log messages using Xsupplicant:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 34456, id=63, length=238
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "1901700000000653"
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "82900026"
Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-16-6F-BB-2D-CE-82-90-00-00-00-00-00-26"
Calling-Station-Id = "00-16-6F-BB-2D-CE"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 0x020100150131393031373030303030303030363533
Message-Authenticator = 0x653921257bd23ec322ee3b4924d32751
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) group authorize {
(0) - entering group authorize {...}
(0) [preprocess] = ok
(0) [chap] = noop
(0) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212
(0) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114
(0) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114
(0) auth_log : expand: %t -> Wed Nov 14 17:30:30 2012
(0) [auth_log] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : No '@' in User-Name = "1901700000000653", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
rlm_sim_files: authorized user/imsi 1901700000000653
rlm_sim_files: Adding EAP-Type: eap-sim
(0) [sim_files] = ok
(0) eap : EAP packet type response id 1 length 21
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) group authenticate {
(0) - entering group authenticate {...}
(0) eap : EAP Identity
(0) eap : processing type sim
(0) eap : Underlying EAP-Type set EAP ID to 38
(0) [eap] = handled
Sending Access-Challenge of id 63 to 192.168.10.212 port 34456
EAP-Message = 0x01260014120a00000f0200020001000011010100
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5b17c53a5b31d7c6686a4d2738ee4ab7
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 57441, id=64, length=267
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "1901700000000653"
State = 0x5b17c53a5b31d7c6686a4d2738ee4ab7
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "82900026"
Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-16-6F-BB-2D-CE-82-90-00-00-00-00-00-26"
Calling-Station-Id = "00-16-6F-BB-2D-CE"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 0x02260020120a001b07050000a8605e360593e63583c864b6051046f410010001
Message-Authenticator = 0x0133a5fba265cea77256e0b429f11c02
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) group authorize {
(1) - entering group authorize {...}
(1) [preprocess] = ok
(1) [chap] = noop
(1) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212
(1) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114
(1) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114
(1) auth_log : expand: %t -> Wed Nov 14 17:30:30 2012
(1) [auth_log] = ok
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : No '@' in User-Name = "1901700000000653", looking up realm NULL
(1) suffix : No such realm "NULL"
(1) [suffix] = noop
rlm_sim_files: authorized user/imsi 1901700000000653
rlm_sim_files: Adding EAP-Type: eap-sim
(1) [sim_files] = ok
(1) eap : EAP packet type response id 38 length 32
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap : WARNING! No "known good" password found for the user. Authentication may fail because of this.
(1) [pap] = noop
(1) Found Auth-Type = EAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) group authenticate {
(1) - entering group authenticate {...}
(1) eap : Request found, released from the list
(1) eap : EAP/sim
(1) eap : processing type sim
+++> EAP-sim decoded packet:
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "1901700000000653"
State = 0x5b17c53a5b31d7c6686a4d2738ee4ab7
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "82900026"
Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-16-6F-BB-2D-CE-82-90-00-00-00-00-00-26"
Calling-Station-Id = "00-16-6F-BB-2D-CE"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 0x02260020120a001b07050000a8605e360593e63583c864b6051046f410010001
Message-Authenticator = 0x0133a5fba265cea77256e0b429f11c02
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
EAP-Type = SIM
EAP-Sim-Subtype = Start
EAP-Sim-NONCE_MT = 0x0000a8605e360593e63583c864b6051046f4
EAP-Sim-SELECTED_VERSION = 0x0001
(1) eap : Underlying EAP-Type set EAP ID to 39
(1) [eap] = handled
Sending Access-Challenge of id 64 to 192.168.10.212 port 57441
EAP-Message = 0x01270050120b0000010d0000db1f1a922a6044b1ac9193596d34b701a20fd51626bd4f24b91755d927101729eeb85a0437da4ea4ab99cfbc1c439ce40b05000016397dc340ea5e69ab39925507ad8438
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5b17c53a5a30d7c6686a4d2738ee4ab7
(1) Finished request 1.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 36917, id=65, length=263
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "1901700000000653"
State = 0x5b17c53a5a30d7c6686a4d2738ee4ab7
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "82900026"
Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-16-6F-BB-2D-CE-82-90-00-00-00-00-00-26"
Calling-Station-Id = "00-16-6F-BB-2D-CE"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 0x0227001c120b00170b0500007f86aeaeded71ccd418687567f8f8eb3
Message-Authenticator = 0xf263cce3cc9890197ca080b7f4629af2
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(2) group authorize {
(2) - entering group authorize {...}
(2) [preprocess] = ok
(2) [chap] = noop
(2) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212
(2) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114
(2) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121114
(2) auth_log : expand: %t -> Wed Nov 14 17:30:30 2012
(2) [auth_log] = ok
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : No '@' in User-Name = "1901700000000653", looking up realm NULL
(2) suffix : No such realm "NULL"
(2) [suffix] = noop
rlm_sim_files: authorized user/imsi 1901700000000653
rlm_sim_files: Adding EAP-Type: eap-sim
(2) [sim_files] = ok
(2) eap : EAP packet type response id 39 length 28
(2) eap : No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) [files] = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) pap : WARNING! No "known good" password found for the user. Authentication may fail because of this.
(2) [pap] = noop
(2) Found Auth-Type = EAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) group authenticate {
(2) - entering group authenticate {...}
(2) eap : Request found, released from the list
(2) eap : EAP/sim
(2) eap : processing type sim
calculated MAC (05248e0d_917db8e0_55e8b312_b489d982_20c54ef4) did not match
(2) eap : Handler failed in EAP/sim
(2) eap : Failed in EAP select
(2) [eap] = invalid
(2) Failed to authenticate the user.
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) group REJECT {
(2) - entering group REJECT {...}
(2) attr_filter.access_reject : expand: %{User-Name} -> 1901700000000653
(2) attr_filter.access_reject : Matched entry DEFAULT at line 11
(2) [attr_filter.access_reject] = updated
(2) Finished request 2.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 36917, id=65, length=263
Discarding duplicate request from client bipsbk port 36917 - ID: 65 due to unfinished request 2
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 36917, id=65, length=263
Discarding duplicate request from client bipsbk port 36917 - ID: 65 due to delayed reject 2
Waking up in 0.4 seconds.
(2) Sending delayed reject
Sending Access-Reject of id 65 to 192.168.10.212 port 36917
EAP-Message = 0x04270004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Does anyone have an idea why the MAC does not match although client and server are using the same algorithm version (version 1, mentioned in AT_VERSION_LIST from the server and in AT_SELECTED_VERSION from the client)?
Best regards
Yann
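To see exactly which EAP-SIM attributes each side put on the wire, here is a small RFC 4186 packet decoder, added as an example to this post (it is not the poster's code and not part of FreeRADIUS or Xsupplicant). It parses the EAP-Message hex values quoted in the two logs above; the attribute names and numbers follow RFC 4186, and the only values it carries are copied from the posted logs.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
SIM_SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification", 13: "Re-authentication", 14: "Client-Error"}
ATTRS = {1: "AT_RAND", 7: "AT_NONCE_MT", 10: "AT_PERMANENT_ID_REQ", 11: "AT_MAC", 13: "AT_ANY_ID_REQ",
         14: "AT_IDENTITY", 15: "AT_VERSION_LIST", 16: "AT_SELECTED_VERSION", 17: "AT_FULLAUTH_ID_REQ"}

def decode_eap_sim(hexstr):
    """Decode one RADIUS EAP-Message value (hex string, RFC 4186 EAP-SIM) into a dict."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])        # EAP header (RFC 3748)
    if length != len(data):
        raise ValueError("EAP length %d != %d bytes on the wire" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "attrs": {}}
    if code in (3, 4):                                           # Success/Failure carry no type
        return pkt
    eap_type, subtype, reserved = struct.unpack("!BBH", data[4:8])
    if eap_type != 18:
        raise ValueError("not EAP-SIM (EAP type %d)" % eap_type)
    pkt["subtype"] = SIM_SUBTYPES.get(subtype, subtype)
    pkt["reserved"] = reserved        # RFC 4186: must be zero, ignored on reception; reported as seen
    pos = 8
    while pos < len(data):            # attributes are TLVs; the length byte counts 4-byte units
        atype, alen = data[pos], data[pos + 1] * 4
        if alen == 0 or pos + alen > len(data):
            raise ValueError("bad attribute length at offset %d" % pos)
        body = data[pos + 2:pos + alen]
        if atype == 1:                # AT_RAND: 2 reserved bytes, then n x 16-byte GSM RAND
            val = [body[2 + i:18 + i].hex() for i in range(0, len(body) - 2, 16)]
        elif atype in (7, 11):        # AT_NONCE_MT / AT_MAC: 2 reserved bytes, 16-byte value
            val = body[2:18].hex()
        elif atype == 14:             # AT_IDENTITY: 2-byte actual length, identity, padding
            val = body[2:2 + struct.unpack("!H", body[:2])[0]].decode("ascii")
        elif atype == 15:             # AT_VERSION_LIST: 2-byte actual length, 2-byte versions
            n = struct.unpack("!H", body[:2])[0]
            val = [struct.unpack("!H", body[2 + i:4 + i])[0] for i in range(0, n, 2)]
        elif atype == 16:             # AT_SELECTED_VERSION: one 2-byte version
            val = struct.unpack("!H", body[:2])[0]
        else:                         # e.g. AT_FULLAUTH_ID_REQ: keep the raw bytes
            val = body.hex()
        pkt["attrs"][ATTRS.get(atype, "AT_%d" % atype)] = val
        pos += alen
    return pkt

# EAP-Message values copied verbatim from the two posted debug logs (not constructed).
SAMPLES = {
    "server Start request": "0x01850014120a00000f0200020001000011010100",
    "Nokia Start response": "0x02850058120a000007050000be65a474dc99300354fdd97e5176bbc5100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700",
    "server Challenge request": "0x01860050120b0000010d00000123456789abcdef0123456789abcdef658719018376aab4d2a5ccde7a21b6510123456789abcdef0123456789abcdff0b050000217a0ab3b008a413f570885bca13bbe8",
    "Xsupplicant Start response": "0x02260020120a001b07050000a8605e360593e63583c864b6051046f410010001",
    "Xsupplicant Challenge response": "0x0227001c120b00170b0500007f86aeaeded71ccd418687567f8f8eb3",
    "server EAP-Failure": "0x04270004",
}

def decode_all(samples=SAMPLES):  # decode every sample, keyed by label, for side-by-side comparison
    return {label: decode_eap_sim(h) for label, h in samples.items()}
```

Decoding the samples shows the Nokia Start response carrying AT_IDENTITY where the Xsupplicant one does not, the server challenge carrying three RANDs plus AT_MAC, and the Xsupplicant Challenge response carrying only AT_MAC. The decoder also reports the reserved field after the subtype, which RFC 4186 requires to be zero and ignored on reception; in the two Xsupplicant packets it decodes as 0x001b and 0x0017.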