EAP-SIM on 2.2.0

Francois Gaudreault fgaudreault at inverse.ca
Tue Sep 11 22:28:24 CEST 2012


Hi,

On 2012-09-11 4:05 PM, Phil Mayers wrote:
> On 09/11/2012 07:49 PM, Francois Gaudreault wrote:
>> Hi,
>>
>> I am playing with EAP-SIM on 2.2.0, but I am facing an issue I cannot
>> even understand :S  Not because I don't want to, but the error messages
>> are not talking much.
>>
>> I did compute SRES/Kc for my SIM, but after the third triplet, I just
>> have:
>
> Don't trim the debug. Critical info is higher up - like the actual
> radius packet!
I always trim it the first time; I don't want to spam the planet in case 
the issue is simple :)  Here is the entire debug (with my IMSI trimmed):

rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=15, 
length=298
	User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
	Calling-Station-Id = "5C-59-48-ED-C4-96"
	NAS-IP-Address = 10.0.0.24
	NAS-Port = 1
	Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
	Service-Type = Framed-User
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	NAS-Identifier = "50-A7-33-31-CF-B8"
	Connect-Info = "CONNECT 802.11g"
	EAP-Message = 
0x02000038013133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267
	Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
	Message-Authenticator = 0x8a5c5a80c992696a2eb8b097b865b86f
server packetfence {
# Executing section authorize from file 
/usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for 
User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
[suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org"
++[suffix] returns noop
++[preprocess] returns ok
rlm_sim_files: authorized user/imsi IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Called-Station-Id = 
50-A7-33-31-CF-B8:PacketFence-Ruckus
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair Message-Authenticator = 
0x8a5c5a80c992696a2eb8b097b865b86f
rlm_perl: Added pair Vendor-25053-Attr-3 = 
0x5061636b657446656e63652d5275636b7573
rlm_perl: Added pair User-Name = IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 
0x02000038013133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267
rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0xff626ed6104164234aabebecafecafe3
rlm_perl: Added pair EAP-Sim-Rand2 = 0x771634015641aabcd4e5a2a3ab521242
rlm_perl: Added pair EAP-Sim-SRES1 = 0xa0a116fe
rlm_perl: Added pair EAP-Sim-SRES2 = 0xc891c365
rlm_perl: Added pair EAP-Sim-KC1 = 0x603c63ecd59340cb
rlm_perl: Added pair EAP-Sim-Rand1 = 0xab521824610aca27814bbde2810347a1
rlm_perl: Added pair EAP-Sim-KC3 = 0xa62f0f3aca277041
rlm_perl: Added pair EAP-Sim-KC2 = 0xbdaf3f47b1fc2520
rlm_perl: Added pair EAP-Sim-SRES3 = 0x6daeb494
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 246
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 15 to 10.0.0.24 port 1051
	EAP-Message = 0x01f60014120a00000f0200020001000011010100
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x8c646e1d8c927cd94949c1e5aaf22aa6
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=16, 
length=348
	User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
	Calling-Station-Id = "5C-59-48-ED-C4-96"
	NAS-IP-Address = 10.0.0.24
	NAS-Port = 1
	Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
	Service-Type = Framed-User
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	NAS-Identifier = "50-A7-33-31-CF-B8"
	Connect-Info = "CONNECT 802.11g"
	EAP-Message = 
0x02f60058120a00000e0e00333133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500007ae3c3b294faa5fac85c9cdc58737c87
	State = 0x8c646e1d8c927cd94949c1e5aaf22aa6
	Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
	Message-Authenticator = 0x88694e884a0ddf10baa7b004fb336f9a
server packetfence {
# Executing section authorize from file 
/usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for 
User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
[suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org"
++[suffix] returns noop
++[preprocess] returns ok
rlm_sim_files: authorized user/imsi IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 246 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair State = 0x8c646e1d8c927cd94949c1e5aaf22aa6
rlm_perl: Added pair Called-Station-Id = 
50-A7-33-31-CF-B8:PacketFence-Ruckus
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair Message-Authenticator = 
0x88694e884a0ddf10baa7b004fb336f9a
rlm_perl: Added pair Vendor-25053-Attr-3 = 
0x5061636b657446656e63652d5275636b7573
rlm_perl: Added pair User-Name = IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 
0x02f60058120a00000e0e00333133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500007ae3c3b294faa5fac85c9cdc58737c87
rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair EAP-Type = SIM
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0xff626ed6104164234aabebecafecafe3
rlm_perl: Added pair EAP-Sim-Rand2 = 0x771634015641aabcd4e5a2a3ab521242
rlm_perl: Added pair EAP-Sim-SRES1 = 0xa0a116fe
rlm_perl: Added pair EAP-Sim-SRES2 = 0xc891c365
rlm_perl: Added pair EAP-Sim-KC1 = 0x603c63ecd59340cb
rlm_perl: Added pair EAP-Sim-Rand1 = 0xab521824610aca27814bbde2810347a1
rlm_perl: Added pair EAP-Sim-KC3 = 0xa62f0f3aca277041
rlm_perl: Added pair EAP-Sim-KC2 = 0xbdaf3f47b1fc2520
rlm_perl: Added pair EAP-Sim-SRES3 = 0x6daeb494
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
	NAS-Port-Type = Wireless-802.11
	Service-Type = Framed-User
	State = 0x8c646e1d8c927cd94949c1e5aaf22aa6
	Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
	Calling-Station-Id = "5C-59-48-ED-C4-96"
	Message-Authenticator = 0x88694e884a0ddf10baa7b004fb336f9a
	Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
	User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
	NAS-Identifier = "50-A7-33-31-CF-B8"
	EAP-Message = 
0x02f60058120a00000e0e00333133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500007ae3c3b294faa5fac85c9cdc58737c87
	Connect-Info = "CONNECT 802.11g"
	EAP-Type = SIM
	NAS-IP-Address = 10.0.0.24
	NAS-Port = 1
	Framed-MTU = 1400
	EAP-Sim-Subtype = Start
	EAP-Sim-IDENTITY = 
0x00333133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f726700
	EAP-Sim-SELECTED_VERSION = 0x0001
	EAP-Sim-NONCE_MT = 0x00007ae3c3b294faa5fac85c9cdc58737c87
[eap] Underlying EAP-Type set EAP ID to 247
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 16 to 10.0.0.24 port 1051
	EAP-Message = 
0x01f70050120b0000010d0000ab521824610aca27814bbde2810347a1771634015641aabcd4e5a2a3ab521242ff626ed6104164234aabebecafecafe30b0500002df305602586daa58dd2298a30c3716f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x8c646e1d8d937cd94949c1e5aaf22aa6
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=17, 
length=272
	User-Name = "IMSI0 at wlan.mnc720.mcc302.3gppnetwork.org"
	Calling-Station-Id = "5C-59-48-ED-C4-96"
	NAS-IP-Address = 10.0.0.24
	NAS-Port = 1
	Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
	Service-Type = Framed-User
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	NAS-Identifier = "50-A7-33-31-CF-B8"
	Connect-Info = "CONNECT 802.11g"
	EAP-Message = 0x02f7000c120e000016010000
	State = 0x8c646e1d8d937cd94949c1e5aaf22aa6
	Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
	Message-Authenticator = 0x047a99ca66948ebc4867a1fba43ac0ad
server packetfence {
# Executing section authorize from file 
/usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for 
User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
[suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org"
++[suffix] returns noop
++[preprocess] returns ok
rlm_sim_files: authorized user/imsi IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 247 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair State = 0x8c646e1d8d937cd94949c1e5aaf22aa6
rlm_perl: Added pair Called-Station-Id = 
50-A7-33-31-CF-B8:PacketFence-Ruckus
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair Message-Authenticator = 
0x047a99ca66948ebc4867a1fba43ac0ad
rlm_perl: Added pair Vendor-25053-Attr-3 = 
0x5061636b657446656e63652d5275636b7573
rlm_perl: Added pair User-Name = IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 0x02f7000c120e000016010000
rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair EAP-Type = SIM
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0xff626ed6104164234aabebecafecafe3
rlm_perl: Added pair EAP-Sim-Rand2 = 0x771634015641aabcd4e5a2a3ab521242
rlm_perl: Added pair EAP-Sim-SRES1 = 0xa0a116fe
rlm_perl: Added pair EAP-Sim-SRES2 = 0xc891c365
rlm_perl: Added pair EAP-Sim-KC1 = 0x603c63ecd59340cb
rlm_perl: Added pair EAP-Sim-Rand1 = 0xab521824610aca27814bbde2810347a1
rlm_perl: Added pair EAP-Sim-KC3 = 0xa62f0f3aca277041
rlm_perl: Added pair EAP-Sim-KC2 = 0xbdaf3f47b1fc2520
rlm_perl: Added pair EAP-Sim-SRES3 = 0x6daeb494
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
[eap] Handler failed in EAP/sim
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server packetfence
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> 
IMSI at wlan.mnc720.mcc302.3gppnetwork.org
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 17 to 10.0.0.24 port 1051
	EAP-Message = 0x04f70004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.9 seconds.

-- 
Francois Gaudreault, ing. jr
fgaudreault at inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
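The EAP-Message values in the debug above are raw EAP-SIM packets, and the useful information (which subtype the peer sent, which attributes it carried, what the error code means) is only visible once they are decoded. The following decoder is an added example, not code from the original post or from FreeRADIUS; it follows the packet and attribute layout of RFC 4186 (type, length in 4-byte units, value) and the attribute and subtype numbers from that RFC. The sample packets are copied from the debug output above; the Start response that carries AT_IDENTITY is deliberately left out because that attribute holds the permanent identity in clear text, which the poster trimmed from the rest of the mail.

```python
# Added example (not from the original mailing-list post): decoder for the
# EAP-SIM packets that radiusd -X prints as EAP-Message hex strings.
# Layout, subtype numbers and attribute numbers follow RFC 4186.
import struct

# EAP codes (RFC 3748)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_SIM = 18

# EAP-SIM subtypes (RFC 4186, section 10.1)
SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification",
            13: "Re-authentication", 14: "Client-Error"}

# EAP-SIM attribute types (RFC 4186, section 10.1)
ATTRS = {1: "AT_RAND", 6: "AT_PADDING", 7: "AT_NONCE_MT",
         10: "AT_PERMANENT_ID_REQ", 11: "AT_MAC", 12: "AT_NOTIFICATION",
         13: "AT_ANY_ID_REQ", 14: "AT_IDENTITY", 15: "AT_VERSION_LIST",
         16: "AT_SELECTED_VERSION", 17: "AT_FULLAUTH_ID_REQ",
         19: "AT_COUNTER", 20: "AT_COUNTER_TOO_SMALL", 21: "AT_NONCE_S",
         22: "AT_CLIENT_ERROR_CODE", 129: "AT_IV", 130: "AT_ENCR_DATA",
         132: "AT_NEXT_PSEUDONYM", 133: "AT_NEXT_REAUTH_ID", 135: "AT_RESULT_IND"}

# AT_CLIENT_ERROR_CODE values (RFC 4186, section 10.19)
CLIENT_ERRORS = {0: "unable to process packet", 1: "unsupported version",
                 2: "insufficient number of challenges", 3: "RANDs are not fresh"}


def decode_attr(atype, value):
    """Interpret the value bytes of one attribute (everything after its 2-byte header)."""
    name = ATTRS.get(atype, "AT_%d" % atype)
    if atype == 1:                       # AT_RAND: 2 reserved bytes, then n x 16-byte RANDs
        body = value[2:]
        return name, [body[i:i + 16].hex() for i in range(0, len(body), 16)]
    if atype in (7, 11, 21, 129):        # NONCE_MT, MAC, NONCE_S, IV: 2 reserved bytes + 16
        return name, value[2:18].hex()
    if atype in (14, 15, 132, 133):      # actual length in the first 2 bytes, then padded data
        actual = struct.unpack("!H", value[:2])[0]
        data = value[2:2 + actual]
        if atype == 15:                  # version list: a sequence of 16-bit versions
            return name, list(struct.unpack("!%dH" % (actual // 2), data))
        return name, data
    if atype in (12, 16, 19, 22):        # 16-bit value fields
        code = struct.unpack("!H", value[:2])[0]
        if atype == 22:
            return name, (code, CLIENT_ERRORS.get(code, "unknown"))
        return name, code
    return name, value.hex()             # anything else: leave as hex


def decode_eap_sim(hexstr):
    """Parse one EAP-Message value (as printed by radiusd -X) into a dict."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field %d != %d bytes present" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                   # Success/Failure carry no type or payload
        return pkt
    eap_type, subtype = raw[4], raw[5]
    if eap_type != EAP_TYPE_SIM:
        raise ValueError("not EAP-SIM (EAP type %d)" % eap_type)
    pkt["subtype"] = SUBTYPES.get(subtype, subtype)
    pkt["attrs"] = {}
    pos = 8                              # skip type, subtype and 2 reserved bytes
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1] * 4   # attribute length is in 4-byte units
        if alen < 4 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        name, val = decode_attr(atype, raw[pos + 2:pos + alen])
        pkt["attrs"][name] = val
        pos += alen
    return pkt


# Packets copied from the debug output in the mail above, hex exactly as printed.
SAMPLES = {
    "server_start": "0x01f60014120a00000f0200020001000011010100",
    "server_challenge": "0x01f70050120b0000010d0000ab521824610aca27814bbde2810347a1"
                        "771634015641aabcd4e5a2a3ab521242ff626ed6104164234aabebecafecafe3"
                        "0b0500002df305602586daa58dd2298a30c3716f",
    "client_error": "0x02f7000c120e000016010000",
    "server_failure": "0x04f70004",
}

if __name__ == "__main__":
    for label, hexstr in SAMPLES.items():
        print(label, decode_eap_sim(hexstr))
```

Run against the four packets, the decoder shows the exchange as the server saw it: a Start request offering version list [1], a Challenge carrying the three RANDs from the rlm_perl pairs plus an AT_MAC, then a Client-Error response from the peer with error code 0 ("unable to process packet"), which is what "[eap] Handler failed in EAP/sim" is reacting to, followed by the EAP-Failure. Seeing the peer's own error code, rather than only the server-side failure line, is usually the first thing to check when an EAP-SIM run dies at the third round trip.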

