EAP-SIM on 2.2.0

Francois Gaudreault fgaudreault at inverse.ca
Wed Sep 12 17:00:03 CEST 2012


Hi,

> No idea; I'm not familiar with EAP-SIM. But the EAP-Message seemed
> obviously too short for that stage of a challenge/response auth, so I
> glanced at the RFC for the encoding.
>
> Maybe you've got a permissions problem on whatever datastore the SIM
> secrets are in?
Nope, I even tried with 777 just in case, but it was 644 which should be 
enough.

Here is the trace with the same client as 2.1.12, but on 2.2.0. The last 
trace we had was indeed with another SIM.

rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=105, 
length=298
	User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
	Calling-Station-Id = "5C-59-48-ED-C4-96"
	NAS-IP-Address = 10.0.0.24
	NAS-Port = 1
	Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
	Service-Type = Framed-User
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	NAS-Identifier = "50-A7-33-31-CF-B8"
	Connect-Info = "CONNECT 802.11g"
	EAP-Message = 
0x02000038013133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267
	Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
	Message-Authenticator = 0x3254b54e86799aa4dbfd92f4eac2bbab
server packetfence {
# Executing section authorize from file 
/usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for 
User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
[suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org"
++[suffix] returns noop
++[preprocess] returns ok
rlm_sim_files: authorized user/imsi IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Called-Station-Id = 
50-A7-33-31-CF-B8:PacketFence-Ruckus
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair Message-Authenticator = 
0x3254b54e86799aa4dbfd92f4eac2bbab
rlm_perl: Added pair Vendor-25053-Attr-3 = 
0x5061636b657446656e63652d5275636b7573
rlm_perl: Added pair User-Name = IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 
0x02000038013133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267
rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651
rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81
rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392
rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1
rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505
rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231
rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409
rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1
rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 216
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 105 to 10.0.0.24 port 1051
	EAP-Message = 0x01d80014120a00000f0200020001000011010100
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x031a0cc303c21e1dddf19e8563de7dbd
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=106, 
length=348
	User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
	Calling-Station-Id = "5C-59-48-ED-C4-96"
	NAS-IP-Address = 10.0.0.24
	NAS-Port = 1
	Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
	Service-Type = Framed-User
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	NAS-Identifier = "50-A7-33-31-CF-B8"
	Connect-Info = "CONNECT 802.11g"
	EAP-Message = 
0x02d80058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500008e1f8f320c33aee4baf5b36f1a9a5ef6
	State = 0x031a0cc303c21e1dddf19e8563de7dbd
	Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
	Message-Authenticator = 0xa6f31db6bfe9f1ae785521d4d8a9b63b
server packetfence {
# Executing section authorize from file 
/usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for 
User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
[suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org"
++[suffix] returns noop
++[preprocess] returns ok
rlm_sim_files: authorized user/imsi IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 216 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair State = 0x031a0cc303c21e1dddf19e8563de7dbd
rlm_perl: Added pair Called-Station-Id = 
50-A7-33-31-CF-B8:PacketFence-Ruckus
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair Message-Authenticator = 
0xa6f31db6bfe9f1ae785521d4d8a9b63b
rlm_perl: Added pair Vendor-25053-Attr-3 = 
0x5061636b657446656e63652d5275636b7573
rlm_perl: Added pair User-Name = IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 
0x02d80058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500008e1f8f320c33aee4baf5b36f1a9a5ef6
rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair EAP-Type = SIM
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651
rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81
rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392
rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1
rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505
rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231
rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409
rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1
rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
	NAS-Port-Type = Wireless-802.11
	Service-Type = Framed-User
	State = 0x031a0cc303c21e1dddf19e8563de7dbd
	Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
	Calling-Station-Id = "5C-59-48-ED-C4-96"
	Message-Authenticator = 0xa6f31db6bfe9f1ae785521d4d8a9b63b
	Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
	User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
	NAS-Identifier = "50-A7-33-31-CF-B8"
	EAP-Message = 
0x02d80058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500008e1f8f320c33aee4baf5b36f1a9a5ef6
	Connect-Info = "CONNECT 802.11g"
	EAP-Type = SIM
	NAS-IP-Address = 10.0.0.24
	NAS-Port = 1
	Framed-MTU = 1400
	EAP-Sim-Subtype = Start
	EAP-Sim-IDENTITY = 
0x00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f726700
	EAP-Sim-SELECTED_VERSION = 0x0001
	EAP-Sim-NONCE_MT = 0x00008e1f8f320c33aee4baf5b36f1a9a5ef6
[eap] Underlying EAP-Type set EAP ID to 217
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 106 to 10.0.0.24 port 1051
	EAP-Message = 
0x01d90050120b0000010d0000512317ac521bade521831aa3a3a5123112314312514145bbdede1d3a5d7d8d81658719018376aab4d2a5ccde7a21b6510b050000a95a21b1166856cd87afaafbc3e27593
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x031a0cc302c31e1dddf19e8563de7dbd
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=107, 
length=272
	User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
	Calling-Station-Id = "5C-59-48-ED-C4-96"
	NAS-IP-Address = 10.0.0.24
	NAS-Port = 1
	Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
	Service-Type = Framed-User
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	NAS-Identifier = "50-A7-33-31-CF-B8"
	Connect-Info = "CONNECT 802.11g"
	EAP-Message = 0x02d9000c120e000016010000
	State = 0x031a0cc302c31e1dddf19e8563de7dbd
	Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
	Message-Authenticator = 0x9d4a9f0d542a77b968ea642f201db204
server packetfence {
# Executing section authorize from file 
/usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for 
User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
[suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org"
++[suffix] returns noop
++[preprocess] returns ok
rlm_sim_files: authorized user/imsi IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 217 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair State = 0x031a0cc302c31e1dddf19e8563de7dbd
rlm_perl: Added pair Called-Station-Id = 
50-A7-33-31-CF-B8:PacketFence-Ruckus
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair Message-Authenticator = 
0x9d4a9f0d542a77b968ea642f201db204
rlm_perl: Added pair Vendor-25053-Attr-3 = 
0x5061636b657446656e63652d5275636b7573
rlm_perl: Added pair User-Name = IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 0x02d9000c120e000016010000
rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair EAP-Type = SIM
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651
rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81
rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392
rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1
rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505
rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231
rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409
rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1
rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
[eap] Handler failed in EAP/sim
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server packetfence
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> 
IMSI at wlan.mnc720.mcc302.3gppnetwork.org
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 107 to 10.0.0.24 port 1051
	EAP-Message = 0x04d90004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.4 seconds.

Thanks!


-- 
Francois Gaudreault, ing. jr
fgaudreault at inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
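As an added example (not part of the original post or of FreeRADIUS), a small RFC 4186 decoder applied to the EAP-Message values from the trace above: the server's Start and Challenge requests and the client's final reply, which decodes to EAP-Response/SIM/Client-Error with AT_CLIENT_ERROR_CODE 0 ("unable to process packet"), sent by the client just before the server logs "Handler failed in EAP/sim".

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
SIM_SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification",
                13: "Re-authentication", 14: "Client-Error"}
SIM_ATTRS = {1: "AT_RAND", 7: "AT_NONCE_MT", 11: "AT_MAC", 14: "AT_IDENTITY",
             15: "AT_VERSION_LIST", 17: "AT_FULLAUTH_ID_REQ", 22: "AT_CLIENT_ERROR_CODE"}
CLIENT_ERRORS = {0: "unable to process packet", 1: "unsupported version",
                 2: "insufficient number of challenges", 3: "RANDs are not fresh"}

def decode_eap_sim(hexstr):
    """Parse one EAP-Message (hex, optional 0x prefix); walk EAP-SIM (type 18) attributes."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length field %d != %d bytes" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length > 4:
        pkt["type"] = data[4]
    if length < 8 or data[4] != 18:        # Success/Failure, or not an EAP-SIM packet
        return pkt
    pkt["subtype"] = SIM_SUBTYPES.get(data[5], data[5])
    attrs, off = {}, 8                     # Type, Subtype and 2 reserved bytes precede attributes
    while off < length:
        atype, alen = data[off], data[off + 1] * 4   # attribute Length is in 4-byte units
        if alen == 0 or off + alen > length:
            raise ValueError("bad attribute length at offset %d" % off)
        body = data[off + 2:off + alen]
        name = SIM_ATTRS.get(atype, "AT_%d" % atype)
        if atype == 1:                     # AT_RAND: 2 reserved bytes, then n 16-byte RANDs
            attrs[name] = [body[i:i + 16].hex() for i in range(2, len(body), 16)]
        elif atype == 11:                  # AT_MAC: 2 reserved bytes, then 16-byte HMAC
            attrs[name] = body[2:18].hex()
        elif atype == 15:                  # AT_VERSION_LIST: 2-byte actual length, then versions
            n = struct.unpack("!H", body[:2])[0]
            attrs[name] = [struct.unpack("!H", body[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif atype == 22:                  # AT_CLIENT_ERROR_CODE: 2-byte code
            ec = struct.unpack("!H", body[:2])[0]
            attrs[name] = (ec, CLIENT_ERRORS.get(ec, "unknown"))
        else:
            attrs[name] = body.hex()
        off += alen
    pkt["attrs"] = attrs
    return pkt

# EAP-Message values copied verbatim from the trace in the post above.
START_REQ = "0x01d80014120a00000f0200020001000011010100"
CHALLENGE_REQ = ("0x01d90050120b0000010d0000512317ac521bade521831aa3a3a51231"
                 "12314312514145bbdede1d3a5d7d8d81658719018376aab4d2a5ccde7a21b651"
                 "0b050000a95a21b1166856cd87afaafbc3e27593")
CLIENT_ERROR_RESP = "0x02d9000c120e000016010000"
```

The three AT_RAND values in the Challenge match the EAP-Sim-Rand1..3 pairs rlm_perl added, so the server did send the triplets it read; a Client-Error with code 0 is what the peer returns when it cannot process the Challenge, including when the AT_MAC does not verify against the keys it derived from its own SIM (RFC 4186), which points at the triplet data rather than at file permissions.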

