EAP-SIM on 2.2.0
Francois Gaudreault
fgaudreault at inverse.ca
Wed Sep 12 17:00:03 CEST 2012
Hi,
> No idea; I'm not familiar with EAP-SIM. But the EAP-Message seemed
> obviously too short for that stage of a challenge/response auth, so I
> glanced at the RFC for the encoding.
>
> Maybe you've got a permissions problem on whatever datastore the SIM
> secrets are in?
Nope, I even tried with 777 just in case, but it was 644 which should be
enough.
Here is the trace with the same client as 2.1.12, but on 2.2.0. The last
trace we had was indeed with another SIM.
rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=105, length=298
User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
Calling-Station-Id = "5C-59-48-ED-C4-96"
NAS-IP-Address = 10.0.0.24
NAS-Port = 1
Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "50-A7-33-31-CF-B8"
Connect-Info = "CONNECT 802.11g"
EAP-Message = 0x02000038013133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267
Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
Message-Authenticator = 0x3254b54e86799aa4dbfd92f4eac2bbab
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
[suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org"
++[suffix] returns noop
++[preprocess] returns ok
rlm_sim_files: authorized user/imsi IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair Message-Authenticator = 0x3254b54e86799aa4dbfd92f4eac2bbab
rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
rlm_perl: Added pair User-Name = IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 0x02000038013133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267
rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651
rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81
rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392
rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1
rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505
rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231
rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409
rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1
rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 216
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 105 to 10.0.0.24 port 1051
EAP-Message = 0x01d80014120a00000f0200020001000011010100
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x031a0cc303c21e1dddf19e8563de7dbd
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=106, length=348
User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
Calling-Station-Id = "5C-59-48-ED-C4-96"
NAS-IP-Address = 10.0.0.24
NAS-Port = 1
Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "50-A7-33-31-CF-B8"
Connect-Info = "CONNECT 802.11g"
EAP-Message = 0x02d80058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500008e1f8f320c33aee4baf5b36f1a9a5ef6
State = 0x031a0cc303c21e1dddf19e8563de7dbd
Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
Message-Authenticator = 0xa6f31db6bfe9f1ae785521d4d8a9b63b
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
[suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org"
++[suffix] returns noop
++[preprocess] returns ok
rlm_sim_files: authorized user/imsi IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 216 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair State = 0x031a0cc303c21e1dddf19e8563de7dbd
rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair Message-Authenticator = 0xa6f31db6bfe9f1ae785521d4d8a9b63b
rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
rlm_perl: Added pair User-Name = IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 0x02d80058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500008e1f8f320c33aee4baf5b36f1a9a5ef6
rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair EAP-Type = SIM
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651
rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81
rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392
rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1
rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505
rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231
rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409
rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1
rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
State = 0x031a0cc303c21e1dddf19e8563de7dbd
Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
Calling-Station-Id = "5C-59-48-ED-C4-96"
Message-Authenticator = 0xa6f31db6bfe9f1ae785521d4d8a9b63b
Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
NAS-Identifier = "50-A7-33-31-CF-B8"
EAP-Message = 0x02d80058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500008e1f8f320c33aee4baf5b36f1a9a5ef6
Connect-Info = "CONNECT 802.11g"
EAP-Type = SIM
NAS-IP-Address = 10.0.0.24
NAS-Port = 1
Framed-MTU = 1400
EAP-Sim-Subtype = Start
EAP-Sim-IDENTITY = 0x00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f726700
EAP-Sim-SELECTED_VERSION = 0x0001
EAP-Sim-NONCE_MT = 0x00008e1f8f320c33aee4baf5b36f1a9a5ef6
[eap] Underlying EAP-Type set EAP ID to 217
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 106 to 10.0.0.24 port 1051
EAP-Message = 0x01d90050120b0000010d0000512317ac521bade521831aa3a3a5123112314312514145bbdede1d3a5d7d8d81658719018376aab4d2a5ccde7a21b6510b050000a95a21b1166856cd87afaafbc3e27593
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x031a0cc302c31e1dddf19e8563de7dbd
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=107, length=272
User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
Calling-Station-Id = "5C-59-48-ED-C4-96"
NAS-IP-Address = 10.0.0.24
NAS-Port = 1
Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "50-A7-33-31-CF-B8"
Connect-Info = "CONNECT 802.11g"
EAP-Message = 0x02d9000c120e000016010000
State = 0x031a0cc302c31e1dddf19e8563de7dbd
Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
Message-Authenticator = 0x9d4a9f0d542a77b968ea642f201db204
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "IMSI at wlan.mnc720.mcc302.3gppnetwork.org"
[suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org"
++[suffix] returns noop
++[preprocess] returns ok
rlm_sim_files: authorized user/imsi IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 217 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair State = 0x031a0cc302c31e1dddf19e8563de7dbd
rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair Message-Authenticator = 0x9d4a9f0d542a77b968ea642f201db204
rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
rlm_perl: Added pair User-Name = IMSI at wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 0x02d9000c120e000016010000
rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair EAP-Type = SIM
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0x658719018376aab4d2a5ccde7a21b651
rlm_perl: Added pair EAP-Sim-Rand2 = 0x12314312514145bbdede1d3a5d7d8d81
rlm_perl: Added pair EAP-Sim-SRES1 = 0x4b0bd392
rlm_perl: Added pair EAP-Sim-SRES2 = 0x3fde44f1
rlm_perl: Added pair EAP-Sim-KC1 = 0x838482d6086d5505
rlm_perl: Added pair EAP-Sim-Rand1 = 0x512317ac521bade521831aa3a3a51231
rlm_perl: Added pair EAP-Sim-KC3 = 0x9f62a11a186fb409
rlm_perl: Added pair EAP-Sim-KC2 = 0xb9ea43fb85bca1a1
rlm_perl: Added pair EAP-Sim-SRES3 = 0x1ed3946d
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
[eap] Handler failed in EAP/sim
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server packetfence
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> IMSI at wlan.mnc720.mcc302.3gppnetwork.org
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 107 to 10.0.0.24 port 1051
EAP-Message = 0x04d90004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.4 seconds.
Thanks!
--
Francois Gaudreault, ing. jr
fgaudreault at inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
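For reading a trace like the one in this message, here is an added decoder for the EAP and EAP-SIM framing defined in RFC 4186 (my own example, not FreeRADIUS or PacketFence code). The four EAP-Message values in TRACE are copied from the debug output above; everything else (function names, the summary format) is mine. Run over the trace it shows the sequence Response/Identity, Request/Start, Request/Challenge, and then a final Response with subtype 14 (Client-Error) carrying AT_CLIENT_ERROR_CODE 0 ("unable to process packet"); that last packet is what the "Handler failed in EAP/sim" line is reacting to. A peer answering a Challenge with error code 0 usually means it could not verify AT_MAC, i.e. the (RAND, SRES, Kc) triplets the server is using do not match what the SIM computes; that is an inference from the encoding, not something the trace states. The length checks also cover the "EAP-Message too short" case raised in the earlier reply.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_SIM = 18

# EAP-SIM subtypes (RFC 4186 section 8.2)
SIM_SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification",
                13: "Re-authentication", 14: "Client-Error"}

# EAP-SIM attribute types (RFC 4186 section 10)
SIM_ATTRS = {1: "AT_RAND", 6: "AT_PADDING", 7: "AT_NONCE_MT",
             10: "AT_PERMANENT_ID_REQ", 11: "AT_MAC", 12: "AT_NOTIFICATION",
             13: "AT_ANY_ID_REQ", 14: "AT_IDENTITY", 15: "AT_VERSION_LIST",
             16: "AT_SELECTED_VERSION", 17: "AT_FULLAUTH_ID_REQ",
             19: "AT_COUNTER", 20: "AT_COUNTER_TOO_SMALL", 21: "AT_NONCE_S",
             22: "AT_CLIENT_ERROR_CODE", 129: "AT_IV", 130: "AT_ENCR_DATA",
             132: "AT_NEXT_PSEUDONYM", 133: "AT_NEXT_REAUTH_ID",
             134: "AT_CHECKCODE", 135: "AT_RESULT_IND"}

# AT_CLIENT_ERROR_CODE values (RFC 4186 section 10.19)
CLIENT_ERROR_CODES = {0: "unable to process packet", 1: "unsupported version",
                      2: "insufficient number of challenges",
                      3: "RANDs are not fresh"}

# The four EAP-Message values from the trace in this message, in order.
TRACE = [
    "0x02000038013133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267",
    "0x01d80014120a00000f0200020001000011010100",
    "0x02d80058120a00000e0e00333133303237323033303539333439353340776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500008e1f8f320c33aee4baf5b36f1a9a5ef6",
    "0x01d90050120b0000010d0000512317ac521bade521831aa3a3a5123112314312514145bbdede1d3a5d7d8d81658719018376aab4d2a5ccde7a21b6510b050000a95a21b1166856cd87afaafbc3e27593",
    "0x02d9000c120e000016010000",
]


def decode_eap(hexstr):
    """Parse one EAP packet (code, id, length, type) and its EAP-SIM payload."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    # The length field must match what was actually carried in EAP-Message.
    if length != len(data):
        raise ValueError(f"EAP length field {length} != actual {len(data)}")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response carries no Type byte")
        pkt["type"] = data[4]
        if data[4] == EAP_TYPE_IDENTITY:
            pkt["identity"] = data[5:].decode("ascii", "replace")
        elif data[4] == EAP_TYPE_SIM:
            pkt.update(decode_sim(data[5:]))
    return pkt


def decode_sim(body):
    """EAP-SIM body: subtype, 2 reserved bytes, then TLV attributes (length in 4-byte units)."""
    if len(body) < 3:
        raise ValueError("EAP-SIM body shorter than subtype + reserved")
    attrs, off = [], 3
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[off], body[off + 1] * 4
        if alen < 4 or off + alen > len(body):
            raise ValueError(f"attribute {atype} length {alen} overruns packet")
        attrs.append(decode_attr(atype, body[off + 2:off + alen]))
        off += alen
    return {"subtype": SIM_SUBTYPES.get(body[0], body[0]), "attrs": attrs}


def decode_attr(atype, val):
    """Decode the value part of one attribute into (name, value)."""
    name = SIM_ATTRS.get(atype, f"AT_{atype}")
    if len(val) < 2:
        raise ValueError(f"{name} value shorter than 2 bytes")
    if atype == 1:   # AT_RAND: 2 reserved bytes, then n * 16-byte RAND
        return name, [val[i:i + 16].hex() for i in range(2, len(val), 16)]
    if atype == 14:  # AT_IDENTITY: 2-byte actual length, identity, padding
        actual = struct.unpack("!H", val[:2])[0]
        return name, val[2:2 + actual].decode("ascii", "replace")
    if atype == 15:  # AT_VERSION_LIST: 2-byte actual length, 2-byte versions
        actual = struct.unpack("!H", val[:2])[0]
        return name, [struct.unpack("!H", val[i:i + 2])[0] for i in range(2, 2 + actual, 2)]
    if atype == 22:  # AT_CLIENT_ERROR_CODE: 2-byte code
        return name, CLIENT_ERROR_CODES.get(struct.unpack("!H", val[:2])[0], val.hex())
    if atype == 16:  # AT_SELECTED_VERSION: 2-byte version
        return name, struct.unpack("!H", val[:2])[0]
    if atype in (7, 11):  # AT_NONCE_MT / AT_MAC: 2 reserved bytes, 16-byte value
        return name, val[2:].hex()
    return name, val.hex()


def summarize(hexstr):
    """One line per packet: code/id, then subtype and attribute names (no identity values)."""
    p = decode_eap(hexstr)
    if "subtype" in p:
        return f"{p['code']} id={p['id']} EAP-SIM/{p['subtype']} " + \
               " ".join(n for n, _ in p["attrs"])
    return f"{p['code']} id={p['id']} type={p.get('type')}"


if __name__ == "__main__":
    for msg in TRACE:
        print(summarize(msg))
```

Only the summary is printed by default, so the permanent identity inside the Identity response and AT_IDENTITY is not echoed; call decode_eap directly if you need the full fields.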