EAP-SIM Authentication Failure-FreeRadius-V2.2.0
Ratnesh Sinha
ratnesh.sinha at gmail.com
Sun Jan 13 16:08:18 CET 2013
Hi,
I am trying to test EAP-SIM Authentication using an 802.1x Access Node and a
Wi-Fi enabled phone with EAP-SIM support. I have configured Radius Server
2.2.0 based on instructions.
I am getting the following error:
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
[eap] Handler failed in EAP/sim
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
###########################################################################################################
The full trace below:
###########################################################################################################
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.1 port 1047, id=7,
length=244
User-Name = "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"
NAS-IP-Address = 10.0.0.1
NAS-Port = 0
Called-Station-Id = "0A-09-0F-E9-1C-A2:fortinet"
Calling-Station-Id = "44-A7-CF-BC-A0-67"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x02000038013134303434353030313234373839333540776c616e2e6d6e633034352e6d6363
3430342e336770706e6574776f726b2e6f7267
Message-Authenticator = 0x558781ab0d6f653bc2fcf8af9ee61260
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc045.mcc404.3gppnetwork.org" for User-Name
= "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"
[suffix] No such realm "wlan.mnc045.mcc404.3gppnetwork.org"
++[suffix] returns noop
rlm_sim_files: authorized user/imsi
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 245
++[eap] returns handled
Sending Access-Challenge of id 7 to 10.0.0.1 port 1047
EAP-Message = 0x01f50014120a00000f0200020001000011010100
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf445757cf4b067d13eec4c46dac51c4a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1047, id=8,
length=294
User-Name = "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"
NAS-IP-Address = 10.0.0.1
NAS-Port = 0
Called-Station-Id = "0A-09-0F-E9-1C-A2:fortinet"
Calling-Station-Id = "44-A7-CF-BC-A0-67"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x02f50058120a00000705000021846d8ebd5ce97d1b79c5501a95ac64100100010e0e003331
34303434353030313234373839333540776c616e2e6d6e633034352e6d63633430342e336770
706e6574776f726b2e6f726700
State = 0xf445757cf4b067d13eec4c46dac51c4a
Message-Authenticator = 0xe1d4bbed7648690e15b0720f9277206c
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc045.mcc404.3gppnetwork.org" for User-Name
= "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"
[suffix] No such realm "wlan.mnc045.mcc404.3gppnetwork.org"
++[suffix] returns noop
rlm_sim_files: authorized user/imsi
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 245 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
User-Name = "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"
NAS-IP-Address = 10.0.0.1
NAS-Port = 0
Called-Station-Id = "0A-09-0F-E9-1C-A2:fortinet"
Calling-Station-Id = "44-A7-CF-BC-A0-67"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x02f50058120a00000705000021846d8ebd5ce97d1b79c5501a95ac64100100010e0e003331
34303434353030313234373839333540776c616e2e6d6e633034352e6d63633430342e336770
706e6574776f726b2e6f726700
State = 0xf445757cf4b067d13eec4c46dac51c4a
Message-Authenticator = 0xe1d4bbed7648690e15b0720f9277206c
EAP-Type = SIM
EAP-Sim-Subtype = Start
EAP-Sim-NONCE_MT = 0x000021846d8ebd5ce97d1b79c5501a95ac64
EAP-Sim-SELECTED_VERSION = 0x0001
EAP-Sim-IDENTITY =
0x00333134303434353030313234373839333540776c616e2e6d6e633034352e6d6363343034
2e336770706e6574776f726b2e6f726700
[eap] Underlying EAP-Type set EAP ID to 246
++[eap] returns handled
Sending Access-Challenge of id 8 to 10.0.0.1 port 1047
EAP-Message =
0x01f60050120b0000010d000030000000000000000000000000000000310000000000000000
00000000000000320000000000000000000000000000000b050000bb28c3433b5a561015daaf
0ea141811e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf445757cf5b367d13eec4c46dac51c4a
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1047, id=9,
length=218
User-Name = "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"
NAS-IP-Address = 10.0.0.1
NAS-Port = 0
Called-Station-Id = "0A-09-0F-E9-1C-A2:fortinet"
Calling-Station-Id = "44-A7-CF-BC-A0-67"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02f6000c120e000016010000
State = 0xf445757cf5b367d13eec4c46dac51c4a
Message-Authenticator = 0xca05315c11be75a0938baf8f708367e2
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc045.mcc404.3gppnetwork.org" for User-Name
= "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"
[suffix] No such realm "wlan.mnc045.mcc404.3gppnetwork.org"
++[suffix] returns noop
rlm_sim_files: authorized user/imsi
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 246 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
[eap] Handler failed in EAP/sim
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 9 to 10.0.0.1 port 1047
EAP-Message = 0x04f60004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.9 seconds.
Cleaning up request 0 ID 7 with timestamp +19
Cleaning up request 1 ID 8 with timestamp +19
Waking up in 4.0 seconds.
Cleaning up request 2 ID 9 with timestamp +22
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.1 port 1047, id=10,
length=244
User-Name = "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"
NAS-IP-Address = 10.0.0.1
NAS-Port = 0
Called-Station-Id = "0A-09-0F-E9-1C-A2:fortinet"
Calling-Station-Id = "44-A7-CF-BC-A0-67"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x02000038013134303434353030313234373839333540776c616e2e6d6e633034352e6d6363
3430342e336770706e6574776f726b2e6f7267
Message-Authenticator = 0x74523b39f4caeb2704555e3a35630534
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc045.mcc404.3gppnetwork.org" for User-Name
= "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"
[suffix] No such realm "wlan.mnc045.mcc404.3gppnetwork.org"
++[suffix] returns noop
rlm_sim_files: authorized user/imsi
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 255
++[eap] returns handled
Sending Access-Challenge of id 10 to 10.0.0.1 port 1047
EAP-Message = 0x01ff0014120a00000f0200020001000011010100
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x067ab3ff0685a127aaec9be0764c9b76
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1047, id=11,
length=294
User-Name = "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"
NAS-IP-Address = 10.0.0.1
NAS-Port = 0
Called-Station-Id = "0A-09-0F-E9-1C-A2:fortinet"
Calling-Station-Id = "44-A7-CF-BC-A0-67"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x02ff0058120a000007050000f3c0d40d24735995cd2aa194ccc3e9ae100100010e0e003331
34303434353030313234373839333540776c616e2e6d6e633034352e6d63633430342e336770
706e6574776f726b2e6f726700
State = 0x067ab3ff0685a127aaec9be0764c9b76
Message-Authenticator = 0x4e16bb97083e9c782af073721b309c20
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc045.mcc404.3gppnetwork.org" for User-Name
= "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"
[suffix] No such realm "wlan.mnc045.mcc404.3gppnetwork.org"
++[suffix] returns noop
rlm_sim_files: authorized user/imsi
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 255 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
User-Name = "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"
NAS-IP-Address = 10.0.0.1
NAS-Port = 0
Called-Station-Id = "0A-09-0F-E9-1C-A2:fortinet"
Calling-Station-Id = "44-A7-CF-BC-A0-67"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x02ff0058120a000007050000f3c0d40d24735995cd2aa194ccc3e9ae100100010e0e003331
34303434353030313234373839333540776c616e2e6d6e633034352e6d63633430342e336770
706e6574776f726b2e6f726700
State = 0x067ab3ff0685a127aaec9be0764c9b76
Message-Authenticator = 0x4e16bb97083e9c782af073721b309c20
EAP-Type = SIM
EAP-Sim-Subtype = Start
EAP-Sim-NONCE_MT = 0x0000f3c0d40d24735995cd2aa194ccc3e9ae
EAP-Sim-SELECTED_VERSION = 0x0001
EAP-Sim-IDENTITY =
0x00333134303434353030313234373839333540776c616e2e6d6e633034352e6d6363343034
2e336770706e6574776f726b2e6f726700
[eap] Underlying EAP-Type set EAP ID to 0
++[eap] returns handled
Sending Access-Challenge of id 11 to 10.0.0.1 port 1047
EAP-Message =
0x01000050120b0000010d000030000000000000000000000000000000310000000000000000
00000000000000320000000000000000000000000000000b0500008ed118746ac218cc6ea072
1d59d42518
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x067ab3ff077aa127aaec9be0764c9b76
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1047, id=12,
length=218
User-Name = "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"
NAS-IP-Address = 10.0.0.1
NAS-Port = 0
Called-Station-Id = "0A-09-0F-E9-1C-A2:fortinet"
Calling-Station-Id = "44-A7-CF-BC-A0-67"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000c120e000016010000
State = 0x067ab3ff077aa127aaec9be0764c9b76
Message-Authenticator = 0x9a08d17e00177ea24b2a90933b12d4c0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc045.mcc404.3gppnetwork.org" for User-Name
= "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"
[suffix] No such realm "wlan.mnc045.mcc404.3gppnetwork.org"
++[suffix] returns noop
rlm_sim_files: authorized user/imsi
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
[eap] Handler failed in EAP/sim
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 12 to 10.0.0.1 port 1047
EAP-Message = 0x04000004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.9 seconds.
Cleaning up request 3 ID 10 with timestamp +29
Cleaning up request 4 ID 11 with timestamp +29
Waking up in 4.0 seconds.
Cleaning up request 5 ID 12 with timestamp +32
Ready to process requests.
###########################################################################################################
simtriplets.dat content below
###########################################################################################################
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org,30000000000000000000000000000000,30112233,445566778899AABB
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org,31000000000000000000000000000000,31112233,445566778899AABB
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org,32000000000000000000000000000000,32112233,445566778899AABB
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org,33000000000000000000000000000000,33112233,445566778899AABB
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org,34000000000000000000000000000000,34112233,445566778899AABB
###########################################################################################################
Regards,
Ratnesh