EAP-SIM Authentication Failure-FreeRadius-V2.2.0

Ratnesh Sinha ratnesh.sinha at gmail.com
Sun Jan 13 16:08:18 CET 2013


Hi,

 

I am trying to test EAP-SIM authentication using an 802.1x access node and a
Wi-Fi-enabled phone with EAP-SIM support. I have configured Radius Server
2.2.0 based on the instructions.

 

I am getting the following error:

 

[eap] Request found, released from the list

[eap] EAP/sim

[eap] processing type sim

[eap] Handler failed in EAP/sim

[eap] Failed in EAP select

++[eap] returns invalid

Failed to authenticate the user.

Using Post-Auth-Type REJECT

 

############################################################################

The full trace below:

############################################################################

 

Ready to process requests.

rad_recv: Access-Request packet from host 10.0.0.1 port 1047, id=7,
length=244

        User-Name = "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"

        NAS-IP-Address = 10.0.0.1

        NAS-Port = 0

        Called-Station-Id = "0A-09-0F-E9-1C-A2:fortinet"

        Calling-Station-Id = "44-A7-CF-BC-A0-67"

        Framed-MTU = 1400

        NAS-Port-Type = Wireless-802.11

        Connect-Info = "CONNECT 11Mbps 802.11b"

        EAP-Message =
0x02000038013134303434353030313234373839333540776c616e2e6d6e633034352e6d6363
3430342e336770706e6574776f726b2e6f7267

        Message-Authenticator = 0x558781ab0d6f653bc2fcf8af9ee61260

# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] Looking up realm "wlan.mnc045.mcc404.3gppnetwork.org" for User-Name
= "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"

[suffix] No such realm "wlan.mnc045.mcc404.3gppnetwork.org"

++[suffix] returns noop

rlm_sim_files: authorized user/imsi
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org 

rlm_sim_files: Adding EAP-Type: eap-sim

++[sim_files] returns ok

[eap] EAP packet type response id 0 length 56

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[files] returns noop

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /usr/local/etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] EAP Identity

[eap] processing type sim

[eap] Underlying EAP-Type set EAP ID to 245

++[eap] returns handled

Sending Access-Challenge of id 7 to 10.0.0.1 port 1047

        EAP-Message = 0x01f50014120a00000f0200020001000011010100

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0xf445757cf4b067d13eec4c46dac51c4a

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 10.0.0.1 port 1047, id=8,
length=294

        User-Name = "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"

        NAS-IP-Address = 10.0.0.1

        NAS-Port = 0

        Called-Station-Id = "0A-09-0F-E9-1C-A2:fortinet"

        Calling-Station-Id = "44-A7-CF-BC-A0-67"

        Framed-MTU = 1400

        NAS-Port-Type = Wireless-802.11

        Connect-Info = "CONNECT 11Mbps 802.11b"

        EAP-Message =
0x02f50058120a00000705000021846d8ebd5ce97d1b79c5501a95ac64100100010e0e003331
34303434353030313234373839333540776c616e2e6d6e633034352e6d63633430342e336770
706e6574776f726b2e6f726700

        State = 0xf445757cf4b067d13eec4c46dac51c4a

        Message-Authenticator = 0xe1d4bbed7648690e15b0720f9277206c

# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] Looking up realm "wlan.mnc045.mcc404.3gppnetwork.org" for User-Name
= "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"

[suffix] No such realm "wlan.mnc045.mcc404.3gppnetwork.org"

++[suffix] returns noop

rlm_sim_files: authorized user/imsi
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org 

rlm_sim_files: Adding EAP-Type: eap-sim

++[sim_files] returns ok

[eap] EAP packet type response id 245 length 88

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[files] returns noop

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /usr/local/etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/sim

[eap] processing type sim

+++> EAP-sim decoded packet:

        User-Name = "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"

        NAS-IP-Address = 10.0.0.1

        NAS-Port = 0

        Called-Station-Id = "0A-09-0F-E9-1C-A2:fortinet"

        Calling-Station-Id = "44-A7-CF-BC-A0-67"

        Framed-MTU = 1400

        NAS-Port-Type = Wireless-802.11

        Connect-Info = "CONNECT 11Mbps 802.11b"

        EAP-Message =
0x02f50058120a00000705000021846d8ebd5ce97d1b79c5501a95ac64100100010e0e003331
34303434353030313234373839333540776c616e2e6d6e633034352e6d63633430342e336770
706e6574776f726b2e6f726700

        State = 0xf445757cf4b067d13eec4c46dac51c4a

        Message-Authenticator = 0xe1d4bbed7648690e15b0720f9277206c

        EAP-Type = SIM

        EAP-Sim-Subtype = Start

        EAP-Sim-NONCE_MT = 0x000021846d8ebd5ce97d1b79c5501a95ac64

        EAP-Sim-SELECTED_VERSION = 0x0001

        EAP-Sim-IDENTITY =
0x00333134303434353030313234373839333540776c616e2e6d6e633034352e6d6363343034
2e336770706e6574776f726b2e6f726700

[eap] Underlying EAP-Type set EAP ID to 246

++[eap] returns handled

Sending Access-Challenge of id 8 to 10.0.0.1 port 1047

        EAP-Message =
0x01f60050120b0000010d000030000000000000000000000000000000310000000000000000
00000000000000320000000000000000000000000000000b050000bb28c3433b5a561015daaf
0ea141811e

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0xf445757cf5b367d13eec4c46dac51c4a

Finished request 1.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 10.0.0.1 port 1047, id=9,
length=218

        User-Name = "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"

        NAS-IP-Address = 10.0.0.1

        NAS-Port = 0

        Called-Station-Id = "0A-09-0F-E9-1C-A2:fortinet"

        Calling-Station-Id = "44-A7-CF-BC-A0-67"

        Framed-MTU = 1400

        NAS-Port-Type = Wireless-802.11

        Connect-Info = "CONNECT 11Mbps 802.11b"

        EAP-Message = 0x02f6000c120e000016010000

        State = 0xf445757cf5b367d13eec4c46dac51c4a

        Message-Authenticator = 0xca05315c11be75a0938baf8f708367e2

# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] Looking up realm "wlan.mnc045.mcc404.3gppnetwork.org" for User-Name
= "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"

[suffix] No such realm "wlan.mnc045.mcc404.3gppnetwork.org"

++[suffix] returns noop

rlm_sim_files: authorized user/imsi
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org 

rlm_sim_files: Adding EAP-Type: eap-sim

++[sim_files] returns ok

[eap] EAP packet type response id 246 length 12

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[files] returns noop

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /usr/local/etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/sim

[eap] processing type sim

[eap] Handler failed in EAP/sim

[eap] Failed in EAP select

++[eap] returns invalid

Failed to authenticate the user.

Using Post-Auth-Type REJECT

# Executing group from file /usr/local/etc/raddb/sites-enabled/default

+- entering group REJECT {...}

[attr_filter.access_reject]     expand: %{User-Name} ->
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org

attr_filter: Matched entry DEFAULT at line 11

++[attr_filter.access_reject] returns updated

Delaying reject of request 2 for 1 seconds

Going to the next request

Waking up in 0.9 seconds.

Sending delayed reject for request 2

Sending Access-Reject of id 9 to 10.0.0.1 port 1047

        EAP-Message = 0x04f60004

        Message-Authenticator = 0x00000000000000000000000000000000

Waking up in 0.9 seconds.

Cleaning up request 0 ID 7 with timestamp +19

Cleaning up request 1 ID 8 with timestamp +19

Waking up in 4.0 seconds.

Cleaning up request 2 ID 9 with timestamp +22

Ready to process requests.


rad_recv: Access-Request packet from host 10.0.0.1 port 1047, id=10,
length=244

        User-Name = "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"

        NAS-IP-Address = 10.0.0.1

        NAS-Port = 0

        Called-Station-Id = "0A-09-0F-E9-1C-A2:fortinet"

        Calling-Station-Id = "44-A7-CF-BC-A0-67"

        Framed-MTU = 1400

        NAS-Port-Type = Wireless-802.11

        Connect-Info = "CONNECT 11Mbps 802.11b"

        EAP-Message =
0x02000038013134303434353030313234373839333540776c616e2e6d6e633034352e6d6363
3430342e336770706e6574776f726b2e6f7267

        Message-Authenticator = 0x74523b39f4caeb2704555e3a35630534

# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] Looking up realm "wlan.mnc045.mcc404.3gppnetwork.org" for User-Name
= "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"

[suffix] No such realm "wlan.mnc045.mcc404.3gppnetwork.org"

++[suffix] returns noop

rlm_sim_files: authorized user/imsi
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org 

rlm_sim_files: Adding EAP-Type: eap-sim

++[sim_files] returns ok

[eap] EAP packet type response id 0 length 56

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[files] returns noop

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /usr/local/etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] EAP Identity

[eap] processing type sim

[eap] Underlying EAP-Type set EAP ID to 255

++[eap] returns handled

Sending Access-Challenge of id 10 to 10.0.0.1 port 1047

        EAP-Message = 0x01ff0014120a00000f0200020001000011010100

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x067ab3ff0685a127aaec9be0764c9b76

Finished request 3.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 10.0.0.1 port 1047, id=11,
length=294

        User-Name = "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"

        NAS-IP-Address = 10.0.0.1

        NAS-Port = 0

        Called-Station-Id = "0A-09-0F-E9-1C-A2:fortinet"

        Calling-Station-Id = "44-A7-CF-BC-A0-67"

        Framed-MTU = 1400

        NAS-Port-Type = Wireless-802.11

        Connect-Info = "CONNECT 11Mbps 802.11b"

        EAP-Message =
0x02ff0058120a000007050000f3c0d40d24735995cd2aa194ccc3e9ae100100010e0e003331
34303434353030313234373839333540776c616e2e6d6e633034352e6d63633430342e336770
706e6574776f726b2e6f726700

        State = 0x067ab3ff0685a127aaec9be0764c9b76

        Message-Authenticator = 0x4e16bb97083e9c782af073721b309c20

# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] Looking up realm "wlan.mnc045.mcc404.3gppnetwork.org" for User-Name
= "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"

[suffix] No such realm "wlan.mnc045.mcc404.3gppnetwork.org"

++[suffix] returns noop

rlm_sim_files: authorized user/imsi
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org 

rlm_sim_files: Adding EAP-Type: eap-sim

++[sim_files] returns ok

[eap] EAP packet type response id 255 length 88

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[files] returns noop

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /usr/local/etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/sim

[eap] processing type sim

+++> EAP-sim decoded packet:

        User-Name = "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"

        NAS-IP-Address = 10.0.0.1

        NAS-Port = 0

        Called-Station-Id = "0A-09-0F-E9-1C-A2:fortinet"

        Calling-Station-Id = "44-A7-CF-BC-A0-67"

        Framed-MTU = 1400

        NAS-Port-Type = Wireless-802.11

        Connect-Info = "CONNECT 11Mbps 802.11b"

        EAP-Message =
0x02ff0058120a000007050000f3c0d40d24735995cd2aa194ccc3e9ae100100010e0e003331
34303434353030313234373839333540776c616e2e6d6e633034352e6d63633430342e336770
706e6574776f726b2e6f726700

        State = 0x067ab3ff0685a127aaec9be0764c9b76

        Message-Authenticator = 0x4e16bb97083e9c782af073721b309c20

        EAP-Type = SIM

        EAP-Sim-Subtype = Start

        EAP-Sim-NONCE_MT = 0x0000f3c0d40d24735995cd2aa194ccc3e9ae

        EAP-Sim-SELECTED_VERSION = 0x0001

        EAP-Sim-IDENTITY =
0x00333134303434353030313234373839333540776c616e2e6d6e633034352e6d6363343034
2e336770706e6574776f726b2e6f726700

[eap] Underlying EAP-Type set EAP ID to 0

++[eap] returns handled

Sending Access-Challenge of id 11 to 10.0.0.1 port 1047

        EAP-Message =
0x01000050120b0000010d000030000000000000000000000000000000310000000000000000
00000000000000320000000000000000000000000000000b0500008ed118746ac218cc6ea072
1d59d42518

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x067ab3ff077aa127aaec9be0764c9b76

Finished request 4.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 10.0.0.1 port 1047, id=12,
length=218

        User-Name = "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"

        NAS-IP-Address = 10.0.0.1

        NAS-Port = 0

        Called-Station-Id = "0A-09-0F-E9-1C-A2:fortinet"

        Calling-Station-Id = "44-A7-CF-BC-A0-67"

        Framed-MTU = 1400

        NAS-Port-Type = Wireless-802.11

        Connect-Info = "CONNECT 11Mbps 802.11b"

        EAP-Message = 0x0200000c120e000016010000

        State = 0x067ab3ff077aa127aaec9be0764c9b76

        Message-Authenticator = 0x9a08d17e00177ea24b2a90933b12d4c0

# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] Looking up realm "wlan.mnc045.mcc404.3gppnetwork.org" for User-Name
= "1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org"

[suffix] No such realm "wlan.mnc045.mcc404.3gppnetwork.org"

++[suffix] returns noop

rlm_sim_files: authorized user/imsi
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org 

rlm_sim_files: Adding EAP-Type: eap-sim

++[sim_files] returns ok

[eap] EAP packet type response id 0 length 12

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[files] returns noop

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /usr/local/etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/sim

[eap] processing type sim

[eap] Handler failed in EAP/sim

[eap] Failed in EAP select

++[eap] returns invalid

Failed to authenticate the user.

Using Post-Auth-Type REJECT

# Executing group from file /usr/local/etc/raddb/sites-enabled/default

+- entering group REJECT {...}

[attr_filter.access_reject]     expand: %{User-Name} ->
1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org

attr_filter: Matched entry DEFAULT at line 11

++[attr_filter.access_reject] returns updated

Delaying reject of request 5 for 1 seconds

Going to the next request

Waking up in 0.9 seconds.

Sending delayed reject for request 5

Sending Access-Reject of id 12 to 10.0.0.1 port 1047

        EAP-Message = 0x04000004

        Message-Authenticator = 0x00000000000000000000000000000000

Waking up in 0.9 seconds.

Cleaning up request 3 ID 10 with timestamp +29

Cleaning up request 4 ID 11 with timestamp +29

Waking up in 4.0 seconds.

Cleaning up request 5 ID 12 with timestamp +32

Ready to process requests.

 

############################################################################

simtriplets.dat content below

############################################################################

1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org,30000000000000000000000000000000,30112233,445566778899AABB

1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org,31000000000000000000000000000000,31112233,445566778899AABB

1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org,32000000000000000000000000000000,32112233,445566778899AABB

1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org,33000000000000000000000000000000,33112233,445566778899AABB

1404450012769612 at wlan.mnc045.mcc404.3gppnetwork.org,34000000000000000000000000000000,34112233,445566778899AABB

############################################################################

 

Regards,

Ratnesh
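
As an added example (not part of the original post and not FreeRADIUS code), the Python below decodes two EAP-Message values from the trace using the RFC 4186 packet layout: the server's Challenge in Access-Challenge id 8, and the phone's 12-byte reply in Access-Request id 9 that precedes "Handler failed in EAP/sim". The reply decodes as an EAP-SIM Client-Error, and the Challenge carries the first three RAND values listed in simtriplets.dat; the function and constant names are this example's own.

```python
import struct

# RFC 4186 code points that occur in these two packets.
SUBTYPES = {10: "Start", 11: "Challenge", 14: "Client-Error"}
ATTRS = {1: "AT_RAND", 11: "AT_MAC", 22: "AT_CLIENT_ERROR_CODE"}
CLIENT_ERRORS = {0: "unable to process packet", 1: "unsupported version",
                 2: "insufficient number of challenges", 3: "RANDs are not fresh"}

def parse_eap_sim(pkt):
    """Decode one EAP-SIM packet; raise ValueError on malformed input."""
    if len(pkt) < 8:
        raise ValueError("shorter than the 8-byte EAP-SIM header")
    code, ident, length, eap_type, subtype = struct.unpack("!BBHBB", pkt[:6])
    if length != len(pkt) or eap_type != 18:
        raise ValueError("length mismatch or EAP type is not SIM (18)")
    attrs, off = {}, 8                      # bytes 6-7 are reserved
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        a_len = pkt[off + 1] * 4            # length is counted in 4-byte words
        if a_len == 0 or off + a_len > length:
            raise ValueError("bad attribute length")
        attrs[ATTRS.get(pkt[off], "AT_%d" % pkt[off])] = pkt[off + 2:off + a_len]
        off += a_len
    return {"code": code, "id": ident,
            "subtype": SUBTYPES.get(subtype, str(subtype)), "attrs": attrs}

def challenge_rands(parsed):
    """Split AT_RAND (2 reserved bytes, then 16-byte RANDs) into hex strings."""
    value = parsed["attrs"]["AT_RAND"][2:]
    return [value[i:i + 16].hex() for i in range(0, len(value), 16)]

def client_error(parsed):
    """Return the meaning of AT_CLIENT_ERROR_CODE, or None if absent."""
    value = parsed["attrs"].get("AT_CLIENT_ERROR_CODE")
    if value is None:
        return None
    code = struct.unpack("!H", value[:2])[0]
    return CLIENT_ERRORS.get(code, "unknown code %d" % code)

# EAP-Message values copied from the trace; spaces added between fields.
CHALLENGE = bytes.fromhex(
    "01f60050 120b0000 010d0000"
    "30000000 00000000 00000000 00000000"
    "31000000 00000000 00000000 00000000"
    "32000000 00000000 00000000 00000000"
    "0b050000 bb28c3433b5a561015daaf0ea141811e")
RESPONSE = bytes.fromhex("02f6000c 120e0000 16010000")

if __name__ == "__main__":
    req, resp = parse_eap_sim(CHALLENGE), parse_eap_sim(RESPONSE)
    print(req["subtype"], challenge_rands(req))
    print(resp["subtype"], client_error(resp))
```

The reply in the second attempt, 0x0200000c120e000016010000, differs only in the EAP identifier and decodes the same way.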

 
