EAP-SIM authentication problem at 2nd stage

johan firdianto johanfirdi at gmail.com
Tue Jul 30 09:09:37 CEST 2013


Dear guest, I have a problem with EAP-SIM authentication.
I'm using FreeRADIUS 2.2.0 and a BlackBerry 9220.
Here is my simtriplets.dat file:
1510012660372465,AF6876E748BD46bf853A99DC2032F0A7,95762655,449177635B92bc00
1510012660372465,A1A9AC744E8D49819D27A79B067BCA69,257b31c6,64ff9467DEa1e400
1510012660372465,603906BFD8DC404197BAC35FF1274EB3,4F41eb06,F3ce89b4FCbc0000
1510080332618369,23A95DB79B644a4299463F0342069A11,7775d266,B10f3eba2Bc5ed2b
1510080332618369,FDCE8E4F2B0B4b3086BEF230076EAD58,D9e080d9,E2aad63f711e1324
1510080332618369,238100571AD1495fBCE2AD5505634E41,A40e1656,66a098a750d9cd13

Here is the content of the users file:
1510080332618369    Auth-Type := EAP,      EAP-Type := SIM
        EAP-Sim-Rand1 :=  0x23A95DB79B644a4299463F0342069A11,
        EAP-Sim-SRES1 :=  0x7775d266,
        EAP-Sim-KC1 :=  0xB10f3eba2Bc5ed2b,
        EAP-Sim-Rand2 :=  0xFDCE8E4F2B0B4b3086BEF230076EAD58,
        EAP-Sim-SRES2 :=  0xD9e080d9,
        EAP-Sim-KC2 :=  0xE2aad63f711e1324,
        EAP-Sim-Rand3 :=  0x238100571AD1495fBCE2AD5505634E41,
        EAP-Sim-SRES3 := 0xA40e1656,
        EAP-Sim-KC3 :=  0x66a098a750d9cd13

1510012660372465   Auth-Type := EAP,        EAP-Type := sim
        EAP-Sim-Rand1 :=  0xAF6876E748BD46bf853A99DC2032F0A7,
        EAP-Sim-SRES1 :=  0x95762655,
        EAP-Sim-KC1 :=  0x449177635B92bc00,
        EAP-Sim-Rand2 :=  0xA1A9AC744E8D49819D27A79B067BCA69,
        EAP-Sim-SRES2 :=  0x257b31c6,
        EAP-Sim-KC2 :=  0x64ff9467DEa1e400,
        EAP-Sim-Rand3 :=  0x603906BFD8DC404197BAC35FF1274EB3,
        EAP-Sim-SRES3 :=  0x4F41eb06,
        EAP-Sim-KC3 :=  0xF3ce89b4FCbc0000

1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org    Auth-Type := EAP,      EAP-Type := SIM
        EAP-Sim-Rand1 :=  0x23A95DB79B644a4299463F0342069A11,
        EAP-Sim-SRES1 :=  0x7775d266,
        EAP-Sim-KC1 :=  0xB10f3eba2Bc5ed2b,
        EAP-Sim-Rand2 :=  0xFDCE8E4F2B0B4b3086BEF230076EAD58,
        EAP-Sim-SRES2 :=  0xD9e080d9,
        EAP-Sim-KC2 :=  0xE2aad63f711e1324,
        EAP-Sim-Rand3 :=  0x238100571AD1495fBCE2AD5505634E41,
        EAP-Sim-SRES3 := 0xA40e1656,
        EAP-Sim-KC3 :=  0x66a098a750d9cd13

I have already included sim_files in the modules section and sim { } in eap.conf.
Analyzing the debug output, the first authorization succeeds (sim_files returns ok),
the first authentication succeeds, and the second authorization succeeds as well,
but the problem is that the second authentication fails.

I have already read the list archives, but found no clue.


Here is the radiusd debug output:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.111.72 port 34647, id=129, length=250
        User-Name = "1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org"
        NAS-IP-Address = 192.168.88.52
        Called-Station-Id = "FA-1A-67-9F-E4-68:NOLSPOT-Secure"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Calling-Station-Id = "70-AA-B2-EF-8E-9D"
        Connect-Info = "CONNECT 54Mbps 802.11g"
        Framed-MTU = 1400
        EAP-Message = 0x02100038013135313030383033333236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f7267
        Message-Authenticator = 0xf0b7f7c3d39dd64797e1ffa08c3c078e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc080.mcc510.3gppnetwork.org" for User-Name = "1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Found realm "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Adding Stripped-User-Name = "1510080332618369"
[suffix] Adding Realm = "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry 1510080332618369 at line 206
++[files] returns ok
rlm_sim_files: authorized user/imsi 1510080332618369
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 16 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -> 1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org
[sql] sql_set_user escaped user --> '1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User 1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user '1510080332618369'
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 182
++[eap] returns handled
Sending Access-Challenge of id 129 to 192.168.111.72 port 34647
        EAP-Message = 0x01b60014120a00000f0200020001000011010100
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x876b64d687dd7613c1482e3b4d19abaa
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.111.72 port 34647, id=130, length=300
        User-Name = "1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org"
        NAS-IP-Address = 192.168.88.52
        Called-Station-Id = "FA-1A-67-9F-E4-68:NOLSPOT-Secure"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Calling-Station-Id = "70-AA-B2-EF-8E-9D"
        Connect-Info = "CONNECT 54Mbps 802.11g"
        Framed-MTU = 1400
        EAP-Message = 0x02b60058120a000007050000c6fb9b6adcacba2f73e0dec777302196100100010e0e00333135313030383033333236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f726700
        State = 0x876b64d687dd7613c1482e3b4d19abaa
        Message-Authenticator = 0xf06c219eca5af618cf61099f2f79f3a4
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc080.mcc510.3gppnetwork.org" for User-Name = "1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Found realm "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Adding Stripped-User-Name = "1510080332618369"
[suffix] Adding Realm = "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry 1510080332618369 at line 206
++[files] returns ok
rlm_sim_files: authorized user/imsi 1510080332618369
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 182 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -> 1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org
[sql] sql_set_user escaped user --> '1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User 1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user '1510080332618369'
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
        User-Name = "1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org"
        NAS-IP-Address = 192.168.88.52
        Called-Station-Id = "FA-1A-67-9F-E4-68:NOLSPOT-Secure"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Calling-Station-Id = "70-AA-B2-EF-8E-9D"
        Connect-Info = "CONNECT 54Mbps 802.11g"
        Framed-MTU = 1400
        EAP-Message = 0x02b60058120a000007050000c6fb9b6adcacba2f73e0dec777302196100100010e0e00333135313030383033333236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f726700
        State = 0x876b64d687dd7613c1482e3b4d19abaa
        Message-Authenticator = 0xf06c219eca5af618cf61099f2f79f3a4
        Stripped-User-Name = "1510080332618369"
        Realm = "wlan.mnc080.mcc510.3gppnetwork.org"
        EAP-Type = SIM
        EAP-Sim-Subtype = Start
        EAP-Sim-NONCE_MT = 0x0000c6fb9b6adcacba2f73e0dec777302196
        EAP-Sim-SELECTED_VERSION = 0x0001
        EAP-Sim-IDENTITY = 0x00333135313030383033333236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f726700
[eap] Underlying EAP-Type set EAP ID to 183
++[eap] returns handled
Sending Access-Challenge of id 130 to 192.168.111.72 port 34647
        EAP-Message = 0x01b70050120b0000010d000023a95db79b644a4299463f0342069a11fdce8e4f2b0b4b3086bef230076ead58238100571ad1495fbce2ad5505634e410b0500002fe3b8c33af56aa2dc9e873f71c4b691
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x876b64d686dc7613c1482e3b4d19abaa
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.111.72 port 34647, id=131, length=224
        User-Name = "1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org"
        NAS-IP-Address = 192.168.88.52
        Called-Station-Id = "FA-1A-67-9F-E4-68:NOLSPOT-Secure"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Calling-Station-Id = "70-AA-B2-EF-8E-9D"
        Connect-Info = "CONNECT 54Mbps 802.11g"
        Framed-MTU = 1400
        EAP-Message = 0x02b7000c120e000016010000
        State = 0x876b64d686dc7613c1482e3b4d19abaa
        Message-Authenticator = 0xeb64a094fea2ddbf458b0cac3e47686d
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc080.mcc510.3gppnetwork.org" for User-Name = "1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Found realm "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Adding Stripped-User-Name = "1510080332618369"
[suffix] Adding Realm = "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry 1510080332618369 at line 206
++[files] returns ok
rlm_sim_files: authorized user/imsi 1510080332618369
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 183 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -> 1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org
[sql] sql_set_user escaped user --> '1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
[sql] User 1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user '1510080332618369'
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
[eap] Handler failed in EAP/sim
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
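As an added example (not part of the original post and not FreeRADIUS code), the Python below decodes the four EAP-Message values from the debug output above as EAP-SIM packets (RFC 4186: a 5-byte EAP header, one subtype byte, two reserved bytes, then TLV attributes whose length octet counts 4-byte words) and cross-checks the Challenge against the simtriplets.dat lines from the post. The hex strings and the triplet lines are copied from the post; the subtype, attribute and error-code names come from the RFC 4186 registries; the " at " in the archived log is the list archive's rendering of "@", which is what the AT_IDENTITY bytes actually contain. Decoding shows the conversation is Start (server), Start (peer, with AT_NONCE_MT and AT_IDENTITY), Challenge (server, with the three RANDs from the users file and an AT_MAC), and then an EAP-Response/SIM/Client-Error (subtype 14) carrying AT_CLIENT_ERROR_CODE 0, "unable to process packet". That is the packet the server logs as "Handler failed in EAP/sim": the BlackBerry, not the server, rejected the Challenge. A peer answers this way when it cannot accept the Challenge, for instance when the AT_MAC does not verify against the keys it derives from the Kc values its own SIM produces for those RANDs, so whether the posted triplets really come from the SIM in that handset is the first thing to verify.

```python
"""Decode the EAP-SIM (RFC 4186) exchange from the debug output above and check the
Challenge against simtriplets.dat.  Added example, not from the post or FreeRADIUS."""
import struct

# RFC 4186 section 11 registries (only the values that occur in the log).
SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification", 14: "Client-Error"}
ATTRS = {1: "AT_RAND", 7: "AT_NONCE_MT", 11: "AT_MAC", 14: "AT_IDENTITY",
         15: "AT_VERSION_LIST", 16: "AT_SELECTED_VERSION",
         17: "AT_FULLAUTH_ID_REQ", 22: "AT_CLIENT_ERROR_CODE"}
CLIENT_ERRORS = {0: "unable to process packet", 1: "unsupported version",
                 2: "insufficient number of challenges", 3: "RANDs are not fresh"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_SIM = 18

# The four EAP-Message values copied from the debug output above, in wire order.
EXCHANGE = [
    "01b60014120a00000f0200020001000011010100",
    "02b60058120a000007050000c6fb9b6adcacba2f73e0dec777302196100100010e0e00333135313030383033333236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f726700",
    "01b70050120b0000010d000023a95db79b644a4299463f0342069a11fdce8e4f2b0b4b3086bef230076ead58238100571ad1495fbce2ad5505634e410b0500002fe3b8c33af56aa2dc9e873f71c4b691",
    "02b7000c120e000016010000",
]

# simtriplets.dat exactly as posted above: identity,RAND,SRES,Kc per line.
TRIPLETS_DAT = """\
1510012660372465,AF6876E748BD46bf853A99DC2032F0A7,95762655,449177635B92bc00
1510012660372465,A1A9AC744E8D49819D27A79B067BCA69,257b31c6,64ff9467DEa1e400
1510012660372465,603906BFD8DC404197BAC35FF1274EB3,4F41eb06,F3ce89b4FCbc0000
1510080332618369,23A95DB79B644a4299463F0342069A11,7775d266,B10f3eba2Bc5ed2b
1510080332618369,FDCE8E4F2B0B4b3086BEF230076EAD58,D9e080d9,E2aad63f711e1324
1510080332618369,238100571AD1495fBCE2AD5505634E41,A40e1656,66a098a750d9cd13
"""

def parse_triplets(text):
    """Parse rlm_sim_files triplets: GSM field sizes 16/4/8 bytes, 2 or 3 distinct RANDs."""
    by_id = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ident, rand, sres, kc = (f.strip() for f in line.split(","))
        if (len(rand), len(sres), len(kc)) != (32, 8, 16):
            raise ValueError(f"bad field size in triplet for {ident}")
        by_id.setdefault(ident, []).append(
            (bytes.fromhex(rand), bytes.fromhex(sres), bytes.fromhex(kc)))
    for ident, trips in by_id.items():
        rands = [t[0] for t in trips]
        if not 2 <= len(rands) <= 3 or len(set(rands)) != len(rands):
            raise ValueError(f"{ident}: need 2 or 3 distinct RANDs")
    return by_id

def _decode_attr(atype, body):
    """Interpret one attribute value (the bytes after the type and length octets)."""
    if atype == 1:              # AT_RAND: 2 reserved bytes, then n * 16-byte RAND
        return [body[2 + i:18 + i].hex() for i in range(0, len(body) - 2, 16)]
    if atype in (7, 11):        # AT_NONCE_MT / AT_MAC: 2 reserved bytes + 16 bytes
        return body[2:18].hex()
    if atype == 14:             # AT_IDENTITY: 2-byte actual length, identity, padding
        return body[2:2 + struct.unpack("!H", body[:2])[0]].decode("ascii")
    if atype == 15:             # AT_VERSION_LIST: 2-byte actual length, 2-byte versions
        n = struct.unpack("!H", body[:2])[0]
        return [struct.unpack("!H", body[2 + i:4 + i])[0] for i in range(0, n, 2)]
    if atype in (16, 22):       # AT_SELECTED_VERSION / AT_CLIENT_ERROR_CODE: 2-byte value
        return struct.unpack("!H", body[:2])[0]
    return body.hex()

def decode_eap_sim(hexstr):
    """Parse one EAP-SIM packet: EAP header, subtype, 2 reserved bytes, then TLVs."""
    pkt = bytes.fromhex(hexstr)
    if len(pkt) < 8:
        raise ValueError("packet too short for EAP-SIM")
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or eap_type != EAP_TYPE_SIM:
        raise ValueError("not a well-formed EAP-SIM packet")
    msg = {"code": EAP_CODES.get(code, code), "id": ident,
           "subtype": SUBTYPES.get(pkt[5], pkt[5]), "attrs": {}}
    off = 8
    while off < len(pkt):
        atype, alen = pkt[off], pkt[off + 1] * 4    # length is in 4-byte words
        if alen == 0 or off + alen > len(pkt):
            raise ValueError(f"bad attribute length at offset {off}")
        name = ATTRS.get(atype, f"AT_{atype}")
        msg["attrs"][name] = _decode_attr(atype, pkt[off + 2:off + alen])
        off += alen
    return msg

def diagnose(exchange, triplets):
    """How the conversation ended, and whether the Challenge used the configured RANDs."""
    msgs = [decode_eap_sim(h) for h in exchange]
    identity = next(m["attrs"]["AT_IDENTITY"] for m in msgs if "AT_IDENTITY" in m["attrs"])
    challenge = next(m for m in msgs if m["subtype"] == "Challenge")
    configured = {t[0] for t in triplets.get(identity.split("@", 1)[0], [])}
    sent = {bytes.fromhex(r) for r in challenge["attrs"]["AT_RAND"]}
    err = msgs[-1]["attrs"].get("AT_CLIENT_ERROR_CODE")
    return {"identity": identity, "challenge_rands_from_file": sent == configured,
            "final_subtype": msgs[-1]["subtype"], "client_error": err,
            "client_error_text": None if err is None else CLIENT_ERRORS.get(err)}

if __name__ == "__main__":
    print(diagnose(EXCHANGE, parse_triplets(TRIPLETS_DAT)))
```

Running it prints the identity, `challenge_rands_from_file: True` (the server did send the three RANDs configured for 1510080332618369) and `final_subtype: Client-Error` with error code 0. The triplet parser also rejects what the peer would reject: fewer than two RANDs, or a RAND repeated for the same identity, are the conditions behind client error codes 2 and 3.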