eap sim authorization problem

raptor raptor raptorspor at gmail.com
Tue Jun 11 05:00:49 CEST 2013


Iliya Peregoudov wrote:

1.

> rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0
> ++[sim_files] returns notfound
>

> It's strange that rlm_sim_files was unable to find auth vectors.
> Ensure that simtriplets.dat has UNIX line endings (LF, not CRLF).

I'm sorry, I don't understand about LF UNIX line endings. Could you show me
what I should do to the simtriplets.dat format?
Is there any mistake?

2.
> Your users format is ok: 16-octet RAND, 4-octet SRES, 8-octet Kc.
>
> Auth vectors in users file differ from those in simtriplets.dat. You cannot
> use arbitrary auth vectors. EAP-SIM is mutual authentication protocol. UE
> checks that AAA knows correct auth vectors when Request/SIM/Challenge
> received before sending Response/SIM/Challenge.

I got that format in /src/tests/eapsim-03/users-example.txt.
What should I fill in for the Rand1 attribute?

Thanks for your advice.
Best regards


On Mon, Jun 10, 2013 at 5:29 PM, Iliya Peregoudov <iperegudov at cboss.ru> wrote:

> On 09.06.2013 5:34, raptor raptor wrote:
>
>> simtriplets.dat format that I write:
>>
>> 1<imsi>,<RAND>,<SRES>,<Kc>
>> 1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
>> 1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000
>> 1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000
>>
>
> Your simtriplets.dat format is ok.
>
>> I add in users file:
>>
>> DEFAULT Auth-Type := EAP, EAP-Type := SIM
>>
>> EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f,
>> EAP-Sim-SRES1 = 0xd1d2d3d4,
>> EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d2e2f,
>> EAP-Sim-SRES2 = 0xe1e2e3e4,
>> EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d3e3f,
>> EAP-Sim-SRES3 = 0xf1f2f3f4,
>> EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7,
>> EAP-Sim-KC2 = 0xb0b1b2b3b4b5b6b7,
>> EAP-Sim-KC3 = 0xc0c1c2c3c4c5c6c7,
>>
>
> Your users format is ok: 16-octet RAND, 4-octet SRES, 8-octet Kc.
>
> Auth vectors in users file differ from those in simtriplets.dat. You
> cannot use arbitrary auth vectors. EAP-SIM is mutual authentication
> protocol. UE checks that AAA knows correct auth vectors when
> Request/SIM/Challenge received before sending Response/SIM/Challenge.
>
>
>> rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0
>> ++[sim_files] returns notfound
>>
>
> It's strange that rlm_sim_files was unable to find auth vectors.
> Ensure that simtriplets.dat has UNIX line endings (LF, not CRLF).
>
>
>> Sending Access-Challenge of id 0 to 192.168.1.1 port 2048
>> EAP-Message = 0x011a0014120a00000f0200020001000011010100
>> Message-Authenticator = 0x00000000000000000000000000000000
>> State = 0x019a1a23018008ce78acd4b07bc4c4ac
>>
>
> Here radiusd generates EAP Request/SIM/Start. There is no cryptography yet
> so UE will respond with Response/SIM/Start.
>
>
>> +++> EAP-sim decoded packet:
>> User-Name = "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org"
>> NAS-IP-Address = 192.168.1.1
>> Called-Station-Id = "48f8b315461a"
>> Calling-Station-Id = "1814563e5189"
>> NAS-Identifier = "48f8b315461a"
>> NAS-Port = 38
>> Framed-MTU = 1400
>> State = 0x019a1a23018008ce78acd4b07bc4c4ac
>> NAS-Port-Type = Wireless-802.11
>> EAP-Message =
>> 0x021a0058120a00000705000043837c0b63fd6c4dc3fccbebc8439b0410
>> 0100010e0e00333135313030313937363038303633393140776c616e2e6d
>> 6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
>> Message-Authenticator = 0x441da87c8c81ad6b22b7596fba8b9098
>> Stripped-User-Name = "1510019760806391"
>> Realm = "wlan.mnc001.mcc510.3gppnetwork.org"
>> EAP-Type = SIM
>> EAP-Sim-Subtype = Start
>> EAP-Sim-NONCE_MT = 0x000043837c0b63fd6c4dc3fccbebc8439b04
>> EAP-Sim-SELECTED_VERSION = 0x0001
>> EAP-Sim-IDENTITY =
>> 0x00333135313030313937363038303633393140776c616e2e6d6e633030
>> 312e6d63633531302e336770706e6574776f726b2e6f726700
>>
>
> This is Response/SIM/Start from UE.
>
>
>> Sending Access-Challenge of id 0 to 192.168.1.1 port 2048
>> EAP-Message =
>> 0x011b0050120b0000010d0000101112131415161718191a1b1c1d1e1f20
>> 2122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e
>> 3f0b050000fb675502a3304188312931054f33cd1f
>> Message-Authenticator = 0x00000000000000000000000000000000
>> State = 0x019a1a23008108ce78acd4b07bc4c4ac
>>
>
> Here radiusd generates EAP Request/SIM/Challenge using auth vectors from
> users file and NONCE_MT from Response/EAP/Start. UE will reject this EAP
> request (because AAA does not know correct auth vectors) and will restart
> EAP authentication.
>
>
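Added example (not part of the original thread and not FreeRADIUS code): a Python check for the two points raised in the reply. It flags CRLF line endings and wrong field lengths in simtriplets.dat, then decodes the Request/SIM/Challenge from the debug log to see whether its RANDs exist in that file. Function names are hypothetical, the CRLF endings in the sample are constructed, and the attribute layout follows RFC 4186.

```python
import struct

# Constructed: the post's simtriplets.dat rows, saved with CRLF line endings.
SIMTRIPLETS = (
    b"1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000\r\n"
    b"1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000\r\n"
    b"1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000\r\n")
# EAP-Message of the Request/SIM/Challenge from the debug log in the post.
CHALLENGE = bytes.fromhex(
    "011b0050120b0000010d00001011" "12131415161718191a1b1c1d1e1f20"
    "2122232425262728292a2b2c2d2e2f" "303132333435363738393a3b3c3d3e"
    "3f0b050000fb675502a33041883129" "31054f33cd1f")

def load_triplets(raw):
    """Parse simtriplets.dat bytes into ({imsi: [(rand, sres, kc)]}, [problems])."""
    table, problems = {}, []
    for n, line in enumerate(raw.split(b"\n"), 1):
        if line.endswith(b"\r"):
            problems.append(f"line {n}: CRLF line ending")
        fields = line.strip().decode("ascii", "replace").split(",")
        try:
            rand, sres, kc = (bytes.fromhex(f) for f in fields[1:])
        except ValueError:
            if line.strip():
                problems.append(f"line {n}: expected IMSI,RAND,SRES,Kc in hex")
            continue
        if (len(rand), len(sres), len(kc)) == (16, 4, 8):
            table.setdefault(fields[0], []).append((rand, sres, kc))
        else:
            problems.append(f"line {n}: need 16-octet RAND, 4-octet SRES, 8-octet Kc")
    return table, problems

def challenge_rands(eap):
    """Return the RANDs carried in AT_RAND of an EAP Request/SIM/Challenge."""
    code, _id, length, eap_type, subtype = struct.unpack("!BBHBB", eap[:6])
    if (code, eap_type, subtype) != (1, 18, 11) or length != len(eap):
        raise ValueError("not a complete EAP Request/SIM/Challenge")
    pos = 8  # 4-octet EAP header, then type, subtype and 2 reserved octets
    while pos + 4 <= len(eap) and eap[pos + 1]:
        at_type, at_len = eap[pos], eap[pos + 1] * 4  # length is in 4-octet words
        if at_type == 1:  # AT_RAND: 2 reserved octets, then n * 16-octet RAND
            return [eap[i:i + 16] for i in range(pos + 4, pos + at_len, 16)]
        pos += at_len
    return []

def unknown_rands(raw, imsi, eap):
    """RANDs offered in the challenge that simtriplets.dat does not hold for imsi."""
    table, _ = load_triplets(raw)
    known = {rand for rand, _sres, _kc in table.get(imsi, [])}
    return [r.hex() for r in challenge_rands(eap) if r not in known]
```

On the data from this thread, all three RANDs in the challenge are reported as unknown: they are the 0x10..0x3f test values from the users file, not the vectors listed for the IMSI in simtriplets.dat.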