eap sim authorization problem

raptor raptor raptorspor at gmail.com
Thu Jun 20 15:56:02 CEST 2013


Hi Iliya,
I'm sorry, my posting above is about one client.

First, I connect with one client and it succeeds
(until "Finished request 2" in the debug log).

Then, in the next request, I try to authenticate with a different
supplicant/client, and I have entered the identity (IMSI, RAND, SRES, KC) into
simtriplets.dat and users as well.

My simtriplets.dat format:
1510019760806391,326258E6F77C40f3866DB25DEA60AE4D,DD287535,7F743521EBabb000
1510019760806391,FD9989BD90AD4a03962E6C08C000C14B,BFf89ad2,1C7098005Fea8c00
1510019760806391,26CC8DB02C9848c7BBCC2790E3F0913B,17172cc6,BF34bf34D4ca4c00

1510080325656501,5A8F4C0677DE4930B47825B55534CC79,94d66001,AC85d79439b564c0
1510080325656501,8E29A03F8E13466fBF84D12F6A9D4734,E284e39e,13a524d040094ef4
1510080325656501,BC5D3CEB1EAC4164AA463E289222C450,AE8bdfc6,B0354bf3402e42ed

My users format:

1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org         EAP-Type := SIM
        EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
        EAP-Sim-SRES1 = 0x DD287535,
        EAP-Sim-KC1 = 0x 7F743521EBabb000,
        EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
        EAP-Sim-SRES2 = 0x BFf89ad2,
        EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
        EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
        EAP-Sim-SRES3 = 0x 17172cc6,
        EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,

1510080325656501 at wlan.mnc008.mcc510.3gppnetwork.org         EAP-Type := SIM
        EAP-Sim-Rand1 = 0x 5A8F4C0677DE4930B47825B55534CC79,
        EAP-Sim-SRES1 = 0x 94d66001,
        EAP-Sim-KC1 = 0x AC85d79439b564c0,
        EAP-Sim-Rand2 = 0x 8E29A03F8E13466fBF84D12F6A9D4734,
        EAP-Sim-SRES2 = 0x E284e39e,
        EAP-Sim-KC2 = 0x 13a524d040094ef4,
        EAP-Sim-Rand3 = 0x BC5D3CEB1EAC4164AA463E289222C450,
        EAP-Sim-SRES3 = 0x AE8bdfc6,
        EAP-Sim-KC3 = 0x B0354bf3402e42ed


Here is my debug log:

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=215
	User-Name = "1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org"
	NAS-IP-Address = 192.168.2.1
	Called-Station-Id = "48f8b315461a"
	Calling-Station-Id = "1814563e5189"
	NAS-Identifier = "48f8b315461a"
	NAS-Port = 38
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x02000038013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
	Message-Authenticator = 0x509abafbd92ee8417dcb22095d89059d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org"
[suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org"
++[suffix] returns noop
rlm_sim_files: authorized user/imsi 1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry 1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 161
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.2.1 port 2048
	EAP-Message = 0x01a10014120a00000f0200020001000011010100
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x86406e6686e17cf5f398cb77ce20781c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=265
Cleaning up request 0 ID 1 with timestamp +25
	User-Name = "1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org"
	NAS-IP-Address = 192.168.2.1
	Called-Station-Id = "48f8b315461a"
	Calling-Station-Id = "1814563e5189"
	NAS-Identifier = "48f8b315461a"
	NAS-Port = 38
	Framed-MTU = 1400
	State = 0x86406e6686e17cf5f398cb77ce20781c
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x02a10058120a0000070500005004b19c6e3aacce33e95d1f3c10c481100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
	Message-Authenticator = 0xc9bbe2c285ff35377724d62bb118966b
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org"
[suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org"
++[suffix] returns noop
rlm_sim_files: authorized user/imsi 1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 161 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry 1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org at line 1
++[files] returns ok
 [sql] User 1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
	User-Name = "1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org"
	NAS-IP-Address = 192.168.2.1
	Called-Station-Id = "48f8b315461a"
	Calling-Station-Id = "1814563e5189"
	NAS-Identifier = "48f8b315461a"
	NAS-Port = 38
	Framed-MTU = 1400
	State = 0x86406e6686e17cf5f398cb77ce20781c
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x02a10058120a0000070500005004b19c6e3aacce33e95d1f3c10c481100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
	Message-Authenticator = 0xc9bbe2c285ff35377724d62bb118966b
	EAP-Type = SIM
	EAP-Sim-Subtype = Start
	EAP-Sim-NONCE_MT = 0x00005004b19c6e3aacce33e95d1f3c10c481
	EAP-Sim-SELECTED_VERSION = 0x0001
	EAP-Sim-IDENTITY = 0x3135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
[eap] Underlying EAP-Type set EAP ID to 162
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.2.1 port 2048
	EAP-Message = 0x01a20050120b0000010d0000326258e6f77c40f3866db25dea60ae4dfd9989bd90ad4a03962e6c08c000c14b26cc8db02c9848c7bbcc2790e3f0913b0b050000dec6228540e79bb78b2b1a497cba928e
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x86406e6687e27cf5f398cb77ce20781c
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=205
Cleaning up request 1 ID 1 with timestamp +25
	User-Name = "1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org"
	NAS-IP-Address = 192.168.2.1
	Called-Station-Id = "48f8b315461a"
	Calling-Station-Id = "1814563e5189"
	NAS-Identifier = "48f8b315461a"
	NAS-Port = 38
	Framed-MTU = 1400
	State = 0x86406e6687e27cf5f398cb77ce20781c
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x02a2001c120b00000b050000f2d858a5a86f03c2be282e6cde78c7e1
	Message-Authenticator = 0x2ca89c665a9f9e46895e8098aac382ee
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org"
[suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org"
++[suffix] returns noop
rlm_sim_files: authorized user/imsi 1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 162 length 28
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry 1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org at line 1
++[files] returns ok
 [sql] User 1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
MAC check succeed
[eap] Underlying EAP-Type set EAP ID to 163
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 1 to 192.168.2.1 port 2048
	MS-MPPE-Recv-Key = 0x1493962f20dce781f0e363ecdac45c203fe566abf333ec6e3d6f11398159f97b
	MS-MPPE-Send-Key = 0x976c0332286aac5b7fabc037a7ef34de9f7879861e3412582892bc0f9f06a0f0
	EAP-Message = 0x03a30004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org"
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 1 with timestamp +26
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2, length=215
	User-Name = "1510080325656501 at wlan.mnc008.mcc510.3gppnetwork.org"
	NAS-IP-Address = 192.168.2.1
	Called-Station-Id = "48f8b315461a"
	Calling-Station-Id = "001adc019b98"
	NAS-Identifier = "48f8b315461a"
	NAS-Port = 2
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x02000038013135313030383033323536353635303140776c616e2e6d6e633030382e6d63633531302e336770706e6574776f726b2e6f7267
	Message-Authenticator = 0x1e6d83334fd94f359c5fda46d916ce7e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc008.mcc510.3gppnetwork.org" for User-Name = "1510080325656501 at wlan.mnc008.mcc510.3gppnetwork.org"
[suffix] No such realm "wlan.mnc008.mcc510.3gppnetwork.org"
++[suffix] returns noop
rlm_sim_files: authorized user/imsi 1510080325656501 at wlan.mnc008.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
   can not initiate sim, no RAND1 attribute
[eap] Default EAP type sim failed in initiate
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]         expand: %{User-Name} -> 1510080325656501 at wlan.mnc008.mcc510.3gppnetwork.org
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 2 to 192.168.2.1 port 2048
	EAP-Message = 0x04000004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 3 ID 2 with timestamp +135
Ready to process requests.


Thank you very much for your help, time and advice.

Best regards


On Thu, Jun 20, 2013 at 4:49 PM, Iliya Peregoudov <iperegudov at cboss.ru> wrote:

> On 20.06.2013 13:38, raptor raptor wrote:
>
>> Sending Access-Accept of id 0 to 192.168.2.1 port 2048
>> MS-MPPE-Recv-Key = 0x9d0b6b0a9151822473399a9fed44e8f0d74df083532a7d437e436f60866252d8
>> MS-MPPE-Send-Key = 0xebf07da25ca3cd97267d1fc6a1ce18d68ad2737902f610284bdb45c6eed0cb7f
>> EAP-Message = 0x03760004
>> Message-Authenticator = 0x00000000000000000000000000000000
>> User-Name = "1510019760806391 at wlan.mnc001.mcc510.3gppnetwork.org"
>> Finished request 2.
>>
>
> I cannot see authentication failure in this debug log.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
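In the failing request above, `++[files] returns noop` is immediately followed by `can not initiate sim, no RAND1 attribute`, so no users entry handed rlm_eap the triplets for the second IMSI. The checker below is an added example (not from this thread or from FreeRADIUS) that parses entries in the layout shown in the post and reports whatever would leave an entry unable to seed a SIM challenge: missing `EAP-Sim-*` items, wrong hex widths, and a comma after the last reply item, which the users file syntax treats as "more items follow on the next line". It assumes the `EAP-Sim-Rand/SRES/KC` attribute names and the `0x <hex>` spacing seen in the post; the sample at the bottom is constructed from the post's first entry.

```python
import re

# GSM triplet field widths in hex digits (RAND 16 bytes, SRES 4 bytes, Kc 8 bytes)
WIDTHS = {"Rand": 32, "SRES": 8, "KC": 16}
ITEM_RE = re.compile(r"^\s+EAP-Sim-(Rand|SRES|KC)([123])\s*=\s*0x\s*([0-9A-Fa-f]*)\s*(,?)\s*$")

def parse_users(text):
    """Split a users file into {nai: [(field, index, hexvalue, ends_with_comma), ...]}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():           # unindented line starts a new entry: "<name> <checks>"
            current = line.split()[0]
            entries[current] = []
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            field, idx, value, comma = m.groups()
            entries[current].append((field, int(idx), value, comma == ","))
    return entries

def check_entry(items):
    """Problems that would stop rlm_eap building the SIM challenge; [] means the entry is complete."""
    problems = []
    found = {(f, i): v for f, i, v, _ in items}
    for field, width in WIDTHS.items():
        for i in (1, 2, 3):
            if (field, i) not in found:
                problems.append(f"missing EAP-Sim-{field}{i}")
            elif len(found[(field, i)]) != width:
                problems.append(f"EAP-Sim-{field}{i} must be {width} hex digits")
    # A comma after the LAST reply item tells the users-file parser that more reply
    # items follow, so the next line is consumed instead of starting a new entry.
    if items and items[-1][3]:
        problems.append("trailing comma after last reply item")
    return problems

def audit(users_text):
    """Map every NAI in the users file to its list of problems."""
    return {nai: check_entry(items) for nai, items in parse_users(users_text).items()}

if __name__ == "__main__":
    # Constructed sample: the first entry's layout from the post, shortened to one triplet
    sample = ("1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org  EAP-Type := SIM\n"
              "\tEAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,\n"
              "\tEAP-Sim-SRES1 = 0x DD287535,\n"
              "\tEAP-Sim-KC1 = 0x 7F743521EBabb000,\n")
    for nai, problems in audit(sample).items():
        print(nai, problems or "ok")
```

Run it against the real users file (`audit(open("/etc/freeradius/users").read())`, path assumed) before restarting radiusd; an entry that reports `[]` carries everything the `EAP-Sim` challenge needs.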

