3.0.x - Issue with EAP-SIM - EAP-Message too short in Challenge

Chaigneau, Nicolas nicolas.chaigneau at capgemini.com
Wed Jun 11 19:15:29 CEST 2014


Hello,

I've tried to rebuild the FreeRADIUS server I was using to perform EAP-SIM authentication with the latest commit from FreeRADIUS 3.0.x HEAD.

It doesn't seem to work anymore, I'm not sure what's going on...


I've noticed some changes to eapsimlib.c (not sure if it's linked...) in the following commit :
https://github.com/FreeRADIUS/freeradius-server/commit/39df09e42d80a96363be0bddee2ff0ba97fdb035

So I tried a prior commit :
https://github.com/FreeRADIUS/freeradius-server/tree/7edb8dd4a91d0111da0950e21c113cfc3e4d2a28
With this version I don't have the problem.

(For both, I use the same configuration and the same EAP-SIM triplets.)




Anyway, here is my problem:

When sending back the Access-Challenge, the EAP-Message attribute is too short.
(0x01330008120a0000 instead of something like 0x01160014120a00000f02000200010000110101bd)

The client then complains that it can't use it...



Here is the debug output I got from FreeRADIUS head (not working):

Received Access-Request Id 224 from 10.67.106.10:58041 to 10.67.141.74:31812 length 188
  Code:         1
  Id:           224
  Length:       188
  Vector:       dcfdcece0b9e4e4e0201b61669befbd5
  Data:         01  35  31 32 30 38 30 31 30 30 30 30 30 30 30 30 30 32
                        40 77 6c 61 6e 2e 6d 6e 63 30 30 31 2e 6d 63 63
                        32 30 38 2e 33 67 70 70 6e 65 74 77 6f 72 6b 2e
                        6f 72 67
                50  12  bc 8d b4 d3 e3 4e 76 10 e1 83 c2 45 10 65 ff 14
                04  06  0a 14 00 00
                20  0a  4c 69 76 65 42 6f 78 31
                1f  13  46 37 3a 42 42 3a 43 38 3a 32 45 3a 42 36 3a 36
                        31
                4f  3a  02 07 00 38 01 31 32 30 38 30 31 30 30 30 30 30
                        30 30 30 30 32 40 77 6c 61 6e 2e 6d 6e 63 30 30
                        31 2e 6d 63 63 32 30 38 2e 33 67 70 70 6e 65 74
                        77 6f 72 6b 2e 6f 72 67
                21  04  37 34
        User-Name = '1208010000000002 at wlan.mnc001.mcc208.3gppnetwork.org'
        Message-Authenticator = 0xbc8db4d3e34e7610e183c2451065ff14
        NAS-IP-Address = 10.20.0.0
        NAS-Identifier = 'LiveBox1'
        Calling-Station-Id = 'F7:BB:C8:2E:B6:61'
        EAP-Message = 0x02070038013132303830313030303030303030303240776c616e2e6d6e633030312e6d63633230382e336770706e6574776f726b2e6f7267
        Proxy-State = 0x3734
Wed Jun 11 17:39:31 2014 : Debug: (0) # Executing section authorize from file /opt/application/sim3gppb/current/etc/raddb/sites-enabled/server-sim3gpp-b
Wed Jun 11 17:39:31 2014 : Debug: (0)   authorize {
Wed Jun 11 17:39:31 2014 : Debug: (0)  modsingle[authorize]: calling files (rlm_files) for request 0
Wed Jun 11 17:39:31 2014 : Debug: (0)  files : users: Matched entry DEFAULT at line 1
Wed Jun 11 17:39:31 2014 : Debug: (0)  files : ::: FROM 0 TO 0 MAX 0
Wed Jun 11 17:39:31 2014 : Debug: (0)  files : ::: TO in 0 out 0
Wed Jun 11 17:39:31 2014 : Debug: (0) modsingle[authorize]: returned from files (rlm_files) for request 0
Wed Jun 11 17:39:31 2014 : Debug: (0)   [files] = ok
Wed Jun 11 17:39:31 2014 : Debug: (0)  modsingle[authorize]: calling eap (rlm_eap) for request 0
Wed Jun 11 17:39:31 2014 : Debug: (0)  eap : EAP packet type response id 7 length 56
Wed Jun 11 17:39:31 2014 : Debug: (0)  eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
Wed Jun 11 17:39:31 2014 : Debug: (0) modsingle[authorize]: returned from eap (rlm_eap) for request 0
Wed Jun 11 17:39:31 2014 : Debug: (0)   [eap] = ok
Wed Jun 11 17:39:31 2014 : Debug: (0)  } #  authorize = ok
Wed Jun 11 17:39:31 2014 : Debug: (0) Found Auth-Type = EAP
Wed Jun 11 17:39:31 2014 : Debug: (0) # Executing group from file /opt/application/sim3gppb/current/etc/raddb/sites-enabled/server-sim3gpp-b
Wed Jun 11 17:39:31 2014 : Debug: (0)   authenticate {
Wed Jun 11 17:39:31 2014 : Debug: (0)  modsingle[authenticate]: calling eap (rlm_eap) for request 0
Wed Jun 11 17:39:31 2014 : Debug: (0)  eap : Peer sent Identity (1)
Wed Jun 11 17:39:31 2014 : Debug: (0)  eap : Calling eap_sim to process EAP data
Wed Jun 11 17:39:31 2014 : Debug: (0)  eap : Underlying EAP-Type set EAP ID to 51
Wed Jun 11 17:39:31 2014 : Debug: (0)  eap : New EAP session, adding 'State' attribute to reply 0xbefde769becef5c4
Wed Jun 11 17:39:31 2014 : Debug: (0) modsingle[authenticate]: returned from eap (rlm_eap) for request 0
Wed Jun 11 17:39:31 2014 : Debug: (0)   [eap] = handled
Wed Jun 11 17:39:31 2014 : Debug: (0)  } #  authenticate = handled
Sending Access-Challenge Id 224 from 10.67.141.74:31812 to 10.67.106.10:58041
        EAP-Message = 0x01330008120a0000
                4f 0a  01 33 00 08 12 0a 00 00
        Message-Authenticator = 0x00000000000000000000000000000000
                50 12 ...
        State = 0xbefde769becef5c4fed48348b17e5f33
                18 12  be fd e7 69 be ce f5 c4 fe d4 83 48 b1 7e 5f 33
        Proxy-State = 0x3734
                21 04  37 34
  Code:         11
  Id:           224
  Length:       70
  Vector:       eedd54e7cb408773ed0592f29c79366a
  Data:         4f  0a  01 33 00 08 12 0a 00 00
                50  12  c2 7b 71 a9 21 27 d9 a8 ac c9 ee 7f 66 b5 1a 3b
                18  12  be fd e7 69 be ce f5 c4 fe d4 83 48 b1 7e 5f 33
                21  04  37 34
Wed Jun 11 17:39:31 2014 : Debug: (0) Finished request



And the debug output of the version which works:


Received Access-Request Id 133 from 10.67.106.10:58041 to 10.67.141.74:31812 length 189
  Code:         1
  Id:           133
  Length:       189
  Vector:       f10dc73217b1a3f43ce8dd257f974fab
  Data:         01  35  31 32 30 38 30 31 30 30 30 30 30 30 30 30 30 32
                        40 77 6c 61 6e 2e 6d 6e 63 30 30 31 2e 6d 63 63
                        32 30 38 2e 33 67 70 70 6e 65 74 77 6f 72 6b 2e
                        6f 72 67
                50  12  7a a1 76 b9 ad c5 60 a9 07 2f 81 bd 62 82 e0 34
                04  06  0a 14 00 00
                20  0a  4c 69 76 65 42 6f 78 31
                1f  13  46 37 3a 42 42 3a 43 38 3a 32 45 3a 42 36 3a 36
                        31
                4f  3a  02 2f 00 38 01 31 32 30 38 30 31 30 30 30 30 30
                        30 30 30 30 32 40 77 6c 61 6e 2e 6d 6e 63 30 30
                        31 2e 6d 63 63 32 30 38 2e 33 67 70 70 6e 65 74
                        77 6f 72 6b 2e 6f 72 67
                21  05  32 30 32
        User-Name = '1208010000000002 at wlan.mnc001.mcc208.3gppnetwork.org'
        Message-Authenticator = 0x7aa176b9adc560a9072f81bd6282e034
        NAS-IP-Address = 10.20.0.0
        NAS-Identifier = 'LiveBox1'
        Calling-Station-Id = 'F7:BB:C8:2E:B6:61'
        EAP-Message = 0x022f0038013132303830313030303030303030303240776c616e2e6d6e633030312e6d63633230382e336770706e6574776f726b2e6f7267
        Proxy-State = 0x323032
Wed Jun 11 18:55:50 2014 : Debug: (0) # Executing section authorize from file /opt/application/sim3gppb/current/etc/raddb/sites-enabled/server-sim3gpp-b
Wed Jun 11 18:55:50 2014 : Debug: (0)   authorize {
Wed Jun 11 18:55:50 2014 : Debug: (0)  modsingle[authorize]: calling files (rlm_files) for request 0
Wed Jun 11 18:55:50 2014 : Debug: (0)  files : users: Matched entry DEFAULT at line 1
Wed Jun 11 18:55:50 2014 : Debug: (0)  files : ::: FROM 0 TO 0 MAX 0
Wed Jun 11 18:55:50 2014 : Debug: (0)  files : ::: TO in 0 out 0
Wed Jun 11 18:55:50 2014 : Debug: (0) modsingle[authorize]: returned from files (rlm_files) for request 0
Wed Jun 11 18:55:50 2014 : Debug: (0)   [files] = ok
Wed Jun 11 18:55:50 2014 : Debug: (0)  modsingle[authorize]: calling eap (rlm_eap) for request 0
Wed Jun 11 18:55:50 2014 : Debug: (0)  eap : EAP packet type response id 47 length 56
Wed Jun 11 18:55:50 2014 : Debug: (0)  eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
Wed Jun 11 18:55:50 2014 : Debug: (0) modsingle[authorize]: returned from eap (rlm_eap) for request 0
Wed Jun 11 18:55:50 2014 : Debug: (0)   [eap] = ok
Wed Jun 11 18:55:50 2014 : Debug: (0)  } #  authorize = ok
Wed Jun 11 18:55:50 2014 : Debug: (0) Found Auth-Type = EAP
Wed Jun 11 18:55:50 2014 : Debug: (0) # Executing group from file /opt/application/sim3gppb/current/etc/raddb/sites-enabled/server-sim3gpp-b
Wed Jun 11 18:55:50 2014 : Debug: (0)   authenticate {
Wed Jun 11 18:55:50 2014 : Debug: (0)  modsingle[authenticate]: calling eap (rlm_eap) for request 0
Wed Jun 11 18:55:50 2014 : Debug: (0)  eap : Peer sent Identity (1)
Wed Jun 11 18:55:50 2014 : Debug: (0)  eap : Calling eap_sim to process EAP data
Wed Jun 11 18:55:50 2014 : Debug: (0)  eap : Underlying EAP-Type set EAP ID to 22
Wed Jun 11 18:55:50 2014 : Debug: (0)  eap : New EAP session, adding 'State' attribute to reply 0xa0e39a96a0f58828
Wed Jun 11 18:55:50 2014 : Debug: (0) modsingle[authenticate]: returned from eap (rlm_eap) for request 0
Wed Jun 11 18:55:50 2014 : Debug: (0)   [eap] = handled
Wed Jun 11 18:55:50 2014 : Debug: (0)  } #  authenticate = handled
Sending Access-Challenge Id 133 from 10.67.141.74:31812 to 10.67.106.10:58041
        EAP-Message = 0x01160014120a00000f02000200010000110101bd
                4f 16  01 16 00 14 12 0a 00 00 0f 02 00 02 00 01 00 00
                        11 01 01 bd
        Message-Authenticator = 0x00000000000000000000000000000000
                50 12 ...
        State = 0xa0e39a96a0f588286d14f17f1bb6a974
                18 12  a0 e3 9a 96 a0 f5 88 28 6d 14 f1 7f 1b b6 a9 74
        Proxy-State = 0x323032
                21 05  32 30 32
  Code:         11
  Id:           133
  Length:       83
  Vector:       e51a3a64a9b0ba2d9df6ddd978b09a36
  Data:         4f  16  01 16 00 14 12 0a 00 00 0f 02 00 02 00 01 00 00
                        11 01 01 bd
                50  12  a6 57 63 1b 50 56 40 da f8 7e 5b 45 cd 23 a3 c7
                18  12  a0 e3 9a 96 a0 f5 88 28 6d 14 f1 7f 1b b6 a9 74
                21  05  32 30 32
Wed Jun 11 18:55:50 2014 : Debug: (0) Finished request






Regards,
Nicolas.


This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.



More information about the Freeradius-Users mailing list