EAP-SIM Error "Failed continuing EAP SIM (18) session. EAP sub-module failed"

Li Zhaoxing fxlizhaoxing at 163.com
Fri May 13 09:43:44 CEST 2016


Hi, I am new here and here is my problem:
    I am using FreeRADIUS version 3.0.4 and I am working on configuring FreeRADIUS as a local RADIUS server in a Hotspot 2.0 network. I am now in trouble with EAP-SIM authentication.
    I have configured EAP-SIM in the file eap under /mods-enabled, and moved "eap" after "files" in the authorize section of the file default under /sites-enabled. I have tested EAP-SIM using radeapclient successfully.
    I tested EAP-TTLS with MSCHAPv2 authentication in my experimental network successfully, which uses a username and password. Everything seemed to be going well until I tested EAP-SIM in the Hotspot 2.0 network.
    I tested EAP-SIM authentication using a real smartphone with a SIM card in which I specified a Ki myself. The AP (the NAS for RADIUS) is a Hotspot 2.0-capable wireless access point running hostapd, and when I try to access the network through the AP I get the ERROR "Failed continuing EAP SIM (18) session. EAP sub-module failed".
Here are my configuration and debug output.
In the users file my account is:
 1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org EAP-Type := SIM, EAP-Sim-KI := 0x8baf473f2f8fd09487cccbd7097c6862, EAP-Sim-Algo-Version := 1
Here is the radiusd -X debug output when I try to access the network:
(6) Received Access-Request Id 20 from 192.168.0.129:45017 to 192.168.0.200:1812 length 249
(6)   User-Name = "1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org"
(6)   NAS-IP-Address = 192.168.0.129
(6)   Called-Station-Id = "00-14-D5-91-C0-FD:hs20"
(6)   NAS-Port-Type = Wireless-802.11
(6)   NAS-Port = 1
(6)   Calling-Station-Id = "68-3E-34-9B-32-C7"
(6)   Connect-Info = "CONNECT 54Mbps 802.11g"
(6)   Framed-MTU = 1400
(6)   EAP-Message = 0x02330038013132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f7267
(6)   HS20-AP-Version = 1
(6)   Message-Authenticator = 0x440d0fe99fb6058bc76eb93698cf224d
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "wlan.mnc093.mcc208.3gppnetwork.org" for User-Name = "1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org"
(6) suffix: No such realm "wlan.mnc093.mcc208.3gppnetwork.org"
(6)     [suffix] = noop
(6) files: users: Matched entry 1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org at line 3
(6)     [files] = ok
(6) eap: Peer sent EAP Response (code 2) ID 51 length 56c
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6)   authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_sim to process data
(6) eap_sim: Generated following triplets for round 0:
(6) eap_sim:   RAND : 0x872b74dc0e5582cdd217f486e088008e
(6) eap_sim:   SRES : 0x2d989648
(6) eap_sim:   Kc   : 0xff85b4f6889f9800
(6) eap_sim: Generated following triplets for round 1:
(6) eap_sim:   RAND : 0xf3fe491aaf74d6b894e94af1ada52ca6
(6) eap_sim:   SRES : 0x056b09ed
(6) eap_sim:   Kc   : 0xdbf228d55f6fcc00
(6) eap_sim: Generated following triplets for round 2:
(6) eap_sim:   RAND : 0xaf2c073cb54b1861ee429fe7a3e3f60b
(6) eap_sim:   SRES : 0xe1445dc1
(6) eap_sim:   Kc   : 0x65a776abc0f43c00
(6) eap: Sending EAP Request (code 1) ID 180 length 20
(6) eap: EAP session adding &reply:State = 0x14c723b2147331b1
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found.  Ignoring.
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) Sent Access-Challenge Id 20 from 192.168.0.200:1812 to 192.168.0.129:45017 length 0
(6)   EAP-Message = 0x01b40014120a00000f0200020001000011010100
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x14c723b2147331b1a0c3c29e8d6db7ba
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 21 from 192.168.0.129:45017 to 192.168.0.200:1812 length 299
(7)   User-Name = "1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org"
(7)   NAS-IP-Address = 192.168.0.129
(7)   Called-Station-Id = "00-14-D5-91-C0-FD:hs20"
(7)   NAS-Port-Type = Wireless-802.11
(7)   NAS-Port = 1
(7)   Calling-Station-Id = "68-3E-34-9B-32-C7"
(7)   Connect-Info = "CONNECT 54Mbps 802.11g"
(7)   Framed-MTU = 1400
(7)   EAP-Message = 0x02b40058120a000007050000ef994301bfa74fda8473e5ce391e2bc5100100010e0e00333132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f726700
(7)   State = 0x14c723b2147331b1a0c3c29e8d6db7ba
(7)   HS20-AP-Version = 1
(7)   Message-Authenticator = 0xd9cb8b33b442579671f1b5ebe828ff41
(7) session-state: No cached attributes
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "wlan.mnc093.mcc208.3gppnetwork.org" for User-Name = "1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org"
(7) suffix: No such realm "wlan.mnc093.mcc208.3gppnetwork.org"
(7)     [suffix] = noop
(7) files: users: Matched entry 1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org at line 3
(7)     [files] = ok
(7) eap: Peer sent EAP Response (code 2) ID 180 length 88
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)     [eap] = updated
(7)     [expiration] = noop
(7)     [logintime] = noop
(7) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(7) pap: WARNING: Authentication will fail unless a "known good" password is available
(7)     [pap] = noop
(7)   } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0x14c723b2147331b1
(7) eap: Finished EAP session with state 0x14c723b2147331b1
(7) eap: Previous EAP request found for state 0x14c723b2147331b1, released from the list
(7) eap: Peer sent packet with method EAP SIM (18)
(7) eap: Calling submodule eap_sim to process data
(7) eap_sim: EAP-SIM decoded packet
(7) eap_sim:   User-Name = "1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org"
(7) eap_sim:   NAS-IP-Address = 192.168.0.129
(7) eap_sim:   Called-Station-Id = "00-14-D5-91-C0-FD:hs20"
(7) eap_sim:   NAS-Port-Type = Wireless-802.11
(7) eap_sim:   NAS-Port = 1
(7) eap_sim:   Calling-Station-Id = "68-3E-34-9B-32-C7"
(7) eap_sim:   Connect-Info = "CONNECT 54Mbps 802.11g"
(7) eap_sim:   Framed-MTU = 1400
(7) eap_sim:   EAP-Message = 0x02b40058120a000007050000ef994301bfa74fda8473e5ce391e2bc5100100010e0e00333132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f726700
(7) eap_sim:   State = 0x14c723b2147331b1a0c3c29e8d6db7ba
(7) eap_sim:   HS20-AP-Version = 1
(7) eap_sim:   Message-Authenticator = 0xd9cb8b33b442579671f1b5ebe828ff41
(7) eap_sim:   Event-Timestamp = "May 13 2016 14:52:36 CST"
(7) eap_sim:   EAP-Type = SIM
(7) eap_sim:   EAP-Sim-Subtype = Start
(7) eap_sim:   EAP-Sim-NONCE_MT = 0x0000ef994301bfa74fda8473e5ce391e2bc5
(7) eap_sim:   EAP-Sim-SELECTED_VERSION = 0x0001
(7) eap_sim:   EAP-Sim-IDENTITY = 0x00333132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f726700
(7) eap: Sending EAP Request (code 1) ID 181 length 80
(7) eap: EAP session adding &reply:State = 0x14c723b2157231b1
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found.  Ignoring.
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) Sent Access-Challenge Id 21 from 192.168.0.200:1812 to 192.168.0.129:45017 length 0
(7)   EAP-Message = 0x01b50050120b0000010d0000872b74dc0e5582cdd217f486e088008ef3fe491aaf74d6b894e94af1ada52ca6af2c073cb54b1861ee429fe7a3e3f60b0b0500006ccc60941e49dc60ae915c9edba32357
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x14c723b2157231b1a0c3c29e8d6db7ba
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 22 from 192.168.0.129:45017 to 192.168.0.200:1812 length 223
(8)   User-Name = "1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org"
(8)   NAS-IP-Address = 192.168.0.129
(8)   Called-Station-Id = "00-14-D5-91-C0-FD:hs20"
(8)   NAS-Port-Type = Wireless-802.11
(8)   NAS-Port = 1
(8)   Calling-Station-Id = "68-3E-34-9B-32-C7"
(8)   Connect-Info = "CONNECT 54Mbps 802.11g"
(8)   Framed-MTU = 1400
(8)   EAP-Message = 0x02b5000c120e000016010000
(8)   State = 0x14c723b2157231b1a0c3c29e8d6db7ba
(8)   HS20-AP-Version = 1
(8)   Message-Authenticator = 0x602535e3fc71889877b3e8ff37557d10
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: Looking up realm "wlan.mnc093.mcc208.3gppnetwork.org" for User-Name = "1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org"
(8) suffix: No such realm "wlan.mnc093.mcc208.3gppnetwork.org"
(8)     [suffix] = noop
(8) files: users: Matched entry 1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org at line 3
(8)     [files] = ok
(8) eap: Peer sent EAP Response (code 2) ID 181 length 12
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)     [eap] = updated
(8)     [expiration] = noop
(8)     [logintime] = noop
(8) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(8) pap: WARNING: Authentication will fail unless a "known good" password is available
(8)     [pap] = noop
(8)   } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0x14c723b2157231b1
(8) eap: Finished EAP session with state 0x14c723b2157231b1
(8) eap: Previous EAP request found for state 0x14c723b2157231b1, released from the list
(8) eap: Peer sent packet with method EAP SIM (18)
(8) eap: Calling submodule eap_sim to process data
(8) eap: ERROR: Failed continuing EAP SIM (18) session.  EAP sub-module failed
(8) eap: Sending EAP Failure (code 4) ID 181 length 4
(8) eap: Failed in EAP select
(8)     [eap] = invalid
(8)   } # authenticate = invalid
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8)   Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject:    --> 1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8)     [attr_filter.access_reject] = updated
(8)     [eap] = noop
(8)     policy remove_reply_message_if_eap {
(8)       if (&reply:EAP-Message && &reply:Reply-Message) {
(8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(8)       else {
(8)         [noop] = noop
(8)       } # else = noop
(8)     } # policy remove_reply_message_if_eap = noop
(8)   } # Post-Auth-Type REJECT = updated
(8) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(8) Sending delayed response
(8) Sent Access-Reject Id 22 from 192.168.0.200:1812 to 192.168.0.129:45017 length 44
(8)   EAP-Message = 0x04b50004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.6 seconds.
(6) Cleaning up request packet ID 20 with timestamp +61
(7) Cleaning up request packet ID 21 with timestamp +61
Waking up in 0.3 seconds.
(8) Cleaning up request packet ID 22 with timestamp +61
It seems that my RADIUS server failed in calling the EAP-SIM module to process the MAC challenge response.
Does anyone have some ideas? Since the log gives only one line of ERROR, I can't tell what's going wrong. Thank you for your attention, and if any information is required to locate my error, I am very pleased to offer my configuration and logs.

Li Zhaoxing
Beijing University of Posts and Telecommunications
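What the phone actually answered is visible in the EAP-Message hex above, but radiusd -X only decodes the packets it handled successfully, not the last one. The decoder below is an added example written for this page; it is not FreeRADIUS, hostapd or the poster's code. It parses the four EAP-Message values quoted in the debug output as RFC 4186 EAP-SIM packets (EAP header, SIM subtype, then the 4-octet-unit TLV attributes). The subtype, attribute and client-error numbers are the ones RFC 4186 assigns; the hex strings are copied from the post and are the only input.

```python
"""Decode the EAP-SIM (RFC 4186) packets quoted in the radiusd -X output above.

Added example for this page, not FreeRADIUS or hostapd code. Constants follow
RFC 4186 sections 8 and 10; CAPTURED holds EAP-Message values copied from the post.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_SIM = 18
SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification",
            13: "Re-authentication", 14: "Client-Error"}
ATTRS = {1: "AT_RAND", 6: "AT_PADDING", 7: "AT_NONCE_MT", 10: "AT_PERMANENT_ID_REQ",
         11: "AT_MAC", 12: "AT_NOTIFICATION", 13: "AT_ANY_ID_REQ", 14: "AT_IDENTITY",
         15: "AT_VERSION_LIST", 16: "AT_SELECTED_VERSION", 17: "AT_FULLAUTH_ID_REQ",
         19: "AT_COUNTER", 20: "AT_COUNTER_TOO_SMALL", 21: "AT_NONCE_S",
         22: "AT_CLIENT_ERROR_CODE", 129: "AT_IV", 130: "AT_ENCR_DATA",
         132: "AT_NEXT_PSEUDONYM", 133: "AT_NEXT_REAUTH_ID", 134: "AT_CHECKCODE",
         135: "AT_RESULT_IND"}
CLIENT_ERRORS = {0: "unable to process packet", 1: "unsupported version",
                 2: "insufficient number of challenges", 3: "RANDs are not fresh"}

# EAP-Message values from requests (6), (7), (8) and the final Access-Reject above.
CAPTURED = {
    "start_request": "0x01b40014120a00000f0200020001000011010100",
    "start_response": ("0x02b40058120a0000"
                       "07050000ef994301bfa74fda8473e5ce391e2bc5"
                       "10010001"
                       "0e0e0033" "3132303839333030303030303030303140776c616e2e6d6e63"
                       "3039332e6d63633230382e336770706e6574776f726b2e6f7267" "00"),
    "challenge": ("0x01b50050120b0000" "010d0000"
                  "872b74dc0e5582cdd217f486e088008e" "f3fe491aaf74d6b894e94af1ada52ca6"
                  "af2c073cb54b1861ee429fe7a3e3f60b"
                  "0b050000" "6ccc60941e49dc60ae915c9edba32357"),
    "client_error": "0x02b5000c120e000016010000",
    "failure": "0x04b50004",
}


def decode_attr(atype, body):
    """Decode the value part of one attribute (everything after type and length)."""
    if atype == 1:                        # AT_RAND: 2 reserved octets, then n x 16-octet RANDs
        rands = body[2:]
        return [rands[i:i + 16].hex() for i in range(0, len(rands), 16)]
    if atype in (7, 11, 21, 129):         # AT_NONCE_MT, AT_MAC, AT_NONCE_S, AT_IV: 2 reserved + value
        return body[2:].hex()
    if atype in (14, 132, 133):           # identities: 2-octet actual length, octets, padding
        n = struct.unpack("!H", body[:2])[0]
        return body[2:2 + n].decode("ascii", "replace")
    if atype == 15:                       # AT_VERSION_LIST: actual length, then 2-octet versions
        n = struct.unpack("!H", body[:2])[0]
        return list(struct.unpack("!%dH" % (n // 2), body[2:2 + n]))
    if atype in (12, 16, 19, 22):         # 2-octet numeric values
        return struct.unpack("!H", body[:2])[0]
    if atype in (10, 13, 17, 20, 135):    # flag attributes carry only reserved octets
        return None
    return body.hex()                     # AT_ENCR_DATA, AT_CHECKCODE, unknown: raw


def parse_eap_sim(hexstr):
    """Return a dict describing one EAP packet; SIM attributes are decoded as TLVs."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length field %d != %d octets on the wire" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length, "attrs": []}
    if length == 4:                       # Success/Failure carry no type octet
        return pkt
    pkt["type"] = data[4]
    if data[4] != EAP_TYPE_SIM:
        return pkt
    pkt["type"] = "SIM"
    pkt["subtype"] = SUBTYPES.get(data[5], data[5])
    off = 8                               # type, subtype, 2 reserved octets
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % off)
        atype, alen = data[off], data[off + 1] * 4   # length field is in 4-octet units
        if alen == 0 or off + alen > length:
            raise ValueError("bad length %d for attribute %d at offset %d" % (alen, atype, off))
        value = decode_attr(atype, data[off + 2:off + alen])
        pkt["attrs"].append((ATTRS.get(atype, atype), value))
        off += alen
    return pkt


def diagnose(hexstr):
    """One-line reading of a packet, naming the peer's error code when it aborted."""
    pkt = parse_eap_sim(hexstr)
    attrs = dict(pkt["attrs"])
    if pkt.get("subtype") == "Client-Error":
        code = attrs.get("AT_CLIENT_ERROR_CODE")
        return "peer sent Client-Error, AT_CLIENT_ERROR_CODE %s (%s)" % (
            code, CLIENT_ERRORS.get(code, "unknown"))
    if pkt.get("subtype") == "Challenge":
        return "server Challenge with %d RAND(s) and AT_MAC %s" % (
            len(attrs.get("AT_RAND", [])), attrs.get("AT_MAC"))
    return "%s %s" % (pkt["code"], pkt.get("subtype", pkt.get("type", "")))


if __name__ == "__main__":
    for name, hexstr in CAPTURED.items():
        print("%-15s %s" % (name, diagnose(hexstr)))
        for aname, value in parse_eap_sim(hexstr)["attrs"]:
            print("    %s: %s" % (aname, value))
```

Run stand-alone it prints one line per packet plus its attributes. The reply to request (7) is the server's Challenge carrying the three RANDs from the generated triplets and an AT_MAC; the phone's reply in request (8), EAP-Message = 0x02b5000c120e000016010000, is an EAP-SIM Client-Error packet whose only attribute is AT_CLIENT_ERROR_CODE 0, "unable to process packet". That is why the server has nothing to continue and answers with EAP-Failure: the peer itself aborted after receiving the Challenge. Code 0 is the generic error code in RFC 4186, so it does not say which check failed on the phone; the supplicant's own log is needed for that. Two cautions when sharing such output: the users entry carries the Ki in clear, and the debug log prints every RAND/SRES/Kc triplet, so treat both as secrets.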


