EAP-SIM Error "Failed continuing EAP SIM (18) session. EAP sub-module failed"
Li Zhaoxing
fxlizhaoxing at 163.com
Fri May 13 09:43:44 CEST 2016
Hi, I am new here and here is my problem:
I am using FreeRADIUS version 3.0.4 and I am working on configuring FreeRADIUS as a local RADIUS server in a hotspot2.0 network. I am now having trouble with EAP-SIM authentication.
I have configured EAP-SIM in the file eap under /mods-enabled, and changed the order so that "eap" comes after "files" in the authorize part of the file default under /sites-enabled. I have tested EAP-SIM using radeapclient successfully.
I tested EAP-TTLS with MSCHAPv2 authentication, which uses a username and password, successfully in my experimental network. Everything seemed to be going well until I tested EAP-SIM in the hotspot2.0 network.
I tested the EAP-SIM authentication using a real smartphone with a SIM card in which I specified a Ki myself. The AP (the NAI of RADIUS) is a hotspot2.0-supported wireless access point running hostapd. When I try to access the network through the AP I get the error "Failed continuing EAP SIM (18) session. EAP sub-module failed".
Here are my configuration and debug output.
In the users file my account is:
1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org EAP-Type := SIM, EAP-Sim-KI := 0x8baf473f2f8fd09487cccbd7097c6862, EAP-Sim-Algo-Version := 1
Here is the radiusd -X debug output when I request access to the network:
(6) Received Access-Request Id 20 from 192.168.0.129:45017 to 192.168.0.200:1812 length 249
(6) User-Name = "1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org"
(6) NAS-IP-Address = 192.168.0.129
(6) Called-Station-Id = "00-14-D5-91-C0-FD:hs20"
(6) NAS-Port-Type = Wireless-802.11
(6) NAS-Port = 1
(6) Calling-Station-Id = "68-3E-34-9B-32-C7"
(6) Connect-Info = "CONNECT 54Mbps 802.11g"
(6) Framed-MTU = 1400
(6) EAP-Message = 0x02330038013132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f7267
(6) HS20-AP-Version = 1
(6) Message-Authenticator = 0x440d0fe99fb6058bc76eb93698cf224d
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "wlan.mnc093.mcc208.3gppnetwork.org" for User-Name = "1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org"
(6) suffix: No such realm "wlan.mnc093.mcc208.3gppnetwork.org"
(6) [suffix] = noop
(6) files: users: Matched entry 1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org at line 3
(6) [files] = ok
(6) eap: Peer sent EAP Response (code 2) ID 51 length 56c
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_sim to process data
(6) eap_sim: Generated following triplets for round 0:
(6) eap_sim: RAND : 0x872b74dc0e5582cdd217f486e088008e
(6) eap_sim: SRES : 0x2d989648
(6) eap_sim: Kc : 0xff85b4f6889f9800
(6) eap_sim: Generated following triplets for round 1:
(6) eap_sim: RAND : 0xf3fe491aaf74d6b894e94af1ada52ca6
(6) eap_sim: SRES : 0x056b09ed
(6) eap_sim: Kc : 0xdbf228d55f6fcc00
(6) eap_sim: Generated following triplets for round 2:
(6) eap_sim: RAND : 0xaf2c073cb54b1861ee429fe7a3e3f60b
(6) eap_sim: SRES : 0xe1445dc1
(6) eap_sim: Kc : 0x65a776abc0f43c00
(6) eap: Sending EAP Request (code 1) ID 180 length 20
(6) eap: EAP session adding &reply:State = 0x14c723b2147331b1
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) Sent Access-Challenge Id 20 from 192.168.0.200:1812 to 192.168.0.129:45017 length 0
(6) EAP-Message = 0x01b40014120a00000f0200020001000011010100
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x14c723b2147331b1a0c3c29e8d6db7ba
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 21 from 192.168.0.129:45017 to 192.168.0.200:1812 length 299
(7) User-Name = "1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org"
(7) NAS-IP-Address = 192.168.0.129
(7) Called-Station-Id = "00-14-D5-91-C0-FD:hs20"
(7) NAS-Port-Type = Wireless-802.11
(7) NAS-Port = 1
(7) Calling-Station-Id = "68-3E-34-9B-32-C7"
(7) Connect-Info = "CONNECT 54Mbps 802.11g"
(7) Framed-MTU = 1400
(7) EAP-Message = 0x02b40058120a000007050000ef994301bfa74fda8473e5ce391e2bc5100100010e0e00333132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f726700
(7) State = 0x14c723b2147331b1a0c3c29e8d6db7ba
(7) HS20-AP-Version = 1
(7) Message-Authenticator = 0xd9cb8b33b442579671f1b5ebe828ff41
(7) session-state: No cached attributes
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "wlan.mnc093.mcc208.3gppnetwork.org" for User-Name = "1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org"
(7) suffix: No such realm "wlan.mnc093.mcc208.3gppnetwork.org"
(7) [suffix] = noop
(7) files: users: Matched entry 1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org at line 3
(7) [files] = ok
(7) eap: Peer sent EAP Response (code 2) ID 180 length 88
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [expiration] = noop
(7) [logintime] = noop
(7) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(7) pap: WARNING: Authentication will fail unless a "known good" password is available
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x14c723b2147331b1
(7) eap: Finished EAP session with state 0x14c723b2147331b1
(7) eap: Previous EAP request found for state 0x14c723b2147331b1, released from the list
(7) eap: Peer sent packet with method EAP SIM (18)
(7) eap: Calling submodule eap_sim to process data
(7) eap_sim: EAP-SIM decoded packet
(7) eap_sim: User-Name = "1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org"
(7) eap_sim: NAS-IP-Address = 192.168.0.129
(7) eap_sim: Called-Station-Id = "00-14-D5-91-C0-FD:hs20"
(7) eap_sim: NAS-Port-Type = Wireless-802.11
(7) eap_sim: NAS-Port = 1
(7) eap_sim: Calling-Station-Id = "68-3E-34-9B-32-C7"
(7) eap_sim: Connect-Info = "CONNECT 54Mbps 802.11g"
(7) eap_sim: Framed-MTU = 1400
(7) eap_sim: EAP-Message = 0x02b40058120a000007050000ef994301bfa74fda8473e5ce391e2bc5100100010e0e00333132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f726700
(7) eap_sim: State = 0x14c723b2147331b1a0c3c29e8d6db7ba
(7) eap_sim: HS20-AP-Version = 1
(7) eap_sim: Message-Authenticator = 0xd9cb8b33b442579671f1b5ebe828ff41
(7) eap_sim: Event-Timestamp = "May 13 2016 14:52:36 CST"
(7) eap_sim: EAP-Type = SIM
(7) eap_sim: EAP-Sim-Subtype = Start
(7) eap_sim: EAP-Sim-NONCE_MT = 0x0000ef994301bfa74fda8473e5ce391e2bc5
(7) eap_sim: EAP-Sim-SELECTED_VERSION = 0x0001
(7) eap_sim: EAP-Sim-IDENTITY = 0x00333132303839333030303030303030303140776c616e2e6d6e633039332e6d63633230382e336770706e6574776f726b2e6f726700
(7) eap: Sending EAP Request (code 1) ID 181 length 80
(7) eap: EAP session adding &reply:State = 0x14c723b2157231b1
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) Sent Access-Challenge Id 21 from 192.168.0.200:1812 to 192.168.0.129:45017 length 0
(7) EAP-Message = 0x01b50050120b0000010d0000872b74dc0e5582cdd217f486e088008ef3fe491aaf74d6b894e94af1ada52ca6af2c073cb54b1861ee429fe7a3e3f60b0b0500006ccc60941e49dc60ae915c9edba32357
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x14c723b2157231b1a0c3c29e8d6db7ba
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 22 from 192.168.0.129:45017 to 192.168.0.200:1812 length 223
(8) User-Name = "1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org"
(8) NAS-IP-Address = 192.168.0.129
(8) Called-Station-Id = "00-14-D5-91-C0-FD:hs20"
(8) NAS-Port-Type = Wireless-802.11
(8) NAS-Port = 1
(8) Calling-Station-Id = "68-3E-34-9B-32-C7"
(8) Connect-Info = "CONNECT 54Mbps 802.11g"
(8) Framed-MTU = 1400
(8) EAP-Message = 0x02b5000c120e000016010000
(8) State = 0x14c723b2157231b1a0c3c29e8d6db7ba
(8) HS20-AP-Version = 1
(8) Message-Authenticator = 0x602535e3fc71889877b3e8ff37557d10
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: Looking up realm "wlan.mnc093.mcc208.3gppnetwork.org" for User-Name = "1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org"
(8) suffix: No such realm "wlan.mnc093.mcc208.3gppnetwork.org"
(8) [suffix] = noop
(8) files: users: Matched entry 1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org at line 3
(8) [files] = ok
(8) eap: Peer sent EAP Response (code 2) ID 181 length 12
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(8) pap: WARNING: Authentication will fail unless a "known good" password is available
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x14c723b2157231b1
(8) eap: Finished EAP session with state 0x14c723b2157231b1
(8) eap: Previous EAP request found for state 0x14c723b2157231b1, released from the list
(8) eap: Peer sent packet with method EAP SIM (18)
(8) eap: Calling submodule eap_sim to process data
(8) eap: ERROR: Failed continuing EAP SIM (18) session. EAP sub-module failed
(8) eap: Sending EAP Failure (code 4) ID 181 length 4
(8) eap: Failed in EAP select
(8) [eap] = invalid
(8) } # authenticate = invalid
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject: --> 1208930000000001 at wlan.mnc093.mcc208.3gppnetwork.org
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8) [attr_filter.access_reject] = updated
(8) [eap] = noop
(8) policy remove_reply_message_if_eap {
(8) if (&reply:EAP-Message && &reply:Reply-Message) {
(8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(8) else {
(8) [noop] = noop
(8) } # else = noop
(8) } # policy remove_reply_message_if_eap = noop
(8) } # Post-Auth-Type REJECT = updated
(8) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(8) Sending delayed response
(8) Sent Access-Reject Id 22 from 192.168.0.200:1812 to 192.168.0.129:45017 length 44
(8) EAP-Message = 0x04b50004
(8) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.6 seconds.
(6) Cleaning up request packet ID 20 with timestamp +61
(7) Cleaning up request packet ID 21 with timestamp +61
Waking up in 0.3 seconds.
(8) Cleaning up request packet ID 22 with timestamp +61
It seems that my RADIUS server failed when calling the EAP-SIM module to process the MAC challenge response.
Does anyone have any ideas? Since the log contains only one ERROR line, I can't tell what is going wrong. Thank you for your attention; if any information is required to locate my error I will be pleased to provide my configuration and logs.
Li Zhaoxing
Beijing University of Posts and Telecommunications
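
Added example, not part of the original post: a decoder for the EAP-Message values in the debug output above, using the EAP-SIM subtype and attribute numbers from RFC 4186. It is run on the challenge the server sent in (7) and on the response and failure in (8); the function and table names are this example's own.

```python
import struct

# Numbers below are from RFC 4186 (EAP-SIM); names are this example's own.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification",
            13: "Re-authentication", 14: "Client-Error"}
ATTRS = {1: "AT_RAND", 7: "AT_NONCE_MT", 11: "AT_MAC", 14: "AT_IDENTITY",
         15: "AT_VERSION_LIST", 16: "AT_SELECTED_VERSION",
         17: "AT_FULLAUTH_ID_REQ", 22: "AT_CLIENT_ERROR_CODE"}
CLIENT_ERRORS = {0: "unable to process packet", 1: "unsupported version",
                 2: "insufficient number of challenges", 3: "RANDs are not fresh"}

# EAP-Message values copied from the log: reply to (7), request (8), reply to (8).
CHALLENGE_REQ = ("0x01b50050120b0000010d0000872b74dc0e5582cdd217f486e088008e"
                 "f3fe491aaf74d6b894e94af1ada52ca6af2c073cb54b1861ee429fe7a3e3f60b"
                 "0b0500006ccc60941e49dc60ae915c9edba32357")
PEER_REPLY = "0x02b5000c120e000016010000"
FINAL = "0x04b50004"

def decode_eap_sim(hex_msg):
    """Decode one EAP-Message value as printed by radiusd -X."""
    raw = bytes.fromhex(hex_msg[2:] if hex_msg.startswith("0x") else hex_msg)
    if len(raw) < 4 or struct.unpack("!H", raw[2:4])[0] != len(raw):
        raise ValueError("bad EAP header or length field")
    out = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1], "attrs": []}
    if raw[0] in (3, 4):                 # Success/Failure carry no method data
        return out
    if len(raw) < 8 or raw[4] != 18:     # EAP type 18 is SIM
        raise ValueError("not an EAP-SIM packet")
    out["subtype"] = SUBTYPES.get(raw[5], raw[5])
    pos = 8                              # past type, subtype, 2 reserved bytes
    while pos < len(raw):
        if pos + 4 > len(raw):
            raise ValueError("truncated attribute")
        atype, alen = raw[pos], raw[pos + 1] * 4   # length is in 4-byte words
        if alen == 0 or pos + alen > len(raw):
            raise ValueError("malformed attribute")
        value = raw[pos + 2:pos + alen]
        out["attrs"].append((ATTRS.get(atype, atype), value.hex()))
        if atype == 22:                  # AT_CLIENT_ERROR_CODE: 16-bit code
            err = struct.unpack("!H", value[:2])[0]
            out["client_error"] = CLIENT_ERRORS.get(err, err)
        pos += alen
    return out

if __name__ == "__main__":
    for msg in (CHALLENGE_REQ, PEER_REPLY, FINAL):
        print(decode_eap_sim(msg))
```

The response in (8) decodes as an EAP-SIM Client-Error carrying AT_CLIENT_ERROR_CODE 0 ("unable to process packet"), so the single ERROR line follows the peer's rejection of the challenge sent in (7). RFC 4186 lists an invalid AT_MAC among the cases in which a peer returns this general code.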