EAP_AKA on FR4 and Got AKA-Permanent-ID tag, but identity is not a permanent ID
Peter Lambrechtsen
peter at crypt.nz
Sat Dec 23 23:54:26 CET 2017
I'm playing with EAP_AKA and EAP_AKA' to see if I can get it working.
Using a test SIM card I got from our test lab; they also supplied me the
Ki and OPC.
I've defined the values in the mods-config/files/authorize.
1530990000000074 at wlan.mnc005.mcc530.3gppnetwork.org Sim-Ki := 0x.., Sim-Opc := 0x.., Sim-SQN := 1
0530990000000074 at wlan.mnc005.mcc530.3gppnetwork.org Sim-Ki := 0x.., Sim-Opc := 0x.., Sim-SQN := 1
I can successfully auth with EAP_SIM.
(14) Received Access-Request ID 114
(14) User-Name = "1530990000000074 at wlan.mnc005.mcc530.3gppnetwork.org"
(14) Calling-Station-Id = "E0-A3-AC-A0-CC-41"
(14) NAS-IP-Address = 192.168.1.240
(14) NAS-Port = 1
(14) Called-Station-Id = "00-22-7F-86-BC-E8:DaLambsTest"
(14) Service-Type = Framed-User
(14) Framed-MTU = 1400
(14) NAS-Port-Type = Wireless-802.11
(14) NAS-Identifier = "00-22-7F-86-BC-E8"
(14) Connect-Info = "CONNECT 802.11g/n"
(14) EAP-Message = 0x...
(14) Ruckus-SSID = "DaLambsTest"
(14) Message-Authenticator = 0xa9f5c23c47c9c2576b4dff7a96511654
(14) Running 'recv Access-Request' from file ./sites-enabled/default
(14) Running 'authenticate eap' from file ./sites-enabled/default
(14) authenticate eap {
(14) eap - Peer sent packet with EAP method Identity (1)
(14) eap - Calling submodule eap_md5
(14) eap_md5 - Issuing MD5 Challenge
(14) eap - Sending EAP Request (code 1) ID 1 length 22
(14) eap (handled)
(14) } # authenticate eap (handled)
(15,14) Running 'authenticate eap' from file ./sites-enabled/default
(15,14) authenticate eap {
(15,14) eap - Peer sent packet with EAP method NAK (3)
(15,14) eap - Found mutually acceptable type SIM (18)
(15,14) eap - Calling submodule eap_sim
(15,14) eap_sim - New EAP-SIM session
(15,14) eap_sim - WARNING: Failed parsing identity, continuing anyway:
Got SIM-Permanent-ID tag, but identity is not a permanent ID
(15,14) eap_sim - Reentering state START
(15,14) eap_sim - Sending SIM-State
(15,14) eap_sim - Encoding EAP-SIM attributes
(15,14) eap_sim - &EAP-SIM-Version-List = 1
(15,14) eap_sim - &EAP-SIM-Any-ID-Req = yes
(15,14) eap_sim - &EAP-SIM-Subtype = SIM-Start
(15,14) eap - Sending EAP Request (code 1) ID 32 length 20
(15,14) eap (handled)
(15,14) } # authenticate eap (handled)
(16,14) authenticate eap {
(16,14) eap - Peer sent packet with EAP method SIM (18)
(16,14) eap - Calling submodule eap_sim
(16,14) eap_sim - Decoded EAP-SIM attributes
(16,14) eap_sim - &EAP-SIM-Nonce-MT = 0x....
(16,14) eap_sim - &EAP-SIM-Selected-Version = 1
(16,14) eap_sim - &EAP-SIM-Identity = "
1530990000000074 at wlan.mnc005.mcc530.3gppnetwork.org"
(16,14) eap_sim - &EAP-SIM-Subtype = SIM-Start
(16,14) eap_sim - WARNING: Failed parsing identity: Got SIM-Permanent-ID
tag, but identity is not a permanent ID
(16,14) eap_sim - Reentering state START
(16,14) eap_sim - Sending SIM-State
(16,14) eap_sim - Encoding EAP-SIM attributes
(16,14) eap_sim - &EAP-SIM-Version-List = 1
(16,14) eap_sim - &EAP-SIM-Fullauth-ID-Req = yes
(16,14) eap_sim - &EAP-SIM-Subtype = SIM-Start
(16,14) eap - Sending EAP Request (code 1) ID 33 length 20
(16,14) eap (handled)
(16,14) } # authenticate eap (handled)
(17,14) authenticate eap {
(17,14) eap - Peer sent packet with EAP method SIM (18)
(17,14) eap - Calling submodule eap_sim
(17,14) eap_sim - Decoded EAP-SIM attributes
(17,14) eap_sim - &EAP-SIM-Nonce-MT = 0x...
(17,14) eap_sim - &EAP-SIM-Selected-Version = 1
(17,14) eap_sim - &EAP-SIM-Identity = "
1530990000000074 at wlan.mnc005.mcc530.3gppnetwork.org"
(17,14) eap_sim - &EAP-SIM-Subtype = SIM-Start
(17,14) eap_sim - WARNING: Failed parsing identity: Got SIM-Permanent-ID
tag, but identity is not a permanent ID
(17,14) eap_sim - Reentering state START
(17,14) eap_sim - Sending SIM-State
(17,14) eap_sim - Encoding EAP-SIM attributes
(17,14) eap_sim - &EAP-SIM-Version-List = 1
(17,14) eap_sim - &EAP-SIM-Permanent-ID-Req = yes
(17,14) eap_sim - &EAP-SIM-Subtype = SIM-Start
(17,14) eap - Sending EAP Request (code 1) ID 34 length 20
(17,14) eap (handled)
(17,14) } # authenticate eap (handled)
(18,14) authenticate eap {
(18,14) eap - Peer sent packet with EAP method SIM (18)
(18,14) eap - Calling submodule eap_sim
(18,14) eap_sim - Decoded EAP-SIM attributes
(18,14) eap_sim - &EAP-SIM-Nonce-MT = 0x..
(18,14) eap_sim - &EAP-SIM-Selected-Version = 1
(18,14) eap_sim - &EAP-SIM-Identity = "
1530052190001474 at wlan.mnc005.mcc530.3gppnetwork.org"
(18,14) eap_sim - &EAP-SIM-Subtype = SIM-Start
(18,14) eap_sim - WARNING: Failed parsing identity: Got SIM-Permanent-ID
tag, but identity is not a permanent ID
(18,14) eap_sim - Changed state START -> CHALLENGE
(18,14) eap_sim - Acquiring GSM vector(s)
(18,14) eap_sim - GSM vector[0]
(18,14) eap_sim - KC : 0x..
(18,14) eap_sim - RAND : 0x..
(18,14) eap_sim - SRES : 0x..
(18,14) eap_sim - GSM vector[1]
(18,14) eap_sim - KC : 0x..
(18,14) eap_sim - RAND : 0x..
(18,14) eap_sim - SRES : 0x..
(18,14) eap_sim - GSM vector[2]
(18,14) eap_sim - KC : 0x..
(18,14) eap_sim - RAND : 0x..
(18,14) eap_sim - SRES : 0x..
(18,14) eap_sim - Sending SIM-Challenge
(18,14) eap_sim - Encoding EAP-SIM attributes
(18,14) eap_sim - &EAP-SIM-RAND = 0x..
(18,14) eap_sim - &EAP-SIM-RAND = 0x..
(18,14) eap_sim - &EAP-SIM-RAND = 0x..
(18,14) eap_sim - &EAP-SIM-Subtype = SIM-Challenge
(18,14) eap_sim - &EAP-SIM-MAC = 0x
(18,14) eap - Sending EAP Request (code 1) ID 35 length 80
(18,14) eap (handled)
(18,14) } # authenticate eap (handled)
(19,14) authenticate eap {
(19,14) eap - Peer sent packet with EAP method SIM (18)
(19,14) eap - Calling submodule eap_sim
(19,14) eap_sim - Decoded EAP-SIM attributes
(19,14) eap_sim - &EAP-SIM-MAC = 0x..
(19,14) eap_sim - &EAP-SIM-Subtype = SIM-Challenge
(19,14) eap_sim - EAP-SIM-MAC matches calculated MAC
(19,14) eap_sim - Changed state CHALLENGE -> SUCCESS
(19,14) eap_sim - Sending SIM-Success
(19,14) eap_sim - &reply:MS-MPPE-Recv-Key = 0x..
(19,14) eap_sim - &reply:MS-MPPE-Send-Key = 0x..
(19,14) eap - Sending EAP Success (code 3) ID 35 length 4
(19,14) eap - Cleaning up EAP session
(19,14) eap (ok)
(19,14) } # authenticate eap (ok)
And EAP_SIM fails if I have the incorrect Ki/OPC pair on the server side so
I know I have the correct values.
But if I try and do the same on AKA or AKA' it fails.
(7) User-Name = "0530990000000074 at wlan.mnc005.mcc530.3gppnetwork.org"
With AKA the first digit of the IMSI is a 0 rather than 1.
(7) Running 'authenticate eap' from file ./sites-enabled/default
(7) authenticate eap {
(7) eap - Peer sent packet with EAP method Identity (1)
(7) eap - Calling submodule eap_md5
(7) eap_md5 - Issuing MD5 Challenge
(7) eap - Sending EAP Request (code 1) ID 1 length 22
(7) eap (handled)
(7) } # authenticate eap (handled)
(8,7) authenticate eap {
(8,7) eap - Peer sent packet with EAP method NAK (3)
(8,7) eap - Found mutually acceptable type AKA (23)
(8,7) eap - Calling submodule eap_aka
(8,7) eap_aka - Failed parsing identity, continuing anyway: Got
AKA-Permanent-ID tag, but identity is not a permanent ID
(8,7) eap_aka - New EAP-AKA session
(8,7) eap_aka - WARNING: Identity format unknown, sending Identity
request
(8,7) eap_aka - Reentering state IDENTITY
(8,7) eap_aka - Sending AKA-Identity (Id-Any-Req)
(8,7) eap_aka - Encoding EAP-AKA attributes
(8,7) eap_aka - &EAP-AKA-Subtype = AKA-Identity
(8,7) eap_aka - &EAP-AKA-Any-ID-Req = yes
(8,7) eap - Sending EAP Request (code 1) ID 93 length 12
(8,7) eap (handled)
(9,7) authenticate eap {
(9,7) eap - Peer sent packet with EAP method AKA (23)
(9,7) eap - Calling submodule eap_aka
(9,7) eap_aka - EAP-AKA decoded attributes
(9,7) eap_aka - &EAP-AKA-Identity = "
0530990000000074 at wlan.mnc005.mcc530.3gppnetwork.org"
(9,7) eap_aka - &EAP-AKA-Subtype = AKA-Identity
(9,7) eap_aka - WARNING: Failed parsing identity: Got AKA-Permanent-ID
tag, but identity is not a permanent ID
(9,7) eap_aka - Reentering state IDENTITY
(9,7) eap_aka - Sending AKA-Identity (FullAuth-Id-Req)
(9,7) eap_aka - Encoding EAP-AKA attributes
(9,7) eap_aka - &EAP-AKA-Subtype = AKA-Identity
(9,7) eap_aka - &EAP-AKA-Fullauth-ID-Req = yes
(9,7) eap - Sending EAP Request (code 1) ID 94 length 12
(9,7) eap (handled)
(9,7) } # authenticate eap (handled)
(10,7) authenticate eap {
(10,7) eap - Peer sent packet with EAP method AKA (23)
(10,7) eap - Calling submodule eap_aka
(10,7) eap_aka - EAP-AKA decoded attributes
(10,7) eap_aka - &EAP-AKA-Identity = "
0530990000000074 at wlan.mnc005.mcc530.3gppnetwork.org"
(10,7) eap_aka - &EAP-AKA-Subtype = AKA-Identity
(10,7) eap_aka - WARNING: Failed parsing identity: Got AKA-Permanent-ID
tag, but identity is not a permanent ID
(10,7) eap_aka - Reentering state IDENTITY
(10,7) eap_aka - Sending AKA-Identity (Permanent-Id-Req)
(10,7) eap_aka - Encoding EAP-AKA attributes
(10,7) eap_aka - &EAP-AKA-Subtype = AKA-Identity
(10,7) eap_aka - &EAP-AKA-Permanent-ID-Req = yes
(10,7) eap - Sending EAP Request (code 1) ID 95 length 12
(10,7) eap (handled)
(10,7) } # authenticate eap (handled)
(11,7) authenticate eap {
(11,7) eap - Peer sent packet with EAP method AKA (23)
(11,7) eap - Calling submodule eap_aka
(11,7) eap_aka - EAP-AKA decoded attributes
(11,7) eap_aka - &EAP-AKA-Identity = "
0530990000000074 at wlan.mnc005.mcc530.3gppnetwork.org"
(11,7) eap_aka - &EAP-AKA-Subtype = AKA-Identity
(11,7) eap_aka - WARNING: Failed parsing identity: Got AKA-Permanent-ID
tag, but identity is not a permanent ID
(11,7) eap_aka - Changed state IDENTITY -> CHALLENGE
(11,7) eap_aka - Acquiring UMTS vector(s)
(11,7) eap_aka - UMTS vector
(11,7) eap_aka - AUTN : 0x..
(11,7) eap_aka - CK : 0x..
(11,7) eap_aka - IK : 0x..
(11,7) eap_aka - RAND : 0x..
(11,7) eap_aka - XRES : 0x..
(11,7) eap_aka - Sending AKA-Challenge
(11,7) eap_aka - Encoding EAP-AKA attributes
(11,7) eap_aka - &EAP-AKA-Subtype = AKA-Challenge
(11,7) eap_aka - &EAP-AKA-Bidding = Prefer-AKA-Prime
(11,7) eap_aka - &EAP-AKA-RAND = 0x..
(11,7) eap_aka - &EAP-AKA-AUTN = 0x..
(11,7) eap_aka - &EAP-AKA-MAC = 0x
(11,7) eap_aka - &EAP-AKA-Checkcode = 0x..
(11,7) eap - Sending EAP Request (code 1) ID 96 length 96
(11,7) eap (handled)
(11,7) } # authenticate eap (handled)
(12,7) authenticate eap {
(12,7) eap - Peer sent packet with EAP method AKA (23)
(12,7) eap - Calling submodule eap_aka
(12,7) eap_aka - EAP-AKA decoded attributes
(12,7) eap_aka - &EAP-AKA-AUTS = 0x..
(12,7) eap_aka - &EAP-AKA-Subtype = AKA-Synchronization-Failure
(12,7) eap_aka - ERROR: EAP-AKA Peer synchronization failure
(12,7) eap_aka - Changed state CHALLENGE -> FAILURE-NOTIFICATION
(12,7) eap_aka - Sending AKA-Notification (General-Failure)
(12,7) eap_aka - Encoding EAP-AKA attributes
(12,7) eap_aka - &EAP-SIM-Notification = General-Failure
(12,7) eap_aka - &EAP-AKA-Subtype = AKA-Notification
(12,7) eap - Sending EAP Request (code 1) ID 97 length 12
(12,7) eap (handled)
(12,7) } # authenticate eap (handled)
(13,7) authenticate eap {
(13,7) eap - Peer sent packet with EAP method AKA (23)
(13,7) eap - Calling submodule eap_aka
(13,7) eap_aka - EAP-AKA decoded attributes
(13,7) eap_aka - &EAP-AKA-Subtype = AKA-Notification
(13,7) eap_aka - AKA-Notification ACKed, sending EAP-Failure
(13,7) eap_aka - Changed state FAILURE-NOTIFICATION -> FAILURE
(13,7) eap_aka - Sending EAP-Failure
(13,7) eap - ERROR: Failed in EAP AKA (23) session. EAP sub-module
failed
(13,7) eap - Sending EAP Failure (code 4) ID 97 length 4
(13,7) eap - Cleaning up EAP session
(13,7) eap (reject)
(13,7) } # authenticate eap (reject)
Do I need to have the sequence as a proper counter for AKA rather than just
a static value? Or what else am I doing wrong?