EAP-SIM Testing Fails

François Vergès misterpaco21 at gmail.com
Thu Mar 22 21:58:40 CET 2018


Hello Everyone,

I have set up FreeRADIUS in my lab environment to authenticate an Android
cell phone using EAP-SIM and a SIM card.

Performing a packet capture over the Wi-Fi, I was able to realize that the
phone receives the EAP-SIM Challenge request but doesn't reply with an
EAP-SIM Challenge response. Instead, it replies with an EAP-SIM Client-Error
(0). I can also see the RAND values in the EAP-SIM Challenge Request packet.

I have used this script to generate the triplets (RAND, SRES and KC) using
the Ki number of the SIM card:
https://github.com/skelsec/COMP128/blob/master/COMP128.py

I have provided, below, the output of the FreeRADIUS server when I try to
connect.

Do you have an idea of what could be wrong?
Do you think it could be related to the triplets not being generated
correctly?

Thank you in advance!


Here are the logs:

(0) Received Access-Request Id 108 from 192.168.20.19:54927 to
192.168.20.17:1812 length 291

(0)   User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"

(0)   NAS-IP-Address = 192.168.20.19

(0)   NAS-Port = 0

(0)   NAS-Identifier = "192.168.20.19"

(0)   NAS-Port-Type = Wireless-802.11

(0)   Calling-Station-Id = "c0eefb5acc11"

(0)   Called-Station-Id = "000b86ee0268"

(0)   Service-Type = Login-User

(0)   Framed-MTU = 1100

(0)   EAP-Message =
0x02010038013139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267

(0)   Aruba-Essid-Name = "Test EAP-SIM"

(0)   Aruba-Location-Id = "00:0b:86:ee:02:68"

(0)   Aruba-AP-Group = "instant-EE:02:68"

(0)   Message-Authenticator = 0x7c7de18dffeab059ae54da7999356d53

(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(0)   authorize {

(0)     policy filter_username {

(0)       if (&User-Name) {

(0)       if (&User-Name)  -> TRUE

(0)       if (&User-Name)  {

(0)         if (&User-Name =~ / /) {

(0)         if (&User-Name =~ / /)  -> FALSE

(0)         if (&User-Name =~ /@[^@]*@/ ) {

(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(0)         if (&User-Name =~ /\.\./ ) {

(0)         if (&User-Name =~ /\.\./ )  -> FALSE

(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(0)         if (&User-Name =~ /\.$/)  {

(0)         if (&User-Name =~ /\.$/)   -> FALSE

(0)         if (&User-Name =~ /@\./)  {

(0)         if (&User-Name =~ /@\./)   -> FALSE

(0)       } # if (&User-Name)  = notfound

(0)     } # policy filter_username = notfound

(0)     [preprocess] = ok

(0)     [chap] = noop

(0)     [mschap] = noop

(0)     [digest] = noop

(0) suffix: Checking for suffix after "@"

(0) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for
User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"

(0) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org"

(0)     [suffix] = noop

(0) eap: Peer sent EAP Response (code 2) ID 1 length 56

(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize

(0)     [eap] = ok

(0)   } # authorize = ok

(0) Found Auth-Type = eap

(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(0)   authenticate {

(0) eap: Peer sent packet with method EAP Identity (1)

(0) eap: Calling submodule eap_md5 to process data

(0) eap_md5: Issuing MD5 Challenge

(0) eap: Sending EAP Request (code 1) ID 2 length 22

(0) eap: EAP session adding &reply:State = 0x1646e2171644e69d

(0)     [eap] = handled

(0)   } # authenticate = handled

(0) Using Post-Auth-Type Challenge

(0) Post-Auth-Type sub-section not found.  Ignoring.

(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(0) Sent Access-Challenge Id 108 from 192.168.20.17:1812 to
192.168.20.19:54927 length 0

(0)   EAP-Message = 0x010200160410970ed9f6222d1151ea27852e700dfc83

(0)   Message-Authenticator = 0x00000000000000000000000000000000

(0)   State = 0x1646e2171644e69d214aa497303ba7f5

(0) Finished request

Waking up in 4.9 seconds.

(1) Received Access-Request Id 109 from 192.168.20.19:54927 to
192.168.20.17:1812 length 259

(1)   User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"

(1)   NAS-IP-Address = 192.168.20.19

(1)   NAS-Port = 0

(1)   NAS-Identifier = "192.168.20.19"

(1)   NAS-Port-Type = Wireless-802.11

(1)   Calling-Station-Id = "c0eefb5acc11"

(1)   Called-Station-Id = "000b86ee0268"

(1)   Service-Type = Login-User

(1)   Framed-MTU = 1100

(1)   EAP-Message = 0x020200060312

(1)   State = 0x1646e2171644e69d214aa497303ba7f5

(1)   Aruba-Essid-Name = "Test EAP-SIM"

(1)   Aruba-Location-Id = "00:0b:86:ee:02:68"

(1)   Aruba-AP-Group = "instant-EE:02:68"

(1)   Message-Authenticator = 0x4b85a873255dd52687e055cdfde627c6

(1) session-state: No cached attributes

(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(1)   authorize {

(1)     policy filter_username {

(1)       if (&User-Name) {

(1)       if (&User-Name)  -> TRUE

(1)       if (&User-Name)  {

(1)         if (&User-Name =~ / /) {

(1)         if (&User-Name =~ / /)  -> FALSE

(1)         if (&User-Name =~ /@[^@]*@/ ) {

(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(1)         if (&User-Name =~ /\.\./ ) {

(1)         if (&User-Name =~ /\.\./ )  -> FALSE

(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(1)         if (&User-Name =~ /\.$/)  {

(1)         if (&User-Name =~ /\.$/)   -> FALSE

(1)         if (&User-Name =~ /@\./)  {

(1)         if (&User-Name =~ /@\./)   -> FALSE

(1)       } # if (&User-Name)  = notfound

(1)     } # policy filter_username = notfound

(1)     [preprocess] = ok

(1)     [chap] = noop

(1)     [mschap] = noop

(1)     [digest] = noop

(1) suffix: Checking for suffix after "@"

(1) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for
User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"

(1) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org"

(1)     [suffix] = noop

(1) eap: Peer sent EAP Response (code 2) ID 2 length 6

(1) eap: No EAP Start, assuming it's an on-going EAP conversation

(1)     [eap] = updated

(1) files: users: Matched entry
1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org at line 96

(1)     [files] = ok

(1)     if (User-Name =~ /^[0-9]+/) {

(1)     if (User-Name =~ /^[0-9]+/)  -> TRUE

(1)     if (User-Name =~ /^[0-9]+/)  {

(1)       update reply {

(1)         EXPAND %{control:EAP-Sim-Rand1}

(1)            --> 0x5e56fc4d1cb798dd53c4191e157472ac

(1)         &EAP-Sim-Rand1 := 0x5e56fc4d1cb798dd53c4191e157472ac

(1)         EXPAND %{control:EAP-Sim-Rand2}

(1)            --> 0x7711b7949ea67837276197a3bfc10561

(1)         &EAP-Sim-Rand2 := 0x7711b7949ea67837276197a3bfc10561

(1)         EXPAND %{control:EAP-Sim-Rand3}

(1)            --> 0xdb249cea25f603d22e193aa1ae792b20

(1)         &EAP-Sim-Rand3 := 0xdb249cea25f603d22e193aa1ae792b20

(1)         EXPAND %{control:EAP-Sim-SRES1}

(1)            --> 0x47c9aae3

(1)         &EAP-Sim-SRES1 := 0x47c9aae3

(1)         EXPAND %{control:EAP-Sim-SRES2}

(1)            --> 0x7112acb0

(1)         &EAP-Sim-SRES2 := 0x7112acb0

(1)         EXPAND %{control:EAP-Sim-SRES3}

(1)            --> 0x12d89ed9

(1)         &EAP-Sim-SRES3 := 0x12d89ed9

(1)         EXPAND %{control:EAP-Sim-KC1}

(1)            --> 0x44fb0ab88d208400

(1)         &EAP-Sim-KC1 := 0x44fb0ab88d208400

(1)         EXPAND %{control:EAP-Sim-KC2}

(1)            --> 0x9135bb2807184400

(1)         &EAP-Sim-KC2 := 0x9135bb2807184400

(1)         EXPAND %{control:EAP-Sim-KC3}

(1)            --> 0x783fa135bbb97000

(1)         &EAP-Sim-KC3 := 0x783fa135bbb97000

(1)       } # update reply = noop

(1)     } # if (User-Name =~ /^[0-9]+/)  = noop

(1)     [expiration] = noop

(1)     [logintime] = noop

(1) pap: WARNING: No "known good" password found for the user.  Not setting
Auth-Type

(1) pap: WARNING: Authentication will fail unless a "known good" password
is available

(1)     [pap] = noop

(1)   } # authorize = updated

(1) Found Auth-Type = eap

(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(1)   authenticate {

(1) eap: Expiring EAP session with state 0x1646e2171644e69d

(1) eap: Finished EAP session with state 0x1646e2171644e69d

(1) eap: Previous EAP request found for state 0x1646e2171644e69d, released
from the list

(1) eap: Peer sent packet with method EAP NAK (3)

(1) eap: Found mutually acceptable type SIM (18)

(1) eap: Calling submodule eap_sim to process data

(1) eap: Sending EAP Request (code 1) ID 90 length 20

(1) eap: EAP session adding &reply:State = 0x1646e217171cf09d

(1)     [eap] = handled

(1)   } # authenticate = handled

(1) Using Post-Auth-Type Challenge

(1) Post-Auth-Type sub-section not found.  Ignoring.

(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(1) Sent Access-Challenge Id 109 from 192.168.20.17:1812 to
192.168.20.19:54927 length 0

(1)   EAP-Message = 0x015a0014120a00000f0200020001000011010100

(1)   Message-Authenticator = 0x00000000000000000000000000000000

(1)   State = 0x1646e217171cf09d214aa497303ba7f5

(1) Finished request

Waking up in 4.9 seconds.

(2) Received Access-Request Id 110 from 192.168.20.19:54927 to
192.168.20.17:1812 length 341

(2)   User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"

(2)   NAS-IP-Address = 192.168.20.19

(2)   NAS-Port = 0

(2)   NAS-Identifier = "192.168.20.19"

(2)   NAS-Port-Type = Wireless-802.11

(2)   Calling-Station-Id = "c0eefb5acc11"

(2)   Called-Station-Id = "000b86ee0268"

(2)   Service-Type = Login-User

(2)   Framed-MTU = 1100

(2)   EAP-Message =
0x025a0058120a0000100100010705000043cdc6794d84b18456e0fe40aee0d7e20e0e00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700

(2)   State = 0x1646e217171cf09d214aa497303ba7f5

(2)   Aruba-Essid-Name = "Test EAP-SIM"

(2)   Aruba-Location-Id = "00:0b:86:ee:02:68"

(2)   Aruba-AP-Group = "instant-EE:02:68"

(2)   Message-Authenticator = 0xa4a1ade2eae64052c6f0aa2ecc3ea908

(2) session-state: No cached attributes

(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(2)   authorize {

(2)     policy filter_username {

(2)       if (&User-Name) {

(2)       if (&User-Name)  -> TRUE

(2)       if (&User-Name)  {

(2)         if (&User-Name =~ / /) {

(2)         if (&User-Name =~ / /)  -> FALSE

(2)         if (&User-Name =~ /@[^@]*@/ ) {

(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(2)         if (&User-Name =~ /\.\./ ) {

(2)         if (&User-Name =~ /\.\./ )  -> FALSE

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(2)         if (&User-Name =~ /\.$/)  {

(2)         if (&User-Name =~ /\.$/)   -> FALSE

(2)         if (&User-Name =~ /@\./)  {

(2)         if (&User-Name =~ /@\./)   -> FALSE

(2)       } # if (&User-Name)  = notfound

(2)     } # policy filter_username = notfound

(2)     [preprocess] = ok

(2)     [chap] = noop

(2)     [mschap] = noop

(2)     [digest] = noop

(2) suffix: Checking for suffix after "@"

(2) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for
User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"

(2) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org"

(2)     [suffix] = noop

(2) eap: Peer sent EAP Response (code 2) ID 90 length 88

(2) eap: No EAP Start, assuming it's an on-going EAP conversation

(2)     [eap] = updated

(2) files: users: Matched entry
1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org at line 96

(2)     [files] = ok

(2)     if (User-Name =~ /^[0-9]+/) {

(2)     if (User-Name =~ /^[0-9]+/)  -> TRUE

(2)     if (User-Name =~ /^[0-9]+/)  {

(2)       update reply {

(2)         EXPAND %{control:EAP-Sim-Rand1}

(2)            --> 0x5e56fc4d1cb798dd53c4191e157472ac

(2)         &EAP-Sim-Rand1 := 0x5e56fc4d1cb798dd53c4191e157472ac

(2)         EXPAND %{control:EAP-Sim-Rand2}

(2)            --> 0x7711b7949ea67837276197a3bfc10561

(2)         &EAP-Sim-Rand2 := 0x7711b7949ea67837276197a3bfc10561

(2)         EXPAND %{control:EAP-Sim-Rand3}

(2)            --> 0xdb249cea25f603d22e193aa1ae792b20

(2)         &EAP-Sim-Rand3 := 0xdb249cea25f603d22e193aa1ae792b20

(2)         EXPAND %{control:EAP-Sim-SRES1}

(2)            --> 0x47c9aae3

(2)         &EAP-Sim-SRES1 := 0x47c9aae3

(2)         EXPAND %{control:EAP-Sim-SRES2}

(2)            --> 0x7112acb0

(2)         &EAP-Sim-SRES2 := 0x7112acb0

(2)         EXPAND %{control:EAP-Sim-SRES3}

(2)            --> 0x12d89ed9

(2)         &EAP-Sim-SRES3 := 0x12d89ed9

(2)         EXPAND %{control:EAP-Sim-KC1}

(2)            --> 0x44fb0ab88d208400

(2)         &EAP-Sim-KC1 := 0x44fb0ab88d208400

(2)         EXPAND %{control:EAP-Sim-KC2}

(2)            --> 0x9135bb2807184400

(2)         &EAP-Sim-KC2 := 0x9135bb2807184400

(2)         EXPAND %{control:EAP-Sim-KC3}

(2)            --> 0x783fa135bbb97000

(2)         &EAP-Sim-KC3 := 0x783fa135bbb97000

(2)       } # update reply = noop

(2)     } # if (User-Name =~ /^[0-9]+/)  = noop

(2)     [expiration] = noop

(2)     [logintime] = noop

(2) pap: WARNING: No "known good" password found for the user.  Not setting
Auth-Type

(2) pap: WARNING: Authentication will fail unless a "known good" password
is available

(2)     [pap] = noop

(2)   } # authorize = updated

(2) Found Auth-Type = eap

(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(2)   authenticate {

(2) eap: Expiring EAP session with state 0x1646e217171cf09d

(2) eap: Finished EAP session with state 0x1646e217171cf09d

(2) eap: Previous EAP request found for state 0x1646e217171cf09d, released
from the list

(2) eap: Peer sent packet with method EAP SIM (18)

(2) eap: Calling submodule eap_sim to process data

(2) eap_sim: EAP-SIM decoded packet

(2) eap_sim:   User-Name = "
1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"

(2) eap_sim:   NAS-IP-Address = 192.168.20.19

(2) eap_sim:   NAS-Port = 0

(2) eap_sim:   NAS-Identifier = "192.168.20.19"

(2) eap_sim:   NAS-Port-Type = Wireless-802.11

(2) eap_sim:   Calling-Station-Id = "c0eefb5acc11"

(2) eap_sim:   Called-Station-Id = "000b86ee0268"

(2) eap_sim:   Service-Type = Login-User

(2) eap_sim:   Framed-MTU = 1100

(2) eap_sim:   EAP-Message =
0x025a0058120a0000100100010705000043cdc6794d84b18456e0fe40aee0d7e20e0e00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700

(2) eap_sim:   State = 0x1646e217171cf09d214aa497303ba7f5

(2) eap_sim:   Aruba-Essid-Name = "Test EAP-SIM"

(2) eap_sim:   Aruba-Location-Id = "00:0b:86:ee:02:68"

(2) eap_sim:   Aruba-AP-Group = "instant-EE:02:68"

(2) eap_sim:   Message-Authenticator = 0xa4a1ade2eae64052c6f0aa2ecc3ea908

(2) eap_sim:   Event-Timestamp = "Mar 22 2018 20:34:34 UTC"

(2) eap_sim:   EAP-Type = SIM

(2) eap_sim:   EAP-Sim-Subtype = Start

(2) eap_sim:   EAP-Sim-SELECTED_VERSION = 0x0001

(2) eap_sim:   EAP-Sim-NONCE_MT = 0x000043cdc6794d84b18456e0fe40aee0d7e2

(2) eap_sim:   EAP-Sim-IDENTITY =
0x00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700

(2) eap: Sending EAP Request (code 1) ID 91 length 80

(2) eap: EAP session adding &reply:State = 0x1646e217141df09d

(2)     [eap] = handled

(2)   } # authenticate = handled

(2) Using Post-Auth-Type Challenge

(2) Post-Auth-Type sub-section not found.  Ignoring.

(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(2) Sent Access-Challenge Id 110 from 192.168.20.17:1812 to
192.168.20.19:54927 length 0

(2)   EAP-Message =
0x015b0050120b0000010d00005e56fc4d1cb798dd53c4191e157472ac7711b7949ea67837276197a3bfc10561db249cea25f603d22e193aa1ae792b200b050000e2a774c8fd253915e0e4dfe1d832709e

(2)   Message-Authenticator = 0x00000000000000000000000000000000

(2)   State = 0x1646e217141df09d214aa497303ba7f5

(2) Finished request

Waking up in 4.9 seconds.

(3) Received Access-Request Id 111 from 192.168.20.19:54927 to
192.168.20.17:1812 length 265

(3)   User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"

(3)   NAS-IP-Address = 192.168.20.19

(3)   NAS-Port = 0

(3)   NAS-Identifier = "192.168.20.19"

(3)   NAS-Port-Type = Wireless-802.11

(3)   Calling-Station-Id = "c0eefb5acc11"

(3)   Called-Station-Id = "000b86ee0268"

(3)   Service-Type = Login-User

(3)   Framed-MTU = 1100

(3)   EAP-Message = 0x025b000c120e000016010000

(3)   State = 0x1646e217141df09d214aa497303ba7f5

(3)   Aruba-Essid-Name = "Test EAP-SIM"

(3)   Aruba-Location-Id = "00:0b:86:ee:02:68"

(3)   Aruba-AP-Group = "instant-EE:02:68"

(3)   Message-Authenticator = 0xf23c8af6d4ad1d8640f4ad602564c6bb

(3) session-state: No cached attributes

(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(3)   authorize {

(3)     policy filter_username {

(3)       if (&User-Name) {

(3)       if (&User-Name)  -> TRUE

(3)       if (&User-Name)  {

(3)         if (&User-Name =~ / /) {

(3)         if (&User-Name =~ / /)  -> FALSE

(3)         if (&User-Name =~ /@[^@]*@/ ) {

(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(3)         if (&User-Name =~ /\.\./ ) {

(3)         if (&User-Name =~ /\.\./ )  -> FALSE

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(3)         if (&User-Name =~ /\.$/)  {

(3)         if (&User-Name =~ /\.$/)   -> FALSE

(3)         if (&User-Name =~ /@\./)  {

(3)         if (&User-Name =~ /@\./)   -> FALSE

(3)       } # if (&User-Name)  = notfound

(3)     } # policy filter_username = notfound

(3)     [preprocess] = ok

(3)     [chap] = noop

(3)     [mschap] = noop

(3)     [digest] = noop

(3) suffix: Checking for suffix after "@"

(3) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for
User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"

(3) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org"

(3)     [suffix] = noop

(3) eap: Peer sent EAP Response (code 2) ID 91 length 12

(3) eap: No EAP Start, assuming it's an on-going EAP conversation

(3)     [eap] = updated

(3) files: users: Matched entry
1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org at line 96

(3)     [files] = ok

(3)     if (User-Name =~ /^[0-9]+/) {

(3)     if (User-Name =~ /^[0-9]+/)  -> TRUE

(3)     if (User-Name =~ /^[0-9]+/)  {

(3)       update reply {

(3)         EXPAND %{control:EAP-Sim-Rand1}

(3)            --> 0x5e56fc4d1cb798dd53c4191e157472ac

(3)         &EAP-Sim-Rand1 := 0x5e56fc4d1cb798dd53c4191e157472ac

(3)         EXPAND %{control:EAP-Sim-Rand2}

(3)            --> 0x7711b7949ea67837276197a3bfc10561

(3)         &EAP-Sim-Rand2 := 0x7711b7949ea67837276197a3bfc10561

(3)         EXPAND %{control:EAP-Sim-Rand3}

(3)            --> 0xdb249cea25f603d22e193aa1ae792b20

(3)         &EAP-Sim-Rand3 := 0xdb249cea25f603d22e193aa1ae792b20

(3)         EXPAND %{control:EAP-Sim-SRES1}

(3)            --> 0x47c9aae3

(3)         &EAP-Sim-SRES1 := 0x47c9aae3

(3)         EXPAND %{control:EAP-Sim-SRES2}

(3)            --> 0x7112acb0

(3)         &EAP-Sim-SRES2 := 0x7112acb0

(3)         EXPAND %{control:EAP-Sim-SRES3}

(3)            --> 0x12d89ed9

(3)         &EAP-Sim-SRES3 := 0x12d89ed9

(3)         EXPAND %{control:EAP-Sim-KC1}

(3)            --> 0x44fb0ab88d208400

(3)         &EAP-Sim-KC1 := 0x44fb0ab88d208400

(3)         EXPAND %{control:EAP-Sim-KC2}

(3)            --> 0x9135bb2807184400

(3)         &EAP-Sim-KC2 := 0x9135bb2807184400

(3)         EXPAND %{control:EAP-Sim-KC3}

(3)            --> 0x783fa135bbb97000

(3)         &EAP-Sim-KC3 := 0x783fa135bbb97000

(3)       } # update reply = noop

(3)     } # if (User-Name =~ /^[0-9]+/)  = noop

(3)     [expiration] = noop

(3)     [logintime] = noop

(3) pap: WARNING: No "known good" password found for the user.  Not setting
Auth-Type

(3) pap: WARNING: Authentication will fail unless a "known good" password
is available

(3)     [pap] = noop

(3)   } # authorize = updated

(3) Found Auth-Type = eap

(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(3)   authenticate {

(3) eap: Expiring EAP session with state 0x1646e217141df09d

(3) eap: Finished EAP session with state 0x1646e217141df09d

(3) eap: Previous EAP request found for state 0x1646e217141df09d, released
from the list

(3) eap: Peer sent packet with method EAP SIM (18)

(3) eap: Calling submodule eap_sim to process data

(3) eap: ERROR: Failed continuing EAP SIM (18) session.  EAP sub-module
failed

(3) eap: Sending EAP Failure (code 4) ID 91 length 4

(3) eap: Failed in EAP select

(3)     [eap] = invalid

(3)   } # authenticate = invalid

(3) Failed to authenticate the user

(3) Using Post-Auth-Type Reject

(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(3)   Post-Auth-Type REJECT {

(3) attr_filter.access_reject: EXPAND %{User-Name}

(3) attr_filter.access_reject:    -->
1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org

(3) attr_filter.access_reject: Matched entry DEFAULT at line 11

(3)     [attr_filter.access_reject] = updated

(3)     [eap] = noop

(3)     policy remove_reply_message_if_eap {

(3)       if (&reply:EAP-Message && &reply:Reply-Message) {

(3)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE

(3)       else {

(3)         [noop] = noop

(3)       } # else = noop

(3)     } # policy remove_reply_message_if_eap = noop

(3)   } # Post-Auth-Type REJECT = updated

(3) Delaying response for 1.000000 seconds

Waking up in 0.3 seconds.

Waking up in 0.6 seconds.

(3) Sending delayed response

(3) Sent Access-Reject Id 111 from 192.168.20.17:1812 to 192.168.20.19:54927
length 44

(3)   EAP-Message = 0x045b0004

(3)   Message-Authenticator = 0x00000000000000000000000000000000

Waking up in 3.6 seconds.

(0) Cleaning up request packet ID 108 with timestamp +14

(1) Cleaning up request packet ID 109 with timestamp +14

(2) Cleaning up request packet ID 110 with timestamp +14

Waking up in 0.2 seconds.

(3) Cleaning up request packet ID 111 with timestamp +14

Ready to process requests




--
François
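
Added example (not part of the original post and not FreeRADIUS code): a small RFC 4186 EAP-SIM decoder run over two EAP-Message values copied from the debug output above, the server's Challenge in request (2) and the phone's reply in request (3). It shows that the reply is a Client-Error whose AT_CLIENT_ERROR_CODE is 0 and that the Challenge carries the three RANDs from the users file; the function and table names are made up for this illustration.

```python
import struct

# Numbers from RFC 4186; tables limited to what this exchange uses.
SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification",
            13: "Re-authentication", 14: "Client-Error"}
ATTRS = {1: "AT_RAND", 7: "AT_NONCE_MT", 11: "AT_MAC", 14: "AT_IDENTITY",
         15: "AT_VERSION_LIST", 16: "AT_SELECTED_VERSION",
         17: "AT_FULLAUTH_ID_REQ", 22: "AT_CLIENT_ERROR_CODE"}
CLIENT_ERRORS = {0: "unable to process packet", 1: "unsupported version",
                 2: "insufficient number of challenges",
                 3: "RANDs are not fresh"}

# EAP-Message values copied from requests (2) and (3) in the debug output.
CHALLENGE_REQ = ("0x015b0050120b0000010d0000"
                 "5e56fc4d1cb798dd53c4191e157472ac"
                 "7711b7949ea67837276197a3bfc10561"
                 "db249cea25f603d22e193aa1ae792b20"
                 "0b050000e2a774c8fd253915e0e4dfe1d832709e")
PEER_REPLY = "0x025b000c120e000016010000"


def parse_eap_sim(hex_msg):
    """Decode one EAP-SIM packet given as a hex string (0x prefix optional)."""
    raw = bytes.fromhex(hex_msg[2:] if hex_msg[:2].lower() == "0x" else hex_msg)
    if len(raw) < 8:
        raise ValueError("too short for an EAP-SIM header")
    code, ident, length, eap_type, subtype = struct.unpack("!BBHBB", raw[:6])
    if length != len(raw):
        raise ValueError("EAP length field does not match packet size")
    if eap_type != 18:
        raise ValueError("not EAP-SIM (type %d)" % eap_type)
    attrs, pos = [], 8                      # 2 reserved bytes follow the subtype
    while pos < length:
        if pos + 4 > length:
            raise ValueError("truncated attribute at offset %d" % pos)
        a_type, a_len = raw[pos], raw[pos + 1] * 4   # length is in 4-byte words
        if a_len == 0 or pos + a_len > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((ATTRS.get(a_type, "AT_%d" % a_type),
                      raw[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident,
            "subtype": SUBTYPES.get(subtype, str(subtype)), "attrs": attrs}


def rands(pkt):
    """16-byte RANDs from AT_RAND (value = 2 reserved bytes + n * 16)."""
    for name, value in pkt["attrs"]:
        if name == "AT_RAND":
            return [value[i:i + 16] for i in range(2, len(value), 16)]
    return []


def client_error(pkt):
    """(code, meaning) from AT_CLIENT_ERROR_CODE, or None if absent."""
    for name, value in pkt["attrs"]:
        if name == "AT_CLIENT_ERROR_CODE":
            code = struct.unpack("!H", value[:2])[0]
            return code, CLIENT_ERRORS.get(code, "unknown")
    return None


if __name__ == "__main__":
    for label, msg in (("server", CHALLENGE_REQ), ("peer", PEER_REPLY)):
        pkt = parse_eap_sim(msg)
        print(label, "id=%d" % pkt["id"], pkt["subtype"],
              [name for name, _ in pkt["attrs"]])
    print("RANDs:", [r.hex() for r in rands(parse_eap_sim(CHALLENGE_REQ))])
    print("client error:", client_error(parse_eap_sim(PEER_REPLY)))
```
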

