EAP-SIM Testing Fails
François Vergès
francoisverges at gmail.com
Fri Mar 23 03:28:32 CET 2018
Thank you Arran and thank you Alan for the quick responses.
I was able to install 3.0.16 and test it tonight as I don't have a smart
card reader on hand at the moment.
The installation worked and I edited the users file as follow:
1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org EAP-SIM-Ki :=
0xCA0B.........B, EAP-Sim-Algo-Version := 1
I had to add the "EAP-Sim-Algo-Version" attribute according to what the
logs were telling me.
I tested from the Android phone after that and was able to connect if the
EAP-Sim-Algo-Version attribute was equal to 1. Is this attribute the
version of EAP-SIM or the version of COMP128?
The android phone connected but I can still see the following error in the
logs (see full logs below):
(3) eap_sim: ERROR: Failed decoding EAP-SIM packet:
Do you have an idea why?
Thank you again for your help.
Here are the full logs:
(0) Received Access-Request Id 166 from 192.168.20.19:54927 to
192.168.20.17:1812 length 291
(0) User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"
(0) NAS-IP-Address = 192.168.20.19
(0) NAS-Port = 0
(0) NAS-Identifier = "192.168.20.19"
(0) NAS-Port-Type = Wireless-802.11
(0) Calling-Station-Id = "c0eefb5acc11"
(0) Called-Station-Id = "000b86ee0268"
(0) Service-Type = Login-User
(0) Framed-MTU = 1100
(0) EAP-Message =
0x02010038013139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267
(0) Aruba-Essid-Name = "Test EAP-SIM"
(0) Aruba-Location-Id = "00:0b:86:ee:02:68"
(0) Aruba-AP-Group = "instant-EE:02:68"
(0) Message-Authenticator = 0xa7d1d164a9fed5e7816fba1c9cdbf270
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for
User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"
(0) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 56
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 2 length 22
(0) eap: EAP session adding &reply:State = 0x73d0173773d21381
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 166 from 192.168.20.17:1812 to
192.168.20.19:54927 length 0
(0) EAP-Message = 0x010200160410b76b7cfc5c8795d66b2cc27e9ef326cc
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x73d0173773d213813979a7a15dbcab87
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 167 from 192.168.20.19:54927 to
192.168.20.17:1812 length 259
(1) User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"
(1) NAS-IP-Address = 192.168.20.19
(1) NAS-Port = 0
(1) NAS-Identifier = "192.168.20.19"
(1) NAS-Port-Type = Wireless-802.11
(1) Calling-Station-Id = "c0eefb5acc11"
(1) Called-Station-Id = "000b86ee0268"
(1) Service-Type = Login-User
(1) Framed-MTU = 1100
(1) EAP-Message = 0x020200060312
(1) State = 0x73d0173773d213813979a7a15dbcab87
(1) Aruba-Essid-Name = "Test EAP-SIM"
(1) Aruba-Location-Id = "00:0b:86:ee:02:68"
(1) Aruba-AP-Group = "instant-EE:02:68"
(1) Message-Authenticator = 0x88355e717976da933abc319d0bc4504d
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for
User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"
(1) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry
1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org at line 3
(1) [files] = ok
(1) if (User-Name =~ /^[0-9]+/) {
(1) if (User-Name =~ /^[0-9]+/) -> TRUE
(1) if (User-Name =~ /^[0-9]+/) {
(1) update reply {
(1) EXPAND %{control:EAP-Sim-Ki}
(1) --> 0xca0b8d177406d08cbfbed48b832f72db
(1) &EAP-Sim-Ki := 0xca0b8d177406d08cbfbed48b832f72db
(1) EXPAND %{control:EAP-Sim-Algo-Version}
(1) --> 1
(1) &EAP-Sim-Algo-Version := 1
(1) } # update reply = noop
(1) } # if (User-Name =~ /^[0-9]+/) = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password
is available
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x73d0173773d21381
(1) eap: Finished EAP session with state 0x73d0173773d21381
(1) eap: Previous EAP request found for state 0x73d0173773d21381, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type SIM (18)
(1) eap: Calling submodule eap_sim to process data
(1) eap_sim: Generated following triplets for round 0:
(1) eap_sim: RAND : 0x5d61f008d4ac1c144f1dddc8a931c907
(1) eap_sim: SRES : 0xdedf6955
(1) eap_sim: Kc : 0x0b4525c2f63d1000
(1) eap_sim: Generated following triplets for round 1:
(1) eap_sim: RAND : 0x7890541386f3cf2d14f3adfd2626ae11
(1) eap_sim: SRES : 0xfc1d1efa
(1) eap_sim: Kc : 0x0ab936f3b77bc400
(1) eap_sim: Generated following triplets for round 2:
(1) eap_sim: RAND : 0x4073342dbfe58bc6129a7cb2341c599f
(1) eap_sim: SRES : 0xc24d23f8
(1) eap_sim: Kc : 0x90c7b3cfbb6f5400
(1) eap: Sending EAP Request (code 1) ID 52 length 20
(1) eap: EAP session adding &reply:State = 0x73d0173772e40581
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 167 from 192.168.20.17:1812 to
192.168.20.19:54927 length 0
(1) EAP-Message = 0x01340014120a00000f0200020001000011010100
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x73d0173772e405813979a7a15dbcab87
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 168 from 192.168.20.19:54927 to
192.168.20.17:1812 length 341
(2) User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"
(2) NAS-IP-Address = 192.168.20.19
(2) NAS-Port = 0
(2) NAS-Identifier = "192.168.20.19"
(2) NAS-Port-Type = Wireless-802.11
(2) Calling-Station-Id = "c0eefb5acc11"
(2) Called-Station-Id = "000b86ee0268"
(2) Service-Type = Login-User
(2) Framed-MTU = 1100
(2) EAP-Message =
0x02340058120a00001001000107050000c3a7a7644e1d2568557e2ba3629074d40e0e00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700
(2) State = 0x73d0173772e405813979a7a15dbcab87
(2) Aruba-Essid-Name = "Test EAP-SIM"
(2) Aruba-Location-Id = "00:0b:86:ee:02:68"
(2) Aruba-AP-Group = "instant-EE:02:68"
(2) Message-Authenticator = 0x81000bffb4c1c22f932980b64985a2ce
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for
User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"
(2) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 52 length 88
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) files: users: Matched entry
1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org at line 3
(2) [files] = ok
(2) if (User-Name =~ /^[0-9]+/) {
(2) if (User-Name =~ /^[0-9]+/) -> TRUE
(2) if (User-Name =~ /^[0-9]+/) {
(2) update reply {
(2) EXPAND %{control:EAP-Sim-Ki}
(2) --> 0xca0b8d177406d08cbfbed48b832f72db
(2) &EAP-Sim-Ki := 0xca0b8d177406d08cbfbed48b832f72db
(2) EXPAND %{control:EAP-Sim-Algo-Version}
(2) --> 1
(2) &EAP-Sim-Algo-Version := 1
(2) } # update reply = noop
(2) } # if (User-Name =~ /^[0-9]+/) = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(2) pap: WARNING: Authentication will fail unless a "known good" password
is available
(2) [pap] = noop
(2) } # authorize = updated
(2) Found Auth-Type = eap
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x73d0173772e40581
(2) eap: Finished EAP session with state 0x73d0173772e40581
(2) eap: Previous EAP request found for state 0x73d0173772e40581, released
from the list
(2) eap: Peer sent packet with method EAP SIM (18)
(2) eap: Calling submodule eap_sim to process data
(2) eap_sim: EAP-SIM decoded packet
(2) eap_sim: User-Name = "
1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"
(2) eap_sim: NAS-IP-Address = 192.168.20.19
(2) eap_sim: NAS-Port = 0
(2) eap_sim: NAS-Identifier = "192.168.20.19"
(2) eap_sim: NAS-Port-Type = Wireless-802.11
(2) eap_sim: Calling-Station-Id = "c0eefb5acc11"
(2) eap_sim: Called-Station-Id = "000b86ee0268"
(2) eap_sim: Service-Type = Login-User
(2) eap_sim: Framed-MTU = 1100
(2) eap_sim: EAP-Message =
0x02340058120a00001001000107050000c3a7a7644e1d2568557e2ba3629074d40e0e00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700
(2) eap_sim: State = 0x73d0173772e405813979a7a15dbcab87
(2) eap_sim: Aruba-Essid-Name = "Test EAP-SIM"
(2) eap_sim: Aruba-Location-Id = "00:0b:86:ee:02:68"
(2) eap_sim: Aruba-AP-Group = "instant-EE:02:68"
(2) eap_sim: Message-Authenticator = 0x81000bffb4c1c22f932980b64985a2ce
(2) eap_sim: Event-Timestamp = "Mar 23 2018 02:15:16 UTC"
(2) eap_sim: EAP-Type = SIM
(2) eap_sim: EAP-Sim-Subtype = Start
(2) eap_sim: EAP-Sim-SELECTED_VERSION = 0x0001
(2) eap_sim: EAP-Sim-NONCE_MT = 0x0000c3a7a7644e1d2568557e2ba3629074d4
(2) eap_sim: EAP-Sim-IDENTITY =
0x00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700
(2) eap: Sending EAP Request (code 1) ID 53 length 80
(2) eap: EAP session adding &reply:State = 0x73d0173771e50581
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 168 from 192.168.20.17:1812 to
192.168.20.19:54927 length 0
(2) EAP-Message =
0x01350050120b0000010d00005d61f008d4ac1c144f1dddc8a931c9077890541386f3cf2d14f3adfd2626ae114073342dbfe58bc6129a7cb2341c599f0b0500003d75b1bccfe08bd6ebedbff57c97cc7b
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x73d0173771e505813979a7a15dbcab87
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 169 from 192.168.20.19:54927 to
192.168.20.17:1812 length 281
(3) User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"
(3) NAS-IP-Address = 192.168.20.19
(3) NAS-Port = 0
(3) NAS-Identifier = "192.168.20.19"
(3) NAS-Port-Type = Wireless-802.11
(3) Calling-Station-Id = "c0eefb5acc11"
(3) Called-Station-Id = "000b86ee0268"
(3) Service-Type = Login-User
(3) Framed-MTU = 1100
(3) EAP-Message =
0x0235001c120b00000b050000135081247e24e3f87495a46f128a6e84
(3) State = 0x73d0173771e505813979a7a15dbcab87
(3) Aruba-Essid-Name = "Test EAP-SIM"
(3) Aruba-Location-Id = "00:0b:86:ee:02:68"
(3) Aruba-AP-Group = "instant-EE:02:68"
(3) Message-Authenticator = 0x6018a954af3ed8f82d4a20ff64a5479a
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for
User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"
(3) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 53 length 28
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) files: users: Matched entry
1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org at line 3
(3) [files] = ok
(3) if (User-Name =~ /^[0-9]+/) {
(3) if (User-Name =~ /^[0-9]+/) -> TRUE
(3) if (User-Name =~ /^[0-9]+/) {
(3) update reply {
(3) EXPAND %{control:EAP-Sim-Ki}
(3) --> 0xca0b8d177406d08cbfbed48b832f72db
(3) &EAP-Sim-Ki := 0xca0b8d177406d08cbfbed48b832f72db
(3) EXPAND %{control:EAP-Sim-Algo-Version}
(3) --> 1
(3) &EAP-Sim-Algo-Version := 1
(3) } # update reply = noop
(3) } # if (User-Name =~ /^[0-9]+/) = noop
(3) [expiration] = noop
(3) [logintime] = noop
(3) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(3) pap: WARNING: Authentication will fail unless a "known good" password
is available
(3) [pap] = noop
(3) } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x73d0173771e50581
(3) eap: Finished EAP session with state 0x73d0173771e50581
(3) eap: Previous EAP request found for state 0x73d0173771e50581, released
from the list
(3) eap: Peer sent packet with method EAP SIM (18)
(3) eap: Calling submodule eap_sim to process data
(3) eap_sim: MAC check succeed
(3) eap_sim: ERROR: Failed decoding EAP-SIM packet:
(3) eap: Sending EAP Success (code 3) ID 54 length 4
(3) eap: Freeing handler
(3) [eap] = ok
(3) } # authenticate = ok
(3) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
(3) post-auth {
(3) update {
(3) No attributes updated
(3) } # update = noop
(3) [exec] = noop
(3) policy remove_reply_message_if_eap {
(3) if (&reply:EAP-Message && &reply:Reply-Message) {
(3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(3) else {
(3) [noop] = noop
(3) } # else = noop
(3) } # policy remove_reply_message_if_eap = noop
(3) } # post-auth = noop
(3) Sent Access-Accept Id 169 from 192.168.20.17:1812 to 192.168.20.19:54927
length 0
(3) MS-MPPE-Recv-Key =
0x85ef573bb6603286724f0d6de5265eee5d0db5c58fc485b8a9100f64129facc3
(3) MS-MPPE-Send-Key =
0x2902f8530f324889e267b510c983ad40c9bed2c96ade0151830735299abcde9a
(3) EAP-Message = 0x03360004
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) User-Name = "1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org"
(3) Finished request
Waking up in 4.6 seconds.
(0) Cleaning up request packet ID 166 with timestamp +18
(1) Cleaning up request packet ID 167 with timestamp +18
(2) Cleaning up request packet ID 168 with timestamp +18
Waking up in 0.2 seconds.
(3) Cleaning up request packet ID 169 with timestamp +18
Ready to process requests
On Thu, Mar 22, 2018 at 6:19 PM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Mar 22, 2018, at 4:58 PM, François Vergès <misterpaco21 at gmail.com>
> wrote:
> >
> > I have setup freeradius in my lab environment to authenticate an Android
> > cell phone using EAP-SIM and a SIM card.
> >
> > Performing a packet capture over the Wi-Fi, I was able to realize that
> the
> > phone receive the EAP-SIM challenge request but doesn't reply with a
> > EAP-SIM Challenge response. Instead, it replies with a EAP-SIM
> Client-Error
> > (0). I can also see the RAND values in the EAP-SIM Challenge Request
> packet.
> >
> > I have used this script to generate the triplets (RAND, SRES and KC)
> using
> > the Ki number of the SIM card:
> > https://github.com/skelsec/COMP128/blob/master/COMP128.py
>
> Hmm... use 3.0.16, and set EAP-SIM-Ki. The server will create the
> triplets automatically:
>
> # 'users' file
>
> 1901700000020240 at wlan.mnc070.mcc901.3gppnetwork.org EAP-SIM-Ki :=
> 0xabcdef0123...
>
> # 'users' file
>
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
--
*François Vergès*
*Tel*: +1 514 475-5305
*Email*: francoisverges at gmail.com
More information about the Freeradius-Users
mailing list