[EXTERNAL] Help in Configuring EAP-SIM

Shane Guan shaneguan at microsoft.com
Sat Feb 12 00:28:53 UTC 2022


Hi everyone,

Thanks for the quick fix in master. I pulled the newest changes and rebuilt the freeradius binary. I noticed that if I do not explicitly set the SIM-Algo-Version, thus leaving it to the default of 1, then eapol_test client is able to authenticate (*default.log). However, when I do explictely set the SIM-Algo-Version to 1, then eapol_test is unable to authenticate, stating a MAC invalidation (*explicit_set_1.log). Can someone help me understand why this would be the case, when I am merely explicitly setting a variable to its default, instead of leaving it alone? Perhaps I misunderstood what the purpose of SIM-Algo-Version is.

Thanks again!
Shane
________________________________
From: Freeradius-Users <freeradius-users-bounces+shaneguan=microsoft.com at lists.freeradius.org> on behalf of Arran Cudbard-Bell <a.cudbardb at freeradius.org>
Sent: Friday, February 11, 2022 9:51 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Davut Karabay <davutk at microsoft.com>; Corbin Phipps <corbinphipps at microsoft.com>; Paul Irwin <Irwin.Paul at microsoft.com>
Subject: Re: [EXTERNAL] Help in Configuring EAP-SIM



> On Feb 10, 2022, at 4:46 PM, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Feb 10, 2022, at 3:11 PM, Shane Guan via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>
>> Thanks for the tip about libkqueue. I built and installed the latest version of that library and then was able to compile, install, and run the master branch with freeradius -Xf. However, I am still having difficulty with the configuration for eap-sim. For some reason the eapol_test client says that it can't process a packet? I have attached logs.
>
>  The eapol_test log says:
>
> EAP-SIM: Unexpected Challenge in state CONTINUE
> EAP-SIM: CONTINUE -> FAILURE
>
>  and FreeRADIUS says:
>
> Debug : (1.0)      eap-sim - New EAP-SIM session
> Debug : (1.0)      eap-sim - Changed state INIT -> SIM-CHALLENGE
> Debug : (1.0)      send Challenge-Request {
>
>  So FreeRADIUS is intending to do this, but eapol_test doesn't like it.  I'll have to defer to Arran about this.  :(

Yeah, my fault.  Moved to a unified state machine for all three EAP-Methods.

EAP-SIM requires you to always send EAP-SIM-START, EAP-AKA and EAP-AKA' allow you to jump straight
into the challenge round if you recognise the identity.

I've corrected the state machine to always enter SIM-Start, even when no identity is being requested when
we're running EAP-SIM.

f4c433d4ef1494cc40fbe84da91046d0333bb8c7 - Fixes the problem by always requesting an ID
6be2c02b3a12930e31f9a46bc677a8a562acea46 - Expands on the previous commit to allow SIM-Start
without identity requests.

I've tested locally and it appears to fix the issue, could you rebuild with HEAD and verify it corrects the
problem for you also.

-Arran
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeradius_explicit_set_1.log
Type: application/octet-stream
Size: 63634 bytes
Desc: freeradius_explicit_set_1.log
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20220212/5ca44548/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeradius_default.log
Type: application/octet-stream
Size: 63798 bytes
Desc: freeradius_default.log
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20220212/5ca44548/attachment-0005.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eapol_test_default.log
Type: application/octet-stream
Size: 18876 bytes
Desc: eapol_test_default.log
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20220212/5ca44548/attachment-0006.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eapol_test_explicit_set_1.log
Type: application/octet-stream
Size: 16865 bytes
Desc: eapol_test_explicit_set_1.log
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20220212/5ca44548/attachment-0007.obj>


More information about the Freeradius-Users mailing list