How to map attributes for EAP-SIM/EAP-AKA on FreeRADIUS version 4?
MJ Tan
mjdir.tan at gmail.com
Thu Apr 6 15:59:12 UTC 2023
Hi Experts,
I am testing EAP-SIM/EAP-AKA on FreeRADIUS version 4 by reading the IMSI, RAND, SRES etc. from the rlm_passwd module password file, which was working in version 3, but I am stuck with some attribute errors in version 4.
I believe that version 4 has changed the attributes for EAP-SIM/EAP-AKA; however, I have no idea how to map the attributes to make it work like version 3.
I was trying to compare the dictionary file attributes between v3 and v4, but it is still confusing.
Here is the passwd format in v3:
format = "User-Name:EAP-Sim-RAND1:EAP-Sim-SRES1:EAP-Sim-KC1:EAP-Sim-RAND2:EAP-Sim-SRES2:EAP-Sim-KC2:EAP-Sim-RAND3:EAP-Sim-SRES3:EAP-Sim-KC3:"
Can anyone advise the passwd format in version 4?
#############################################
(0) default {
(0) Received Access-Request ID 248 from 10.232.128.52:59140 to
10.200.11.154:1812 via ens160
(0) User-Name = "1525016105897825 at wlan.mnc001.mcc525.3gppnetwork.org"
(0) NAS-IP-Address = 10.232.128.52
(0) NAS-Port = 0
(0) NAS-Identifier = "10.232.128.52"
(0) NAS-Port-Type = Wireless-802.11
(0) Calling-Station-Id = "7e95f933088f"
(0) Called-Station-Id = "f05c19ca427c"
(0) Service-Type = Framed-User
(0) Framed-MTU = 1100
(0) EAP-Message =
0x02010038013135323530313631303538393738323540776c616e2e6d6e633030312e6d63633532352e336770706e6574776f726b2e6f7267
(0) Vendor-Specific.Aruba.Essid-Name = "airplay_sim"
(0) Vendor-Specific.Aruba.Location-Id = "AP325-SG-Home-1"
(0) Vendor-Specific.Aruba.AP-Group = "SG_SEATH_AOS10"
(0) Vendor-Specific.Aruba.AP-MAC-Address = "f05c19ca427c"
(0) Vendor-Specific.Aruba.Device-MAC-Address = "7e95f933088f"
(0) Message-Authenticator = 0x3fb0a416e7a90a56e60e2f4ab6a93933
(0) Packet-Type = Access-Request
(0) Running 'recv Access-Request' from file
/usr/local/etc/radv4/etc/raddb/sites-enabled/test
(0) recv Access-Request {
(0) chap (noop)
(0) mschap (noop)
(0) digest (noop)
*(0) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-RAND1'*
*(0) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-SRES1'*
*(0) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-KC1'*
*(0) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-RAND2'*
*(0) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-SRES2'*
*(0) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-KC2'*
*(0) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-RAND3'*
*(0) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-SRES3'*
*(0) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-KC3'*
(0) sim_files (ok)
(0) eap - Peer sent EAP Response (code 2) ID 1 length 56
(0) eap - Peer sent EAP-Identity. Returning 'ok' so we can
short-circuit the rest of authorize
(0) eap - Setting &control.Auth-Type = eap
(0) eap (ok)
(0) } # recv Access-Request (ok)
(0) default - Running 'authenticate eap' from file
/usr/local/etc/radv4/etc/raddb/sites-enabled/test
(0) default - authenticate eap {
(0) eap - New EAP session started
(0) eap - Peer sent packet with EAP method Identity (1)
(0) eap - Calling submodule eap_sim
(0) eap - subrequest {
(0.0) eap-sim - Stripping 'hint' byte from Permanent-Identity
(0.0) eap-sim - &session-state.Permanent-Identity = "
525016105897825 at wlan.mnc001.mcc525.3gppnetwork.org"
(0.0) eap-sim - recv Identity-Response {
(0.0) eap-sim - | debug_attr
*(0.0) eap-sim - ERROR: Invalid input: Missing attribute reference*
(0.0) eap-sim - | %(debug_attr:{&session-state.})
(0.0) eap-sim - if (!&session-state.Tmp-String-0) {
(0.0) eap-sim - &reply.Any-ID-Req := yes
(0.0) eap-sim - &session-state.Tmp-String-0 := yes
(0.0) eap-sim - } # if (!&session-state.Tmp-String-0) (noop)
(0.0) eap-sim - ok (ok)
(0.0) eap-sim - } # recv Identity-Response (ok)
(0.0) eap-sim - New EAP-SIM session
(0.0) eap-sim - Previous section added &reply.Any-ID-Req = yes, will
request additional identity
(0.0) eap-sim - Changed state INIT -> SIM-START
(0.0) eap-sim - send Identity-Request {
(0.0) eap-sim - ok (ok)
(0.0) eap-sim - } # send Identity-Request (ok)
(0.0) eap.sim - eap-sim (handled)
(0.0) eap.sim - Encoding attributes
(0.0) eap.sim - Version-List = 1
(0.0) eap.sim - Any-ID-Req = yes
(0.0) eap.sim - Subtype = SIM-Start
(0.0) eap.sim (handled)
(0) eap - subrequest - Resuming execution
(0) eap - } # subrequest (noop)
(0) eap - Sending EAP Request (code 1) ID 220 length 20
(0) default - eap (handled)
(0) default - } # authenticate eap (handled)
(0) default - Running 'send Access-Challenge' from file
/usr/local/etc/radv4/etc/raddb/sites-enabled/test
(0) default - send Access-Challenge {
(0) attr_filter.access_challenge - | User-Name
(0) attr_filter.access_challenge - | %{User-Name}
(0) attr_filter.access_challenge - | -->
1525016105897825 at wlan.mnc001.mcc525.3gppnetwork.org
(0) attr_filter.access_challenge - -->
1525016105897825 at wlan.mnc001.mcc525.3gppnetwork.org
(0) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(0) default - attr_filter.access_challenge (updated)
(0) default - handled (handled)
(0) default - } # send Access-Challenge (handled)
(0) default (ok)
(0) } # default (ok)
(0) Done request
(0) Sending Access-Challenge ID 248 from 0.0.0.0/0:1812 to
10.232.128.52:59140 length 78 via socket radius_udp server * port 1812
(0) EAP-Message = 0x01dc0014120a00000d0100000f02000200010000
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x0101b1000f8fb7a6b591b1d5c40e716b
(0) Packet-Type = Access-Challenge
(0) Finished request
proto_radius_udp - cleaning up request in 5.000000s
proto_radius_udp - Received Access-Request ID 249 length 376 radius_udp
server * port 1812
(1) default {
(1) Received Access-Request ID 249 from 10.232.128.52:59140 to
10.200.11.154:1812 via ens160
(1) User-Name = "1525016105897825 at wlan.mnc001.mcc525.3gppnetwork.org"
(1) NAS-IP-Address = 10.232.128.52
(1) NAS-Port = 0
(1) NAS-Identifier = "10.232.128.52"
(1) NAS-Port-Type = Wireless-802.11
(1) Calling-Station-Id = "7e95f933088f"
(1) Called-Station-Id = "f05c19ca427c"
(1) Service-Type = Framed-User
(1) Framed-MTU = 1100
(1) EAP-Message =
0x02dc0058120a00000e0e00333135323530313631303538393738323540776c616e2e6d6e633030312e6d63633532352e336770706e6574776f726b2e6f72670010010001070500009f6d20ac890376a2b4f9d5ff806975c1
(1) State = 0x0101b1000f8fb7a6b591b1d5c40e716b
(1) Vendor-Specific.Aruba.Essid-Name = "airplay_sim"
(1) Vendor-Specific.Aruba.Location-Id = "AP325-SG-Home-1"
(1) Vendor-Specific.Aruba.AP-Group = "SG_SEATH_AOS10"
(1) Vendor-Specific.Aruba.AP-MAC-Address = "f05c19ca427c"
(1) Vendor-Specific.Aruba.Device-MAC-Address = "7e95f933088f"
(1) Message-Authenticator = 0xf44ed74a30d348832167c0fa3992617e
(1) Packet-Type = Access-Request
(1) Running 'recv Access-Request' from file
/usr/local/etc/radv4/etc/raddb/sites-enabled/test
(1) recv Access-Request {
(1) chap (noop)
(1) mschap (noop)
(1) digest (noop)
*(1) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-RAND1'*
*(1) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-SRES1'*
*(1) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-KC1'*
*(1) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-RAND2'*
*(1) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-SRES2'*
*(1) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-KC2'*
*(1) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-RAND3'*
*(1) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-SRES3'*
*(1) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-KC3'*
(1) sim_files (ok)
(1) eap - Peer sent EAP Response (code 2) ID 220 length 88
(1) eap - Continuing on-going EAP conversation
(1) eap - Setting &control.Auth-Type = eap
(1) eap (updated)
(1) policy expiration {
(1) if (&control.Expiration) {
(1) ...
(1) }
(1) } # policy expiration (updated)
(1) logintime (noop)
(1) pap (noop)
(1) } # recv Access-Request (updated)
(1) default - Running 'authenticate eap' from file
/usr/local/etc/radv4/etc/raddb/sites-enabled/test
(1) default - authenticate eap {
(1) eap - Continuing EAP session
(1) eap - Peer sent packet with EAP method SIM (18)
(1) eap - Calling submodule eap_sim
(1) eap - subrequest {
(1.0) eap.sim - Decoded attributes
(1.0) eap.sim - EAP-Identity = "
1525016105897825 at wlan.mnc001.mcc525.3gppnetwork.org"
(1.0) eap.sim - EAP-Type = SIM
(1.0) eap.sim - Identity = "
1525016105897825 at wlan.mnc001.mcc525.3gppnetwork.org"
(1.0) eap.sim - Selected-Version = 1
(1.0) eap.sim - Nonce-MT = 0x9f6d20ac890376a2b4f9d5ff806975c1
(1.0) eap.sim - Subtype = SIM-Start
(1.0) eap.sim - Received EAP-Response/SIM-Start
(1.0) eap-sim - Stripping 'hint' byte from Permanent-Identity
(1.0) eap-sim - &session-state.Permanent-Identity = "
525016105897825 at wlan.mnc001.mcc525.3gppnetwork.org"
(1.0) eap-sim - recv Identity-Response {
(1.0) eap-sim - | debug_attr
*(1.0) eap-sim - ERROR: Invalid input: Missing attribute reference*
(1.0) eap-sim - | %(debug_attr:{&session-state.})
(1.0) eap-sim - if (!&session-state.Tmp-String-0) {
(1.0) eap-sim - ...
(1.0) eap-sim - }
(1.0) eap-sim - ok (ok)
(1.0) eap-sim - } # recv Identity-Response (ok)
(1.0) eap-sim - Changed state SIM-START -> SIM-CHALLENGE
(1.0) eap-sim - send Challenge-Request {
(1.0) eap-sim - &control.SIM-Ki := 0x465b5ce8b199b49faa5f0a2ee238a6bc
(1.0) eap-sim - &control.SIM-Opc := 0xcd63cb71954a9f4e48a5994e37a02baf
(1.0) eap-sim - &control.SIM-SQN := 3
(1.0) eap-sim - &reply.Encr-Data.Next-Reauth-Id :=
(1.0) eap-sim - &reply.Encr-Data.Next-Pseudonym :=
(1.0) eap-sim - ok (ok)
(1.0) eap-sim - } # send Challenge-Request (ok)
(1.0) eap-sim - Acquiring GSM vector(s)
(1.0) eap-sim - GSM vector[0]
(1.0) eap-sim - KC : 0xaa398ce1e9795b59
(1.0) eap-sim - RAND : 0xe72d740b34ec86183926485feda798d2
(1.0) eap-sim - SRES : 0x1a3b217a
(1.0) eap-sim - GSM vector[1]
(1.0) eap-sim - KC : 0xd8a60eaf3b6dc607
(1.0) eap-sim - RAND : 0x3358a1eefe5cef50d636c4619decb183
(1.0) eap-sim - SRES : 0x178e177d
(1.0) eap-sim - GSM vector[2]
(1.0) eap-sim - KC : 0xc1470a0aca5a6b47
(1.0) eap-sim - RAND : 0x2e911af2fe6c7dc599a031b92b2bd466
(1.0) eap-sim - SRES : 0x20aa55da
(1.0) eap-sim - store session {
(1.0) eap_sim_cache - | eap-aka-sim.Session-ID
(1.0) eap_sim_cache - | %{eap-aka-sim.Session-ID}
(1.0) eap_sim_cache - | --> 0x3578543934775962337a6c466c5569
(1.0) eap_sim_cache - --> 0x3578543934775962337a6c466c5569
(1.0) eap_sim_cache - No cache entry found for
"0x3578543934775962337a6c466c5569"
(1.0) eap_sim_cache - Creating new cache entry
(1.0) eap_sim_cache - &session-State.Encr-Data.Counter :=
&session-State.Encr-Data.Counter -> 0
(1.0) eap_sim_cache - Committed entry, TTL 15 seconds
(1.0) eap-sim - eap_sim_cache (updated)
(1.0) eap-sim - } # store session (updated)
(1.0) eap.sim - eap-sim (handled)
(1.0) eap.sim - Sending EAP-Request/SIM-Challenge
(1.0) eap.sim - Encoding attributes
(1.0) eap.sim - Encr-Data.Next-Reauth-ID = "5xT94wYb3zlFlUi"
(1.0) eap.sim - Encr-Data.Next-Pseudonym = "3NIu7O8CcaYW8Gy"
(1.0) eap.sim - RAND = 0xe72d740b34ec86183926485feda798d2
(1.0) eap.sim - RAND = 0x3358a1eefe5cef50d636c4619decb183
(1.0) eap.sim - RAND = 0x2e911af2fe6c7dc599a031b92b2bd466
(1.0) eap.sim - MAC = 0x
(1.0) eap.sim - Subtype = SIM-Challenge
(1.0) eap.sim (handled)
(1) eap - subrequest - Resuming execution
(1) eap - } # subrequest (noop)
(1) eap - Sending EAP Request (code 1) ID 221 length 152
(1) default - eap (handled)
(1) default - } # authenticate eap (handled)
(1) default - Running 'send Access-Challenge' from file
/usr/local/etc/radv4/etc/raddb/sites-enabled/test
(1) default - send Access-Challenge {
(1) attr_filter.access_challenge - | User-Name
(1) attr_filter.access_challenge - | %{User-Name}
(1) attr_filter.access_challenge - | -->
1525016105897825 at wlan.mnc001.mcc525.3gppnetwork.org
(1) attr_filter.access_challenge - -->
1525016105897825 at wlan.mnc001.mcc525.3gppnetwork.org
(1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(1) default - attr_filter.access_challenge (updated)
(1) default - handled (handled)
(1) default - } # send Access-Challenge (handled)
(1) default (ok)
(1) } # default (ok)
(1) Done request
(1) Sending Access-Challenge ID 249 from 0.0.0.0/0:1812 to
10.232.128.52:59140 length 210 via socket radius_udp server * port 1812
(1) EAP-Message =
0x01dd0098120b00000b0500009f3cb5a97002c186c2ea1dbb34f1f55d010d0000e72d740b34ec86183926485feda798d23358a1eefe5cef50d636c4619decb1832e911af2fe6c7dc599a031b92b2bd46681050000b682371842b5bdacd12a69d27c43f143820d0000d96237c725f160660f4670be81b1a2a8a59335517b52b39b5ed0dcdcd185e11d02a9a7a8d3f12b82d56234aba8d5e0f1
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x0203b10097741f88b591b1d5c40e716b
(1) Packet-Type = Access-Challenge
(1) Finished request
proto_radius_udp - cleaning up request in 5.000000s
proto_radius_udp - Received Access-Request ID 250 length 300 radius_udp
server * port 1812
(2) default {
(2) Received Access-Request ID 250 from 10.232.128.52:59140 to
10.200.11.154:1812 via ens160
(2) User-Name = "1525016105897825 at wlan.mnc001.mcc525.3gppnetwork.org"
(2) NAS-IP-Address = 10.232.128.52
(2) NAS-Port = 0
(2) NAS-Identifier = "10.232.128.52"
(2) NAS-Port-Type = Wireless-802.11
(2) Calling-Station-Id = "7e95f933088f"
(2) Called-Station-Id = "f05c19ca427c"
(2) Service-Type = Framed-User
(2) Framed-MTU = 1100
(2) EAP-Message = 0x02dd000c120e000016010000
(2) State = 0x0203b10097741f88b591b1d5c40e716b
(2) Vendor-Specific.Aruba.Essid-Name = "airplay_sim"
(2) Vendor-Specific.Aruba.Location-Id = "AP325-SG-Home-1"
(2) Vendor-Specific.Aruba.AP-Group = "SG_SEATH_AOS10"
(2) Vendor-Specific.Aruba.AP-MAC-Address = "f05c19ca427c"
(2) Vendor-Specific.Aruba.Device-MAC-Address = "7e95f933088f"
(2) Message-Authenticator = 0xf261d6f34752fc6d83c80cd10389650c
(2) Packet-Type = Access-Request
(2) Running 'recv Access-Request' from file
/usr/local/etc/radv4/etc/raddb/sites-enabled/test
(2) recv Access-Request {
(2) chap (noop)
(2) mschap (noop)
(2) digest (noop)
*(2) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-RAND1'*
*(2) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-SRES1'*
*(2) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-KC1'*
*(2) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-RAND2'*
*(2) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-SRES2'*
*(2) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-KC2'*
*(2) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-RAND3'*
*(2) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-SRES3'*
*(2) sim_files - ERROR: Ignoring unknown attribute 'EAP-Sim-KC3'*
(2) sim_files (ok)
(2) eap - Peer sent EAP Response (code 2) ID 221 length 12
(2) eap - Continuing on-going EAP conversation
(2) eap - Setting &control.Auth-Type = eap
(2) eap (updated)
(2) policy expiration {
(2) if (&control.Expiration) {
(2) ...
(2) }
(2) } # policy expiration (updated)
(2) logintime (noop)
(2) pap (noop)
(2) } # recv Access-Request (updated)
(2) default - Running 'authenticate eap' from file
/usr/local/etc/radv4/etc/raddb/sites-enabled/test
(2) default - authenticate eap {
(2) eap - Continuing EAP session
(2) eap - Peer sent packet with EAP method SIM (18)
(2) eap - Calling submodule eap_sim
(2) eap - subrequest {
(2.0) eap.sim - Decoded attributes
(2.0) eap.sim - EAP-Identity = "
1525016105897825 at wlan.mnc001.mcc525.3gppnetwork.org"
(2.0) eap.sim - EAP-Type = SIM
(2.0) eap.sim - Client-Error-Code = Unable-To-Process-Packet
(2.0) eap.sim - Subtype = AKA-SIM-Client-Error
(2.0) eap.sim - Received EAP-Response/AKA-SIM-Client-Error
*(2.0) eap-sim - ERROR: Peer rejected request with error: 0
(Unable-To-Process-Packet)*
(2.0) eap-sim - clear session {
(2.0) eap_sim_cache - | eap-aka-sim.Session-ID
(2.0) eap_sim_cache - | %{eap-aka-sim.Session-ID}
(2.0) eap_sim_cache - | --> 0x3578543934775962337a6c466c5569
(2.0) eap_sim_cache - --> 0x3578543934775962337a6c466c5569
(2.0) eap_sim_cache - Found entry for
"0x3578543934775962337a6c466c5569"
(2.0) eap_sim_cache - Expiring cache entry
(2.0) eap-sim - eap_sim_cache (ok)
(2.0) eap-sim - } # clear session (ok)
(2.0) eap-sim - Changed state SIM-CHALLENGE -> EAP-FAILURE
(2.0) eap-sim - Sending EAP-Failure
(2.0) eap.sim - eap-sim (reject)
(2.0) eap.sim (reject)
(2) eap - subrequest - Resuming execution
(2) eap - } # subrequest (noop)
(2) eap - Sending EAP Failure (code 4) ID 221 length 4
(2) eap - Cleaning up EAP session
(2) default - eap (reject)
(2) default - } # authenticate eap (reject)
(2) default - Failed to authenticate the user
(2) default - Running 'send Access-Reject' from file
/usr/local/etc/radv4/etc/raddb/sites-enabled/test
(2) default - send Access-Reject {
(2) attr_filter.access_reject - | User-Name
(2) attr_filter.access_reject - | %{User-Name}
(2) attr_filter.access_reject - | -->
1525016105897825 at wlan.mnc001.mcc525.3gppnetwork.org
(2) attr_filter.access_reject - -->
1525016105897825 at wlan.mnc001.mcc525.3gppnetwork.org
(2) attr_filter.access_reject - Matched entry DEFAULT at line 11
(2) default - attr_filter.access_reject (updated)
(2) default - eap (noop)
(2) default - policy remove_reply_message_if_eap {
(2) default - if (&reply.EAP-Message && &reply.Reply-Message) {
(2) default - ...
(2) default - }
(2) default - else {
(2) default - noop (noop)
(2) default - } # else (noop)
(2) default - } # policy remove_reply_message_if_eap (noop)
(2) delay_reject - | (null)
(2) delay_reject - | reply.FreeRADIUS-Response-Delay
(2) delay_reject - | %{reply.FreeRADIUS-Response-Delay}
(2) delay_reject - | -->
(2) delay_reject - | %{%{reply.FreeRADIUS-Response-Delay}:-1}
(2) delay_reject - | --> 1
(2) delay_reject - Delaying request by ~0.991348969s
(2) delay_reject - Delay done
(2) delay_reject - delay_reject - Resuming execution
(2) default - delay_reject (ok)
(2) default - } # send Access-Reject (updated)
(2) default (ok)
(2) } # default (ok)
(2) Done request
(2) Sending Access-Reject ID 250 from 0.0.0.0/0:1812 to
10.232.128.52:59140 length
44 via socket radius_udp server * port 1812
(2) EAP-Message = 0x04dd0004
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) Packet-Type = Access-Reject
(2) Finished request
proto_radius_udp - cleaning up request in 5.000000s
#############################################
-MJ
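Added example, not part of the original post and not FreeRADIUS code: a decoder for the EAP-SIM/EAP-AKA attribute format of RFC 4186 / RFC 4187, run over the five EAP-Message values captured in the debug output above. Decoding the raw bytes is how you confirm what the v4 "Encoding attributes" / "Decoded attributes" lines summarise: the SIM-Start request carries AT_ANY_ID_REQ and AT_VERSION_LIST, the peer's reply carries AT_IDENTITY, AT_SELECTED_VERSION and AT_NONCE_MT, the SIM-Challenge carries AT_MAC, three AT_RAND values (the same RANDs the log lists under "GSM vector[n]", i.e. the ones generated after the Ki/OPc assignments in the send Challenge-Request section, not anything read from the ignored EAP-Sim-* passwd attributes), AT_IV and AT_ENCR_DATA, and the peer's last response is a Client-Error with code 0 ("unable to process packet"), the general error code RFC 4186 has a peer send when it cannot accept the challenge, for instance because AT_MAC does not verify against the Kc values its own SIM produced. The AT_* names are the RFC's, not FreeRADIUS v4 dictionary names; the decoder validates every length field before slicing (a zero attribute length would otherwise loop forever) and does not verify AT_MAC, which needs K_aut derived from the Kc triplets, so it is a diagnostic tool, not an authenticator.

```python
"""Decoder for the EAP-SIM / EAP-AKA attribute format (RFC 4186 sec. 8, RFC 4187 sec. 8.1).
Added example: not FreeRADIUS code and not part of the original post. The sample packets
are the EAP-Message values captured in the debug output above."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {18: "SIM", 23: "AKA", 50: "AKA'"}
SUBTYPES = {1: "AKA-Challenge", 2: "AKA-Authentication-Reject", 4: "AKA-Synchronization-Failure",
            5: "AKA-Identity", 10: "SIM-Start", 11: "SIM-Challenge", 12: "Notification",
            13: "Re-authentication", 14: "Client-Error"}
ATTRS = {1: "AT_RAND", 2: "AT_AUTN", 3: "AT_RES", 4: "AT_AUTS", 6: "AT_PADDING", 7: "AT_NONCE_MT",
         10: "AT_PERMANENT_ID_REQ", 11: "AT_MAC", 12: "AT_NOTIFICATION", 13: "AT_ANY_ID_REQ",
         14: "AT_IDENTITY", 15: "AT_VERSION_LIST", 16: "AT_SELECTED_VERSION",
         17: "AT_FULLAUTH_ID_REQ", 19: "AT_COUNTER", 20: "AT_COUNTER_TOO_SMALL", 21: "AT_NONCE_S",
         22: "AT_CLIENT_ERROR_CODE", 129: "AT_IV", 130: "AT_ENCR_DATA", 132: "AT_NEXT_PSEUDONYM",
         133: "AT_NEXT_REAUTH_ID", 134: "AT_CHECKCODE", 135: "AT_RESULT_IND"}
CLIENT_ERRORS = {0: "unable to process packet", 1: "unsupported version",
                 2: "insufficient number of challenges", 3: "RANDs are not fresh"}


def _value(name, body):
    """Interpret the bytes that follow an attribute's 2-byte (type, length) header."""
    if name == "AT_VERSION_LIST":                      # actual length in bytes + 2-byte versions
        n = struct.unpack("!H", body[:2])[0]
        if n % 2 or n > len(body) - 2:
            raise ValueError("AT_VERSION_LIST actual length %d is invalid" % n)
        return [struct.unpack("!H", body[2 + i:4 + i])[0] for i in range(0, n, 2)]
    if name in ("AT_SELECTED_VERSION", "AT_COUNTER"):
        return struct.unpack("!H", body[:2])[0]
    if name == "AT_CLIENT_ERROR_CODE":
        code = struct.unpack("!H", body[:2])[0]
        return (code, CLIENT_ERRORS.get(code, "unknown"))
    if name in ("AT_IDENTITY", "AT_NEXT_PSEUDONYM", "AT_NEXT_REAUTH_ID"):
        n = struct.unpack("!H", body[:2])[0]           # actual length; the rest is padding
        if n > len(body) - 2:
            raise ValueError("%s actual length %d exceeds attribute" % (name, n))
        return body[2:2 + n].decode("ascii")
    if name == "AT_RAND":                              # reserved(2) + n * 16-byte RAND
        if len(body) % 16 != 2:
            raise ValueError("AT_RAND payload is not a multiple of 16 bytes")
        return [body[i:i + 16].hex() for i in range(2, len(body), 16)]
    if name in ("AT_NONCE_MT", "AT_MAC", "AT_IV", "AT_AUTN", "AT_NONCE_S", "AT_ENCR_DATA"):
        return body[2:].hex()                          # reserved(2) + opaque bytes
    if name.endswith("_REQ"):
        return True                                    # flag attribute carrying no value
    return body.hex()


def decode(pkt):
    """Parse one EAP-SIM/EAP-AKA packet into a dict; raises ValueError on malformed input."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):                             # never trust the length field blindly
        raise ValueError("EAP length %d != %d bytes on the wire" % (length, len(pkt)))
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                                 # Success / Failure carry no body
        return out
    if length < 8:
        raise ValueError("short EAP-SIM/AKA header")
    out["type"] = EAP_TYPES.get(pkt[4], pkt[4])
    out["subtype"] = SUBTYPES.get(pkt[5], pkt[5])
    attrs, pos = [], 8                                 # type, subtype, 2 reserved bytes
    while pos < length:
        if length - pos < 4:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = pkt[pos], pkt[pos + 1] * 4       # length field counts 4-byte units
        if alen == 0 or pos + alen > length:           # alen == 0 would otherwise loop forever
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        if atype < 128 and atype not in ATTRS:         # RFC 4186: types below 128 are non-skippable
            raise ValueError("unknown non-skippable attribute %d" % atype)
        name = ATTRS.get(atype, "AT_%d" % atype)
        attrs.append((name, _value(name, pkt[pos + 2:pos + alen])))
        pos += alen
    out["attrs"] = attrs
    return out


# Captured packets from the debug output above (EAP-Message values, hex exactly as logged).
SIM_START_REQ = bytes.fromhex("01dc0014120a00000d0100000f02000200010000")
SIM_START_RESP = bytes.fromhex(
    "02dc0058120a00000e0e0033" "3135323530313631303538393738323540"
    "776c616e2e6d6e633030312e6d63633532352e336770706e6574776f726b2e6f7267"
    "0010010001070500009f6d20ac890376a2b4f9d5ff806975c1")
SIM_CHALLENGE_REQ = bytes.fromhex(
    "01dd0098120b0000" "0b0500009f3cb5a97002c186c2ea1dbb34f1f55d"        # header, AT_MAC
    "010d0000" "e72d740b34ec86183926485feda798d2"                          # AT_RAND x3
    "3358a1eefe5cef50d636c4619decb183" "2e911af2fe6c7dc599a031b92b2bd466"
    "81050000b682371842b5bdacd12a69d27c43f143"                             # AT_IV
    "820d0000d96237c725f160660f4670be81b1a2a8a59335517b52b39b5ed0dcdcd185e11d"
    "02a9a7a8d3f12b82d56234aba8d5e0f1")                                    # AT_ENCR_DATA
CLIENT_ERROR = bytes.fromhex("02dd000c120e000016010000")
EAP_FAILURE = bytes.fromhex("04dd0004")


def is_well_formed(pkt):
    """True if decode() accepts the packet; exercises the length checks on bad input."""
    try:
        decode(pkt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in (SIM_START_REQ, SIM_START_RESP, SIM_CHALLENGE_REQ, CLIENT_ERROR, EAP_FAILURE):
        print(decode(p))
```

Run as a script it prints each decoded packet; the AT_RAND list of the SIM-Challenge is exactly the three RANDs the log prints under GSM vector[0..2], and the reject is an EAP Failure (code 4) with no body, matching "Sending EAP Failure (code 4) ID 221 length 4". A truncated packet or a zero attribute length is refused rather than parsed, which is the check any code that consumes EAP-Message from a NAS should make before trusting the fields.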