Need help with EAP AKA Fast reauth
deepika parmar
parmardeepika9 at gmail.com
Fri May 5 04:58:23 UTC 2023
Hello,
I have configured *EAP-AKA virtual-server in FreeRADIUS to
perform authentication. *
*I could successfully authenticate the Users, However facing an issue
with fast reauth.*
*I have used eap cache to store the session state. I could load the
session state properly *
*On receiving a fast reauth ID. Still reauth is not continued, rather
it fails saying *
*can't calculate re-auth keys and falling back to full auth.*
I could see following logs :
..
Debug : (2) eap - Peer sent EAP-Identity. Returning 'ok' so we can
short-circuit the rest of authorize
Debug : (2) eap - Setting &control.Auth-Type = eap
Debug : (2) eap (ok)
Debug : (2) } # recv Access-Request (ok)
Debug : (2) default - Running 'authenticate eap' from file
/usr/local/etc/raddb/sites-enabled/default
Debug : (2) default - authenticate eap {
Debug : (2) eap - New EAP session started
Debug : (2) eap - Peer sent packet with EAP method Identity (1)
Debug : (2) eap - Calling submodule eap_aka
Debug : (2) eap - subrequest {
Debug : (2.0) h9-auth-server - recv Identity-Response {
Debug : (2.0) h9-auth-server - ok (ok)
Debug : (2.0) h9-auth-server - } # recv Identity-Response (ok)
Debug : (2.0) h9-auth-server - New EAP-AKA session
Debug : (2.0) h9-auth-server - Changed state INIT -> REAUTHENTICATION
Debug : (2.0) h9-auth-server - load session {
Debug : (2.0) eap_aka_cache - | eap-aka-sim.Session-ID
Debug : (2.0) eap_aka_cache - | %{eap-aka-sim.Session-ID}
Debug : (2.0) eap_aka_cache - | --> 0x346844533743546c516f736a376d62
Debug : (2.0) eap_aka_cache - --> 0x346844533743546c516f736a376d62
Debug : (2.0) eap_aka_cache - Found entry for
"0x346844533743546c516f736a376d62"
Debug : (2.0) eap_aka_cache - Merging cache entry into request
Debug : (2.0) eap_aka_cache - &session-State[0].Permanent-Identity
:= '10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org'
Debug : (2.0) eap_aka_cache - &session-State[0].Session-Data :=
0xab32a5be4d8309d4a40938e425ef1714d71cf87a
Debug : (2.0) eap_aka_cache - &session-State[0].Encr-Data.Counter :=
0
Debug : (2.0) h9-auth-server - eap_aka_cache (updated)
Debug : (2.0) h9-auth-server - ok (ok)
Debug : (2.0) h9-auth-server - } # load session (updated)
Debug : (2.0) h9-auth-server - send Reauthentication-Request {
Debug : (2.0) h9-auth-server - &reply.Encr-Data.Next-Reauth-Id :=
Debug : (2.0) h9-auth-server - &reply.Encr-Data.Next-Pseudonym :=
Debug : (2.0) h9-auth-server - | debug_attr
INFO : (2.0) h9-auth-server - Attributes matching "&session-state"
INFO : (2.0) h9-auth-server - &session-State.session-State = {
INFO : (2.0) h9-auth-server - Permanent-Identity =
10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
INFO : (2.0) h9-auth-server - Session-Data =
0xab32a5be4d8309d4a40938e425ef1714d71cf87a
INFO : (2.0) h9-auth-server - Counter = 0
INFO : (2.0) h9-auth-server - }
Debug : (2.0) h9-auth-server - | %(debug_attr:{&session-state})
Debug : (2.0) h9-auth-server - | --> (null)
Debug : (2.0) h9-auth-server - ok (ok)
Debug : (2.0) h9-auth-server - } # send Reauthentication-Request (ok)
Debug : (2.0) h9-auth-server - Generating new session keys
Debug : (2.0) h9-auth-server - Neither &session-state.Session-Data or
&session-state.MK attributes found, can't calculate re-auth keys
>>>>>>>>>>>>>>>>>>>>> Getting this error, however I could see session-state
has Session-Data loaded.
Debug : (2.0) h9-auth-server - Composing EAP-Request/Reauthentication
failed. Clearing reply attributes and requesting additional Identity
Debug : (2.0) h9-auth-server - Changed state REAUTHENTICATION ->
AKA-IDENTITY
Debug : (2.0) h9-auth-server - send Identity-Request {
Debug : (2.0) h9-auth-server - ok (ok)
Debug : (2.0) h9-auth-server - } # send Identity-Request (ok)
And then it falls back to full authentication...
Summary of my setup:
* FreeRadius version4 - Configured, compiled and installed from
master Branch
* wpa_supplicant version 2.10
* Ubuntu 20.04 LTS
Any help would be greatly appreciated. Thank you in advance.
Thanks,
Deepika
More information about the Freeradius-Users
mailing list