EAP Fast Reauth fails

deepika parmar parmardeepika9 at gmail.com
Mon May 27 06:15:27 UTC 2024


Hello,

I have configured an EAP-AKA virtual server in FreeRADIUS to perform
authentication. I have enabled the EAP cache so that fast reauth will work
and session data will be stored in the cache. However, during store session
I could not restore Counter and hence reauth fails.


Logs are:
Debug : (0.0)      h9-auth-server - store session {
Debug : (0.0)        h9-auth-server - | debug_attr
INFO  : (0.0)          h9-auth-server - Attributes matching "&session-state"
INFO  : (0.0)            h9-auth-server - &session-State.session-State = {
INFO  : (0.0)              h9-auth-server - Permanent-Identity =
10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
INFO  : (0.0)              h9-auth-server - SIM-Ki =
0x465b5ce8b199b49faa5f0a2ee238a6bc
INFO  : (0.0)              h9-auth-server - SIM-OPc =
0xcd63cb71954a9f4e48a5994e37a02baf
INFO  : (0.0)              h9-auth-server - SIM-SQN = 528
INFO  : (0.0)              h9-auth-server - Identity =
27CL9C1yARfBU1l at wlan.mnc11343.mcc0.3gppnetwork.org
INFO  : (0.0)              h9-auth-server - Session-Data =
0xd9407284e28f09c788dd047dbd2350adcf91a5ef
INFO  : (0.0)              h9-auth-server - Counter = 0
 >>>>>>>>>>>>>>>>> Counter is available here....>>>>>>
INFO  : (0.0)            h9-auth-server - }
Debug : (0.0)        h9-auth-server - | eap-aka-sim.Session-ID
Debug : (0.0)          h9-auth-server - | %{eap-aka-sim.Session-ID}
Debug : (0.0)          h9-auth-server - | -->
0x34374631353345367a547775664157
Debug : (0.0)        eap_aka_cache - No cache entry found for
"47F153E6zTwufAW"
Debug : (0.0)        eap_aka_cache - Creating new cache entry
Debug : (0.0)          eap_aka_cache - &session-State.Session-Data :=
&session-State.Session-Data -> 0xd9407284e28f09c788dd047dbd2350adcf91a5ef
Debug : (0.0)        eap_aka_cache - EXPAND
%{session-state.Permanent-Identity}
Debug : (0.0)          eap_aka_cache - | session-state.Permanent-Identity
Debug : (0.0)            eap_aka_cache - |
%{session-state.Permanent-Identity}
Debug : (0.0)            eap_aka_cache - | -->
10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
Debug : (0.0)        eap_aka_cache - -->
10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
Debug : (0.0)          eap_aka_cache - &session-State.Permanent-Identity :=
"10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org"
Debug : (0.0)        eap_aka_cache - EXPAND
%{session-state.Encr-Data.Counter}
Debug : (0.0)          eap_aka_cache - | session-state.Encr-Data.Counter
Debug : (0.0)            eap_aka_cache - |
%{session-state.Encr-Data.Counter}
Debug : (0.0)            eap_aka_cache - (null)
Debug : (0.0)        eap_aka_cache - -->
Debug : (0.0)        eap_aka_cache - Skipping
%{session-state.Encr-Data.Counter}
Debug : (0.0)        eap_aka_cache - Committed entry, TTL 150 seconds
Debug : (0.0)        h9-auth-server - eap_aka_cache (updated)


The session is stored in the EAP cache; however, it could not store Counter,
as its value is nil in Encr-Data and direct access to Counter in
session-state is failing.

During the reauth request, it could fetch the session from the cache, but as
Counter is not there, fast reauth is failing...
Debug : (2.0)      h9-auth-server - New EAP-AKA session
Debug : (2.0)      h9-auth-server - Changed state INIT -> REAUTHENTICATION
Debug : (2.0)      h9-auth-server - load session {
Debug : (2.0)        h9-auth-server - | eap-aka-sim.Session-ID
Debug : (2.0)          h9-auth-server - | %{eap-aka-sim.Session-ID}
Debug : (2.0)          h9-auth-server - | -->
0x34374631353345367a547775664157
Debug : (2.0)        eap_aka_cache - Found entry for "47F153E6zTwufAW"
Debug : (2.0)        eap_aka_cache - Merging cache entry into request
Debug : (2.0)          eap_aka_cache - &session-State.Session-Data :=
0xd9407284e28f09c788dd047dbd2350adcf91a5ef
Debug : (2.0)          eap_aka_cache - &session-State.Permanent-Identity :=
'10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org'
Debug : (2.0)        h9-auth-server - eap_aka_cache (updated)
Debug : (2.0)        h9-auth-server - ok (ok)
Debug : (2.0)        h9-auth-server - | debug_attr
INFO  : (2.0)          h9-auth-server - Attributes matching "&session-state"
INFO  : (2.0)            h9-auth-server - &session-State.session-State = {
INFO  : (2.0)              h9-auth-server - Session-Data =
0xd9407284e28f09c788dd047dbd2350adcf91a5ef
INFO  : (2.0)              h9-auth-server - Permanent-Identity =
10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
INFO  : (2.0)            h9-auth-server - }
Debug : (2.0)        h9-auth-server - | %debug_attr({&session-state})

Debug : (2.0)      h9-auth-server - } # send Reauthentication-Request (ok)
Debug : (2.0)      h9-auth-server - Generating new session keys
Debug : (2.0)      h9-auth-server - No &session-state.Counter attribute
found, can't calculate re-auth keys
Debug : (2.0)      h9-auth-server - Composing EAP-Request/Reauthentication
failed.  Clearing reply attributes and requesting additional Identity
Debug : (2.0)      h9-auth-server - Changed state REAUTHENTICATION ->
AKA-IDENTITY
Debug : (2.0)      h9-auth-server - send Identity-Request {


Store session setting in virtual server:

        store session {
                "%(debug_attr:&session-state)"

                eap_aka_cache

                "%(debug_attr:&session-state)"
                ok
        }

Currently my eap_cache is:

cache eap_aka_cache {
        #
        #  key:: Cache key.
        #
        key = "%{eap-aka-sim.Session-ID}"

        #
        #  ttl:: TTL for cache entries.
        #
        ttl = 150
        #
        #  update <section> { ... }::
        #
        update session-state {
                &session-state.Session-Data := &session-state.Session-Data

                &Permanent-Identity := "%{session-state.Permanent-Identity}"
                &Encr-Data.Counter := "%{session-state.Encr-Data.Counter}"
        }
}


If I add access to Counter, it fails as follows:
 &session-state.Counter  := &session-state.Counter


Debug : Compiling policies in - store session {...}
Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]: Failed parsing
attribute reference &session-state.Counter - Unresolved attributes are not
allowed here
Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]:
&session-state.Counter
Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]:                 ^
Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]: Failed creating
map from '&session-state.Counter = &session-state.Counter'
Error : /usr/local/etc/raddb/mods-enabled/eap-cache[1]: Failed parsing
configuration section update
Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1006]: Invalid
keyword "eap_aka_cache".

Am I missing any configuration? Can anyone help?


Summary of my setup:

  *   FreeRADIUS version 4 - configured, compiled and installed from the
master branch synced on 10th May 2024.

  *   wpa_supplicant version 2.10

  *   Ubuntu 20.04 LTS

Thanks,

Deepika
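
An added example, not part of the original post and not FreeRADIUS code: a small Python triage script for debug output in the format shown above. It re-joins mail-wrapped lines, then reports cache-map expansions that were skipped while an attribute with the same leaf name appears at the top level of the session-state dump. The sample log is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the debug format shown above (made-up values, wrapped lines kept).
SAMPLE = """\
INFO  : (0.0)            h9-auth-server - &session-State.session-State = {
INFO  : (0.0)              h9-auth-server - Permanent-Identity =
user at example.org
INFO  : (0.0)              h9-auth-server - Counter = 0
INFO  : (0.0)            h9-auth-server - }
Debug : (0.0)        eap_aka_cache - EXPAND
%{session-state.Encr-Data.Counter}
Debug : (0.0)        eap_aka_cache - Skipping
%{session-state.Encr-Data.Counter}
"""

PREFIX = re.compile(r"^(Debug|INFO|Error)\s*: ")         # start of a real log line
HEADER = re.compile(r"^\S+\s*: \(\d+\.\d+\)\s+\S+ - ")   # level, request id, module

def unwrap(text):  # re-join wrapped continuation lines onto their log line
    out = []
    for line in text.splitlines():
        if PREFIX.match(line) or not out:
            out.append(line.rstrip())
        elif line.strip():
            out[-1] += " " + line.strip()
    return out

def analyse(text):  # -> (attributes in the session-state dump, paths the cache skipped)
    dumped, skipped, in_dump = set(), [], False
    for line in unwrap(text):
        msg = HEADER.sub("", line)
        if re.match(r"&session-State\.\S+ = \{$", msg):
            in_dump = True
        elif msg == "}":
            in_dump = False
        elif in_dump and (m := re.match(r"([\w-]+) = ", msg)):
            dumped.add(m.group(1))
        elif m := re.match(r"Skipping %\{session-state\.([\w.-]+)\}", msg):
            skipped.append(m.group(1))
    return dumped, skipped

def mismatches(text):  # skipped nested paths whose leaf is a top-level dumped attribute
    dumped, skipped = analyse(text)
    return [(p, p.rsplit(".", 1)[-1]) for p in skipped
            if "." in p and p.rsplit(".", 1)[-1] in dumped]

if __name__ == "__main__":
    for path, leaf in mismatches(SAMPLE):
        print(f"cache reads session-state.{path}; dump has session-state.{leaf}")
```

Debug output of this kind carries subscriber key material (SIM-Ki, SIM-OPc), so run such triage locally and redact those attributes before sharing a log.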

