EAP Fast Reauth fails

deepika parmar parmardeepika9 at gmail.com
Fri May 31 08:08:50 UTC 2024


Thanks for the reply.
EAP-AKA authentication is working on the latest master branch.
I'm using updated syntax for debug statements, but I accidentally sent the
old statement.

As suggested, I tried adding Tmp-Group-0 attribute to store the Counter,
however it's failing while starting the freeradius.

        store session {
                "%debug_attr(&session-state)"
                &session-state.Tmp-Group-0 := {
                        &Counter = &Counter
                }
                eap_aka_cache
                ok
        }

Error is:
Debug : Compiling policies in - send EAP-Success {...}
Debug : Compiling policies in - store session {...}
Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1008]: Failed
parsing attribute reference &Counter - Unresolved attributes are not
allowed here
Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1008]: &Counter
Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1008]:   ^
Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1008]: Failed
creating map from '&Counter = &Counter'

Even printing session-state.Counter with
"%debug_attr(&session-state.Counter)" fails...

Debug : Compiling policies in - store session {...}
Error : /usr/local/etc/raddb/mods-enabled/eap-cache[18]: Failed parsing
attribute reference &session-state.Counter - Unresolved attributes are not
allowed here
Error : /usr/local/etc/raddb/mods-enabled/eap-cache[18]:
&session-state.Counter
Error : /usr/local/etc/raddb/mods-enabled/eap-cache[18]:                 ^
Error : /usr/local/etc/raddb/mods-enabled/eap-cache[18]: Failed creating
map from '&session-state.Counter = &session-state.Counter'
Error : /usr/local/etc/raddb/mods-enabled/eap-cache[1]: Failed parsing
configuration section update
Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1013]: Invalid
keyword "eap_aka_cache".

Thanks,
Deepika

On May 27, 2024, at 2:15 AM, deepika parmar <parmardeepika9 at gmail.com> wrote:
> I have configured EAP-AKA virtual-server in FreeRADIUS to
> perform authentication. I have enabled eap cache so that fast reauth will
> work and
> session data will be stored in cache. However during store session I could
> not restore Counter and hence reauth fails.

  This is for v4, which is still not quite done.  If it works, great.
If not, please submit patches.

> Logs are:
> Debug : (0.0)      h9-auth-server - store session {
> Debug : (0.0)        h9-auth-server - | debug_attr

  What's wrong with "radiusd -X" as recommended by all

> Store session setting in virtual server:
>
>         store session {
>                 "%(debug_attr:&session-state)"

  You should use a more recent version of v4.  The function syntax has
changed to make more sense, and we've fixed a number of other issues,

  Or at least update the configuration to use the new syntax.  At some
point the old syntax will cause errors.

> If I add accessing Counter, it fails as follows:
>  &session-state.Counter  := &session-state.Counter
>
> Debug : Compiling policies in - store session {...}
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]: Failed parsing
> attribute reference &session-state.Counter - Unresolved attributes are not
> allowed here

  When the module is bootstrapped, it doesn't know that it's supposed
to be used in EAP-AKA.  So it can't find the "Counter" attribute.
This is an issue we're fixing.

  An alternative is to edit the EAP-AKA virtual server to copy the
necessary attributes to a group:

	&session-state.Tmp-Group-0 := {
		&Counter = &Counter
		...
	}

	eap_cache
	...

  Then update the "eap_cache" module to save the Tmp-Group-0 attribute.

  And also copy the Counter attributes (etc.) back to their correct
place after the eap_cache module restores the cached Tmp-Group-0

  Alan DeKok.


On Mon, May 27, 2024 at 11:45 AM deepika parmar <parmardeepika9 at gmail.com>
wrote:

> Hello,
>
>         I have configured EAP-AKA virtual-server in FreeRADIUS to
> perform authentication. I have enabled eap cache so that fast reauth will
> work and
> session data will be stored in cache. However during store session I could
> not restore Counter and hence reauth fails.
>
>
> Logs are:
> Debug : (0.0)      h9-auth-server - store session {
> Debug : (0.0)        h9-auth-server - | debug_attr
> INFO  : (0.0)          h9-auth-server - Attributes matching
> "&session-state"
> INFO  : (0.0)            h9-auth-server - &session-State.session-State = {
> INFO  : (0.0)              h9-auth-server - Permanent-Identity =
> 10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
> INFO  : (0.0)              h9-auth-server - SIM-Ki =
> 0x465b5ce8b199b49faa5f0a2ee238a6bc
> INFO  : (0.0)              h9-auth-server - SIM-OPc =
> 0xcd63cb71954a9f4e48a5994e37a02baf
> INFO  : (0.0)              h9-auth-server - SIM-SQN = 528
> INFO  : (0.0)              h9-auth-server - Identity =
> 27CL9C1yARfBU1l at wlan.mnc11343.mcc0.3gppnetwork.org
> INFO  : (0.0)              h9-auth-server - Session-Data =
> 0xd9407284e28f09c788dd047dbd2350adcf91a5ef
> INFO  : (0.0)              h9-auth-server - Counter = 0
>  >>>>>>>>>>>>>>>>> Counter is available here....>>>>>>
> INFO  : (0.0)            h9-auth-server - }
> Debug : (0.0)        h9-auth-server - | eap-aka-sim.Session-ID
> Debug : (0.0)          h9-auth-server - | %{eap-aka-sim.Session-ID}
> Debug : (0.0)          h9-auth-server - | -->
> 0x34374631353345367a547775664157
> Debug : (0.0)        eap_aka_cache - No cache entry found for
> "47F153E6zTwufAW"
> Debug : (0.0)        eap_aka_cache - Creating new cache entry
> Debug : (0.0)          eap_aka_cache - &session-State.Session-Data :=
> &session-State.Session-Data -> 0xd9407284e28f09c788dd047dbd2350adcf91a5ef
> Debug : (0.0)        eap_aka_cache - EXPAND
> %{session-state.Permanent-Identity}
> Debug : (0.0)          eap_aka_cache - | session-state.Permanent-Identity
> Debug : (0.0)            eap_aka_cache - |
> %{session-state.Permanent-Identity}
> Debug : (0.0)            eap_aka_cache - | -->
> 10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
> Debug : (0.0)        eap_aka_cache - -->
> 10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
> Debug : (0.0)          eap_aka_cache - &session-State.Permanent-Identity
> := "10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org"
> Debug : (0.0)        eap_aka_cache - EXPAND
> %{session-state.Encr-Data.Counter}
> Debug : (0.0)          eap_aka_cache - | session-state.Encr-Data.Counter
> Debug : (0.0)            eap_aka_cache - |
> %{session-state.Encr-Data.Counter}
> Debug : (0.0)            eap_aka_cache - (null)
> Debug : (0.0)        eap_aka_cache - -->
> Debug : (0.0)        eap_aka_cache - Skipping
> %{session-state.Encr-Data.Counter}
> Debug : (0.0)        eap_aka_cache - Committed entry, TTL 150 seconds
> Debug : (0.0)        h9-auth-server - eap_aka_cache (updated)
>
>
> Session is stored in eap cache however it could not store Counter as its
> value is nil in Encr-Data and direct access to Counter in session-state is
> failing.
>
> During Reauth request, it could fetch the session from the cache but as
> Counter is not there, fast reauth is failing...
> Debug : (2.0)      h9-auth-server - New EAP-AKA session
> Debug : (2.0)      h9-auth-server - Changed state INIT -> REAUTHENTICATION
> Debug : (2.0)      h9-auth-server - load session {
> Debug : (2.0)        h9-auth-server - | eap-aka-sim.Session-ID
> Debug : (2.0)          h9-auth-server - | %{eap-aka-sim.Session-ID}
> Debug : (2.0)          h9-auth-server - | -->
> 0x34374631353345367a547775664157
> Debug : (2.0)        eap_aka_cache - Found entry for "47F153E6zTwufAW"
> Debug : (2.0)        eap_aka_cache - Merging cache entry into request
> Debug : (2.0)          eap_aka_cache - &session-State.Session-Data :=
> 0xd9407284e28f09c788dd047dbd2350adcf91a5ef
> Debug : (2.0)          eap_aka_cache - &session-State.Permanent-Identity
> := '10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org'
> Debug : (2.0)        h9-auth-server - eap_aka_cache (updated)
> Debug : (2.0)        h9-auth-server - ok (ok)
> Debug : (2.0)        h9-auth-server - | debug_attr
> INFO  : (2.0)          h9-auth-server - Attributes matching
> "&session-state"
> INFO  : (2.0)            h9-auth-server - &session-State.session-State = {
> INFO  : (2.0)              h9-auth-server - Session-Data =
> 0xd9407284e28f09c788dd047dbd2350adcf91a5ef
> INFO  : (2.0)              h9-auth-server - Permanent-Identity =
> 10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
> INFO  : (2.0)            h9-auth-server - }
> Debug : (2.0)        h9-auth-server - | %debug_attr({&session-state})
>
> Debug : (2.0)      h9-auth-server - } # send Reauthentication-Request (ok)
> Debug : (2.0)      h9-auth-server - Generating new session keys
> Debug : (2.0)      h9-auth-server - No &session-state.Counter attribute
> found, can't calculate re-auth keys
> Debug : (2.0)      h9-auth-server - Composing EAP-Request/Reauthentication
> failed.  Clearing reply attributes and requesting additional Identity
> Debug : (2.0)      h9-auth-server - Changed state REAUTHENTICATION ->
> AKA-IDENTITY
> Debug : (2.0)      h9-auth-server - send Identity-Request {
>
>
> Store session setting in virtual server:
>
>         store session {
>                 "%(debug_attr:&session-state)"
>
>                 eap_aka_cache
>
>                 "%(debug_attr:&session-state)"
>                 ok
>         }
> Currently my eap_cache is
> cache eap_aka_cache {
>         #
>         #  key:: Cache key.
>         #
>         key = "%{eap-aka-sim.Session-ID}"
>
>         #
>         #  ttl:: TTL for cache entries.
>         #
>         ttl = 150
>         #
>         #  update <section> { ... }::
>         #
>         update session-state {
>                 &session-state.Session-Data             :=
> &session-state.Session-Data
>
>                 &Permanent-Identity :=
> "%{session-state.Permanent-Identity}"
>                 &Encr-Data.Counter      :=
> "%{session-state.Encr-Data.Counter}"
>         }
> }
>
>
> If I add accessing Counter, it fails as follows:
>  &session-state.Counter  := &session-state.Counter
>
>
> Debug : Compiling policies in - store session {...}
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]: Failed parsing
> attribute reference &session-state.Counter - Unresolved attributes are not
> allowed here
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]:
> &session-state.Counter
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]:                 ^
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]: Failed creating
> map from '&session-state.Counter = &session-state.Counter'
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[1]: Failed parsing
> configuration section update
> Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1006]: Invalid
> keyword "eap_aka_cache".
>
> Am I missing any configuration? Can anyone help?
>
>
> Summary of my setup:
>
>   *   FreeRadius version4 -  Configured, compiled and installed from
> master Branch synced on 10th May 2024.
>
>   *   wpa_supplicant version 2.10
>
>   *   Ubuntu 20.04 LTS
>
> Thanks,
>
> Deepika
>
>
>
>
>
>
>
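
Background for the "can't calculate re-auth keys" message in the logs above, as an added example that is not part of the thread and not FreeRADIUS code: RFC 4187 section 7 seeds the fast re-authentication keys with XKEY' = SHA1(Identity | counter | NONCE_S | MK), so a cache entry restored without the counter cannot produce them. The dict layout, the function names and all sample values are constructed for illustration.

```python
import hashlib
import struct


def reauth_seed(identity: bytes, counter: int, nonce_s: bytes, mk: bytes) -> bytes:
    """XKEY' = SHA1(Identity | counter | NONCE_S | MK) per RFC 4187 section 7."""
    if not 0 <= counter <= 0xFFFF:
        raise ValueError("counter is a 16-bit unsigned value")
    if len(nonce_s) != 16:
        raise ValueError("NONCE_S must be 16 bytes")
    if len(mk) != 20:
        raise ValueError("MK must be 20 bytes (SHA-1 output)")
    # The counter goes in network byte order, with no length prefix or separator.
    return hashlib.sha1(identity + struct.pack("!H", counter) + nonce_s + mk).digest()


def seed_from_cache(entry: dict, identity: bytes, nonce_s: bytes) -> bytes:
    """Derive XKEY' from a restored cache entry (hypothetical layout).

    Raises LookupError when the entry cannot support fast re-authentication,
    in which case the server has to fall back to full authentication.
    """
    missing = [name for name in ("mk", "counter") if name not in entry]
    if missing:
        raise LookupError("cache entry lacks " + ", ".join(missing))
    return reauth_seed(identity, entry["counter"], nonce_s, entry["mk"])


# Constructed sample values, not taken from the thread.
SAMPLE_IDENTITY = b"4reauth-id@wlan.example.org"
SAMPLE_NONCE_S = bytes(range(16))
SAMPLE_MK = bytes.fromhex("00112233445566778899aabbccddeeff01234567")

if __name__ == "__main__":
    complete = {"mk": SAMPLE_MK, "counter": 1}
    print(seed_from_cache(complete, SAMPLE_IDENTITY, SAMPLE_NONCE_S).hex())
    try:
        # Same entry as restored in the thread's logs: key material but no counter.
        seed_from_cache({"mk": SAMPLE_MK}, SAMPLE_IDENTITY, SAMPLE_NONCE_S)
    except LookupError as exc:
        print("fast re-auth not possible:", exc)
```

Because the counter is hashed into the seed, each successful fast re-authentication yields fresh session keys from the same MK, which is why the value has to survive the cache round trip together with the key material.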

