Hi,

On 2012-09-11 4:05 PM, Phil Mayers wrote:
> On 09/11/2012 07:49 PM, Francois Gaudreault wrote:
>> Hi,
>>
>> I am playing with EAP-SIM on 2.2.0, but I am facing an issue I cannot
>> even understand :S  Not because I don't want to, but the error messages
>> are not talking much.
>>
>> I did compute SRES/Kc for my SIM, but after the third triplet, I just
>> have:
>
> Don't trim the debug. Critical info is higher up - like the actual
> radius packet!

I always trim it the first time, I don't want to spam the planet in case the issue is simple :) Here is the entire debug (with my IMSI trimmed):

rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=15, length=298
        User-Name = "i...@wlan.mnc720.mcc302.3gppnetwork.org"
        Calling-Station-Id = "5C-59-48-ED-C4-96"
        NAS-IP-Address = 10.0.0.24
        NAS-Port = 1
        Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "50-A7-33-31-CF-B8"
        Connect-Info = "CONNECT 802.11g"
        EAP-Message = 0x02000038013133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267
        Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
        Message-Authenticator = 0x8a5c5a80c992696a2eb8b097b865b86f
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "i...@wlan.mnc720.mcc302.3gppnetwork.org"
[suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org"
++[suffix] returns noop
++[preprocess] returns ok
rlm_sim_files: authorized user/imsi i...@wlan.mnc720.mcc302.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair Message-Authenticator = 0x8a5c5a80c992696a2eb8b097b865b86f
rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
rlm_perl: Added pair User-Name = i...@wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 0x02000038013133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f7267
rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0xff626ed6104164234aabebecafecafe3
rlm_perl: Added pair EAP-Sim-Rand2 = 0x771634015641aabcd4e5a2a3ab521242
rlm_perl: Added pair EAP-Sim-SRES1 = 0xa0a116fe
rlm_perl: Added pair EAP-Sim-SRES2 = 0xc891c365
rlm_perl: Added pair EAP-Sim-KC1 = 0x603c63ecd59340cb
rlm_perl: Added pair EAP-Sim-Rand1 = 0xab521824610aca27814bbde2810347a1
rlm_perl: Added pair EAP-Sim-KC3 = 0xa62f0f3aca277041
rlm_perl: Added pair EAP-Sim-KC2 = 0xbdaf3f47b1fc2520
rlm_perl: Added pair EAP-Sim-SRES3 = 0x6daeb494
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 246
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 15 to 10.0.0.24 port 1051
        EAP-Message = 0x01f60014120a00000f0200020001000011010100
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8c646e1d8c927cd94949c1e5aaf22aa6
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=16, length=348
        User-Name = "i...@wlan.mnc720.mcc302.3gppnetwork.org"
        Calling-Station-Id = "5C-59-48-ED-C4-96"
        NAS-IP-Address = 10.0.0.24
        NAS-Port = 1
        Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "50-A7-33-31-CF-B8"
        Connect-Info = "CONNECT 802.11g"
        EAP-Message = 0x02f60058120a00000e0e00333133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500007ae3c3b294faa5fac85c9cdc58737c87
        State = 0x8c646e1d8c927cd94949c1e5aaf22aa6
        Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
        Message-Authenticator = 0x88694e884a0ddf10baa7b004fb336f9a
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "i...@wlan.mnc720.mcc302.3gppnetwork.org"
[suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org"
++[suffix] returns noop
++[preprocess] returns ok
rlm_sim_files: authorized user/imsi i...@wlan.mnc720.mcc302.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 246 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair State = 0x8c646e1d8c927cd94949c1e5aaf22aa6
rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair Message-Authenticator = 0x88694e884a0ddf10baa7b004fb336f9a
rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
rlm_perl: Added pair User-Name = i...@wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 0x02f60058120a00000e0e00333133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500007ae3c3b294faa5fac85c9cdc58737c87
rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair EAP-Type = SIM
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0xff626ed6104164234aabebecafecafe3
rlm_perl: Added pair EAP-Sim-Rand2 = 0x771634015641aabcd4e5a2a3ab521242
rlm_perl: Added pair EAP-Sim-SRES1 = 0xa0a116fe
rlm_perl: Added pair EAP-Sim-SRES2 = 0xc891c365
rlm_perl: Added pair EAP-Sim-KC1 = 0x603c63ecd59340cb
rlm_perl: Added pair EAP-Sim-Rand1 = 0xab521824610aca27814bbde2810347a1
rlm_perl: Added pair EAP-Sim-KC3 = 0xa62f0f3aca277041
rlm_perl: Added pair EAP-Sim-KC2 = 0xbdaf3f47b1fc2520
rlm_perl: Added pair EAP-Sim-SRES3 = 0x6daeb494
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        State = 0x8c646e1d8c927cd94949c1e5aaf22aa6
        Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
        Calling-Station-Id = "5C-59-48-ED-C4-96"
        Message-Authenticator = 0x88694e884a0ddf10baa7b004fb336f9a
        Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
        User-Name = "i...@wlan.mnc720.mcc302.3gppnetwork.org"
        NAS-Identifier = "50-A7-33-31-CF-B8"
        EAP-Message = 0x02f60058120a00000e0e00333133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f72670010010001070500007ae3c3b294faa5fac85c9cdc58737c87
        Connect-Info = "CONNECT 802.11g"
        EAP-Type = SIM
        NAS-IP-Address = 10.0.0.24
        NAS-Port = 1
        Framed-MTU = 1400
        EAP-Sim-Subtype = Start
        EAP-Sim-IDENTITY = 0x00333133303237323034303434313338393040776c616e2e6d6e633732302e6d63633330322e336770706e6574776f726b2e6f726700
        EAP-Sim-SELECTED_VERSION = 0x0001
        EAP-Sim-NONCE_MT = 0x00007ae3c3b294faa5fac85c9cdc58737c87
[eap] Underlying EAP-Type set EAP ID to 247
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 16 to 10.0.0.24 port 1051
        EAP-Message = 0x01f70050120b0000010d0000ab521824610aca27814bbde2810347a1771634015641aabcd4e5a2a3ab521242ff626ed6104164234aabebecafecafe30b0500002df305602586daa58dd2298a30c3716f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8c646e1d8d937cd94949c1e5aaf22aa6
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=17, length=272
        User-Name = "im...@wlan.mnc720.mcc302.3gppnetwork.org"
        Calling-Station-Id = "5C-59-48-ED-C4-96"
        NAS-IP-Address = 10.0.0.24
        NAS-Port = 1
        Called-Station-Id = "50-A7-33-31-CF-B8:PacketFence-Ruckus"
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "50-A7-33-31-CF-B8"
        Connect-Info = "CONNECT 802.11g"
        EAP-Message = 0x02f7000c120e000016010000
        State = 0x8c646e1d8d937cd94949c1e5aaf22aa6
        Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
        Message-Authenticator = 0x047a99ca66948ebc4867a1fba43ac0ad
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "wlan.mnc720.mcc302.3gppnetwork.org" for User-Name = "i...@wlan.mnc720.mcc302.3gppnetwork.org"
[suffix] No such realm "wlan.mnc720.mcc302.3gppnetwork.org"
++[suffix] returns noop
++[preprocess] returns ok
rlm_sim_files: authorized user/imsi i...@wlan.mnc720.mcc302.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 247 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair State = 0x8c646e1d8d937cd94949c1e5aaf22aa6
rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair Message-Authenticator = 0x047a99ca66948ebc4867a1fba43ac0ad
rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
rlm_perl: Added pair User-Name = i...@wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 0x02f7000c120e000016010000
rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair EAP-Type = SIM
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0xff626ed6104164234aabebecafecafe3
rlm_perl: Added pair EAP-Sim-Rand2 = 0x771634015641aabcd4e5a2a3ab521242
rlm_perl: Added pair EAP-Sim-SRES1 = 0xa0a116fe
rlm_perl: Added pair EAP-Sim-SRES2 = 0xc891c365
rlm_perl: Added pair EAP-Sim-KC1 = 0x603c63ecd59340cb
rlm_perl: Added pair EAP-Sim-Rand1 = 0xab521824610aca27814bbde2810347a1
rlm_perl: Added pair EAP-Sim-KC3 = 0xa62f0f3aca277041
rlm_perl: Added pair EAP-Sim-KC2 = 0xbdaf3f47b1fc2520
rlm_perl: Added pair EAP-Sim-SRES3 = 0x6daeb494
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
[eap] Handler failed in EAP/sim
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server packetfence
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> i...@wlan.mnc720.mcc302.3gppnetwork.org
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 17 to 10.0.0.24 port 1051
        EAP-Message = 0x04f70004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.9 seconds.

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)