Re: eap sim authorization problem

[raptor raptor]

Hi IIiya,
thanx for your quick response

here is my log debug

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=0,
length=215

            User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
"

            NAS-IP-Address = 192.168.2.1

            Called-Station-Id = "48f8b315461a"

            Calling-Station-Id = "1814563e5189"

            NAS-Identifier = "48f8b315461a"

            NAS-Port = 38

            Framed-MTU = 1400

            NAS-Port-Type = Wireless-802.11

            EAP-Message =
0x02000038013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267

            Message-Authenticator = 0x1e692ae9b93631a0f54bda0997d713f2

# Executing section authorize from file
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for
User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org"

[suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org"

++[suffix] returns noop

rlm_sim_files: authorized user/imsi
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org

rlm_sim_files: Adding EAP-Type: eap-sim

++[sim_files] returns ok

[eap] EAP packet type response id 0 length 56

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

[files] users: Matched entry
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1

++[files] returns ok

++[sql] returns notfound

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] EAP Identity

[eap] processing type sim

[eap] Underlying EAP-Type set EAP ID to 116

++[eap] returns handled

Sending Access-Challenge of id 0 to 192.168.2.1 port 2048

            EAP-Message = 0x01740014120a00000f0200020001000011010100

            Message-Authenticator = 0x00000000000000000000000000000000

            State = 0x2e42338f2e362191820b0799859172e9

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=0,
length=265

Cleaning up request 0 ID 0 with timestamp +10

            User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
"

            NAS-IP-Address = 192.168.2.1

            Called-Station-Id = "48f8b315461a"

            Calling-Station-Id = "1814563e5189"

            NAS-Identifier = "48f8b315461a"

            NAS-Port = 38

            Framed-MTU = 1400

            State = 0x2e42338f2e362191820b0799859172e9

            NAS-Port-Type = Wireless-802.11

            EAP-Message =
0x02740058120a000007050000c857b63e06e1bb7341a729ea36de8804100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700

            Message-Authenticator = 0x4228372d93c4496516a4c62a6b0d1f84

# Executing section authorize from file
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for
User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org"

[suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org"

++[suffix] returns noop

rlm_sim_files: authorized user/imsi
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org

rlm_sim_files: Adding EAP-Type: eap-sim

++[sim_files] returns ok

[eap] EAP packet type response id 116 length 88

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

[files] users: Matched entry
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1

++[files] returns ok

 [sql] User 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org not found

++[sql] returns notfound

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/sim

[eap] processing type sim

+++> EAP-sim decoded packet:

            User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
"

            NAS-IP-Address = 192.168.2.1

            Called-Station-Id = "48f8b315461a"

            Calling-Station-Id = "1814563e5189"

            NAS-Identifier = "48f8b315461a"

            NAS-Port = 38

            Framed-MTU = 1400

            State = 0x2e42338f2e362191820b0799859172e9

            NAS-Port-Type = Wireless-802.11

            EAP-Message =
0x02740058120a000007050000c857b63e06e1bb7341a729ea36de8804100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700

            Message-Authenticator = 0x4228372d93c4496516a4c62a6b0d1f84

            EAP-Type = SIM

            EAP-Sim-Subtype = Start

            EAP-Sim-NONCE_MT = 0x0000c857b63e06e1bb7341a729ea36de8804

            EAP-Sim-SELECTED_VERSION = 0x0001

            EAP-Sim-IDENTITY =
0x3135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267

[eap] Underlying EAP-Type set EAP ID to 117

++[eap] returns handled

Sending Access-Challenge of id 0 to 192.168.2.1 port 2048

            EAP-Message =
0x01750050120b0000010d000033c0caad1ca74b91b8c4c597a497c951ec28a5ea58bf4f7d9a15fb267c80bc6cf51e6dc5eeb149028f5cba3779f2b9160b050000128bccbc8968ba6d16040402b139d839

            Message-Authenticator = 0x00000000000000000000000000000000

            State = 0x2e42338f2f372191820b0799859172e9

Finished request 1.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=0,
length=205

Cleaning up request 1 ID 0 with timestamp +10

            User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
"

            NAS-IP-Address = 192.168.2.1

            Called-Station-Id = "48f8b315461a"

            Calling-Station-Id = "1814563e5189"

            NAS-Identifier = "48f8b315461a"

            NAS-Port = 38

            Framed-MTU = 1400

            State = 0x2e42338f2f372191820b0799859172e9

            NAS-Port-Type = Wireless-802.11

            EAP-Message =
0x0275001c120b00000b050000fe0ad02adb05fa535c5e7beaa8810f69

            Message-Authenticator = 0x17809a1e9fcb50736607e844ac964694

# Executing section authorize from file
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for
User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org"

[suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org"

++[suffix] returns noop

rlm_sim_files: authorized user/imsi
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org

rlm_sim_files: Adding EAP-Type: eap-sim

++[sim_files] returns ok

[eap] EAP packet type response id 117 length 28

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

[files] users: Matched entry
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1

++[files] returns ok

++[sql] returns notfound

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/sim

[eap] processing type sim

MAC check succeed

[eap] Underlying EAP-Type set EAP ID to 118

[eap] Freeing handler

++[eap] returns ok

# Executing section post-auth from file
/etc/freeradius/sites-enabled/default

+- entering group post-auth {...}

++[sql] returns ok

++[exec] returns noop

Sending Access-Accept of id 0 to 192.168.2.1 port 2048

            MS-MPPE-Recv-Key =
0x9d0b6b0a9151822473399a9fed44e8f0d74df083532a7d437e436f60866252d8

            MS-MPPE-Send-Key =
0xebf07da25ca3cd97267d1fc6a1ce18d68ad2737902f610284bdb45c6eed0cb7f

            EAP-Message = 0x03760004

            Message-Authenticator = 0x00000000000000000000000000000000

            User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
"

Finished request 2.

Going to the next request

Waking up in 4.9 seconds.

Cleaning up request 2 ID 0 with timestamp +11

Ready to process requests.

this is my log with 1 client


thanx very much for your help
best regards


On Thu, Jun 20, 2013 at 2:53 PM, Iliya Peregoudov <iperegu...@cboss.ru>wrote:

> On 20.06.2013 8:38, raptor raptor wrote:
>
>> i just try one client and success but when i use another client and it
>> fails
>>
>
> Post debug log if you want to diagnose authentication failure.
>
>
>  is it correct if i add other client in users and simtriplets.dat?
>>
>
> Yes, you should add auth vectors for all your SIM cards into users file,
> one stanza for every SIM card.
>
> If you still get "insufficient number of challenges" message then your
> simtriplets.dat is not relevant. Just forget about it. Auth vectors from
> users file are sufficient.
>
> Freeradius is very flexible. There is no one single way of correctly
> configure it. But there are indefinite number of ways to misconfigure it.
> If you prefer not to diagnose authentication failures but insert random
> stuff into randomly selected configuration files it's unlikely you
> accidentally configure it correctly.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/**
> list/users.html <http://www.freeradius.org/list/users.html>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html