Re: EAP-SIM on 2.2.0

2012-09-13 Thread Iliya Peregoudov
I have manually parsed EAP messages. EAP Identity and AT_IDENTITY are the 
same.


EAP-Message from first Access-Request:

02  Code = 2 (EAP-Response)
   00   Identifier = 0
  00 38 Length = 56
01  Type = 1 (Identity)
   31 33 30 32 37 32 30 34 30 34 34 Type-Data =
 1302720404413...@wlan.mnc720.mcc302.3gppnetwork.org
31 33 38 39 30 40 77 6c 61 6e 2e 6d 6e 63 37 32
30 2e 6d 63 63 33 30 32 2e 33 67 70 70 6e 65 74
77 6f 72 6b 2e 6f 72 67

EAP-Message from second Access-Request:

02  Code = 2 (EAP-Response)
   f6   Identifier = 246
  00 58 Length = 88
12  Type = 18 (EAP-SIM)
   0a   Subtype = 10 (SIM-Start)
  00 00 Reserved
0e  Attr Type = 14
(AT_IDENTITY)
   0e   Attr Length = 56
  00 33 Identity Length = 51
31 33 30 32 Value =
 1302720404413...@wlan.mnc720.mcc302.3gppnetwork.org
37 32 30 34 30 34 34 31 33 38 39 30 40 77 6c 61
6e 2e 6d 6e 63 37 32 30 2e 6d 63 63 33 30 32 2e
33 67 70 70 6e 65 74 77 6f 72 6b 2e 6f 72 67 00
10  Attr Type = 16
(AT_SELECTED_VERSION)
   01   Attr Length = 4
  00 01 Value = 1
07  Attr Type = 7
(AT_NONCE_MT)
   05   Attr Length = 20
  00 00 Reserved
7a e3 c3 b2 94 fa a5 fa Value = 16 random octets
c8 5c 9c dc 58 73 7c 87

I see AT_IDENTITY is padded with a single zero octet. Maybe rlm_eap_sim 
uses the wrong length field, namely Attribute Length instead of Identity Length?


Alan DeKok wrote:

Francois Gaudreault wrote:

Ok so I did bisect, and this commit appears to be the problematic one:

177dbabdcef84353768551c0a39d29c566538c06 is the first bad commit
commit 177dbabdcef84353768551c0a39d29c566538c06
Author: Alan T. DeKok 
Date:   Tue Feb 21 08:57:49 2012 +0100

Try to use identity from SIM protocol, not EAP-Identity


  Well, the SIM identity doesn't agree with the EAP-Identity.

  The patch went in because Microsoft ran into inter-operability issues.
 The SIM identity can change during the protocol exchange.  The old way
of always using the EAP-Identity was wrong.

  I'm not sure what to suggest here.  You can delete the patch in your
private branch.  But that means you'll run into other inter-operability
issues later.

  You should probably do a bit more digging to see exactly *what* is
going on in the failing case.  Knowing that will help come up with a
decent solution.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


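As an added example (not code from the thread or from FreeRADIUS), the parser below walks the EAP-Response/SIM/Start attributes shown in the dump above and reads AT_IDENTITY two ways: honouring the 2-octet Actual Identity Length, and the suspected buggy way that takes everything up to the Attribute Length, which keeps the zero padding octet. The IMSI digits and the nonce are constructed values; the realm is the one in the dump.

```python
"""Parse an EAP-Response/SIM/Start and compare two ways of reading AT_IDENTITY.

Added example; not code from the original thread or from rlm_eap_sim.
"""
import struct

EAP_RESPONSE = 2
EAP_TYPE_SIM = 18
SUBTYPE_START = 10
AT_NONCE_MT = 7
AT_IDENTITY = 14
AT_SELECTED_VERSION = 16

# Constructed sample: the IMSI digits are made up, the realm is the one in the dump.
SAMPLE_IDENTITY = b"1234567890123456@wlan.mnc720.mcc302.3gppnetwork.org"
SAMPLE_NONCE_MT = bytes(range(16))  # constructed, not random


def build_sim_start(identity: bytes, nonce_mt: bytes, eap_id: int = 0xF6) -> bytes:
    """Build EAP-Response/SIM/Start with AT_IDENTITY, AT_SELECTED_VERSION, AT_NONCE_MT.

    Attribute Length is in 4-octet units and covers type, length, value and padding.
    """
    pad = (-(4 + len(identity))) % 4                     # zero padding to a 4-octet boundary
    at_identity = (bytes([AT_IDENTITY, (4 + len(identity) + pad) // 4])
                   + struct.pack("!H", len(identity))    # Actual Identity Length
                   + identity + b"\x00" * pad)
    at_version = bytes([AT_SELECTED_VERSION, 1]) + struct.pack("!H", 1)
    at_nonce = bytes([AT_NONCE_MT, 5, 0, 0]) + nonce_mt  # 2 reserved octets + 16-octet nonce
    body = bytes([SUBTYPE_START, 0, 0]) + at_identity + at_version + at_nonce
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(body), EAP_TYPE_SIM) + body


def parse_eap_sim(pkt: bytes) -> dict:
    """Walk the EAP-SIM attribute list; returns header fields plus {type: raw value}."""
    code, eap_id, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or eap_type != EAP_TYPE_SIM:
        raise ValueError("truncated or non-EAP-SIM packet")
    attrs, off = {}, 8                                   # skip Subtype (1) + Reserved (2)
    while off < length:
        atype, alen = pkt[off], pkt[off + 1] * 4
        if alen < 4 or off + alen > length:
            raise ValueError("attribute length runs past the packet")
        attrs[atype] = pkt[off + 2:off + alen]           # value including any padding
        off += alen
    return {"code": code, "id": eap_id, "subtype": pkt[5], "attrs": attrs}


def identity_from_attribute(value: bytes) -> bytes:
    """Correct: honour the 2-octet Actual Identity Length and drop the padding."""
    actual_len = struct.unpack("!H", value[:2])[0]
    if actual_len > len(value) - 2:
        raise ValueError("Actual Identity Length exceeds attribute")
    return value[2:2 + actual_len]


def naive_identity_from_attribute(value: bytes) -> bytes:
    """Suspected bug: use the Attribute Length, so trailing zero octets are kept."""
    return value[2:]


if __name__ == "__main__":
    pkt = build_sim_start(SAMPLE_IDENTITY, SAMPLE_NONCE_MT)
    at_id = parse_eap_sim(pkt)["attrs"][AT_IDENTITY]
    print(len(pkt), identity_from_attribute(at_id), naive_identity_from_attribute(at_id))
```

With the 51-octet identity the built packet is 88 octets long, matching the second Access-Request above, and the naive extraction returns the identity with a trailing NUL.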


Re: EAP-SIM on 2.2.0

2012-09-13 Thread Francois Gaudreault

Well you are probably right, but when providers start pushing 3G/4G
offload for real (if they ever do), there are not many ways of doing
it... I think :P  The reason for those tests on our side is to support
WISPr and/or NewGen hotspots with our product.


That's a big "if", IMO.

EAP-SIM would in theory be quite nice for a number of reasons right now,
even without offload. It's a built-in, secure credential.

Yup indeed!



Unfortunately, as our off-list emails suggest, you can't get easy
access to SIM secrets in the general case (for obvious reasons). So
unless someone (i.e. the mobile phone providers) starts running a radius
server you can proxy *.3gppnetwork.org to, I can't see EAP-SIM being
part of the solution.
Well the way it should work is that RADIUS needs to proxy to a 3GPP 
compliant AAA server or proxy to an ITP (MAP proxy) to speak to the HLR 
using SS7 so the RAND comes from the HLR/AuC, and SRES/Kc is sent back 
to the HLR to perform the authorization check :)


The only way to test it without having that kind of infra is to 
pre-compute stuff to simulate the HLR calculations (offlist message).


Thanks!

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: EAP-SIM on 2.2.0

2012-09-13 Thread Phil Mayers

On 13/09/12 15:52, Francois Gaudreault wrote:


Well you are probably right, but when providers start pushing 3G/4G
offload for real (if they ever do), there are not many ways of doing
it... I think :P  The reason for those tests on our side is to support
WISPr and/or NewGen hotspots with our product.


That's a big "if", IMO.

EAP-SIM would in theory be quite nice for a number of reasons right now, 
even without offload. It's a built-in, secure credential.


Unfortunately, as our off-list emails suggest, you can't get easy 
access to SIM secrets in the general case (for obvious reasons). So 
unless someone (i.e. the mobile phone providers) starts running a radius 
server you can proxy *.3gppnetwork.org to, I can't see EAP-SIM being 
part of the solution.


Far more likely is manufacturer-installed X.509 certs and EAP-TLS or a 
variant, or even EAP-TEAP with PAC or cert provisioning.



Re: EAP-SIM on 2.2.0

2012-09-13 Thread Francois Gaudreault

I am not too familiar with that, so it's hard to comment.  I can ask the
MS EAP team if they want to share more. I guess they tested it working
with their own stuff, but never re-tested with other device types.  I
believe it's another 3GPP/RFC understanding kind of thing.


   Probably.
I just got back an answer from them.  The reason for the patch was 
that when the supplicant was doing EAP negotiation between AKA-PRIME, 
AKA, and SIM, for some reason the server was using the wrong Identity. 
I asked them if they tested a "forced EAP-SIM" situation with their 
supplicant.  We'll see I guess :P





I tested with an iPhone 3GS device running 5.0.1.  I still need some
bytes to make it work and test with our Android (get the SRES/Kc from
the Micro-SIM).

I don't know if others on the list made it work with that patch on.


   I think few people are using EAP-SIM.
Well you are probably right, but when providers start pushing 3G/4G 
offload for real (if they ever do), there are not many ways of doing 
it... I think :P  The reason for those tests on our side is to support 
WISPr and/or NewGen hotspots with our product.


Thanks!

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: building FR3.0 jlibtool problem

2012-09-13 Thread Phil Mayers

On 13/09/12 14:03, Brian Julin wrote:



Scott Armitage wrote:
gmake[4]: /usr/local/src/freeradius-server/libtool: Command not found
gmake[4]: *** [dict.lo] Error 127
gmake[3]: *** [lib] Error 2
gmake[2]: *** [all] Error 2
gmake[1]: *** [src] Error 2
make: *** [all] Error 2


IIRC running libtoolize cleared this up.   I'm not sure if that's the way 
things are supposed to work, or whether the build system should be 
setting LIBTOOL to the system installed path.


I think libtool is in the process of being removed from the tree because 
it's horrible and deserves to die.


This is probably a result of that.


Re: EAP-SIM on 2.2.0

2012-09-13 Thread Alan DeKok
Francois Gaudreault wrote:
> I am not too familiar with that, so it's hard to comment.  I can ask the
> MS EAP team if they want to share more. I guess they tested it working
> with their own stuff, but never re-tested with other device types.  I
> believe it's another 3GPP/RFC understanding kind of thing.

  Probably.

> I tested with an iPhone 3GS device running 5.0.1.  I still need some
> bytes to make it work and test with our Android (get the SRES/Kc from
> the Micro-SIM).
> 
> I don't know if others on the list made it work with that patch on.

  I think few people are using EAP-SIM.

  Alan DeKok.


Re: building FR3.0 jlibtool problem

2012-09-13 Thread Alan DeKok
Brian Julin wrote:
> IIRC running libtoolize cleared this up.   I'm not sure if that's the way 
> things are supposed to work, or whether the build system should be 
> setting LIBTOOL to the system installed path.

  Libtool has been shot.  It will not be missed.

  I'm going to remove *entirely* all references to libtool && libltdl
from the "master" branch.

  Alan DeKok.


Re: building FR3.0 jlibtool problem

2012-09-13 Thread Alan DeKok
Scott Armitage wrote:
> Is anyone else having problems building FR3.0?  I get the following:
..
> Am I being an idiot? 

  Nope.

  I've been using the new system in my sandbox, and didn't notice that
the old system was borked.  I've pushed some fixes.

  Both should work now from a default "configure".

  The next step is to make the new system the default.  I'm also
inclined to get rid of ALL references to libtool && jlibtool from the
source.

  The downside is that you can no longer create statically linked
versions of FreeRADIUS.  Given that it's 2012, I'm not too worried about
this.

  Alan DeKok.


RE: building FR3.0 jlibtool problem

2012-09-13 Thread Brian Julin

> Scott Armitage wrote:
> gmake[4]: /usr/local/src/freeradius-server/libtool: Command not found
> gmake[4]: *** [dict.lo] Error 127
> gmake[3]: *** [lib] Error 2
> gmake[2]: *** [all] Error 2
> gmake[1]: *** [src] Error 2
> make: *** [all] Error 2

IIRC running libtoolize cleared this up.   I'm not sure if that's the way 
things are supposed to work, or whether the build system should be 
setting LIBTOOL to the system installed path.




Re: how to add two ip pool

2012-09-13 Thread Fajar A. Nugraha
On Thu, Sep 13, 2012 at 7:25 PM, ranjan kumar  wrote:
> Hi All,
>
> I am trying to add two default entries in users file for two ip pool.

Why?

Most likely you're trying to solve a problem the wrong way.

What EXACTLY do you want to do? Allocate IPs from two ranges of
noncontiguous IP addresses? Or what?

> Is it possible to add two DEFAULT entries in the users file? If yes then

Yes, as long as they don't conflict with each other.

> Please help me, it's very critical.

(sigh)

No, it's not.

If it's THAT critical, you would've either:

(1) gotten support from someone who knows what they're doing, or
(2) learned how to do it yourself, and ONLY implemented what you've tested

You've done neither, so IMO it's not critical enough for you.


>
> I have configured two ippool which looks like:
> ===
> In Users file:
>
> DEFAULT Auth-Type := aag, Service-Type == Framed-User, Framed-Protocol == 7,
> Pool-Name := myippool

> DEFAULT Auth-Type := aag, Service-Type == Framed-User, Framed-Protocol == 7,
> Pool-Name := my_sec_ippool

I'm pretty sure that roughly means the second entry would never be
used. Did you read the docs (e.g. "man 5 users")?

Especially, look for "Fall-Through" and "operators".


> In radiusd.conf
>
> ippool myippool {

>  session-db = ${raddbdir}/db.ippool
>  ip-index = ${raddbdir}/db.ipindex

> ippool my_sec_ippool {

>  session-db = ${raddbdir}/db.ippool1
>  ip-index = ${raddbdir}/db.ipindex1

Did you read my earlier reply?

> When I am executing ./radiusd -X I always get IPs for only one GGSN.

At this point I usually ask "and the full output of debug log is ?",

... but in this case it'd probably be useless since it looks like
you're trying to solve your problems the wrong way.

Again, what EXACTLY do you want to do?

>
> Please help me, it's very critical.

No, it's not. And saying it over and over again won't get you a faster
response. Instead, it will only annoy others, and discourage them from
trying to help you.

-- 
Fajar


Re: EAP-SIM on 2.2.0

2012-09-13 Thread Francois Gaudreault

Hi,


Ok so I did bisect, and this commit appears to be the problematic one:

177dbabdcef84353768551c0a39d29c566538c06 is the first bad commit
commit 177dbabdcef84353768551c0a39d29c566538c06
Author: Alan T. DeKok 
Date:   Tue Feb 21 08:57:49 2012 +0100

 Try to use identity from SIM protocol, not EAP-Identity


   Well, the SIM identity doesn't agree with the EAP-Identity.

   The patch went in because Microsoft ran into inter-operability issues.
  The SIM identity can change during the protocol exchange.  The old way
of always using the EAP-Identity was wrong.
I am not too familiar with that, so it's hard to comment.  I can ask the 
MS EAP team if they want to share more. I guess they tested it working 
with their own stuff, but never re-tested with other device types.  I 
believe it's another 3GPP/RFC understanding kind of thing.




Might also be helpful to know what the supplicant is here, too?
I tested with an iPhone 3GS device running 5.0.1.  I still need some 
bytes to make it work and test with our Android (get the SRES/Kc from 
the Micro-SIM).


I don't know if others on the list made it work with that patch on.

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



building FR3.0 jlibtool problem

2012-09-13 Thread Scott Armitage
All,

Is anyone else having problems building FR3.0?  I get the following:

[root@boppity-new freeradius-server]# ./configure --prefix=/usr 
--with-large-files --with-raddbdir=/etc/raddb --with-experimental-modules 
--enable-developer | grep WARN
configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may 
not work
configure: WARNING: snmpwalk not found - Simultaneous-Use and checkrad.pl may 
not work
configure: WARNING: pcap library not found, silently disabling the RADIUS 
sniffer.
configure: WARNING: silently not building rlm_counter.
configure: WARNING: FAILURE: rlm_counter requires:  libgdbm.
configure: WARNING: FAILURE: rlm_dbm requires:  (ndbm.h or gdbm/ndbm.h or 
gdbm-ndbm.h) (libndbm or libgdbm or libgdbm_compat).
configure: WARNING: silently not building rlm_dbm.
configure: WARNING: the TNCS library isn't found!
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires:  -lTNCS.
configure: WARNING: silently not building rlm_eap_pwd.
configure: WARNING: FAILURE: rlm_eap_pwd requires: EC_GROUP_free.
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires:  libeap-ikev2 
EAPIKEv2/connector.h.
configure: WARNING: silently not building rlm_ippool.
configure: WARNING: FAILURE: rlm_ippool requires:  libgdbm.
configure: WARNING: silently not building rlm_opendirectory.
configure: WARNING: FAILURE: rlm_opendirectory requires:  membership.h.
configure: WARNING: silently not building rlm_pam.
configure: WARNING: FAILURE: rlm_pam requires:  libpam.
configure: WARNING: silently not building rlm_python.
configure: WARNING: FAILURE: rlm_python requires:  Python.h libpython2.6.
configure: WARNING: hiredis libraries not found. Use 
--with-redis-lib-dir=.
configure: WARNING: hiredis headers not found. Use 
--with-redis-include-dir=.
configure: WARNING: silently not building rlm_redis.
configure: WARNING: FAILURE: rlm_redis requires: libhiredis hiredis.h.
configure: WARNING: hiredis libraries not found. Use 
--with-redis-lib-dir=.
configure: WARNING: hiredis headers not found. Use 
--with-redis-include-dir=.
configure: WARNING: silently not building rlm_rediswho.
configure: WARNING: FAILURE: rlm_rediswho requires: libhiredis hiredis.h.
configure: WARNING: silently not building rlm_rest.
configure: WARNING: FAILURE: rlm_rest requires:  curl/curl.h.
configure: WARNING: silently not building rlm_ruby.
configure: WARNING: FAILURE: rlm_ruby requires: ruby-binary.
configure: WARNING: silently not building rlm_sql_postgresql.
configure: WARNING: FAILURE: rlm_sql_postgresql requires:  libpq-fe.h libpq.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: Sqlite libraries not found. Use 
--with-sqlite-lib-dir=.
configure: WARNING: Sqlite headers not found. Use 
--with-sqlite-include-dir=.
configure: WARNING: silently not building rlm_sql_sqlite.
configure: WARNING: FAILURE: rlm_sql_sqlite requires: libsqlite3 sqlite.h.
configure: WARNING: silently not building rlm_sql_db2.
configure: WARNING: FAILURE: rlm_sql_db2 requires: libdb2 sqlcli.h.
configure: WARNING: oracle headers not found.  Use 
--with-oracle-include-dir=.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.
configure: WARNING: silently not building rlm_sql_firebird.
configure: WARNING: FAILURE: rlm_sql_firebird requires: libfbclient ibase.h.
configure: WARNING: MySQL libraries not found. Use --with-mysql-lib-dir=.
configure: WARNING: MySQL headers not found. Use 
--with-mysql-include-dir=.
configure: WARNING: silently not building rlm_sql_mysql.
configure: WARNING: FAILURE: rlm_sql_mysql requires: libmysqlclient_r mysql.h.

[root@boppity-new freeradius-server]# make
Making all in src...
Making all in src/include...
gmake[4]: Nothing to be done for `all'.
Making all in src/lib...
CC dict.c
gmake[4]: /usr/local/src/freeradius-server/libtool: Command not found
gmake[4]: *** [dict.lo] Error 127
gmake[3]: *** [lib] Error 2
gmake[2]: *** [all] Error 2
gmake[1]: *** [src] Error 2
make: *** [all] Error 2




Even if I try:


[root@boppity-new freeradius-server]# echo 'BOILER=yes' >> Make.inc
[root@boppity-new freeradius-server]# make
Making all in src...
Making all in src/include...
gmake[4]: Nothing to be done for `all'.
Making all in src/lib...
CC dict.c
gmake[4]: /usr/local/src/freeradius-server/libtool: Command not found
gmake[4]: *** [dict.lo] Error 127
gmake[3]: *** [lib] Error 2
gmake[2]: *** [all] Error 2
gmake[1]: *** [src] Error 2
make: *** [all] Error 2





Am I being an idiot? 


Regards


Scott Armitage




Re: EAP-SIM on 2.2.0

2012-09-13 Thread Phil Mayers

On 13/09/12 11:51, Alan DeKok wrote:

Francois Gaudreault wrote:

Ok so I did bisect, and this commit appears to be the problematic one:

177dbabdcef84353768551c0a39d29c566538c06 is the first bad commit
commit 177dbabdcef84353768551c0a39d29c566538c06
Author: Alan T. DeKok 
Date:   Tue Feb 21 08:57:49 2012 +0100

 Try to use identity from SIM protocol, not EAP-Identity


   Well, the SIM identity doesn't agree with the EAP-Identity.

   The patch went in because Microsoft ran into inter-operability issues.
  The SIM identity can change during the protocol exchange.  The old way
of always using the EAP-Identity was wrong.


Might also be helpful to know what the supplicant is here, too?


Re: EAP-SIM on 2.2.0

2012-09-13 Thread Alan DeKok
Francois Gaudreault wrote:
> Ok so I did bisect, and this commit appears to be the problematic one:
> 
> 177dbabdcef84353768551c0a39d29c566538c06 is the first bad commit
> commit 177dbabdcef84353768551c0a39d29c566538c06
> Author: Alan T. DeKok 
> Date:   Tue Feb 21 08:57:49 2012 +0100
> 
> Try to use identity from SIM protocol, not EAP-Identity

  Well, the SIM identity doesn't agree with the EAP-Identity.

  The patch went in because Microsoft ran into inter-operability issues.
 The SIM identity can change during the protocol exchange.  The old way
of always using the EAP-Identity was wrong.

  I'm not sure what to suggest here.  You can delete the patch in your
private branch.  But that means you'll run into other inter-operability
issues later.

  You should probably do a bit more digging to see exactly *what* is
going on in the failing case.  Knowing that will help come up with a
decent solution.

  Alan DeKok.


Re: Problem in configuring multiple IP pool

2012-09-13 Thread Fajar A. Nugraha
On Thu, Sep 13, 2012 at 4:55 PM, ranjan kumar  wrote:
>
> Hi,
>
> I have created two IP pools in radiusd.conf which look like below:
>
> ===
> In radiusd.conf
>
> ippool myippool {


Which version is this?

IIRC in 2.x ippool configuration is in raddb/modules/ippool.

If you're still using 1.1.x, then my best advice is good luck, or ask
whoever maintained your server (e.g. just in case you have some kind
of software support for your radius/OS)

-- 
Fajar


Re: In Access-Request h323-remote-address Multiple times How to get it in SQL query

2012-09-13 Thread Blake Covarrubias
On Sep 12, 2012, at 11:57 PM, "Ankur - BillCall"  
wrote:

> We are getting h323-remote-address multiple times. How can I get both 
> attributes in the SQL query for authentication?
>  
> I set sql_user_name = "%{h323-remote-address}". But I get sql_user_name = 
> Trunk ID (000111) only. How can I get IP XXX.105.4.197?

You probably want this.

sql_user_name = "%{h323-remote-address[1]}"

Read "man unlang". Specifically section "String lengths and arrays".

--
Blake Covarrubias