Re: eap sim authorization problem

2013-06-08 Thread raptor raptor
simtriplets.dat format that I write:

1,,,
1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000
1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000

i add in users file:

DEFAULT   Auth-Type := EAP,  EAP-Type := SIM
  EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f,
  EAP-Sim-SRES1 = 0xd1d2d3d4,
  EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d2e2f,
  EAP-Sim-SRES2 = 0xe1e2e3e4,
  EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d3e3f,
  EAP-Sim-SRES3 = 0xf1f2f3f4,
  EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7,
  EAP-Sim-KC2 = 0xb0b1b2b3b4b5b6b7,
  EAP-Sim-KC3 = 0xc0c1c2c3c4c5c6c7,
I think the number of RAND in simtriplets.dat is the same as in EAP-Sim-Rand1 (32
octets).
Is my format wrong?


I'm using freeradius-server-2.1.9 and a Nokia E63,
and I run freeradius, so here is the log:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=215
User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "48f8b315461a"
Calling-Station-Id = "1814563e5189"
NAS-Identifier = "48f8b315461a"
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
Message-Authenticator = 0xa01e03afe31bdb73b9c01a64096ec87a
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org"
[suffix] Found realm "wlan.mnc001.mcc510.3gppnetwork.org"
[suffix] Adding Stripped-User-Name = "1510019760806391"
[suffix] Adding Realm = "wlan.mnc001.mcc510.3gppnetwork.org"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0
++[sim_files] returns notfound
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 205
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 26
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 2048
EAP-Message = 0x011a0014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x019a1a23018008ce78acd4b07bc4c4ac
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=265
Cleaning up request 0 ID 0 with timestamp +227
User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "48f8b315461a"
Calling-Station-Id = "1814563e5189"
NAS-Identifier = "48f8b315461a"
NAS-Port = 38
Framed-MTU = 1400
State = 0x019a1a23018008ce78acd4b07bc4c4ac
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x021a0058120a070543837c0b63fd6c4dc3fccbebc8439b04100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
Message-Authenticator = 0x441da87c8c81ad6b22b7596fba8b9098
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org"
[suffix] Found realm "wlan.mnc001.mcc510.3gppnetwork.org"
[suffix] Adding Stripped-User-Name = "1510019760806391"
[suffix] Adding Realm = "wlan.mnc001.mcc510.3gppnetwork.org"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0
++[sim_files] returns notfound
[eap] EAP packet type response id 26 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 205
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
rlm_eap_sim: subtype= 10
   start.
+++> EAP-sim decoded packet:
User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org"
NAS-IP-Address = 192.168.1.1
Called-Stati

Re: eap sim authorization problem

2013-06-08 Thread raptor raptor
my simtriplets.dat:

1
1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000
1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000



On Mon, Jun 3, 2013 at 9:26 PM, Alan DeKok wrote:

> Iliya Peregoudov wrote:
> > Apparently there is an error in simtriplets.dat. Format is
> >
> > 1,,,
> >
> > , , and  should be in hexadecimal digits, without 0x
> > prefix. An even number of hexadecimal digits should be in there.
>
>   The simtriplets.dat file doesn't have "0x" prefixes in its examples
>
>   In any case, hitting an assertion because of a format error is stupid.
>  I've pushed a fix.  It will now complain about syntax errors instead.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

[no subject]

2013-06-08 Thread martin robertino


Re: FreeRADIUS 3.0 : mschap module fails to execute ntlm_auth

2013-06-08 Thread Bjarni Hardarson
On 7 jun 2013 17:01 "John Dennis"  wrote:

> 
> Please don't send more than one email, we heard you the first time.
> 

Sorry about that, I had some trouble with my e-mail client and thought I failed 
to send it the first time.

>
> This sounds like a permission problem. Make sure when you run your
> test
> manually you do so as the same user and group radiusd is running as,
> you'll find those values in your radiusd.conf file.
> 
> Also if your system is running SELinux check for the presence of AVC's
> 

I am pretty sure that permissions are not the problem. While testing I am 
running FreeRADIUS as root and I am not running SELinux.

The OS is Ubuntu 12.04. I tried building deb packages with the Debian rules but 
that creates a broken installation. I guess the rules need some work. :)

I thought my OS might be broken, so I reinstalled Ubuntu and built the server 
with:

apt-get build-dep freeradius
apt-get install libssl-dev
./configure && make && make install

The result is the same. The first time I try to authenticate, the mschap module 
says "ERROR: (0) ERROR: mschap : Abnormal child exit: No such file or 
directory". The second time it says " ERROR: (1) ERROR: mschap : External 
script says: ?[1m?[33mSun Jun  9 01:11:39 2013 : WARNING: (21) WARNING: mschap 
: Failed to execute /usr/bin/ntlm_auth: Bad address?[0m".

I guess i will wait for a 3.0 build on launchpad.

Bjarni


Re: stripped-username for eap sim

2013-06-08 Thread raptor raptor
Hi, I have the same problem as you about
rlm_sim_files : insufficient number of challenges for imsi

I read in rlm_sim_files.c that the problem is imsicount < 3.
I also read that RFC 4186 says:

"If the number of RAND challenges is smaller than what is required by
peer's local policy when processing the AT_RAND attribute, the peer
MUST send the EAP-Response/SIM/Client-Error packet with the error
code "insufficient number of challenges". "

and I tried to add

# raddb/proxy.conf
realm wlan.mncXXX.mccYYY.3gppnetwork.org {
}

but the result is the same.

Could you solve my problem?

Thanks,
best regards


On 6/3/13, Iliya Peregoudov  wrote:
> suffix (a preconfigured instance of rlm_realm module) will do User-Name
> splitting into Stripped-User-Name and Realm. You'll need to configure
> locally served realm in raddb/proxy.conf:
>
> # raddb/proxy.conf
> realm wlan.mncXXX.mccYYY.3gppnetwork.org {
> }
>
> suffix should be called before sim_files in authorize section:
>
> # raddb/sites-available/default:
> authorize {
> suffix
> sim_files
> }
>
>
> On 01.06.2013 11:44, martin robertino wrote:
>> Hi all,
>> I'm using freeradius 2.1.9 for EAP-SIM testing.
>> I have simtriplets.dat with format: imsi.RAND,SRES,Kc
>> and I'm having this message problem:
>> rlm_sim_files : insufficient number of challenges for imsi
>> 151008xx...@wlan.mnc008.mcc310.3gppnetwork.org
>> 
>> [sim_files] : return not found
>>
>> I read that we should strip that full username
>> :151008xx...@wlan.mnc008.mcc310.3gppnetwork.org
>> 
>> into stripped username: 131008x and realm
>> wlan.mnc008.mcc310.3gppnetwork.org
>> 
>> Am I correct?
>>
>> So how do I configure that stripped username for authorizing into
>> rlm_sim_files and to simtriplets.dat?
>>
>> Thanks
>>
>> best regards,
>> martin
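
A checker for simtriplets.dat data lines as the thread describes them (imsi,RAND,SRES,Kc, hex digits without a 0x prefix, an even number of digits, and at least three triplets per IMSI before rlm_sim_files stops reporting "insufficient number of challenges"), added here as an example; it is not code from the thread or from FreeRADIUS. It assumes the GSM field sizes of RFC 4186 (RAND 16, SRES 4, Kc 8 octets), uses the three posted triplets as constructed sample input, and its handling of the header line is an assumption rather than the module's actual parser.

```python
import re
from collections import Counter

# GSM triplet sizes in hex digits (RFC 4186: RAND 16, SRES 4, Kc 8 octets).
FIELD_HEX_LEN = {"RAND": 32, "SRES": 8, "Kc": 16}
# rlm_sim_files rejects an IMSI with fewer triplets than this
# ("insufficient number of challenges": imsicount < 3 in rlm_sim_files.c).
MIN_TRIPLETS = 3
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed sample: the version line and the three triplets posted in the
# thread, plus one line for a second IMSI with a forbidden 0x prefix.
SAMPLE = """\
1
1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000
1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000
1510019760806392,0xAAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
"""

def field_error(name, value):
    """Return why a RAND/SRES/Kc field is unusable, or None if it is fine."""
    if value.lower().startswith("0x"):
        return f"{name} must be given without a 0x prefix"
    if not HEX_RE.match(value) or len(value) % 2:
        return f"{name} must be an even number of hex digits"
    if len(value) != FIELD_HEX_LEN[name]:
        return f"{name} has {len(value)} hex digits, expected {FIELD_HEX_LEN[name]}"
    return None

def check_triplets(text):
    """Validate imsi,RAND,SRES,Kc lines; return (triplets per IMSI, problems).
    Assumption, not taken from rlm_sim_files.c: comments, blank lines and lines
    without exactly four fields (such as the bare "1" line) are skipped."""
    counts, problems = Counter(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = [f.strip() for f in raw.strip().split(",")]
        if not fields[0] or fields[0].startswith("#") or len(fields) != 4:
            continue
        errors = [e for e in map(field_error, FIELD_HEX_LEN, fields[1:]) if e]
        if errors:
            problems.extend(f"line {lineno}: {e}" for e in errors)
        else:
            counts[fields[0]] += 1
    for imsi, n in counts.items():
        if n < MIN_TRIPLETS:
            problems.append(f"imsi {imsi}: only {n} valid triplet(s), need {MIN_TRIPLETS}")
    return dict(counts), problems
```

Run it on a real file with `check_triplets(open("simtriplets.dat").read())`; an IMSI that shows up with fewer than three valid lines is the condition behind the "insufficient number of challenges" message in the thread.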


Re: Problem after upgrade from 2.1 to 2.2

2013-06-08 Thread Nadir Aliyev
Yes, I found the problem 20 minutes ago. It seems the syntax changed again, to
%{%{foo}:-0}; last time %{foo:-0} worked with 2.1.

Thanks Alan :)


On Sun, Jun 9, 2013 at 2:26 AM, Alan DeKok wrote:

> Nadir Aliyev wrote:
> > Dear All, I have a problem after upgrading from 2.1 to 2.2!
> >
> > I use the postgresql module. After upgrading to 2.2 I get SQL errors on
> > accounting updates!
> >
> > I checked the logs and I see that the Acct-Input-Gigawords and
> > Acct-Output-Gigawords values are NULL.
>
>  Those attributes are sent by the NAS.
>
> > [sql] expand: UPDATE radacct
> > SET AcctStopTime = ('%S'::timestamp - '%{Acct-Delay-Time:-0}'::interval),
>
>   That should be %{%{Acct-Delay-Time}:-0}
>
>   See "man unlang".  All of the other expansions need to be changed,
> too.  i.e.:
>
> OLD: %{foo:-0}
>
> NEW: %{%{foo}:-0}
>
>
>   Alan DeKok.

Re: Problem after upgrade from 2.1 to 2.2

2013-06-08 Thread Alan DeKok
Nadir Aliyev wrote:
> Dear All, I have a problem after upgrading from 2.1 to 2.2!
> 
> I use the postgresql module. After upgrading to 2.2 I get SQL errors on
> accounting updates!
> 
> I checked the logs and I see that the Acct-Input-Gigawords and
> Acct-Output-Gigawords values are NULL.

 Those attributes are sent by the NAS.

> [sql] expand: UPDATE radacct
> SET AcctStopTime = ('%S'::timestamp - '%{Acct-Delay-Time:-0}'::interval),

  That should be %{%{Acct-Delay-Time}:-0}

  See "man unlang".  All of the other expansions need to be changed,
too.  i.e.:

OLD: %{foo:-0}

NEW: %{%{foo}:-0}


  Alan DeKok.
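
A migration helper for the expansion syntax change Alan describes (2.1's %{foo:-0} becoming %{%{foo}:-0} in 2.2), added here as an example; it is not code from the thread or from FreeRADIUS. The sample query is constructed and only modelled on the accounting update quoted above, and the allowance for list prefixes, indexes and nested defaults is an assumption about what an old-style reference may contain.

```python
import re

# FreeRADIUS 2.1 accepted %{Attr:-default}; 2.2 requires %{%{Attr}:-default}.
# The attribute reference may carry a list prefix ("reply:Foo") or an index
# ("Foo[0]"), so ':' and brackets are allowed, but the reference stops at the
# first ':-'. A reference that already starts with "%{%{" cannot match, which
# is what makes the rewrite idempotent.
OLD_DEFAULT_RE = re.compile(r"%\{((?:(?!:-)[A-Za-z0-9_.:\[\]-])+):-([^}]*)\}")

def migrate_expansions(text):
    """Rewrite every %{Attr:-default} in text to %{%{Attr}:-default}.

    Repeats until nothing changes so that a default which is itself an
    old-style expansion (%{foo:-%{bar:-0}}) is converted at every depth.
    """
    while True:
        rewritten = OLD_DEFAULT_RE.sub(r"%{%{\1}:-\2}", text)
        if rewritten == text:
            return rewritten
        text = rewritten

# Constructed sample modelled on the accounting stop query quoted in the
# thread; the column arithmetic is illustrative, not the shipped schema.
OLD_STOP_QUERY = (
    "UPDATE radacct SET AcctStopTime = "
    "('%S'::timestamp - '%{Acct-Delay-Time:-0}'::interval), "
    "AcctInputOctets = ('%{Acct-Input-Gigawords:-0}'::bigint << 32) "
    "+ '%{Acct-Input-Octets:-0}'::bigint "
    "WHERE AcctSessionId = '%{Acct-Session-Id}'"
)

if __name__ == "__main__":
    print(migrate_expansions(OLD_STOP_QUERY))
```

References without a default, such as %{Acct-Session-Id}, are left untouched, so the helper can be run over a whole sql.conf or dialup.conf without a second pass to undo over-matching.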


Re: [SPAM] FreeRADIUS 3.0 : mschap module fails to execute ntlm_auth

2013-06-08 Thread Arran Cudbard-Bell

On 8 Jun 2013, at 10:30, nicolas@ricoh-industrie.fr wrote:

> I have the same problem after upgrading FreeRADIUS to version 3.
> Before, ntlm worked very well but it seems that the new version uses the ntlm 
> module differently.

Thanks for flagging your email appropriately.

Arran Cudbard-Bell 
FreeRADIUS Development Team



Re: Problem with Freeradius2 - Start and Stop connections isn't inserted in BD

2013-06-08 Thread Alan DeKok
Rodrigo Yoshioka wrote:
> Do you have any idea about what is happening?

  Have you tried running the server in debugging mode, as suggested in
the FAQ, README, "man" page, web pages, and daily on this list?

  Alan DeKok.


Problem with Freeradius2 - Start and Stop connections isn't inserted in BD

2013-06-08 Thread Rodrigo Yoshioka
Hi,

I updated my FreeRADIUS to version 2, but now it isn't inserting start and stop 
connections in the database. FreeRADIUS is updating the radacct table when it 
updates sessions. So when a client connects, I'll only have this information in 
radacct once an accounting update carries the download/upload data.


Do you have any idea about what is happening?


Thanks

Re: [SPAM] Re: FreeRADIUS 3.0 : mschap module fails to execute ntlm_auth

2013-06-08 Thread nicolas . clo
I have the same problem after upgrading FreeRADIUS to version 3. Before, ntlm worked very well but it seems that the new version uses the ntlm module differently.

----- freeradius-users-bounces+nicolas.clo=ricoh-industrie...@lists.freeradius.org wrote: -----
To: freerad...@hardarson.se, FreeRadius users mailing list
From: John Dennis
Sent by: freeradius-users-bounces+nicolas.clo=ricoh-industrie...@lists.freeradius.org
Date: 07/06/2013 17:12
Subject: [SPAM] Re: FreeRADIUS 3.0 : mschap module fails to execute ntlm_auth

On 06/07/2013 10:46 AM, Bjarni Hardarson wrote:
> I am sure that the ntlm_auth file is at /usr/bin/ntlm_auth and if I run it
> manually with the expanded attributes I get the NT_KEY.
>
> root@freelab:/#/usr/bin/ntlm_auth --request-nt-key --username=vpntest --challenge=d9a8b4d1c188ae1b --nt-response=090bacad01a113dd74007ed5845d5b0c7c8017bac80821dd
> NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
>
> Any ideas?

Please don't send more than one email, we heard you the first time.

This sounds like a permission problem. Make sure when you run your test
manually you do so as the same user and group radiusd is running as,
you'll find those values in your radiusd.conf file.

Also if your system is running SELinux check for the presence of AVC's

Re: Free Radius not sending reject message when using "max_request_time"

2013-06-08 Thread Alan DeKok
manjunath uthappa ponnachana wrote:
> But my concern why free radius is not sending access-reject response.

  I answered your question.  Did you bother to read my message?

  Fix your database.  Nothing else will solve the problem.

  If your car is out of gas, pushing on the gas pedal won't work.

  Alan DeKok.


Re: Free Radius not sending reject message when using "max_request_time"

2013-06-08 Thread manjunath uthappa ponnachana
Hi Alan,


But my concern is why FreeRADIUS is not sending an Access-Reject response.


Thanks & Regards
Manjunath

From: Alan DeKok
Sent: Fri, 07 Jun 2013 19:12:02
To: pu_manjun...@rediffmail.com, FreeRadius users mailing list
Subject: Re: Free Radius not sending reject message when using "max_request_time"

manjunath uthappa ponnachana wrote:
> I am trying to test this and trying to execute SQL query from free
> radius which will take more time than max_request_time. But free
> radius is not sending reject message instead it comes out with an error
> "no response from the server".

  That's how it works.  The problem is that the call to SQL is blocking
at the OS layer.  i.e. FreeRADIUS isn't running any more for that thread.
So it's pretty much impossible to *forcibly* stop that SQL query.

  The solution to a slow database is to fix the database.  Poking
FreeRADIUS won't work.  Any changes you make to FreeRADIUS will make the
problem worse.

  There is NO reason why an SQL database takes more than .1s to return
from a query.  If it does, your database is horribly broken.

  Alan DeKok.