can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]
Hi All, I really do try to read the forums in full before I post, and I have seen much out there on this, but I just can't find out why this is happening. Please see below.

The only thing I don't have is a sim_files entry in sites-enabled/default, as I assume this is now covered in the radiusd.conf file. Also, in the simtriplets file at the bottom, I have tried the entries with a 1 at the beginning of the IMSI, and without, and with the word SIM there also.

On packet captures over the air, I get:
P1 - eap identity request
P2 - eap identity response
P3 - eap-failure

So I believe the radius server is not sending an eap-start module and it is my configuration issue. Could anyone be so kind as to help me, please?

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.53.1.200 port 45261, id=5, length=257
	User-Name = 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
	NAS-IP-Address = 192.168.21.1
	Called-Station-Id = 5C-D9-98-BF-C0-9E:tt
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = 5C-F8-A1-8B-35-BA
	Connect-Info = CONNECT 54Mbps 802.11g
	Acct-Session-Id = 524016AE-0005
	Framed-MTU = 1400
	EAP-Message = 0x02ba0038013132333431353931343334363530383440776c616e2e6d6e633031352e6d63633233342e336770706e6574776f726b2e6f7267
	Message-Authenticator = 0x25cd862fe8110e13ab54321c37032d00
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm wlan.mnc015.mcc234.3gppnetwork.org for User-Name = 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
[suffix] No such realm wlan.mnc015.mcc234.3gppnetwork.org
++[suffix] returns noop
[eap] EAP packet type response id 186 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
  can not initiate sim, no RAND1 attribute
[eap] Default EAP type sim failed in initiate
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 5 to 10.53.1.200 port 45261
	EAP-Message = 0x04ba0004
	Message-Authenticator = 0x
Waking up in 4.9 seconds.
Cleaning up request 0 ID 5 with timestamp +8
Ready to process requests.
rad_recv: Access-Request packet from host 10.53.1.200 port 45261, id=6, length=257
	User-Name = 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
	NAS-IP-Address = 192.168.21.1
	Called-Station-Id = 5C-D9-98-BF-C0-9E:tt
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = 5C-F8-A1-8B-35-BA
	Connect-Info = CONNECT 54Mbps 802.11g
	Acct-Session-Id = 524016AE-0006
	Framed-MTU = 1400
	EAP-Message = 0x02f20038013132333431353931343334363530383440776c616e2e6d6e633031352e6d63633233342e336770706e6574776f726b2e6f7267
	Message-Authenticator = 0xac6eea11e5915f4e4e5bbc06a7ed3e72
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm wlan.mnc015.mcc234.3gppnetwork.org for User-Name = 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
[suffix] No such realm wlan.mnc015.mcc234.3gppnetwork.org
++[suffix] returns noop
[eap] EAP packet type response id 242 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
  can not initiate sim, no
Re: can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]
Hi Arran, I'm not sure if I have interpreted this right. Are you agreeing with my statement that it is not needed, or are you saying it is needed? I seem to recall I get an error when I put the sim_files in the default file. Many thx indeed for the lightning fast response mate :)
Ken

On 23 September 2013 at 12:49 Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> On 23 Sep 2013, at 12:32, ken.farrington ken.farring...@802.co.uk wrote:
> > Hi All, I really do try to read the forums in full before I post, and I have seen much out there on this, but I just can't find out why this is happening. Please see below. The only thing I don't have is a sim_files entry in sites-enabled/default, as I assume this is now covered in the radiusd.conf file.
>
> No, it's not, that is a version 1.x.x configuration. You have to list it in sites-enabled/default before EAP for it to work.
>
> Honestly though you don't need the sim_files stuff as you can set the attributes required in the users file (files).
>
> -Arran
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
> FreeRADIUS Development Team

Ken Farrington
Director, CCIE #12651
802 Limited
International House, 221 Bow Road, London, E3 2SJ, United Kingdom
Direct: +44 (0)7500 802802
ken.farring...@802.co.uk
http://www.802.co.uk

Disclaimer: This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. Any views or opinions presented are solely those of the author and do not necessarily represent those of 802 Limited or any subsidiary company of 802 Limited. This email may relate to or be sent from other members of the 802 Group. All rights reserved. 802 Limited. Registered in the UK. Company Number 7962864.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication
Just also beware that the MAC can be spoofed as well, with lots of programs :)

On 23 September 2013 at 13:46 Nikolaos Milas nmi...@noa.gr wrote:
> On 23/9/2013 3:14 PM, Free-Radius wrote:
> > I wonder if FreeRADIUS can authenticate a client by IP number, without using login and password, only the IP. If possible, how to do it?
>
> You can authenticate a client based on MAC Address. See http://wiki.freeradius.org/guide/Mac-Auth for various scenarios.
>
> Of course not by IP number, which can be manipulated.
>
> Regards,
> Nick
Re: can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]
Also, if I put the sim_files entry before eap in the default file, I get the following error when I try and start radiusd -s -X:

Module: Linked to sub-module rlm_eap_sim
Module: Instantiating eap-sim
Module: Checking authorize {...} for more modules to load
/usr/local/etc/raddb/radiusd.conf[643]: Failed to link to module 'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No such file or directory
/usr/local/etc/raddb/sites-enabled/default[63]: Failed to load module sim_files.
/usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.

Could it be a Linux thing? I am starting to think my Linux skills are rubbish. I have been trying very hard :)
Many thx
ken

On 23 September 2013 at 12:56 ken.farrington ken.farring...@802.co.uk wrote:
> Hi Arran, I'm not sure if I have interpreted this right. Are you agreeing with my statement that it is not needed, or are you saying it is needed? I seem to recall I get an error when I put the sim_files in the default file. Many thx indeed for the lightning fast response mate :)
> Ken
>
> On 23 September 2013 at 12:49 Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> > On 23 Sep 2013, at 12:32, ken.farrington ken.farring...@802.co.uk wrote:
> > > Hi All, I really do try to read the forums in full before I post, and I have seen much out there on this, but I just can't find out why this is happening. Please see below. The only thing I don't have is a sim_files entry in sites-enabled/default, as I assume this is now covered in the radiusd.conf file.
> >
> > No, it's not, that is a version 1.x.x configuration. You have to list it in sites-enabled/default before EAP for it to work.
> >
> > Honestly though you don't need the sim_files stuff as you can set the attributes required in the users file (files).
> >
> > -Arran
> >
> > Arran Cudbard-Bell
> > a.cudba...@freeradius.org
> > FreeRADIUS Development Team
Re: eap-tls ignore client cert expiry check - crazy idea?
Hi All, Just to let you all know I did get all my setup working (took me a while, not being a Linux guru) but it does work as expected. Just in case anyone was wondering :)
Many thanks all
Ken :)

On 29 August 2013 at 16:05 ken.farrington ken.farring...@802.co.uk wrote:
> Hi All, Is there a way, if I had 10 clients in my home lab and all the certs expire tomorrow, that rather than re-provide all the certs to my clients, I can frig the radius server time to still accept them? I'm guessing this is a no, but from what I see, the client cert is presented and checked against the server time. Would this be correct?
> Many thanks in advance
> Ken
eap-tls ignore client cert expiry check - crazy idea?
Hi All, Is there a way, if I had 10 clients in my home lab and all the certs expire tomorrow, that rather than re-provide all the certs to my clients, I can frig the radius server time to still accept them? I'm guessing this is a no, but from what I see, the client cert is presented and checked against the server time. Would this be correct?
Many thanks in advance
Ken
Re: EAP-SIM Module Failed to Load
Many thanks indeed. Are you saying I can just take out sim_files from the authorize section in the default file and it should work anyway? If so, fantastic :)

On 26 August 2013 at 12:11 Iliya Peregoudov iperegu...@cboss.ru wrote:
> On 25.08.2013 15:03, ken.farrington wrote:
> > Module: Linked to sub-module rlm_eap_sim
> > Module: Instantiating eap-sim
>
> rlm_eap_sim is compiled in.
>
> > /usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module 'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No such file or directory
>
> rlm_sim_files is not compiled in. In fact you do not need rlm_eap_files. All can be done using the rlm_files module.
Re: EAP-SIM Module Failed to Load
Fantastic and thanks. On it now :)

On 27 August 2013 at 08:54 Iliya Peregoudov iperegu...@cboss.ru wrote:
> On 27.08.2013 10:57, ken.farrington wrote:
> > Many thanks indeed. Are you saying I can just take out sim_files from the authorize section in the default file and it should work anyway? If so, fantastic :)
>
> My raddb/sites-enabled/default:
>
> authorize {
>     preprocess
>     auth_log
>     chap
>     mschap
>     suffix
>     eap {
>         ok = return
>     }
>     files
>     pap
> }
>
> My raddb/users:
>
> 1250016490216...@wlan.mnc001.mcc250.3gppnetwork.org EAP-Sim-RAND1 = 0x09844aff4ccf66cdb95e59dba8ec291c, EAP-Sim-RAND2 = 0x100446e9e8f553a9d87d0444a44b6cf5, EAP-Sim-RAND3 = 0x753fdfc2d7e834002557a069462a1fa5, EAP-Sim-SRES1 = 0x5dc9a406, EAP-Sim-SRES2 = 0x3b3f8ea3, EAP-Sim-SRES3 = 0x85bb8aeb, EAP-Sim-KC1 = 0x75e85aff085e917b, EAP-Sim-KC2 = 0x3055d76de12f1772, EAP-Sim-KC3 = 0x81806503efeebec1
>
> 1250016490216...@wlan.mnc001.mcc250.3gppnetwork.org is a decorated permanent identity for IMSI 250016490216808. (EAP-Sim-RAND1, EAP-Sim-SRES1, EAP-Sim-KC1) is an authentication vector (aka GSM triplet). rlm_eap_sim requires three GSM triplets to be available.
>
> You can extract the IMSI and GSM triplets from the SIM card using a smart card reader and the agsm2 program (http://agsm.sourceforge.net).
>
> Note this will always use the same GSM triplets for authentication and consequently the same master session key (MSK) for encryption. You need to integrate with an HLR to retrieve truly random GSM triplets. Usually this is done by some sort of RADIUS-to-MAP gateway, like Cisco ITP.
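Iliya's users entry and the failure in Ken's log are two sides of the same requirement: rlm_files has to match the exact decorated identity the supplicant sends as User-Name and hand rlm_eap_sim nine EAP-Sim-* items, and in Ken's debug output "++[files] returns noop" (no entry matched) is followed directly by "can not initiate sim, no RAND1 attribute". The script below is an added illustration written for this page; it is not FreeRADIUS code and was not posted by anyone in the thread. It builds the identity and realm from an IMSI per 3GPP TS 23.003 (the 2-or-3-digit MNC length is a parameter, since it cannot be read from the IMSI), writes the users line with the triplets as check items (assumed to be where rlm_eap_sim 2.x reads them; confirm against your own radiusd -X output), checks the triplets for the lengths and the distinct-RAND property EAP-SIM needs, and reports which attributes would be missing. The sample IMSI and triplets are the ones from Iliya's post; treating his MNC as two digits is an assumption that reproduces the mnc001 realm he shows.

```python
"""Build and check the EAP-SIM users-file material discussed in this thread.
Added illustration; not FreeRADIUS code and not posted by anyone here."""
import re
from typing import Dict, List, Sequence, Tuple

# 3GPP TS 23.003: EAP-SIM permanent identity is "1" + IMSI ("0" + IMSI for
# EAP-AKA); realm = wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org, MNC padded to 3 digits.
IDENTITY_RE = re.compile(r"^(?P<prefix>[01])(?P<imsi>\d{6,15})@(?P<realm>\S+)$")
REALM_RE = re.compile(r"^wlan\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$")

# Byte lengths of one GSM triplet, and the nine items rlm_eap_sim expects.
# EAP-Sim-RAND1 is looked up first, hence the wording of Ken's error.
TRIPLET_LEN = {"RAND": 16, "SRES": 4, "KC": 8}
REQUIRED = ["EAP-Sim-%s%d" % (p, n) for n in (1, 2, 3) for p in ("RAND", "SRES", "KC")]

# IMSI and triplets from Iliya's post; a 2-digit MNC is assumed (gives mnc001).
SAMPLE_IMSI = "250016490216808"
SAMPLE_TRIPLETS = [
    ("0x09844aff4ccf66cdb95e59dba8ec291c", "0x5dc9a406", "0x75e85aff085e917b"),
    ("0x100446e9e8f553a9d87d0444a44b6cf5", "0x3b3f8ea3", "0x3055d76de12f1772"),
    ("0x753fdfc2d7e834002557a069462a1fa5", "0x85bb8aeb", "0x81806503efeebec1"),
]


def wlan_realm(imsi: str, mnc_digits: int = 2) -> str:
    """Realm for an IMSI. Whether the MNC is 2 or 3 digits is an operator
    property that cannot be read off the IMSI, so the caller supplies it."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15 or mnc_digits not in (2, 3):
        raise ValueError("bad IMSI or MNC length")
    mcc, mnc = imsi[:3], imsi[3:3 + mnc_digits]
    return "wlan.mnc%s.mcc%s.3gppnetwork.org" % (mnc.zfill(3), mcc)


def permanent_identity(imsi: str, mnc_digits: int = 2) -> str:
    """Decorated permanent identity, byte for byte what the peer sends as User-Name."""
    return "1%s@%s" % (imsi, wlan_realm(imsi, mnc_digits))


def parse_identity(user_name: str):
    """Take a User-Name apart; None if it is not shaped like a 3GPP identity."""
    m = IDENTITY_RE.match(user_name)
    r = REALM_RE.match(m.group("realm")) if m else None
    if not r:
        return None
    imsi, mcc, mnc = m.group("imsi"), r.group("mcc"), r.group("mnc")
    # The realm should derive from this IMSI; a padded 2-digit MNC shows as 0xx.
    ok = imsi.startswith(mcc + mnc) or (mnc[0] == "0" and imsi.startswith(mcc + mnc[1:]))
    return {"method": "sim" if m.group("prefix") == "1" else "aka",
            "imsi": imsi, "mcc": mcc, "mnc": mnc, "consistent": ok}


def _strip0x(value: str) -> str:
    return value[2:] if value[:2].lower() == "0x" else value


def check_triplets(triplets: Sequence[Tuple[str, str, str]]) -> List[str]:
    """Problems with (RAND, SRES, Kc) hex triplets; an empty list means usable."""
    problems = []
    if len(triplets) != 3:
        problems.append("rlm_eap_sim needs exactly 3 triplets, got %d" % len(triplets))
    for n, trip in enumerate(triplets, 1):
        for part, value in zip(("RAND", "SRES", "KC"), trip):
            try:
                size = len(bytes.fromhex(_strip0x(value)))
            except ValueError:
                problems.append("%s%d is not hex" % (part, n))
                continue
            if size != TRIPLET_LEN[part]:
                problems.append("%s%d is %d bytes, expected %d" % (part, n, size, TRIPLET_LEN[part]))
    rands = [_strip0x(t[0]).lower() for t in triplets]
    if len(set(rands)) != len(rands):
        # RFC 4186 wants the challenges in one AT_RAND to be distinct; a peer may reject repeats.
        problems.append("duplicate RAND values")
    return problems


def users_entry(imsi: str, triplets: Sequence[Tuple[str, str, str]], mnc_digits: int = 2) -> str:
    """One rlm_files line: identity, then the nine EAP-Sim-* items as check items
    on the same line (assumed to be where rlm_eap_sim 2.x reads them)."""
    problems = check_triplets(triplets)
    if problems:
        raise ValueError("; ".join(problems))
    items = []
    for n, (rand, sres, kc) in enumerate(triplets, 1):
        for part, value in (("RAND", rand), ("SRES", sres), ("KC", kc)):
            items.append("EAP-Sim-%s%d = 0x%s" % (part, n, _strip0x(value).lower()))
    return "%s\t%s" % (permanent_identity(imsi, mnc_digits), ", ".join(items))


def parse_users_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Inverse of users_entry: (name, {attribute: value}) for a one-line entry."""
    parts = line.split(None, 1)
    items = {}
    for item in (parts[1] if len(parts) > 1 else "").split(","):
        key, _, value = item.partition("=")
        if key.strip():
            items[key.strip()] = value.strip()
    return parts[0], items


def missing_sim_attributes(check_items: Dict[str, str]) -> List[str]:
    """What rlm_eap_sim would fail to find. With no matching users entry
    (Ken's "[files] returns noop") this is all nine names."""
    return [a for a in REQUIRED if a not in check_items]
```

Run it with `users_entry(SAMPLE_IMSI, SAMPLE_TRIPLETS)` and feed the line back through `parse_users_line` and `missing_sim_attributes` to confirm nothing is missing; `wlan_realm(SAMPLE_IMSI, 3)` shows how the same IMSI yields a different realm (mnc016) if the MNC length is guessed wrong, which is one way a User-Name can fail to match a users entry that looks right. Triplets stored in users are long-term secrets: everything else that goes into the EAP-SIM master key is on the wire, so anyone who can read the Kc values can derive the session keys of every exchange that used them. Protect the file like a password store and, as Iliya says, treat static triplets as a lab arrangement only.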
Re: EAP-SIM Module Failed to Load
Hello all, I hope this email finds you all well; this is my first post. I think I have a small problem with my BackTrack distro and I am trying to load eap-sim onto my FreeRADIUS server 2.1.11. I have followed the guide to add the relevant parts of the config, and when I put the config into the default file as per http://freeradius.1045715.n5.nabble.com/EAP-SIM-configuration-on-v2-1-12-td5714134.html I get the same message. I think it is a library or link issue. I am not the best Linux person in the world, so sorry if this seems like a dumb question.

Module: Linked to sub-module rlm_eap_sim
Module: Instantiating eap-sim
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module preprocess from file /usr/local/etc/raddb/modules/preprocess
 preprocess {
	huntgroups = /usr/local/etc/raddb/huntgroups
	hints = /usr/local/etc/raddb/hints
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
 }
Module: Linked to module rlm_realm
Module: Instantiating module suffix from file /usr/local/etc/raddb/modules/realm
 realm suffix {
	format = suffix
	delimiter = @
	ignore_default = no
	ignore_null = no
 }
/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module 'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No such file or directory
/usr/local/etc/raddb/sites-enabled/default[138]: Failed to load module sim_files.
/usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.

root@bt:/usr/local/etc/raddb# more simtriplets.dat

If anyone could help, that would be fantastic
many thx
ken