can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]

2013-09-23 Thread ken.farrington
Hi All,
I really do try to read the forums in full before I post, and I have seen much
out there on this, but I just can't find out why this is happening.
Please see below.

The only thing I don't have is the sim_files entry in sites-enabled/default, as
I assume this is now covered in the radiusd.conf file.

Also, in the simtriplets file at the bottom, I have tried the entries with a 1
at the beginning of the IMSI, and without, and with the word SIM there also.

On packet captures over the air, I get
P1 - eap identity request
P2 - eap identity response
P3 - eap-failure

So I believe the radius server is not sending an eap-start module and it is my
configuration issue.

Could anyone be so kind as to help me please?

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.53.1.200 port 45261, id=5,
length=257
User-Name = 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
NAS-IP-Address = 192.168.21.1
Called-Station-Id = 5C-D9-98-BF-C0-9E:tt
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = 5C-F8-A1-8B-35-BA
Connect-Info = CONNECT 54Mbps 802.11g
Acct-Session-Id = 524016AE-0005
Framed-MTU = 1400
EAP-Message =
0x02ba0038013132333431353931343334363530383440776c616e2e6d6e633031352e6d63633233342e336770706e6574776f726b2e6f7267
Message-Authenticator = 0x25cd862fe8110e13ab54321c37032d00
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm wlan.mnc015.mcc234.3gppnetwork.org for User-Name =
1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
[suffix] No such realm wlan.mnc015.mcc234.3gppnetwork.org
++[suffix] returns noop
[eap] EAP packet type response id 186 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity

[eap] processing type sim
can not initiate sim, no RAND1 attribute
[eap] Default EAP type sim failed in initiate
[eap] Failed in EAP select
++[eap] returns invalid

Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -
1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 5 to 10.53.1.200 port 45261
EAP-Message = 0x04ba0004
Message-Authenticator = 0x
Waking up in 4.9 seconds.
Cleaning up request 0 ID 5 with timestamp +8
Ready to process requests.
rad_recv: Access-Request packet from host 10.53.1.200 port 45261, id=6,
length=257
User-Name = 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
NAS-IP-Address = 192.168.21.1
Called-Station-Id = 5C-D9-98-BF-C0-9E:tt
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = 5C-F8-A1-8B-35-BA
Connect-Info = CONNECT 54Mbps 802.11g
Acct-Session-Id = 524016AE-0006
Framed-MTU = 1400
EAP-Message =
0x02f20038013132333431353931343334363530383440776c616e2e6d6e633031352e6d63633233342e336770706e6574776f726b2e6f7267
Message-Authenticator = 0xac6eea11e5915f4e4e5bbc06a7ed3e72
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm wlan.mnc015.mcc234.3gppnetwork.org for User-Name =
1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
[suffix] No such realm wlan.mnc015.mcc234.3gppnetwork.org
++[suffix] returns noop
[eap] EAP packet type response id 242 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
can not initiate sim, no 
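The debug output above prints the EAP-Message attribute as raw hex and then summarises it ("EAP packet type response id 186 length 56"), and the Access-Reject carries a second, much shorter EAP-Message. As an added example that is not part of the original post and not FreeRADIUS code, the Python below decodes the RFC 3748 EAP header of both values copied from the log, so the identity request / identity response / EAP-Failure seen in the over-the-air capture can be matched to what the RADIUS server actually sent.

```python
# Added example (not from the list post or FreeRADIUS): decode the EAP-Message
# attribute values printed in the FreeRADIUS debug output, per RFC 3748.
import binascii

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 18: "SIM", 23: "AKA"}

# Both values copied from the debug output (Access-Request id=5 and its reject).
RESPONSE_HEX = "0x02ba0038013132333431353931343334363530383440776c616e2e6d6e633031352e6d63633233342e336770706e6574776f726b2e6f7267"
REJECT_HEX = "0x04ba0004"


def decode_eap_message(hexstr):
    """Parse one EAP-Message value (hex, optional 0x prefix) into its fields.

    Header: Code(1) Identifier(1) Length(2). Request/Response packets add a
    Type byte and type-data; for Type 1 (Identity) the data is the NAI in ASCII.
    """
    data = binascii.unhexlify(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes present")
    fields = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        eap_type = data[4]
        fields["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            fields["identity"] = data[5:].decode("ascii")
    return fields


def same_conversation(response_hex, failure_hex):
    """True when the Failure answers the Response: same EAP Identifier."""
    r, f = decode_eap_message(response_hex), decode_eap_message(failure_hex)
    return f["code"] == "Failure" and r["id"] == f["id"]


if __name__ == "__main__":
    print(decode_eap_message(RESPONSE_HEX))  # Identity response relayed by the NAS
    print(decode_eap_message(REJECT_HEX))    # EAP-Failure inside the Access-Reject
    print(same_conversation(RESPONSE_HEX, REJECT_HEX))
```

The decoded header (Response, id 186, length 56, type Identity) is exactly what the "[eap] EAP packet type response id 186 length 56" line reports, and the reject's 0x04ba0004 is an EAP-Failure with the same identifier, which is why the supplicant never sees an EAP-Request/SIM/Start: the server gave up while selecting the EAP type, before any SIM round trip began.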

Re: can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]

2013-09-23 Thread ken.farrington
Hi Arran,

I'm not sure if I have interpreted this right. Are you agreeing with my
statement, that it is not needed, or are you saying it is needed? I seem to
recall I get an error when I put the sim_files in the default file.

Many thx indeed for the lightning fast response mate :)

Ken

 On 23 September 2013 at 12:49 Arran Cudbard-Bell a.cudba...@freeradius.org
 wrote:


 On 23 Sep 2013, at 12:32, ken.farrington ken.farring...@802.co.uk wrote:

  Hi All,
  I really do try to read the forums in full before I post, and I have seen
  much out there on this, but I just can't find out why this is happening.
  Please see below.
 
  The only thing I don't have is the sim_files entry in the
  sites-enabled/default, as I assume this is now covered in the radiusd.conf
  file.

 No, it's not, that is a version 1.x.x configuration. You have to list it in
 sites-enabled/default before EAP for it to work.

 Honestly though you don't need the sim_files stuff as you can set the
 attributes required in the users file (files).

 -Arran

 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team

Ken Farrington
Director
CCIE #12651

802 Limited
International House, 221 Bow Road, London, E3 2SJ, United Kingdom
Direct: +44 (0)7500 802802
ken.farring...@802.co.uk
http://www.802.co.uk


Disclaimer
This e-mail may contain information that is confidential, privileged or
otherwise protected from disclosure. If you are not an intended recipient of
this e-mail, do not duplicate or redistribute it by any means. Please delete it
and any attachments and notify the sender that you have received it in error.
Any views or opinions presented are solely those of the author and do not
necessarily represent those of 802 Limited or any subsidiary company of 802
Limited. This email may relate to or be sent from other members of the 802
Group. All rights reserved. 802 Limited. Registered in the UK. Company Number.
7962864.-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authentication

2013-09-23 Thread ken.farrington
Just also be aware that the MAC can be spoofed with lots of programs :)


 On 23 September 2013 at 13:46 Nikolaos Milas nmi...@noa.gr wrote:

 On 23/9/2013 3:14 PM, Free-Radius wrote:

 
  I wonder if the Freeradius to authenticate a client by IP number,
  without using login and password, only the IP. If possible, how to do?

 You can authenticate a client based on MAC Address. See
 http://wiki.freeradius.org/guide/Mac-Auth for various scenarios.

 Of course not by IP number which can be manipulated.

 Regards,
 Nick

Re: can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]

2013-09-23 Thread ken.farrington
Also, if I put the sim_files entry before eap in the default file I get the
following error when I try to start radiusd -s -X


Module: Linked to sub-module rlm_eap_sim
Module: Instantiating eap-sim
Module: Checking authorize {...} for more modules to load
/usr/local/etc/raddb/radiusd.conf[643]: Failed to link to module
'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No such file
or directory
/usr/local/etc/raddb/sites-enabled/default[63]: Failed to load module
sim_files.
/usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize
section.

Could it be a Linux thing? I am starting to think my Linux skills are rubbish.
I have been trying very hard :)



Many thx

ken



 On 23 September 2013 at 12:56 ken.farrington ken.farring...@802.co.uk
 wrote:
  Hi Arran,
 
  I'm not sure if I have interpreted this right. Are you agreeing with my
  statement, that it is not needed, or are you saying it is needed? I seem to
  recall I get an error when I put the sim_files in the default file.
 
  Many thx indeed for the lightning fast response mate :)
 
  Ken
 
   On 23 September 2013 at 12:49 Arran Cudbard-Bell
   a.cudba...@freeradius.org wrote:
 
   On 23 Sep 2013, at 12:32, ken.farrington ken.farring...@802.co.uk wrote:
 
    Hi All,
    I really do try to read the forums in full before I post, and I have seen
    much out there on this, but I just can't find out why this is happening.
    Please see below.
 
    The only thing I don't have is the sim_files entry in the
    sites-enabled/default, as I assume this is now covered in the
    radiusd.conf file.
 
   No, it's not, that is a version 1.x.x configuration. You have to list it in
   sites-enabled/default before EAP for it to work.
 
   Honestly though you don't need the sim_files stuff as you can set the
   attributes required in the users file (files).
 
   -Arran
 
   Arran Cudbard-Bell a.cudba...@freeradius.org
   FreeRADIUS Development Team

Re: eap-tls ignore client cert expiry check - crazy idea?

2013-09-02 Thread ken.farrington
Hi All,

Just to let you all know I did get all my setup working (it took me a while, not
being a Linux guru) but it does work as expected. Just in case anyone was
wondering :)

Many thanks all
Ken
:)

On 29 August 2013 at 16:05 ken.farrington ken.farring...@802.co.uk wrote:

  Hi All,
 
  Is there a way, if I had 10 clients in my home lab and all the certs expire
  tomorrow, that rather than re-provide all the certs to my clients, I can frig
  the radius server time to still accept them.
 
  I'm guessing this is a no, but from what I see, the client cert is presented
  and checked against the server time.
 
  Would this be correct?
 
  Many thanks in advance
  Ken
 
 
 

eap-tls ignore client cert expiry check - crazy idea?

2013-08-29 Thread ken.farrington
Hi All,

Is there a way, if I had 10 clients in my home lab and all the certs expire
tomorrow, that rather than re-provide all the certs to my clients, I can frig
the radius server time to still accept them.

I'm guessing this is a no, but from what I see, the client cert is presented and
checked against the server time.

Would this be correct?

Many thanks in advance
Ken



Re: EAP-SIM Module Failed to Load

2013-08-27 Thread ken.farrington
Many thanks indeed.  Are you saying I can just take out sim_files from the
authorise in the default file and it should work anyway?
If so, fantastic :)

On 26 August 2013 at 12:11 Iliya Peregoudov iperegu...@cboss.ru wrote:
 On 25.08.2013 15:03, ken.farrington wrote:
  Module: Linked to sub-module rlm_eap_sim
  Module: Instantiating eap-sim

 rlm_eap_sim is compiled in.

  /usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
  'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No
  such file or directory

 rlm_sim_files is not compiled in.

 In fact you do not need rlm_eap_files. All can be done using rlm_files
 module.

Re: EAP-SIM Module Failed to Load

2013-08-27 Thread ken.farrington
Fantastic and thanks. On it now :)

On 27 August 2013 at 08:54 Iliya Peregoudov iperegu...@cboss.ru wrote:
 On 27.08.2013 10:57, ken.farrington wrote:
  Many thanks indeed. Are you saying I can just take out sim_files from
  the authorise in the default file and it should work anyway?
  If so, fantastic :)

 My raddb/sites-enabled/default:

 authorize {
     preprocess
     auth_log
     chap
     mschap
     suffix
     eap {
         ok = return
     }
     files
     pap
 }

 My raddb/users:

 1250016490216...@wlan.mnc001.mcc250.3gppnetwork.org
     EAP-Sim-RAND1 = 0x09844aff4ccf66cdb95e59dba8ec291c,
     EAP-Sim-RAND2 = 0x100446e9e8f553a9d87d0444a44b6cf5,
     EAP-Sim-RAND3 = 0x753fdfc2d7e834002557a069462a1fa5,
     EAP-Sim-SRES1 = 0x5dc9a406,
     EAP-Sim-SRES2 = 0x3b3f8ea3,
     EAP-Sim-SRES3 = 0x85bb8aeb,
     EAP-Sim-KC1 = 0x75e85aff085e917b,
     EAP-Sim-KC2 = 0x3055d76de12f1772,
     EAP-Sim-KC3 = 0x81806503efeebec1

 1250016490216...@wlan.mnc001.mcc250.3gppnetwork.org is a decorated
 permanent identity for IMSI 250016490216808.

 (EAP-Sim-RAND1, EAP-Sim-SRES1, EAP-Sim-KC1) is an authentication vector
 (aka GSM triplet). rlm_eap_sim requires three GSM triplets to be available.

 You can extract IMSI and GSM triplets from the SIM card using smart card
 reader and agsm2 program (http://agsm.sourceforge.net).

 Note this will always use same GSM triplets for authentication and
 consequently same master session key (MSK) for encryption. You need to
 integrate with HLR to retrieve truly random GSM triplets. Usually this
 is done by some sort of RADIUS-to-MAP gateway, like Cisco ITP.
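Iliya's reply above shows the users-file approach: the three GSM triplets are listed as reply items under the decorated permanent identity, so rlm_eap_sim finds EAP-Sim-RAND1 and friends without any sim_files module. As an added example (not from the list post and not FreeRADIUS code), the Python below reads a constructed users file in that format, checks that each entry carries EAP-Sim-RAND1..3, SRES1..3 and KC1..3 with the byte lengths of a GSM triplet (16, 4 and 8), and verifies that the identity "1" + IMSI agrees with the wlan.mncXXX.mccYYY.3gppnetwork.org realm (3GPP TS 23.003, MNC zero-padded to three digits). The second sample entry deliberately omits RAND1, the condition behind the "can not initiate sim, no RAND1 attribute" error at the top of the thread, and a last helper flags RAND values that several entries share, the static-triplet weakness Iliya's note describes. The IMSIs (test network MCC 001, MNC 01) and all triplet values are constructed placeholders.

```python
# Added example, not from the list post or from FreeRADIUS: check that a users
# entry carries what rlm_eap_sim needs (three GSM triplets) and that the
# decorated permanent identity agrees with its IMSI and 3GPP realm.
import re

# Byte lengths in one GSM triplet: RAND 16, SRES 4, Kc 8 (RFC 4186).
REQUIRED_LENGTHS = {f"EAP-Sim-{kind}{n}": size for n in (1, 2, 3)
                    for kind, size in (("RAND", 16), ("SRES", 4), ("KC", 8))}

# Constructed sample users file: placeholder test-network IMSIs (MCC 001,
# two-digit MNC 01) with made-up triplets. The second entry lacks RAND1.
SAMPLE_USERS = """\
1001010123456789@wlan.mnc001.mcc001.3gppnetwork.org
\tEAP-Sim-RAND1 = 0x0102030405060708090a0b0c0d0e0f10,
\tEAP-Sim-RAND2 = 0x1112131415161718191a1b1c1d1e1f20,
\tEAP-Sim-RAND3 = 0x2122232425262728292a2b2c2d2e2f30,
\tEAP-Sim-SRES1 = 0x31323334,
\tEAP-Sim-SRES2 = 0x35363738,
\tEAP-Sim-SRES3 = 0x393a3b3c,
\tEAP-Sim-KC1 = 0x4142434445464748,
\tEAP-Sim-KC2 = 0x5152535455565758,
\tEAP-Sim-KC3 = 0x6162636465666768

1001010987654321@wlan.mnc001.mcc001.3gppnetwork.org
\tEAP-Sim-RAND2 = 0x1112131415161718191a1b1c1d1e1f20,
\tEAP-Sim-RAND3 = 0x2122232425262728292a2b2c2d2e2f30,
\tEAP-Sim-SRES1 = 0x31323334,
\tEAP-Sim-SRES2 = 0x35363738,
\tEAP-Sim-SRES3 = 0x393a3b3c,
\tEAP-Sim-KC1 = 0x4142434445464748,
\tEAP-Sim-KC2 = 0x5152535455565758,
\tEAP-Sim-KC3 = 0x6162636465666768
"""


def parse_users(text):
    """Minimal reader for the users format: a name at column 0 starts an entry;
    the indented 'Attr = value,' lines that follow are its reply items."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            current = line.split()[0]
            entries[current] = {}
        elif current is not None:
            attr, _, value = line.strip().rstrip(",").partition("=")
            entries[current][attr.strip()] = value.strip()
    return entries


REALM_RE = re.compile(r"^wlan\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")


def parse_permanent_identity(identity):
    """Split '1<IMSI>@wlan.mncXXX.mccYYY.3gppnetwork.org' (3GPP TS 23.003) and
    require the realm MCC/MNC to match the IMSI prefix (MNC is 2 or 3 digits)."""
    user, _, realm = identity.partition("@")
    m = REALM_RE.match(realm)
    if not m or not user.startswith("1") or not user[1:].isdigit():
        return None
    imsi = user[1:]
    mnc, mcc = m.groups()
    mnc_ok = imsi[3:6] == mnc or imsi[3:5].rjust(3, "0") == mnc
    if not 6 <= len(imsi) <= 15 or imsi[:3] != mcc or not mnc_ok:
        return None
    return {"imsi": imsi, "mcc": mcc, "mnc": mnc}


def check_sim_entry(entries, identity):
    """Report what rlm_eap_sim would find for this User-Name in the file."""
    items = entries.get(identity)
    result = {"identity_ok": parse_permanent_identity(identity) is not None,
              "found": items is not None, "missing": [], "bad_length": [],
              "ok": False}
    if items is None:
        return result
    for attr, nbytes in REQUIRED_LENGTHS.items():
        value = items.get(attr)
        if value is None:
            result["missing"].append(attr)
        elif not (value.startswith("0x") and len(value) == 2 + 2 * nbytes):
            result["bad_length"].append(attr)
    result["ok"] = (result["identity_ok"] and not result["missing"]
                    and not result["bad_length"])
    return result


def reused_rands(entries):
    """RAND values shared by several entries: static triplets being replayed."""
    owner, reused = {}, set()
    for name, items in entries.items():
        for attr, value in items.items():
            if attr.startswith("EAP-Sim-RAND") and owner.setdefault(value, name) != name:
                reused.add(value)
    return reused


if __name__ == "__main__":
    users = parse_users(SAMPLE_USERS)
    for name in users:
        print(name, check_sim_entry(users, name))
    print("reused RANDs:", reused_rands(users))
```

Run against a real raddb/users before restarting the server: an entry that comes back with "missing" non-empty is one that will fail exactly as in the debug output above, and any value reported by reused_rands means the same RAND/SRES/Kc is being handed to more than one identity, which is the static-triplet situation the reply warns about and the reason production deployments fetch fresh triplets from the HLR rather than a flat file.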

Re: EAP-SIM Module Failed to Load

2013-08-25 Thread ken.farrington
 
 
  Hello all,
 
  I hope this email finds you all well and is my first post.
 
  I think I have a small problem with my BackTrack distro and I am trying to
  load eap-sim onto my FreeRADIUS server 2.1.11. I have followed the guide to
  add the relevant parts of the config and when I put the config into the
  default file as per
 
  http://freeradius.1045715.n5.nabble.com/EAP-SIM-configuration-on-v2-1-12-td5714134.html
 
  I get the same message. I think it is a library or link issue. I am not
  the best Linux person in the world so sorry if this seems like a dumb question.
 
 
  Module: Linked to sub-module rlm_eap_sim
  Module: Instantiating eap-sim
  Module: Checking authorize {...} for more modules to load
  Module: Linked to module rlm_preprocess
  Module: Instantiating module preprocess from file
 /usr/local/etc/raddb/modules/preprocess
  preprocess {
  huntgroups = /usr/local/etc/raddb/huntgroups
  hints = /usr/local/etc/raddb/hints
  with_ascend_hack = no
  ascend_channels_per_line = 23
  with_ntdomain_hack = no
  with_specialix_jetstream_hack = no
  with_cisco_vsa_hack = no
  with_alvarion_vsa_hack = no
  }
  Module: Linked to module rlm_realm
  Module: Instantiating module suffix from file
 /usr/local/etc/raddb/modules/realm
  realm suffix {
  format = suffix
  delimiter = @
  ignore_default = no
  ignore_null = no
  }
  /usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
 'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No such
 file or directory
  /usr/local/etc/raddb/sites-enabled/default[138]: Failed to load module
 sim_files.
  /usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize
 section.
  root@bt:/usr/local/etc/raddb# more simtriplets.dat
 
 
 
  If anyone could help, that would be fantastic
 
 
 
  many thx
 
  ken
 
