EAP-SIM authentication problem at 2nd stage
dear guest, i have problem in eap-sim authentication.
I'm using freeradius 2.2.0, blackberry 9220
here my simtripletsdat. file
1510012660372465,AF6876E748BD46bf853A99DC2032F0A7,95762655,449177635B92bc00
1510012660372465,A1A9AC744E8D49819D27A79B067BCA69,257b31c6,64ff9467DEa1e400
1510012660372465,603906BFD8DC404197BAC35FF1274EB3,4F41eb06,F3ce89b4FCbc
1510080332618369,23A95DB79B644a4299463F0342069A11,7775d266,B10f3eba2Bc5ed2b
1510080332618369,FDCE8E4F2B0B4b3086BEF230076EAD58,D9e080d9,E2aad63f711e1324
1510080332618369,238100571AD1495fBCE2AD5505634E41,A40e1656,66a098a750d9cd13
here content of users file
1510080332618369Auth-Type := EAP, EAP-Type := SIM
EAP-Sim-Rand1 := 0x23A95DB79B644a4299463F0342069A11,
EAP-Sim-SRES1 := 0x7775d266,
EAP-Sim-KC1 := 0xB10f3eba2Bc5ed2b,
EAP-Sim-Rand2 := 0xFDCE8E4F2B0B4b3086BEF230076EAD58,
EAP-Sim-SRES2 := 0xD9e080d9,
EAP-Sim-KC2 := 0xE2aad63f711e1324,
EAP-Sim-Rand3 := 0x238100571AD1495fBCE2AD5505634E41,
EAP-Sim-SRES3 := 0xA40e1656,
EAP-Sim-KC3 := 0x66a098a750d9cd13,
1510012660372465 Auth-Type := EAP,EAP-Type := sim
EAP-Sim-Rand1 := 0xAF6876E748BD46bf853A99DC2032F0A7,
EAP-Sim-SRES1 := 0x95762655,
EAP-Sim-KC1 := 0x449177635B92bc00,
EAP-Sim-Rand2 := 0xA1A9AC744E8D49819D27A79B067BCA69,
EAP-Sim-SRES2 := 0x257b31c6,
EAP-Sim-KC2 := 0x64ff9467DEa1e400,
EAP-Sim-Rand3 := 0x603906BFD8DC404197BAC35FF1274EB3,
EAP-Sim-SRES3 := 0x4F41eb06,
EAP-Sim-KC3 := 0xF3ce89b4FCbc,
1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.orgAuth-Type :=
EAP, EAP-Type := SIM
EAP-Sim-Rand1 := 0x23A95DB79B644a4299463F0342069A11,
EAP-Sim-SRES1 := 0x7775d266,
EAP-Sim-KC1 := 0xB10f3eba2Bc5ed2b,
EAP-Sim-Rand2 := 0xFDCE8E4F2B0B4b3086BEF230076EAD58,
EAP-Sim-SRES2 := 0xD9e080d9,
EAP-Sim-KC2 := 0xE2aad63f711e1324,
EAP-Sim-Rand3 := 0x238100571AD1495fBCE2AD5505634E41,
EAP-Sim-SRES3 := 0xA40e1656,
EAP-Sim-KC3 := 0x66a098a750d9cd13
Already included sim_files in modules
and sim { } in eap.conf.
I analyze in debug , the firsth authorization success (sim_files return ok
status) , the first authenticating success , the second authorization
success also,
but the problem the second authenticating is failed.
Already read in the past list archive, but no clue .
Here debug of radius
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.111.72 port 34647,
id=129, length=250
User-Name = "1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org"
NAS-IP-Address = 192.168.88.52
Called-Station-Id = "FA-1A-67-9F-E4-68:NOLSPOT-Secure"
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = "70-AA-B2-EF-8E-9D"
Connect-Info = "CONNECT 54Mbps 802.11g"
Framed-MTU = 1400
EAP-Message =
0x0210003801313531303038303236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f7267
Message-Authenticator = 0xf0b7f7c3d39dd64797e1ffa08c3c078e
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc080.mcc510.3gppnetwork.org" for
User-Name = "1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Found realm "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Adding Stripped-User-Name = "1510080332618369"
[suffix] Adding Realm = "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry 1510080332618369 at line 206
++[files] returns ok
rlm_sim_files: authorized user/imsi 1510080332618369
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 16 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} ->
1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org
[sql] sql_set_user escaped user --> '
1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '
1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = '
1510080332618...@wlan.mnc08
Re: eap sim authentication for multiple clients
There is a clear distinction between the two cases.
First case: user record is found in users file:
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1,
length=215
[skipped]
+- entering group authorize {...}
[skipped]
[files] users: Matched entry
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1
[skipped]
+- entering group authenticate {...}
[skipped]
Sending Access-Challenge of id 1 to 192.168.2.1 port 2048
Second case: user record is not found in users file:
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2,
length=215
[skipped]
+- entering group authorize {...}
[skipped]
++[files] returns noop
[skipped]
+- entering group authenticate {...}
[skipped]
Failed to authenticate the user.
[skipped]
+- entering group REJECT {...}
[skipped]
Sending Access-Reject of id 2 to 192.168.2.1 port 2048
It seems your users file is broken in some way. You need to fix it.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
eap sim authentication for multiple clients
Hi,
i have tried with one client and it's success to authenticate and access
internet in wlan
i just try one client and success but when i use another client and it fails
first, i connect with one client and it's success
(until "Finished request 2" in debug log)
and then in next request, i try with different supplicant/client to
authenticate and i have input identitiy (IMSI, RAND, SRES,KC) in to
simtriplets.dat and users also
my simtriplets.dat format
1510019760806391,326258E6F77C40f3866DB25DEA60AE4D,DD287535,7F743521EBabb000
1510019760806391,FD9989BD90AD4a03962E6C08C000C14B,BFf89ad2,1C7098005Fea8c00
1510019760806391,26CC8DB02C9848c7BBCC2790E3F0913B,17172cc6,BF34bf34D4ca4c00
1510080325656501,5A8F4C0677DE4930B47825B55534CC79,94d66001,AC85d79439b564c0
1510080325656501,8E29A03F8E13466fBF84D12F6A9D4734,E284e39e,13a524d040094ef4
1510080325656501,BC5D3CEB1EAC4164AA463E289222C450,AE8bdfc6,B0354bf3402e42ed
my users format
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
EAP-Sim-SRES1 = 0x DD287535,
EAP-Sim-KC1 = 0x 7F743521EBabb000,
EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
EAP-Sim-SRES2 = 0x BFf89ad2,
EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
EAP-Sim-SRES3 = 0x 17172cc6,
EAP-Sim-KC3 = 0x BF34bf34D4ca4c00
1510080325656...@wlan.mnc008.mcc510.3gppnetwork.org EAP-Type := SIM
EAP-Sim-Rand1 = 0x 5A8F4C0677DE4930B47825B55534CC79,
EAP-Sim-SRES1 = 0x 94d66001,
EAP-Sim-KC1 = 0x AC85d79439b564c0,
EAP-Sim-Rand2 = 0x 8E29A03F8E13466fBF84D12F6A9D4734,
EAP-Sim-SRES2 = 0x E284e39e,
EAP-Sim-KC2 = 0x 13a524d040094ef4,
EAP-Sim-Rand3 = 0x BC5D3CEB1EAC4164AA463E289222C450,
EAP-Sim-SRES3 = 0x AE8bdfc6,
EAP-Sim-KC3 = 0x B0354bf3402e42ed
and also add patch as in :
http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/13b2c044/attachment.ksh
and this is my debug log
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1,
length=215
User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
"
NAS-IP-Address = 192.168.2.1
Called-Station-Id = "48f8b315461a"
Calling-Station-Id = "1814563e5189"
NAS-Identifier = "48f8b315461a"
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
Message-Authenticator = 0x509abafbd92ee8417dcb22095d89059d
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for
User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org"
[suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org"
++[suffix] returns noop
rlm_sim_files: authorized user/imsi
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 161
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.2.1 port 2048
EAP-Message = 0x01a10014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x86406e6686e17cf5f398cb77ce20781c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1,
length=265
Cleaning up request 0 ID 1 with timestamp +25
User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
"
NAS-IP-Address = 192.168.2.1
Called-Station-Id = "48f8b315461a"
Calling-Station-Id = "1814563e5189"
NAS-Identifier = "48f8b315461a"
NAS-Port = 38
Framed-MTU = 1400
State = 0x86406e6686e17cf5f398cb77ce20781c
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x02a10058120a07055004b19c6e3aacce33e95d1f3c10c481100100010
Re: EAP-SIM Authentication
Hi Phil, Thanks for your reply, It will be greatful if you show some way to implement the EAP-SIM. Thanks On Wed, Jun 5, 2013 at 6:15 PM, Phil Mayers wrote: > On 06/05/2013 04:45 AM, Kranthi K wrote: > >> Hi All, >> >> I am Newbie to free radius. I installed freeradius version 2.2.0. i want >> to configure the EAP-SIM Authentication. Can anyone tell me the steps >> how to implement it. >> > > What's with the sudden interest in EAP-SIM? Is there a school project > running somewhere? > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/** > list/users.html <http://www.freeradius.org/list/users.html> > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-SIM Authentication
On 06/05/2013 04:45 AM, Kranthi K wrote: Hi All, I am Newbie to free radius. I installed freeradius version 2.2.0. i want to configure the EAP-SIM Authentication. Can anyone tell me the steps how to implement it. What's with the sudden interest in EAP-SIM? Is there a school project running somewhere? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-SIM Authentication
Hi All, I am Newbie to free radius. I installed freeradius version 2.2.0. i want to configure the EAP-SIM Authentication. Can anyone tell me the steps how to implement it. Thanks Kranthi - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-SIM authentication with Huawei
Probably Aptilo is the solution for you. On 8 January 2013 18:44, akinpelu emmanuel wrote: > Dear All, > > Please has there been anyone that has successfully implemented EAP-SIM with > Huawei HLR? I would appreciate head-start on how possible this is. > > Thank you > > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html -- Primož Marinšek - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-SIM authentication with Huawei
Dear All, Please has there been anyone that has successfully implemented EAP-SIM with Huawei HLR? I would appreciate head-start on how possible this is. Thank you- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-SIM authentication failed
On 15/11/12 16:46, Yann R. Moupinda wrote: Has anyone an idea why the MAC not matches although Client and Server are using the same algorithm version (Version 1 mentioned in AT_VERSION_LIST from Server and in AT_SELECTED_VERSION from client) ? It's probably a bug somewhere. Very likely, the wrong data is being fed into the MAC at both ends. Unfortunately, since FreeRADIUS works with *some* EAP-SIM/AKA supplicants, I am guessing there are incompatible implementations out there. You would need to read the SIM/AKA RFCs in detail, and possibly feed the test data into FreeRADIUS to find the bug. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: EAP-SIM authentication failed
Hi guys,
i'm still trying to authenticate a EAP SIM Client with
the Freeraduis 3.0.0. By Using the Nokia E51 and E52, the eap-sim
authentication process just stops after the raduis has sent the "
EAP-REQUEST, SIM-CHALLENGE" (containing AT_RAND and AT_MAC) message (see
log info.).
I did some changes in the in the " eapsimlib.c" regarding the AT_IDENTITY by
using the patch 'commit cfd61d24b99022eb613054bbf7e0da4fa3af1bde' but the
result didn't change.
I decided to change the Client. I downloaded and installed
Xsupplicant 2.2.3.553 on my windows XP. This is a software capable to be
used as EAP-SIM Client. I didn't change anything on the server side.
This time Xsupplicant replys with a " EAP-RESPONSE, SIM-CHALLENGE"
(containing AT_MAC) after recieving the " EAP-REQUEST, SIM-CHALLENGE"
(containing AT_RAND and AT_MAC). The Freeradius Server recieves the "
EAP-RESPONSE, SIM-CHALLENGE" (containing AT_MAC), says that the received
MAC doesn't match and breaks the authentication process with a "access
reject"
Here the log messages with Nokia:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 48077, id=19,
length=308
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org"
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "8253"
Acct-Multi-Session-Id =
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message =
0x02010038013139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267
Message-Authenticator = 0x429b263e5293fadbae0a13f28dad2775
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(0) group authorize {
(0) - entering group authorize {...}
(0) [preprocess] = ok
(0) [chap] = noop
(0) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212
(0)
auth_log : expand:
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(0)
auth_log :
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(0) auth_log : expand: %t -> Thu Nov 8 14:20:05 2012
(0) [auth_log] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0)
suffix : Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for
User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org"
(0) suffix : Found realm "~.*.3gppnetwork.org$"
(0) suffix : Adding Stripped-User-Name = "19017653"
(0) suffix : Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org"
(0) suffix : Authentication realm is LOCAL.
(0) [suffix] = ok
rlm_sim_files: authorized user/imsi 19017653
rlm_sim_files: Adding EAP-Type: eap-sim
(0) [sim_files] = ok
(0) eap : EAP packet type response id 1 length 56
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(0) [eap] = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) group authenticate {
(0) - entering group authenticate {...}
(0) eap : EAP Identity
(0) eap : processing type sim
(0) eap : Underlying EAP-Type set EAP ID to 133
(0) [eap] = handled
Sending Access-Challenge of id 19 to 192.168.10.212 port 48077
EAP-Message = 0x01850014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x077b668807fe746db0e5f555c7ca40d2
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 41383, id=20,
length=358
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org"
State = 0x077b668807fe746db0e5f555c7ca40d2
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "8253"
Acct-Multi-Session-Id =
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
RE: EAP-SIM authentication failed
Hi guys,
i'm still looking for a solution for the eapsim authentication. Now i use the
Freeradius 3.0.0 and i made some changes in the 'eapsimlib.c' regarding
AT_IDENTITY (commit cfd61d24b99022eb613054bbf7e0da4fa3af1bde). I still have the
same problem, the client is able to send two Acces-Request but unable to send
the third Access-Request to close the authentication.
I use a Nokia E52 as supplicant, did anybody realize the test successfully with
another mobile phone (except android phones)?
Does anyone know how i can debug the mobile phone?
any helpfull ideas?
here my debug
radiusd: FreeRADIUS Version 3.0.0 (git #d3c7336), for host i586-pc-linux-gnu,
built on Nov 7 2012 at 14:54:31
.
.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 48077, id=19,
length=308
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org"
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "8253"
Acct-Multi-Session-Id =
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message =
0x02010038013139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267
Message-Authenticator = 0x429b263e5293fadbae0a13f28dad2775
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(0) group authorize {
(0) - entering group authorize {...}
(0) [preprocess] = ok
(0) [chap] = noop
(0) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212
(0) auth_log : expand:
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(0) auth_log :
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(0) auth_log : expand: %t -> Thu Nov 8 14:20:05 2012
(0) [auth_log] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for
User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org"
(0) suffix : Found realm "~.*.3gppnetwork.org$"
(0) suffix : Adding Stripped-User-Name = "19017653"
(0) suffix : Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org"
(0) suffix : Authentication realm is LOCAL.
(0) [suffix] = ok
rlm_sim_files: authorized user/imsi 19017653
rlm_sim_files: Adding EAP-Type: eap-sim
(0) [sim_files] = ok
(0) eap : EAP packet type response id 1 length 56
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(0) [eap] = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) group authenticate {
(0) - entering group authenticate {...}
(0) eap : EAP Identity
(0) eap : processing type sim
(0) eap : Underlying EAP-Type set EAP ID to 133
(0) [eap] = handled
Sending Access-Challenge of id 19 to 192.168.10.212 port 48077
EAP-Message = 0x01850014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x077b668807fe746db0e5f555c7ca40d2
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 41383, id=20,
length=358
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org"
State = 0x077b668807fe746db0e5f555c7ca40d2
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "8253"
Acct-Multi-Session-Id =
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message =
0x02850058120a0705be65a474dc99300354fdd97e5176bbc5100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700
Message-Authenticator = 0x07c87b76cd6232ca08dc4529913d5cac
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
(1) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(1) group authorize {
(1) - entering group authorize {...}
(1) [preprocess] = ok
(1) [chap] = noop
(1) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212
(1) auth_log : expand:
Re: EAP-SIM authentication failed
I have the same problem with Nokia E51 handset. EAP-SIM authentication interrupted by Nokia supplicant. Unfortunately there is no useful diagnostic on the handset. On other hand EAP-SIM authentication succeeds when I use wpa_supplicant on Windows using smart card reader with the same SIM card I've used with Nokia handset. Unfortunately I have neither iPhone nor Windows-based handset to test EAP-SIM against. Yann R. Moupinda wrote: i got the same failure than before: after sending the 2nd access challenge, the server is waiting for the 3rd access request and doesn't get anything --> authentication failed - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: EAP-SIM authentication failed
Hi guys,
Thanks for your help.
After reading your suggestions, i installed a new version of FreeRADIUS
(FreeRADIUS 2.2.1).
I haven't worked with the the patch yet (i'm going to do that later) but, just
to show what i got with the new version 2.2.1 and changing the content of the
simtriplets.dat
1. case : simtriplets.dat looks like following (imsi,rand,sres,kc) (3 different
rand...)
19017653,0123456789abcdef0123456789abcdef,0227bc86,44168f1de9259000
19017653,0123456789abcdef0123456789abcde0,725bb218,25903c082654b400
19017653,0123456789abcdef0123456789abcd18,ed404256,bc871da6ae8edc00
19017653,0123456789abcdef0123456789abcd88,6695bd6e,58788a55e9052000
i got the same failure than before: after sending the 2nd access challenge, the
server is waiting for the 3rd access request and doesn't get anything -->
authentication failed
.
.
.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 38803, id=29,
length=238
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017653"
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "822e"
Acct-Multi-Session-Id =
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 0x020100150131393031373030303030303030363533
Message-Authenticator = 0xcf4e5f6429686cc260b16bd23d82489f
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
rlm_sim_files: authorized user/imsi 19017653
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "19017653", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 108
++[eap] returns handled
Sending Access-Challenge of id 29 to 192.168.10.212 port 38803
EAP-Message = 0x016c0014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x870e2a6987623891aa6e49c2b1bcc9b6
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 50478, id=30,
length=287
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017653"
State = 0x870e2a6987623891aa6e49c2b1bcc9b6
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "822e"
Acct-Multi-Session-Id =
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message =
0x026c0034120a0705c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363533
Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
rlm_sim_files: authorized user/imsi 19017653
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "19017653", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 108 length 52
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017653"
State = 0x870e2a6987623891aa6e4
Re: EAP-SIM authentication failed
Didn't you make another fix afterward regarding AT_IDENTITY (commit cfd61d24b99022eb613054bbf7e0da4fa3af1bde)? Not the patch from Microsoft. I know I have to patch the 2.2.0 source in our RPMs with this commit otherwise it fails ;) On 2012-11-06, at 10:15 AM, Alan DeKok wrote: > Phil Mayers wrote: >> Was that after 2.2.0 was released? > > No, before. > > Alan DeKok. > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-SIM authentication failed
Phil Mayers wrote: > Was that after 2.2.0 was released? No, before. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-SIM authentication failed
On 06/11/12 13:34, Francois Gaudreault wrote: Hi, -what should I configure to get more than 2 Access-Request You don't. The client is stopping because it thinks something is wrong. Upgrade to 2.2.0 and try again - if the same thing happens, you need to debug on the client. You need to also add a patch that has been committed in the 2.1.x branch (I think) post release regarding EAP-SIM. Without it, it will not work. Was that after 2.2.0 was released? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-SIM authentication failed
Hi, > >> -what should I configure to get more than 2 Access-Request > > You don't. The client is stopping because it thinks something is wrong. > Upgrade to 2.2.0 and try again - if the same thing happens, you need to debug > on the client. You need to also add a patch that has been committed in the 2.1.x branch (I think) post release regarding EAP-SIM. Without it, it will not work. > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-SIM authentication failed
On 06/11/12 10:55, Yann R. Moupinda wrote: Hi guys, for my thesis i need to realize a EAP-SIM Authentication testbed. I'm using a Nokia E52 with EAP-SIM, a MIKROTIK router as access point and FreeRADIUS 2.1.10 as Radius server. I have added the necessary commands Upgrade. Some fixes for EAP-SIM went into more recent versions. Access-Request' packets from MIKROTIK router and it also sent two 'Access-Challenge' packets back to the router. It seems the radius is waiting for next requests and then the authentication process just ends up. Yes. The client stops responding, so you need to ask the client what the problem is - but the EAP-SIM fixed might be the cause. so my questions are: -how many request packets are needed to complete the eap-sim authentication? 3, I think. -what should I configure to get more than 2 Access-Request You don't. The client is stopping because it thinks something is wrong. Upgrade to 2.2.0 and try again - if the same thing happens, you need to debug on the client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-SIM authentication failed
Hi guys,
for my thesis i need to realize a EAP-SIM Authentication testbed. I'm using a
Nokia E52 with EAP-SIM, a MIKROTIK router as access point and FreeRADIUS 2.1.10
as Radius server. I have added the necessary commands in the clients.conf,
radiusd.conf, eap.conf and default files in order to enable EAP-SIM
Authentication on the FreeRADIUS and I've created a flat file ' simtriplets.dat
' that is used from the Radius during the authentication process.
By trying to access to the Wlan with the mobile phone (Nokia E52), i got the
message that the authentication was unsuccessful. But by looking at the radius
debug file, i cannot recognize any failure or messages like 'Access-Reject'.
The debug file shows that radius got two ' Access-Request' packets from
MIKROTIK router and it also sent two 'Access-Challenge' packets back to the
router. It seems the radius is waiting for next requests and then the
authentication process just ends up.
so my questions are:
-how many request packets are needed to complete the eap-sim authentication?
-what should I configure to get more than 2 Access-Request
here is the content of my debug file:
.
.
.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 38803, id=29,
length=238
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017653"
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "822e"
Acct-Multi-Session-Id =
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 0x020100150131393031373030303030303030363533
Message-Authenticator = 0xcf4e5f6429686cc260b16bd23d82489f
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
rlm_sim_files: authorized user/imsi 19017653
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "19017653", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 108
++[eap] returns handled
Sending Access-Challenge of id 29 to 192.168.10.212 port 38803
EAP-Message = 0x016c0014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x870e2a6987623891aa6e49c2b1bcc9b6
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 50478, id=30,
length=287
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017653"
State = 0x870e2a6987623891aa6e49c2b1bcc9b6
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "822e"
Acct-Multi-Session-Id =
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message =
0x026c0034120a0705c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363533
Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
rlm_sim_files: authorized user/imsi 19017653
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "19017653", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 108 length 52
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] r
Re: EAP-SIM authentication / Supplicant
Any more activities in this context ? I'm trying to set up soemthing in this area. T. -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-SIM-authentication-Supplicant-tp2752052p3242070.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-SIM authentication / Supplicant
Geoffroy Arnoud wrote: > Currently, my SIM card can be authenticated using a Cisco supplicant > (eap-sim-draft-v5) with a Cisco Access Registrar RADIUS server > (eap-sim-draft-v5) that gets SIM triplets from an ITP and a HLR simulator. I'm not sure this is compatible with draft-12 ... > I would like to know whether someone uses EAP-SIM, and which supplicant is > used. I've heard rumors of people using it. For testing, I would suggest using wpa_supplicant (i.e. eapol_test). You will have access to the source, and lots of debugging output. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-SIM authentication / Supplicant
Hi all,
I try to use FreeRADIUS to authenticate a wireless device using EAP-SIM.
Currently, my SIM card can be authenticated using a Cisco supplicant
(eap-sim-draft-v5) with a Cisco Access Registrar RADIUS server
(eap-sim-draft-v5) that gets SIM triplets from an ITP and a HLR simulator.
I extracted the triplets from the HLR and injected them into FreeRADIUS
rlm_sim_files module.
I use another laptop, with centrino chipset with Intel EAP-SIM supplicant.
The FreeRADIUS server receives the EAP message and sends back a Challenge.
The supplicant answers to the challenge.
FreeRADIUS then sends back the same challenge.
The supplicant stops
I would like to know whether someone uses EAP-SIM, and which supplicant is used.
Regading RFC compliancy, I assume that FreeRADIUS is eap-sim-draft-v12
compliant (present in RFC directory).
The Intel supplicant can be RFC compliant.
Here is my config :
sites-enabled/default :
authorize {
eap {
ok = return
}
sim_files
}
authenticate {
eap
}
preacct {
}
accounting {
}
session {
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
simtriplets.dat :
[EMAIL PROTECTED],,01234567,89ABCDEFFEDCBA98
[EMAIL PROTECTED],,01234567,89ABCDEFFEDCBA98
[EMAIL PROTECTED],,01234567,89ABCDEFFEDCBA98
I know that triplets are identical, but it is the exact content of my HLR
FreeRADIUS debug output :
rad_recv: Access-Request packet from host 10.67.141.66 port 1647, id=18,
length=282
User-Name = "[EMAIL PROTECTED]"
Framed-MTU = 1400
Called-Station-Id = "001a.6cf3.fd90"
Calling-Station-Id = "0013.ce0d.e627"
Cisco-AVPair = "ssid=MySSID"
Service-Type = Login-User
Message-Authenticator = 0xc30522798ef5169cf5e0c3807650d0ca
EAP-Message =
0x02010037013131303230333034303530363037303840696d732e6d6e633033302e6d63633130322e336770706e6574776f726b2e6f7267
Cisco-NAS-Port = "611"
NAS-Port = 611
NAS-Identifier = "AP4"
Proxy-State = 0x535347
Proxy-State = 0x323234
NAS-IP-Address = 10.67.106.62
Event-Timestamp = "Jul 22 2008 07:58:15 GMT"
NAS-Port-Type = Wireless-802.11
WISPr-Location-Name = "unknown"
Proxy-State = 0x3432
+- entering group authorize
rlm_eap: EAP packet type response id 1 length 55
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_sim_files: authorized user/imsi [EMAIL PROTECTED]
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type sim
rlm_eap: Underlying EAP-Type set EAP ID to 23
++[eap] returns handled
Sending Access-Challenge of id 18 to 10.67.141.66 port 1647
EAP-Message = 0x01170014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x9ef748f79ee05ae75aadbce935e2f4b8
Proxy-State = 0x535347
Proxy-State = 0x323234
Proxy-State = 0x3432
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.67.141.66 port 1647, id=19,
length=333
User-Name = "[EMAIL PROTECTED]"
Framed-MTU = 1400
Called-Station-Id = "001a.6cf3.fd90"
Calling-Station-Id = "0013.ce0d.e627"
Cisco-AVPair = "ssid=MySSID"
Service-Type = Login-User
Message-Authenticator = 0xd4899c4bcc876e21712e13b045ea773f
EAP-Message =
0x02170058120a0e0e00323131303230333034303530363037303840696d732e6d6e633033302e6d63633130322e336770706e6574776f726b2e6f7267100100010705e05543a4f8463a935b25152720718715
Cisco-NAS-Port = "611"
NAS-Port = 611
State = 0x9ef748f79ee05ae75aadbce935e2f4b8
NAS-Identifier = "AP4"
Proxy-State = 0x535347
Proxy-State = 0x323235
NAS-IP-Address = 10.67.106.62
Event-Timestamp = "Jul 22 2008 07:58:15 GMT"
NAS-Port-Type = Wireless-802.11
WISPr-Location-Name = "unknown"
Proxy-State = 0x3433
+- entering group authorize
rlm_eap: EAP packet type response id 23 length 88
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_sim_files: authorized user/imsi [EMAIL PROTECTED]
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/sim
rlm_eap: processing type sim
+++> EAP-sim decoded packet:
User-Name = "[EMAIL PROTECTED]"
Framed-MTU = 1400
Called-Station-Id = "001a.6cf3.fd90"
Calling-Station-Id = "0013.ce0d.e627"
Cisco-AVPair = "ssi
eap sim authentication
Hi, I'am a new user of freeradius and i would to ask if it exits some good documentation about eap sim authentication and how i can configure the radius server and how can i test if it works. thanks tom fritz - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
eap sim authentication
Hi, I'am a new user of freeradius and i would to ask if it exits some good documentationabout eap sim authentication and how i can configure the radius server and how can i test if it works. thankstom fritz ___ Tom Fritz 6,rue Henri Frommes L-1545 Luxembourg email: [EMAIL PROTECTED]
EAP-SIM Authentication
Hi all, I am a new user of Freeradius and i need your help. Do you know if there is any way to achieve EAP-SIM based Auhtentication using Freeradius? Do i need to include more files in the freeradius server; Thanks in advance! Giorgos
