EAP-SIM authentication problem at 2nd stage
Dear guest, I have a problem with EAP-SIM authentication. I'm using FreeRADIUS 2.2.0 and a BlackBerry 9220.

Here is my simtriplets.dat file:

1510012660372465,AF6876E748BD46bf853A99DC2032F0A7,95762655,449177635B92bc00
1510012660372465,A1A9AC744E8D49819D27A79B067BCA69,257b31c6,64ff9467DEa1e400
1510012660372465,603906BFD8DC404197BAC35FF1274EB3,4F41eb06,F3ce89b4FCbc
1510080332618369,23A95DB79B644a4299463F0342069A11,7775d266,B10f3eba2Bc5ed2b
1510080332618369,FDCE8E4F2B0B4b3086BEF230076EAD58,D9e080d9,E2aad63f711e1324
1510080332618369,238100571AD1495fBCE2AD5505634E41,A40e1656,66a098a750d9cd13

Here is the content of the users file:

1510080332618369 Auth-Type := EAP, EAP-Type := SIM
    EAP-Sim-Rand1 := 0x23A95DB79B644a4299463F0342069A11,
    EAP-Sim-SRES1 := 0x7775d266,
    EAP-Sim-KC1 := 0xB10f3eba2Bc5ed2b,
    EAP-Sim-Rand2 := 0xFDCE8E4F2B0B4b3086BEF230076EAD58,
    EAP-Sim-SRES2 := 0xD9e080d9,
    EAP-Sim-KC2 := 0xE2aad63f711e1324,
    EAP-Sim-Rand3 := 0x238100571AD1495fBCE2AD5505634E41,
    EAP-Sim-SRES3 := 0xA40e1656,
    EAP-Sim-KC3 := 0x66a098a750d9cd13,

1510012660372465 Auth-Type := EAP,EAP-Type := sim
    EAP-Sim-Rand1 := 0xAF6876E748BD46bf853A99DC2032F0A7,
    EAP-Sim-SRES1 := 0x95762655,
    EAP-Sim-KC1 := 0x449177635B92bc00,
    EAP-Sim-Rand2 := 0xA1A9AC744E8D49819D27A79B067BCA69,
    EAP-Sim-SRES2 := 0x257b31c6,
    EAP-Sim-KC2 := 0x64ff9467DEa1e400,
    EAP-Sim-Rand3 := 0x603906BFD8DC404197BAC35FF1274EB3,
    EAP-Sim-SRES3 := 0x4F41eb06,
    EAP-Sim-KC3 := 0xF3ce89b4FCbc,

1510080332618369 at wlan.mnc080.mcc510.3gppnetwork.org Auth-Type := EAP, EAP-Type := SIM
    EAP-Sim-Rand1 := 0x23A95DB79B644a4299463F0342069A11,
    EAP-Sim-SRES1 := 0x7775d266,
    EAP-Sim-KC1 := 0xB10f3eba2Bc5ed2b,
    EAP-Sim-Rand2 := 0xFDCE8E4F2B0B4b3086BEF230076EAD58,
    EAP-Sim-SRES2 := 0xD9e080d9,
    EAP-Sim-KC2 := 0xE2aad63f711e1324,
    EAP-Sim-Rand3 := 0x238100571AD1495fBCE2AD5505634E41,
    EAP-Sim-SRES3 := 0xA40e1656,
    EAP-Sim-KC3 := 0x66a098a750d9cd13

I have already included sim_files in modules and sim { } in eap.conf.
I analyzed it in debug mode: the first authorization succeeds (sim_files returns ok status), the first authentication succeeds, and the second authorization also succeeds, but the problem is that the second authentication fails. I have already read the past list archive, but found no clue.

Here is the debug output of radius:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.111.72 port 34647, id=129, length=250 User-Name = "1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org" NAS-IP-Address = 192.168.88.52 Called-Station-Id = "FA-1A-67-9F-E4-68:NOLSPOT-Secure" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "70-AA-B2-EF-8E-9D" Connect-Info = "CONNECT 54Mbps 802.11g" Framed-MTU = 1400 EAP-Message = 0x0210003801313531303038303236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f7267 Message-Authenticator = 0xf0b7f7c3d39dd64797e1ffa08c3c078e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "wlan.mnc080.mcc510.3gppnetwork.org" for User-Name = "1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org" [suffix] Found realm "wlan.mnc080.mcc510.3gppnetwork.org" [suffix] Adding Stripped-User-Name = "1510080332618369" [suffix] Adding Realm = "wlan.mnc080.mcc510.3gppnetwork.org" [suffix] Authentication realm is LOCAL. 
++[suffix] returns ok [files] users: Matched entry 1510080332618369 at line 206 ++[files] returns ok rlm_sim_files: authorized user/imsi 1510080332618369 rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 16 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org [sql] sql_set_user escaped user --> ' 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = ' 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = ' 1510080332618...@wlan.mnc08
Re: eap sim authentication for multiple clients
There is a clear distinction between the two cases.

First case: user record is found in users file:

    rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=215
    [skipped]
    +- entering group authorize {...}
    [skipped]
    [files] users: Matched entry 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1
    [skipped]
    +- entering group authenticate {...}
    [skipped]
    Sending Access-Challenge of id 1 to 192.168.2.1 port 2048

Second case: user record is not found in users file:

    rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2, length=215
    [skipped]
    +- entering group authorize {...}
    [skipped]
    ++[files] returns noop
    [skipped]
    +- entering group authenticate {...}
    [skipped]
    Failed to authenticate the user.
    [skipped]
    +- entering group REJECT {...}
    [skipped]
    Sending Access-Reject of id 2 to 192.168.2.1 port 2048

It seems your users file is broken in some way. You need to fix it.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
eap sim authentication for multiple clients
Hi,

I have tried with one client and it succeeds in authenticating and accessing the internet over WLAN. I just tried one client and it succeeded, but when I use another client, it fails. First, I connect with one client and it succeeds (until "Finished request 2" in the debug log), and then in the next request I try to authenticate with a different supplicant/client. I have entered the identity (IMSI, RAND, SRES, KC) into simtriplets.dat and into users as well.

My simtriplets.dat format:

1510019760806391,326258E6F77C40f3866DB25DEA60AE4D,DD287535,7F743521EBabb000
1510019760806391,FD9989BD90AD4a03962E6C08C000C14B,BFf89ad2,1C7098005Fea8c00
1510019760806391,26CC8DB02C9848c7BBCC2790E3F0913B,17172cc6,BF34bf34D4ca4c00
1510080325656501,5A8F4C0677DE4930B47825B55534CC79,94d66001,AC85d79439b564c0
1510080325656501,8E29A03F8E13466fBF84D12F6A9D4734,E284e39e,13a524d040094ef4
1510080325656501,BC5D3CEB1EAC4164AA463E289222C450,AE8bdfc6,B0354bf3402e42ed

My users format:

1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
    EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
    EAP-Sim-SRES1 = 0x DD287535,
    EAP-Sim-KC1 = 0x 7F743521EBabb000,
    EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
    EAP-Sim-SRES2 = 0x BFf89ad2,
    EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
    EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
    EAP-Sim-SRES3 = 0x 17172cc6,
    EAP-Sim-KC3 = 0x BF34bf34D4ca4c00

1510080325656...@wlan.mnc008.mcc510.3gppnetwork.org EAP-Type := SIM
    EAP-Sim-Rand1 = 0x 5A8F4C0677DE4930B47825B55534CC79,
    EAP-Sim-SRES1 = 0x 94d66001,
    EAP-Sim-KC1 = 0x AC85d79439b564c0,
    EAP-Sim-Rand2 = 0x 8E29A03F8E13466fBF84D12F6A9D4734,
    EAP-Sim-SRES2 = 0x E284e39e,
    EAP-Sim-KC2 = 0x 13a524d040094ef4,
    EAP-Sim-Rand3 = 0x BC5D3CEB1EAC4164AA463E289222C450,
    EAP-Sim-SRES3 = 0x AE8bdfc6,
    EAP-Sim-KC3 = 0x B0354bf3402e42ed

I also added the patch as in: http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/13b2c044/attachment.ksh

And this is my debug log:

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=215 
User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 Message-Authenticator = 0x509abafbd92ee8417dcb22095d89059d # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org" ++[suffix] returns noop rlm_sim_files: authorized user/imsi 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 161 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.2.1 port 2048 EAP-Message = 0x01a10014120a0f020002000111010100 Message-Authenticator = 0x State = 0x86406e6686e17cf5f398cb77ce20781c Finished request 0. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=265 Cleaning up request 0 ID 1 with timestamp +25 User-Name = "1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org " NAS-IP-Address = 192.168.2.1 Called-Station-Id = "48f8b315461a" Calling-Station-Id = "1814563e5189" NAS-Identifier = "48f8b315461a" NAS-Port = 38 Framed-MTU = 1400 State = 0x86406e6686e17cf5f398cb77ce20781c NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02a10058120a07055004b19c6e3aacce33e95d1f3c10c481100100010
Re: EAP-SIM Authentication
Hi Phil,

Thanks for your reply. I would be grateful if you could show some way to implement EAP-SIM.

Thanks

On Wed, Jun 5, 2013 at 6:15 PM, Phil Mayers wrote:
> On 06/05/2013 04:45 AM, Kranthi K wrote:
>
>> Hi All,
>>
>> I am Newbie to free radius. I installed freeradius version 2.2.0. i want
>> to configure the EAP-SIM Authentication. Can anyone tell me the steps
>> how to implement it.
>
> What's with the sudden interest in EAP-SIM? Is there a school project
> running somewhere?
Re: EAP-SIM Authentication
On 06/05/2013 04:45 AM, Kranthi K wrote:
> Hi All,
>
> I am Newbie to free radius. I installed freeradius version 2.2.0. i want
> to configure the EAP-SIM Authentication. Can anyone tell me the steps
> how to implement it.

What's with the sudden interest in EAP-SIM? Is there a school project running somewhere?
EAP-SIM Authentication
Hi All,

I am a newbie to FreeRADIUS. I installed FreeRADIUS version 2.2.0. I want to configure EAP-SIM authentication. Can anyone tell me the steps to implement it?

Thanks
Kranthi
Re: EAP-SIM authentication with Huawei
Probably Aptilo is the solution for you.

On 8 January 2013 18:44, akinpelu emmanuel wrote:
> Dear All,
>
> Please has there been anyone that has successfully implemented EAP-SIM with
> Huawei HLR? I would appreciate head-start on how possible this is.
>
> Thank you

--
Primož Marinšek
EAP-SIM authentication with Huawei
Dear All,

Please has there been anyone that has successfully implemented EAP-SIM with Huawei HLR? I would appreciate head-start on how possible this is.

Thank you
Re: EAP-SIM authentication failed
On 15/11/12 16:46, Yann R. Moupinda wrote:
> Has anyone an idea why the MAC does not match although Client and Server are
> using the same algorithm version (Version 1 mentioned in AT_VERSION_LIST
> from Server and in AT_SELECTED_VERSION from client)?

It's probably a bug somewhere. Very likely, the wrong data is being fed into the MAC at both ends.

Unfortunately, since FreeRADIUS works with *some* EAP-SIM/AKA supplicants, I am guessing there are incompatible implementations out there.

You would need to read the SIM/AKA RFCs in detail, and possibly feed the test data into FreeRADIUS to find the bug.
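The MAC inputs this reply refers to, as an added example (not FreeRADIUS code and not from the thread): RFC 4186 derives K_aut from the identity, the Kc values, NONCE_MT and the version fields, then computes AT_MAC as HMAC-SHA1-128 over the packet. Function names and all test values are constructed; the second call in `__main__` shows that a server hashing a different identity string than the peer yields exactly a "MAC does not match" result.

```python
"""EAP-SIM K_aut derivation and AT_MAC check per RFC 4186 (added example).

All identities, Kc values, RANDs and nonces below are constructed test values.
"""
import hashlib
import hmac
import struct

M32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
EAP_TYPE_SIM, SUBTYPE_CHALLENGE, AT_RAND, AT_MAC = 18, 11, 1, 11


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & M32


def sha1_compress(state, block):
    """SHA-1 compression function over one 64-byte block (no padding added)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rol(a, 5) + f + e + k + w[i]) & M32, a, _rol(b, 30), c, d
    return tuple((s + v) & M32 for s, v in zip(state, (a, b, c, d, e)))


def fips186_2_prf(seed, out_len):
    """FIPS 186-2 generator with XSEED = 0 and b = 160 (RFC 4186 Appendix B)."""
    xkey, out = int.from_bytes(seed, "big"), b""
    while len(out) < out_len:
        block = xkey.to_bytes(20, "big") + bytes(44)            # XVAL padded to 512 bits
        w = struct.pack(">5I", *sha1_compress(SHA1_IV, block))  # w_i = G(t, XVAL)
        out += w
        xkey = (1 + xkey + int.from_bytes(w, "big")) % (1 << 160)
    return out[:out_len]


def derive_k_aut(identity, kcs, nonce_mt, version_list=(1,), selected=1):
    """MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version)."""
    versions = b"".join(struct.pack(">H", v) for v in version_list)
    mk = hashlib.sha1(identity + b"".join(kcs) + nonce_mt + versions
                      + struct.pack(">H", selected)).digest()
    return fips186_2_prf(mk, 160)[16:32]  # K_encr(16) K_aut(16) MSK(64) EMSK(64)


def build_challenge(eap_id, rands, k_aut, nonce_mt):
    """Server side: EAP-Request/SIM/Challenge carrying AT_RAND and AT_MAC."""
    at_rand = bytes([AT_RAND, 1 + 4 * len(rands), 0, 0]) + b"".join(rands)
    at_mac = bytes([AT_MAC, 5, 0, 0]) + bytes(16)   # MAC value is zero while hashing
    body = bytes([EAP_TYPE_SIM, SUBTYPE_CHALLENGE, 0, 0]) + at_rand + at_mac
    pkt = struct.pack(">BBH", 1, eap_id, 4 + len(body)) + body
    mac = hmac.new(k_aut, pkt + nonce_mt, hashlib.sha1).digest()[:16]
    return pkt[:-16] + mac


def check_mac(packet, k_aut, extra):
    """Receiver side: zero the AT_MAC value, recompute HMAC-SHA1-128, compare."""
    pos = 8                                          # EAP header + type/subtype/reserved
    while pos + 4 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1] * 4
        if a_len == 0 or pos + a_len > len(packet):
            return False                             # malformed attribute
        if a_type == AT_MAC and a_len == 20:
            zeroed = packet[:pos + 4] + bytes(16) + packet[pos + 20:]
            want = hmac.new(k_aut, zeroed + extra, hashlib.sha1).digest()[:16]
            return hmac.compare_digest(packet[pos + 4:pos + 20], want)
        pos += a_len
    return False


# Constructed test values (not taken from the logs on this page).
FULL_ID = b"1001010000000001@wlan.mnc001.mcc001.3gppnetwork.org"
KCS = [bytes([0x10 + i]) * 8 for i in range(3)]
RANDS = [bytes([0xA0 + i]) * 16 for i in range(3)]
NONCE_MT = bytes(range(16))


def peer_accepts(server_identity, peer_identity):
    """True when the peer's own K_aut validates the server's Challenge."""
    server_k_aut = derive_k_aut(server_identity, KCS, NONCE_MT)
    challenge = build_challenge(0x85, RANDS, server_k_aut, NONCE_MT)
    return check_mac(challenge, derive_k_aut(peer_identity, KCS, NONCE_MT), NONCE_MT)


if __name__ == "__main__":
    print("same identity bytes on both ends:", peer_accepts(FULL_ID, FULL_ID))
    print("server hashed realm-stripped name:",
          peer_accepts(FULL_ID.split(b"@")[0], FULL_ID))
```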
RE: EAP-SIM authentication failed
Hi guys,

I'm still trying to authenticate an EAP-SIM client with FreeRADIUS 3.0.0. When using the Nokia E51 and E52, the EAP-SIM authentication process just stops after the RADIUS server has sent the "EAP-REQUEST, SIM-CHALLENGE" (containing AT_RAND and AT_MAC) message (see log info). I made some changes in "eapsimlib.c" regarding AT_IDENTITY by using the patch 'commit cfd61d24b99022eb613054bbf7e0da4fa3af1bde', but the result didn't change.

I decided to change the client. I downloaded and installed Xsupplicant 2.2.3.553 on my Windows XP. This is software capable of being used as an EAP-SIM client. I didn't change anything on the server side. This time Xsupplicant replies with an "EAP-RESPONSE, SIM-CHALLENGE" (containing AT_MAC) after receiving the "EAP-REQUEST, SIM-CHALLENGE" (containing AT_RAND and AT_MAC). The FreeRADIUS server receives the "EAP-RESPONSE, SIM-CHALLENGE" (containing AT_MAC), says that the received MAC doesn't match and breaks off the authentication process with an "access reject".

Here are the log messages with Nokia:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 48077, id=19, length=308 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org" NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "8253" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02010038013139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267 Message-Authenticator = 0x429b263e5293fadbae0a13f28dad2775 NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) group authorize { (0) - entering group authorize {...} (0) [preprocess] = ok (0) [chap] = noop (0) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212 (0) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108 (0) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108 (0) auth_log : expand: %t -> Thu Nov 8 14:20:05 2012 (0) [auth_log] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix : Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org" (0) suffix : Found realm "~.*.3gppnetwork.org$" (0) suffix : Adding Stripped-User-Name = "19017653" (0) suffix : Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org" (0) suffix : Authentication realm is LOCAL. 
(0) [suffix] = ok rlm_sim_files: authorized user/imsi 19017653 rlm_sim_files: Adding EAP-Type: eap-sim (0) [sim_files] = ok (0) eap : EAP packet type response id 1 length 56 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) Found Auth-Type = EAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) group authenticate { (0) - entering group authenticate {...} (0) eap : EAP Identity (0) eap : processing type sim (0) eap : Underlying EAP-Type set EAP ID to 133 (0) [eap] = handled Sending Access-Challenge of id 19 to 192.168.10.212 port 48077 EAP-Message = 0x01850014120a0f020002000111010100 Message-Authenticator = 0x State = 0x077b668807fe746db0e5f555c7ca40d2 (0) Finished request 0. Waking up in 0.3 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 41383, id=20, length=358 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org" State = 0x077b668807fe746db0e5f555c7ca40d2 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "8253" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN"
RE: EAP-SIM authentication failed
Hi guys,

I'm still looking for a solution for the EAP-SIM authentication. Now I use FreeRADIUS 3.0.0 and I made some changes in 'eapsimlib.c' regarding AT_IDENTITY (commit cfd61d24b99022eb613054bbf7e0da4fa3af1bde). I still have the same problem: the client is able to send two Access-Requests but unable to send the third Access-Request to close the authentication.

I use a Nokia E52 as supplicant. Did anybody carry out the test successfully with another mobile phone (except Android phones)? Does anyone know how I can debug the mobile phone? Any helpful ideas?

Here is my radiusd debug output:

FreeRADIUS Version 3.0.0 (git #d3c7336), for host i586-pc-linux-gnu, built on Nov 7 2012 at 14:54:31
.
.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 48077, id=19, length=308 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org" NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "8253" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02010038013139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267 Message-Authenticator = 0x429b263e5293fadbae0a13f28dad2775 NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) group authorize { (0) - entering group authorize {...} (0) [preprocess] = ok (0) [chap] = noop (0) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212 (0) auth_log : expand: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108 (0) auth_log : /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108 (0) auth_log : expand: %t -> Thu Nov 8 14:20:05 2012 (0) [auth_log] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix : Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org" (0) suffix : Found realm "~.*.3gppnetwork.org$" (0) suffix : Adding Stripped-User-Name = "19017653" (0) suffix : Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org" (0) suffix : Authentication realm is LOCAL. 
(0) [suffix] = ok rlm_sim_files: authorized user/imsi 19017653 rlm_sim_files: Adding EAP-Type: eap-sim (0) [sim_files] = ok (0) eap : EAP packet type response id 1 length 56 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) Found Auth-Type = EAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) group authenticate { (0) - entering group authenticate {...} (0) eap : EAP Identity (0) eap : processing type sim (0) eap : Underlying EAP-Type set EAP ID to 133 (0) [eap] = handled Sending Access-Challenge of id 19 to 192.168.10.212 port 48077 EAP-Message = 0x01850014120a0f020002000111010100 Message-Authenticator = 0x State = 0x077b668807fe746db0e5f555c7ca40d2 (0) Finished request 0. Waking up in 0.3 seconds. rad_recv: Access-Request packet from host 192.168.10.212 port 41383, id=20, length=358 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org" State = 0x077b668807fe746db0e5f555c7ca40d2 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "8253" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x02850058120a0705be65a474dc99300354fdd97e5176bbc5100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700 Message-Authenticator = 0x07c87b76cd6232ca08dc4529913d5cac NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) group authorize { (1) - entering group authorize {...} (1) [preprocess] = ok (1) [chap] = noop (1) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212 (1) auth_log : expand:
Re: EAP-SIM authentication failed
I have the same problem with the Nokia E51 handset. EAP-SIM authentication is interrupted by the Nokia supplicant. Unfortunately there is no useful diagnostic on the handset.

On the other hand, EAP-SIM authentication succeeds when I use wpa_supplicant on Windows using a smart card reader with the same SIM card I've used with the Nokia handset.

Unfortunately I have neither an iPhone nor a Windows-based handset to test EAP-SIM against.

Yann R. Moupinda wrote:
> i got the same failure than before: after sending the 2nd access challenge,
> the server is waiting for the 3rd access request and doesn't get anything
> --> authentication failed
RE: EAP-SIM authentication failed
Hi guys,

Thanks for your help. After reading your suggestions, I installed a new version of FreeRADIUS (FreeRADIUS 2.2.1). I haven't worked with the patch yet (I'm going to do that later), but just to show what I got with the new version 2.2.1 and changing the content of simtriplets.dat:

1. case: simtriplets.dat looks like the following (imsi,rand,sres,kc) (3 different rand...)

19017653,0123456789abcdef0123456789abcdef,0227bc86,44168f1de9259000
19017653,0123456789abcdef0123456789abcde0,725bb218,25903c082654b400
19017653,0123456789abcdef0123456789abcd18,ed404256,bc871da6ae8edc00
19017653,0123456789abcdef0123456789abcd88,6695bd6e,58788a55e9052000

I got the same failure as before: after sending the 2nd access challenge, the server is waiting for the 3rd access request and doesn't get anything --> authentication failed

.
.
.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 38803, id=29, length=238 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "19017653" NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "822e" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x020100150131393031373030303030303030363533 Message-Authenticator = 0xcf4e5f6429686cc260b16bd23d82489f NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} rlm_sim_files: authorized user/imsi 19017653 rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "19017653", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 108 ++[eap] returns handled Sending Access-Challenge of id 29 to 192.168.10.212 port 38803 EAP-Message = 0x016c0014120a0f020002000111010100 Message-Authenticator = 0x State = 0x870e2a6987623891aa6e49c2b1bcc9b6 Finished request 0. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 192.168.10.212 port 50478, id=30, length=287 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "19017653" State = 0x870e2a6987623891aa6e49c2b1bcc9b6 NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "822e" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x026c0034120a0705c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363533 Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} rlm_sim_files: authorized user/imsi 19017653 rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "19017653", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 108 length 52 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: Service-Type = Framed-User Framed-MTU = 1400 User-Name = "19017653" State = 0x870e2a6987623891aa6e4
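A lint pass over a triplet file in the imsi,rand,sres,kc layout used in the post above, as an added example (not part of the original post and not FreeRADIUS code). It assumes the GSM field sizes (RAND 16 bytes, SRES 4 bytes, Kc 8 bytes) and that a subscriber needs at least two distinct RANDs, the minimum RFC 4186 allows in one challenge; the sample rows are constructed.

```python
"""Lint an EAP-SIM triplet file laid out as imsi,rand,sres,kc (added example)."""
import re
from collections import defaultdict

# GSM field sizes in hex digits: RAND 128 bits, SRES 32 bits, Kc 64 bits.
FIELDS = (("rand", 32), ("sres", 8), ("kc", 16))
HEX_RE = re.compile(r"[0-9A-Fa-f]+")
MIN_RANDS = 2  # RFC 4186 sends two or three RANDs in one Challenge


def lint_triplets(text):
    """Return sorted (line_number, message) findings for the file contents."""
    findings = []
    usable = defaultdict(list)  # identity -> [(line_number, rand_bytes)]
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        cols = [c.strip() for c in line.split(",")]
        if len(cols) != 4:
            findings.append((lineno, "expected 4 fields, found %d" % len(cols)))
            continue
        identity, row_ok = cols[0], True
        if not identity.isdigit():
            findings.append((lineno, "identity %r is not numeric" % identity))
            row_ok = False
        for (name, digits), value in zip(FIELDS, cols[1:]):
            if not HEX_RE.fullmatch(value):
                findings.append((lineno, "%s is not hexadecimal" % name))
                row_ok = False
            elif len(value) != digits:
                findings.append((lineno, "%s has %d hex digits, expected %d"
                                 % (name, len(value), digits)))
                row_ok = False
        if row_ok:
            # Compare RANDs as bytes so upper/lower-case hex cannot hide a repeat.
            usable[identity].append((lineno, bytes.fromhex(cols[1])))
    for identity, rows in usable.items():
        first_seen = {}
        for lineno, rand in rows:
            if rand in first_seen:
                findings.append((lineno, "RAND repeats line %d for %s"
                                 % (first_seen[rand], identity)))
            else:
                first_seen[rand] = lineno
        if len(first_seen) < MIN_RANDS:
            findings.append((rows[0][0], "%s has %d distinct usable RAND(s), need %d"
                             % (identity, len(first_seen), MIN_RANDS)))
    return sorted(findings)


# Constructed sample: subscriber ...01 is clean; subscriber ...02 has a
# truncated Kc on line 4 and the same RAND (different letter case) on lines 5 and 6.
SAMPLE = """\
1001010000000001,0123456789abcdef0123456789abcd01,0a0b0c01,1112131415161701
1001010000000001,0123456789abcdef0123456789abcd02,0a0b0c02,1112131415161702
1001010000000001,0123456789abcdef0123456789abcd03,0a0b0c03,1112131415161703
1001010000000002,0123456789abcdef0123456789abcd04,0a0b0c04,111213141516
1001010000000002,0123456789abcdef0123456789abcd05,0a0b0c05,1112131415161705
1001010000000002,0123456789ABCDEF0123456789ABCD05,0a0b0c06,1112131415161706
"""

if __name__ == "__main__":
    for lineno, message in lint_triplets(SAMPLE):
        print("line %d: %s" % (lineno, message))
```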
Re: EAP-SIM authentication failed
Didn't you make another fix afterward regarding AT_IDENTITY (commit cfd61d24b99022eb613054bbf7e0da4fa3af1bde)? Not the patch from Microsoft.

I know I have to patch the 2.2.0 source in our RPMs with this commit otherwise it fails ;)

On 2012-11-06, at 10:15 AM, Alan DeKok wrote:
> Phil Mayers wrote:
>> Was that after 2.2.0 was released?
>
> No, before.
>
> Alan DeKok.
Re: EAP-SIM authentication failed
Phil Mayers wrote:
> Was that after 2.2.0 was released?

No, before.

Alan DeKok.
Re: EAP-SIM authentication failed
On 06/11/12 13:34, Francois Gaudreault wrote:
> Hi,
>
>>> -what should I configure to get more than 2 Access-Request
>>
>> You don't. The client is stopping because it thinks something is wrong.
>> Upgrade to 2.2.0 and try again - if the same thing happens, you need to
>> debug on the client.
>
> You need to also add a patch that has been committed in the 2.1.x branch
> (I think) post release regarding EAP-SIM. Without it, it will not work.

Was that after 2.2.0 was released?
Re: EAP-SIM authentication failed
Hi,

>> -what should I configure to get more than 2 Access-Request
>
> You don't. The client is stopping because it thinks something is wrong.
> Upgrade to 2.2.0 and try again - if the same thing happens, you need to debug
> on the client.

You need to also add a patch that has been committed in the 2.1.x branch (I think) post release regarding EAP-SIM. Without it, it will not work.
Re: EAP-SIM authentication failed
On 06/11/12 10:55, Yann R. Moupinda wrote:
> Hi guys, for my thesis i need to realize a EAP-SIM Authentication testbed.
> I'm using a Nokia E52 with EAP-SIM, a MIKROTIK router as access point and
> FreeRADIUS 2.1.10 as Radius server. I have added the necessary commands

Upgrade. Some fixes for EAP-SIM went into more recent versions.

> Access-Request' packets from MIKROTIK router and it also sent two
> 'Access-Challenge' packets back to the router. It seems the radius is
> waiting for next requests and then the authentication process just ends up.

Yes. The client stops responding, so you need to ask the client what the problem is - but the EAP-SIM fixes might be the cause.

> so my questions are:
> -how many request packets are needed to complete the eap-sim authentication?

3, I think.

> -what should I configure to get more than 2 Access-Request

You don't. The client is stopping because it thinks something is wrong. Upgrade to 2.2.0 and try again - if the same thing happens, you need to debug on the client.
EAP-SIM authentication failed
Hi guys,

For my thesis I need to realize an EAP-SIM authentication testbed. I'm using a Nokia E52 with EAP-SIM, a MIKROTIK router as access point and FreeRADIUS 2.1.10 as RADIUS server. I have added the necessary commands in the clients.conf, radiusd.conf, eap.conf and default files in order to enable EAP-SIM authentication on FreeRADIUS, and I've created a flat file 'simtriplets.dat' that is used by the RADIUS server during the authentication process.

When trying to access the WLAN with the mobile phone (Nokia E52), I got the message that the authentication was unsuccessful. But looking at the RADIUS debug file, I cannot recognize any failure or messages like 'Access-Reject'. The debug file shows that the RADIUS server got two 'Access-Request' packets from the MIKROTIK router and it also sent two 'Access-Challenge' packets back to the router. It seems the RADIUS server is waiting for the next requests and then the authentication process just ends.

So my questions are:
- How many request packets are needed to complete the EAP-SIM authentication?
- What should I configure to get more than 2 Access-Requests?

Here is the content of my debug file:

.
.
.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 38803, id=29, length=238 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "19017653" NAS-Port-Id = "ap_hotspot" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "822e" Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E" Calling-Station-Id = "A8-7E-33-3E-9C-5B" Called-Station-Id = "00-0C-42-64-41-9D:YANN" EAP-Message = 0x020100150131393031373030303030303030363533 Message-Authenticator = 0xcf4e5f6429686cc260b16bd23d82489f NAS-Identifier = "MT_Yann" NAS-IP-Address = 192.168.10.212 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} rlm_sim_files: authorized user/imsi 19017653 rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] returns ok ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "19017653", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 108 ++[eap] returns handled Sending Access-Challenge of id 29 to 192.168.10.212 port 38803 EAP-Message = 0x016c0014120a0f020002000111010100 Message-Authenticator = 0x State = 0x870e2a6987623891aa6e49c2b1bcc9b6 Finished request 0. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 192.168.10.212 port 50478, id=30, length=287
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "19017653"
    State = 0x870e2a6987623891aa6e49c2b1bcc9b6
    NAS-Port-Id = "ap_hotspot"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "822e"
    Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"
    Calling-Station-Id = "A8-7E-33-3E-9C-5B"
    Called-Station-Id = "00-0C-42-64-41-9D:YANN"
    EAP-Message = 0x026c0034120a0705c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363533
    Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f
    NAS-Identifier = "MT_Yann"
    NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
rlm_sim_files: authorized user/imsi 19017653
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "19017653", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 108 length 52
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] r
Re: EAP-SIM authentication / Supplicant
Any more activities in this context? I'm trying to set up something in this area.

T.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-SIM-authentication-Supplicant-tp2752052p3242070.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-SIM authentication / Supplicant
Geoffroy Arnoud wrote:
> Currently, my SIM card can be authenticated using a Cisco supplicant
> (eap-sim-draft-v5) with a Cisco Access Registrar RADIUS server
> (eap-sim-draft-v5) that gets SIM triplets from an ITP and a HLR simulator.

I'm not sure this is compatible with draft-12 ...

> I would like to know whether someone uses EAP-SIM, and which supplicant is
> used.

I've heard rumors of people using it. For testing, I would suggest using wpa_supplicant (i.e. eapol_test). You will have access to the source, and lots of debugging output.

Alan DeKok.
EAP-SIM authentication / Supplicant
Hi all,

I try to use FreeRADIUS to authenticate a wireless device using EAP-SIM.

Currently, my SIM card can be authenticated using a Cisco supplicant (eap-sim-draft-v5) with a Cisco Access Registrar RADIUS server (eap-sim-draft-v5) that gets SIM triplets from an ITP and a HLR simulator.

I extracted the triplets from the HLR and injected them into FreeRADIUS rlm_sim_files module. I use another laptop, with centrino chipset with Intel EAP-SIM supplicant.

The FreeRADIUS server receives the EAP message and sends back a Challenge. The supplicant answers to the challenge. FreeRADIUS then sends back the same challenge. The supplicant stops.

I would like to know whether someone uses EAP-SIM, and which supplicant is used.

Regarding RFC compliancy, I assume that FreeRADIUS is eap-sim-draft-v12 compliant (present in RFC directory). The Intel supplicant can be RFC compliant.

Here is my config:

sites-enabled/default:

authorize {
    eap {
        ok = return
    }
    sim_files
}
authenticate {
    eap
}
preacct { }
accounting { }
session { }
post-auth { }
pre-proxy { }
post-proxy { }

simtriplets.dat:

[EMAIL PROTECTED],,01234567,89ABCDEFFEDCBA98
[EMAIL PROTECTED],,01234567,89ABCDEFFEDCBA98
[EMAIL PROTECTED],,01234567,89ABCDEFFEDCBA98

I know that triplets are identical, but it is the exact content of my HLR.

FreeRADIUS debug output:

rad_recv: Access-Request packet from host 10.67.141.66 port 1647, id=18, length=282
    User-Name = "[EMAIL PROTECTED]"
    Framed-MTU = 1400
    Called-Station-Id = "001a.6cf3.fd90"
    Calling-Station-Id = "0013.ce0d.e627"
    Cisco-AVPair = "ssid=MySSID"
    Service-Type = Login-User
    Message-Authenticator = 0xc30522798ef5169cf5e0c3807650d0ca
    EAP-Message = 0x02010037013131303230333034303530363037303840696d732e6d6e633033302e6d63633130322e336770706e6574776f726b2e6f7267
    Cisco-NAS-Port = "611"
    NAS-Port = 611
    NAS-Identifier = "AP4"
    Proxy-State = 0x535347
    Proxy-State = 0x323234
    NAS-IP-Address = 10.67.106.62
    Event-Timestamp = "Jul 22 2008 07:58:15 GMT"
    NAS-Port-Type = Wireless-802.11
    WISPr-Location-Name = "unknown"
    Proxy-State = 0x3432
+- entering group authorize
rlm_eap: EAP packet type response id 1 length 55
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_sim_files: authorized user/imsi [EMAIL PROTECTED]
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type sim
rlm_eap: Underlying EAP-Type set EAP ID to 23
++[eap] returns handled
Sending Access-Challenge of id 18 to 10.67.141.66 port 1647
    EAP-Message = 0x01170014120a0f020002000111010100
    Message-Authenticator = 0x
    State = 0x9ef748f79ee05ae75aadbce935e2f4b8
    Proxy-State = 0x535347
    Proxy-State = 0x323234
    Proxy-State = 0x3432
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.67.141.66 port 1647, id=19, length=333
    User-Name = "[EMAIL PROTECTED]"
    Framed-MTU = 1400
    Called-Station-Id = "001a.6cf3.fd90"
    Calling-Station-Id = "0013.ce0d.e627"
    Cisco-AVPair = "ssid=MySSID"
    Service-Type = Login-User
    Message-Authenticator = 0xd4899c4bcc876e21712e13b045ea773f
    EAP-Message = 0x02170058120a0e0e00323131303230333034303530363037303840696d732e6d6e633033302e6d63633130322e336770706e6574776f726b2e6f7267100100010705e05543a4f8463a935b25152720718715
    Cisco-NAS-Port = "611"
    NAS-Port = 611
    State = 0x9ef748f79ee05ae75aadbce935e2f4b8
    NAS-Identifier = "AP4"
    Proxy-State = 0x535347
    Proxy-State = 0x323235
    NAS-IP-Address = 10.67.106.62
    Event-Timestamp = "Jul 22 2008 07:58:15 GMT"
    NAS-Port-Type = Wireless-802.11
    WISPr-Location-Name = "unknown"
    Proxy-State = 0x3433
+- entering group authorize
rlm_eap: EAP packet type response id 23 length 88
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_sim_files: authorized user/imsi [EMAIL PROTECTED]
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/sim
rlm_eap: processing type sim
+++> EAP-sim decoded packet:
    User-Name = "[EMAIL PROTECTED]"
    Framed-MTU = 1400
    Called-Station-Id = "001a.6cf3.fd90"
    Calling-Station-Id = "0013.ce0d.e627"
    Cisco-AVPair = "ssi
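Reading the EAP-Message hex shows which EAP-SIM step each packet in a trace belongs to, both in the post above and in the Nokia E52 / MikroTik post earlier on the page. The decoder below is an added example, not code from the posters or from FreeRADIUS; it assumes the RFC 4186 packet layout, its two sample packets are constructed, and the function and constant names are made up for this illustration. It also checks the EAP length field, which the Access-Challenge hex as printed on this page fails (16 bytes present, 20 declared), so that value cannot be decoded as it appears here.

```python
import struct

# Numbers from RFC 4186 (EAP-SIM); EAP type 18 is EAP-SIM.
SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification",
            13: "Re-authentication", 14: "Client-Error"}
ATTRS = {1: "AT_RAND", 7: "AT_NONCE_MT", 10: "AT_PERMANENT_ID_REQ",
         11: "AT_MAC", 13: "AT_ANY_ID_REQ", 14: "AT_IDENTITY",
         15: "AT_VERSION_LIST", 16: "AT_SELECTED_VERSION",
         17: "AT_FULLAUTH_ID_REQ", 22: "AT_CLIENT_ERROR_CODE"}

def decode_eap_sim(hex_msg):
    """Decode one EAP-Message value (hex string, optional 0x) as EAP-SIM."""
    raw = bytes.fromhex(hex_msg[2:] if hex_msg[:2].lower() == "0x" else hex_msg)
    if len(raw) < 8:
        raise ValueError("too short for an EAP-SIM header")
    code, ident, length, eap_type, subtype = struct.unpack("!BBHBB", raw[:6])
    if length != len(raw):
        raise ValueError(f"EAP length field says {length} bytes, got {len(raw)}")
    if eap_type != 18:
        raise ValueError(f"EAP type {eap_type} is not EAP-SIM")
    attrs, pos = [], 8  # skip code, id, length, type, subtype, 2 reserved bytes
    while pos < len(raw):
        # Attribute = type (1 byte), length in 4-byte words (1 byte), value.
        a_len = raw[pos + 1] * 4 if pos + 4 <= len(raw) else 0
        if a_len == 0 or pos + a_len > len(raw):
            raise ValueError(f"bad attribute length at offset {pos}")
        attrs.append((ATTRS.get(raw[pos], f"AT_{raw[pos]}"),
                      raw[pos + 2:pos + a_len].hex()))
        pos += a_len
    return {"code": {1: "Request", 2: "Response"}.get(code, code), "id": ident,
            "subtype": SUBTYPES.get(subtype, subtype), "attrs": attrs}

# Constructed samples (not captured traffic): a well-formed Start request and
# a Start response with a made-up AT_NONCE_MT value.
START_REQ = "0x01010014120a00000f0200020001000011010000"
START_RESP = ("0x02010020120a000007050000"
              "00112233445566778899aabbccddeeff10010001")
# Access-Challenge EAP-Message exactly as it is printed in the trace above.
AS_PRINTED = "0x01170014120a0f020002000111010100"

if __name__ == "__main__":
    for name, msg in [("request", START_REQ), ("response", START_RESP),
                      ("as printed", AS_PRINTED)]:
        try:
            print(name, decode_eap_sim(msg))
        except ValueError as err:
            print(name, "rejected:", err)
```
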
eap sim authentication
Hi,

I am a new user of freeradius and I would like to ask if there exists some good documentation about eap sim authentication and how I can configure the radius server and how I can test if it works.

thanks
tom fritz
EAP-SIM Authentication
Hi all,

I am a new user of Freeradius and I need your help. Do you know if there is any way to achieve EAP-SIM based Authentication using Freeradius? Do I need to include more files in the freeradius server?

Thanks in advance!
Giorgos