Re: eap sim authorization problem
Hi, thanks for your reply. I also tried using the patch in http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/13b2c044/attachment.ksh but unfortunately, when I have already connected with one device successfully and then try another device, the other device is rejected by the server. Any idea?

Thanks for your time and your answer.
Best regards

On Fri, Jun 21, 2013 at 6:31 PM, Iliya Peregoudov <iperegu...@cboss.ru> wrote:
> On 20.06.2013 17:56, raptor raptor wrote:
> > my users format
> > 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
> >         EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
> >         EAP-Sim-SRES1 = 0x DD287535,
> >         EAP-Sim-KC1 = 0x 7F743521EBabb000,
> >         EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
> >         EAP-Sim-SRES2 = 0x BFf89ad2,
> >         EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
> >         EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
> >         EAP-Sim-SRES3 = 0x 17172cc6,
> >         EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,
>
> Syntax error here. There should be no comma at the end of a stanza. Because of the comma, the next non-blank line is also considered part of this stanza, so the next stanza (1510080325656501) will not be parsed correctly.
>
> > rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2, length=215
> >         User-Name = 1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org
> >         NAS-IP-Address = 192.168.2.1
> >         Called-Station-Id = 48f8b315461a
> >         Calling-Station-Id = 001adc019b98
> >         NAS-Identifier = 48f8b315461a
> >         NAS-Port = 2
> >         Framed-MTU = 1400
> >         NAS-Port-Type = Wireless-802.11
> >         EAP-Message = 0x0238013135313030383033323536353635303140776c616e2e6d6e633030382e6d63633531302e336770706e6574776f726b2e6f7267
> >         Message-Authenticator = 0x1e6d83334fd94f359c5fda46d916ce7e
> > [skipped]
> > ++[files] returns noop
>
> rlm_files was unable to find a stanza for 1510080325656501 because of the syntax error mentioned above.
>
> > [eap] processing type sim
> > can not initiate sim, no RAND1 attribute
>
> The EAP-Sim-Rand1 attribute is not found in the reply list. I don't know why. rlm_sim_files earlier said that it successfully found auth vectors. Definitely rlm_sim_files is not working as expected. Try to fix the syntax error in the users file.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eap sim authorization problem
Hi Iliya, thanks for your answer. I tried to fix the syntax error in the users file and also tried using the patch in http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/13b2c044/attachment.ksh but unfortunately the result is the same: my first device can connect to the internet, and the second device can't connect if my first device is already connected.

Thanks for your time and your answer.
Best regards

On Fri, Jun 21, 2013 at 6:31 PM, Iliya Peregoudov <iperegu...@cboss.ru> wrote:
> On 20.06.2013 17:56, raptor raptor wrote:
> > my users format
> > 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
> >         EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
> >         EAP-Sim-SRES1 = 0x DD287535,
> >         EAP-Sim-KC1 = 0x 7F743521EBabb000,
> >         EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
> >         EAP-Sim-SRES2 = 0x BFf89ad2,
> >         EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
> >         EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
> >         EAP-Sim-SRES3 = 0x 17172cc6,
> >         EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,
>
> Syntax error here. There should be no comma at the end of a stanza. Because of the comma, the next non-blank line is also considered part of this stanza, so the next stanza (1510080325656501) will not be parsed correctly.
>
> > rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2, length=215
> >         User-Name = 1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org
> >         NAS-IP-Address = 192.168.2.1
> >         Called-Station-Id = 48f8b315461a
> >         Calling-Station-Id = 001adc019b98
> >         NAS-Identifier = 48f8b315461a
> >         NAS-Port = 2
> >         Framed-MTU = 1400
> >         NAS-Port-Type = Wireless-802.11
> >         EAP-Message = 0x0238013135313030383033323536353635303140776c616e2e6d6e633030382e6d63633531302e336770706e6574776f726b2e6f7267
> >         Message-Authenticator = 0x1e6d83334fd94f359c5fda46d916ce7e
> > [skipped]
> > ++[files] returns noop
>
> rlm_files was unable to find a stanza for 1510080325656501 because of the syntax error mentioned above.
>
> > [eap] processing type sim
> > can not initiate sim, no RAND1 attribute
>
> The EAP-Sim-Rand1 attribute is not found in the reply list. I don't know why. rlm_sim_files earlier said that it successfully found auth vectors. Definitely rlm_sim_files is not working as expected. Try to fix the syntax error in the users file.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eap sim authorization problem
On 20.06.2013 17:56, raptor raptor wrote:
> my users format
> 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
>         EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
>         EAP-Sim-SRES1 = 0x DD287535,
>         EAP-Sim-KC1 = 0x 7F743521EBabb000,
>         EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
>         EAP-Sim-SRES2 = 0x BFf89ad2,
>         EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
>         EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
>         EAP-Sim-SRES3 = 0x 17172cc6,
>         EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,

Syntax error here. There should be no comma at the end of a stanza. Because of the comma, the next non-blank line is also considered part of this stanza, so the next stanza (1510080325656501) will not be parsed correctly.

> rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2, length=215
>         User-Name = 1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org
>         NAS-IP-Address = 192.168.2.1
>         Called-Station-Id = 48f8b315461a
>         Calling-Station-Id = 001adc019b98
>         NAS-Identifier = 48f8b315461a
>         NAS-Port = 2
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 0x0238013135313030383033323536353635303140776c616e2e6d6e633030382e6d63633531302e336770706e6574776f726b2e6f7267
>         Message-Authenticator = 0x1e6d83334fd94f359c5fda46d916ce7e
> [skipped]
> ++[files] returns noop

rlm_files was unable to find a stanza for 1510080325656501 because of the syntax error mentioned above.

> [eap] processing type sim
> can not initiate sim, no RAND1 attribute

The EAP-Sim-Rand1 attribute is not found in the reply list. I don't know why. rlm_sim_files earlier said that it successfully found auth vectors. Definitely rlm_sim_files is not working as expected. Try to fix the syntax error in the users file.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eap sim authorization problem
On 20.06.2013 8:38, raptor raptor wrote:
> I just tried one client and it succeeded, but when I use another client it fails

Post the debug log if you want to diagnose the authentication failure.

> is it correct if I add the other client in users and simtriplets.dat?

Yes, you should add auth vectors for all your SIM cards into the users file, one stanza for every SIM card. If you still get the "insufficient number of challenges" message, then your simtriplets.dat is not relevant. Just forget about it. Auth vectors from the users file are sufficient.

FreeRADIUS is very flexible. There is no single way to configure it correctly, but there are an indefinite number of ways to misconfigure it. If you prefer not to diagnose authentication failures but to insert random stuff into randomly selected configuration files, it's unlikely you will accidentally configure it correctly.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eap sim authorization problem
Hi Iliya, thanks for your quick response. Here is my debug log:

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=0, length=215
        User-Name = 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org
        NAS-IP-Address = 192.168.2.1
        Called-Station-Id = 48f8b315461a
        Calling-Station-Id = 1814563e5189
        NAS-Identifier = 48f8b315461a
        NAS-Port = 38
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
        Message-Authenticator = 0x1e692ae9b93631a0f54bda0997d713f2
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm wlan.mnc001.mcc510.3gppnetwork.org for User-Name = 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org
[suffix] No such realm wlan.mnc001.mcc510.3gppnetwork.org
++[suffix] returns noop
rlm_sim_files: authorized user/imsi 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org at line 1
++[files] returns ok
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 116
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.2.1 port 2048
        EAP-Message = 0x01740014120a0f020002000111010100
        Message-Authenticator = 0x
        State = 0x2e42338f2e362191820b0799859172e9
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=0, length=265
Cleaning up request 0 ID 0 with timestamp +10
        User-Name = 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org
        NAS-IP-Address = 192.168.2.1
        Called-Station-Id = 48f8b315461a
        Calling-Station-Id = 1814563e5189
        NAS-Identifier = 48f8b315461a
        NAS-Port = 38
        Framed-MTU = 1400
        State = 0x2e42338f2e362191820b0799859172e9
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02740058120a0705c857b63e06e1bb7341a729ea36de8804100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
        Message-Authenticator = 0x4228372d93c4496516a4c62a6b0d1f84
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm wlan.mnc001.mcc510.3gppnetwork.org for User-Name = 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org
[suffix] No such realm wlan.mnc001.mcc510.3gppnetwork.org
++[suffix] returns noop
rlm_sim_files: authorized user/imsi 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 116 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org at line 1
++[files] returns ok
[sql] User 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++ EAP-sim decoded packet:
        User-Name = 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org
        NAS-IP-Address = 192.168.2.1
        Called-Station-Id = 48f8b315461a
        Calling-Station-Id = 1814563e5189
        NAS-Identifier = 48f8b315461a
        NAS-Port = 38
        Framed-MTU = 1400
        State = 0x2e42338f2e362191820b0799859172e9
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
Re: eap sim authorization problem
On 20.06.2013 13:38, raptor raptor wrote:
> Sending Access-Accept of id 0 to 192.168.2.1 port 2048
>         MS-MPPE-Recv-Key = 0x9d0b6b0a9151822473399a9fed44e8f0d74df083532a7d437e436f60866252d8
>         MS-MPPE-Send-Key = 0xebf07da25ca3cd97267d1fc6a1ce18d68ad2737902f610284bdb45c6eed0cb7f
>         EAP-Message = 0x03760004
>         Message-Authenticator = 0x
>         User-Name = 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org
> Finished request 2.

I cannot see an authentication failure in this debug log.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eap sim authorization problem
Hi Iliya, I'm sorry, my posting above is about one client. First I connect with one client and it succeeds (until "Finished request 2" in the debug log), and then in the next request I try to authenticate with a different supplicant/client. I have put the identity (IMSI, RAND, SRES, KC) into simtriplets.dat and users.

My simtriplets.dat format:

1510019760806391,326258E6F77C40f3866DB25DEA60AE4D,DD287535,7F743521EBabb000
1510019760806391,FD9989BD90AD4a03962E6C08C000C14B,BFf89ad2,1C7098005Fea8c00
1510019760806391,26CC8DB02C9848c7BBCC2790E3F0913B,17172cc6,BF34bf34D4ca4c00
1510080325656501,5A8F4C0677DE4930B47825B55534CC79,94d66001,AC85d79439b564c0
1510080325656501,8E29A03F8E13466fBF84D12F6A9D4734,E284e39e,13a524d040094ef4
1510080325656501,BC5D3CEB1EAC4164AA463E289222C450,AE8bdfc6,B0354bf3402e42ed

My users format:

1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
        EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
        EAP-Sim-SRES1 = 0x DD287535,
        EAP-Sim-KC1 = 0x 7F743521EBabb000,
        EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
        EAP-Sim-SRES2 = 0x BFf89ad2,
        EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
        EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
        EAP-Sim-SRES3 = 0x 17172cc6,
        EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,
1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org EAP-Type := SIM
        EAP-Sim-Rand1 = 0x 5A8F4C0677DE4930B47825B55534CC79,
        EAP-Sim-SRES1 = 0x 94d66001,
        EAP-Sim-KC1 = 0x AC85d79439b564c0,
        EAP-Sim-Rand2 = 0x 8E29A03F8E13466fBF84D12F6A9D4734,
        EAP-Sim-SRES2 = 0x E284e39e,
        EAP-Sim-KC2 = 0x 13a524d040094ef4,
        EAP-Sim-Rand3 = 0x BC5D3CEB1EAC4164AA463E289222C450,
        EAP-Sim-SRES3 = 0x AE8bdfc6,
        EAP-Sim-KC3 = 0x B0354bf3402e42ed

Here is my debug log:

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=215
        User-Name = 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org
        NAS-IP-Address = 192.168.2.1
        Called-Station-Id = 48f8b315461a
        Calling-Station-Id = 1814563e5189
        NAS-Identifier = 48f8b315461a
        NAS-Port = 38
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
        Message-Authenticator = 0x509abafbd92ee8417dcb22095d89059d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm wlan.mnc001.mcc510.3gppnetwork.org for User-Name = 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org
[suffix] No such realm wlan.mnc001.mcc510.3gppnetwork.org
++[suffix] returns noop
rlm_sim_files: authorized user/imsi 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 161
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.2.1 port 2048
        EAP-Message = 0x01a10014120a0f020002000111010100
        Message-Authenticator = 0x
        State = 0x86406e6686e17cf5f398cb77ce20781c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=265
Cleaning up request 0 ID 1 with timestamp +25
        User-Name = 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org
        NAS-IP-Address = 192.168.2.1
        Called-Station-Id = 48f8b315461a
        Calling-Station-Id = 1814563e5189
        NAS-Identifier = 48f8b315461a
        NAS-Port = 38
        Framed-MTU = 1400
        State = 0x86406e6686e17cf5f398cb77ce20781c
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02a10058120a07055004b19c6e3aacce33e95d1f3c10c481100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
        Message-Authenticator = 0xc9bbe2c285ff35377724d62bb118966b
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+-
Re: eap sim authorization problem
Hi Iliya,

Thanks for your advice, it works.

On Thu, Jun 13, 2013 at 2:47 PM, Iliya Peregoudov <iperegu...@cboss.ru> wrote:
> On 11.06.2013 12:27, raptor raptor wrote:
> > 1. when I change the users entry, I get a notification that Access-Accept was successful, but unfortunately when I restart the system it can't Access-Accept and I must change the attribute in users from the agsm program. Here is the log:
>
> I do not understand clearly whether you think you succeeded or not.
>
> > 2. I've changed the users entry as you suggested and I still get the same notification: rlm_sim_files: insufficient number of challenges for imsi
>
> Changing the users file will not fix simtriplets.dat. I do not understand why you still bother about rlm_sim_files. You've already configured auth vectors using the users file and it works well. Just comment out the sim_files module invocation and "insufficient number of challenges" will go away.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eap sim authorization problem
Hi, I have tried with one client and it succeeds in authenticating and accessing the internet in the WLAN. Could this test be done with multiple clients? I just tried one client and it succeeded, but when I use another client it fails. Is it correct if I add the other client in users and simtriplets.dat?

Example simtriplets.dat:

151001xx,Rand1,SRES1,kC1
151001xx,Rand2,SRES2,kC2
151001xx,Rand3,SRES3,kC3
151002xx,Rand1,SRES1,kC1
151002xx,Rand2,SRES2,kC2
151002xx,Rand3,SRES3,kC3

and also in users:

151001xxx...@wlan.mnc   EAP-Type := SIM
        EAP-Sim-Rand1 = 0x...
        .
        .
        .
151002xxx...@wlan.mnc   EAP-Type := SIM
        EAP-Sim-Rand1 = 0x...
        .
        .
        .

Thanks for your time and your advice.
Best regards

On Thu, Jun 20, 2013 at 11:24 AM, raptor raptor <raptors...@gmail.com> wrote:
> Hi Iliya,
> Thanks for your advice, it works.
>
> On Thu, Jun 13, 2013 at 2:47 PM, Iliya Peregoudov <iperegu...@cboss.ru> wrote:
> > On 11.06.2013 12:27, raptor raptor wrote:
> > > 1. when I change the users entry, I get a notification that Access-Accept was successful, but unfortunately when I restart the system it can't Access-Accept and I must change the attribute in users from the agsm program. Here is the log:
> >
> > I do not understand clearly whether you think you succeeded or not.
> >
> > > 2. I've changed the users entry as you suggested and I still get the same notification: rlm_sim_files: insufficient number of challenges for imsi
> >
> > Changing the users file will not fix simtriplets.dat. I do not understand why you still bother about rlm_sim_files. You've already configured auth vectors using the users file and it works well. Just comment out the sim_files module invocation and "insufficient number of challenges" will go away.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eap sim authorization problem
On 11.06.2013 22:21, Rodney Machado wrote:
> After reading again the documentation, I got to this point:
> [skipped]
> I'm going to fix the users file and give it a try again.

rlm_eap_sim expects EAP-Sim-RAND1 (and friends) in the reply list, not in the control list. So the correct users entry for EAP-SIM is:

IMSI    EAP-Type := SIM
        EAP-Sim-RAND1 := 0x...,
        ...
        EAP-Sim-KC3 := 0x...

The EAP-Type control attribute is used to set the initial EAP method. Initial EAP method selection is performed by rlm_eap when the Access-Request carrying EAP-Response/Identity is handled. If there is no EAP-Type in the control list, the default method is selected. The default outer EAP method is set in the eap module configuration (eap { default_eap_type = ... }). The default inner EAP method is set in the EAP-PEAP and EAP-TTLS method configuration (eap { peap { default_eap_type = ... } }).

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eap sim authorization problem
On 11.06.2013 12:27, raptor raptor wrote:
> 1. when I change the users entry, I get a notification that Access-Accept was successful, but unfortunately when I restart the system it can't Access-Accept and I must change the attribute in users from the agsm program. Here is the log:

I do not understand clearly whether you think you succeeded or not.

> 2. I've changed the users entry as you suggested and I still get the same notification: rlm_sim_files: insufficient number of challenges for imsi

Changing the users file will not fix simtriplets.dat. I do not understand why you still bother about rlm_sim_files. You've already configured auth vectors using the users file and it works well. Just comment out the sim_files module invocation and "insufficient number of challenges" will go away.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eap sim authorization problem
On 11.06.2013 7:00, raptor raptor wrote:
> I'm sorry, I don't understand about LF UNIX line endings. Could you show me what I should do to the simtriplets.dat format? Is there any mistake?

Run dos2unix simtriplets.dat in a UNIX shell. This will ensure simtriplets.dat has UNIX line endings.

> I got that format in /src/tests/eapsim-03/users-example.txt. What should I fill in the Rand1 attribute?

I assume that your simtriplets.dat contains correct auth vectors (e.g. generated by the SIM card and extracted using the agsm program):

1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000
1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000

The equivalent users entry should look like:

1510019760806391 EAP-Type := SIM
        EAP-Sim-Rand1 := 0xAAC0FAFDC47D4524AC9E2A3D51BDBA39,
        EAP-Sim-SRES1 := 0x2A71bac3,
        EAP-Sim-KC1 := 0x7868589a75fdc000,
        EAP-Sim-Rand2 := 0xBF9A9F6EEB36422895D010927D76972C,
        EAP-Sim-SRES2 := 0xF49dd880,
        EAP-Sim-KC2 := 0x3Afbcf2fA9b0a000,
        EAP-Sim-Rand3 := 0xC63837CFECD348deB119C35CFECD4898,
        EAP-Sim-SRES3 := 0x49312999,
        EAP-Sim-KC3 := 0xFD488938B6f2a000

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eap sim authorization problem
Hi Iliya,

I've been trying EAP-SIM auth myself for a while, with nothing but odd results. I'm using FreeRADIUS Version 3.0.0 (git #25b6fdd), in which support for the sim_files module has been dropped. I tried setting the vectors via the users file for my IMSI but it's not working. I was just about to start a fresh thread for this, but since it seems that raptor and I are struggling with the same situation, I'm popping in here.

> The equivalent users entry should look like:
>
> 1510019760806391 EAP-Type := SIM
>         EAP-Sim-Rand1 := 0xAAC0FAFDC47D4524AC9E2A3D51BDBA39,
>         EAP-Sim-SRES1 := 0x2A71bac3,
>         EAP-Sim-KC1 := 0x7868589a75fdc000,
>         EAP-Sim-Rand2 := 0xBF9A9F6EEB36422895D010927D76972C,
>         EAP-Sim-SRES2 := 0xF49dd880,
>         EAP-Sim-KC2 := 0x3Afbcf2fA9b0a000,
>         EAP-Sim-Rand3 := 0xC63837CFECD348deB119C35CFECD4898,
>         EAP-Sim-SRES3 := 0x49312999,
>         EAP-Sim-KC3 := 0xFD488938B6f2a000

The vectors are right, I extracted them directly from our VLR. Here is the portion of my users file:

--- users ---
1714020096302050 Auth-Type := EAP, EAP-Type := SIM,
        EAP-Sim-Rand1 := 0x9FDDE3536228C010B2CD21081166DE48,
        EAP-Sim-SRES1 := 0xEF4ED51A,
        EAP-Sim-KC1 := 0x2F35C251A5CE3C00,
        EAP-Sim-Rand2 := 0xBA20E6E8BB359BD0843EBF34673D1541,
        EAP-Sim-SRES2 := 0xBDC5490D,
        EAP-Sim-KC2 := 0x8FE8D4E09E5BFC00,
        EAP-Sim-Rand3 := 0xB4C3D755C3C359E3EF6E928641CA59F1,
        EAP-Sim-SRES3 := 0x404A3DAA,
        EAP-Sim-KC3 := 0x83EF559E1B33A000
--- end users ---

In my proxy.conf I added this entry for stripping the domain/realm from the username:

--- proxy.conf ---
realm wlan.mnc002.mcc714.3gppnetwork.org {
}
--- end proxy.conf ---

In the eap file I added this entry:

--- eap ---
sim {
}
--- end eap ---

From the logs I got this:

--- log output ---
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Looking up realm wlan.mnc002.mcc714.3gppnetwork.org for User-Name = 1714020096302050@wlan.mnc002.mcc714.3gppnetwork.org
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Found realm wlan.mnc002.mcc714.3gppnetwork.org
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Adding Stripped-User-Name = 1714020096302050
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Adding Realm = wlan.mnc002.mcc714.3gppnetwork.org
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Authentication realm is LOCAL.
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) [suffix] = ok
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: calling eap (rlm_eap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : EAP packet type response id 1 length 6
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : No EAP Start, assuming it's an on-going EAP conversation
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from eap (rlm_eap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) [eap] = updated
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: calling files (rlm_files) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) files : users: Matched entry 1714020096302050 at line 208
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from files (rlm_files) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) [files] = ok
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: calling expiration (rlm_expiration) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from expiration (rlm_expiration) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) [expiration] = noop
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: calling logintime (rlm_logintime) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from logintime (rlm_logintime) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) [logintime] = noop
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: calling pap (rlm_pap) for request 1
Tue Jun 11 09:09:01 2013 : WARNING: (1) WARNING: pap : No known good password found for the user. Not setting Auth-Type.
Tue Jun 11 09:09:01 2013 : WARNING: (1) WARNING: pap : Authentication will fail unless a known good password is available.
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from pap (rlm_pap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) [pap] = noop
Tue Jun 11 09:09:01 2013 : Debug: (1) Found Auth-Type = EAP
Tue Jun 11 09:09:01 2013 : Debug: (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
Tue Jun 11 09:09:01 2013 : Debug: (1) group authenticate {
Tue Jun 11 09:09:01 2013 : Debug: (1) - entering group authenticate {...}
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authenticate]: calling eap (rlm_eap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Expiring EAP session with state 0xf386ee4bf387ea0a
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Finished EAP session with state 0xf386ee4bf387ea0a
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Previous EAP request found for
Re: eap sim authorization problem
After reading the documentation again, I got to this point:

  What's with the commas in the raddb/users file?

  Commas link lists of attributes together. The general format for a raddb/users file entry is:

  name    Check-Item = Value, ..., Check-Item = Value
          Reply-Item = Value,
          .
          .
          .
          Reply-Item = Value

  Where the dots mean repetition of attributes.

  * The first line contains check-items ONLY.
  * Commas go BETWEEN check-items.
  * The first line ends WITHOUT a comma.
  * The next number of lines are reply-items ONLY.
  * Commas go BETWEEN reply-items.
  * The last line of the reply-item list ends WITHOUT a comma.

  Check-items are used to match attributes in a request packet or to set server parameters. Reply-items are used to set attributes which are to go in the reply packet. So things like Simultaneous-Use go on the first line of a raddb/users file entry and Framed-IP-Address goes on any following line.

I'm going to fix the users file and give it a try again.

Regards,
--RM

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
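The comma rule quoted above, written out as a small parser. This is an added example, not FreeRADIUS code and not code posted by anyone in this thread: it implements the rules as the documentation states them (entry name plus check items on the first line, a trailing comma continues the item list on the next line, indented lines are reply items, the last reply line ends without a comma) and reproduces the failure Iliya diagnosed earlier in the thread, where a comma after the last EAP-Sim-KC3 makes the next entry's name line part of the previous entry and the second IMSI ends up with no stanza at all. The parser is deliberately simplified (no DEFAULT fall-through, no quoted values, no $INCLUDE); the sample file is constructed from the two IMSIs, realms and vectors posted in the thread.

```python
"""raddb/users comma rule as a parser (added example, not FreeRADIUS code)."""
import re

ITEM_RE = re.compile(r"^(.*?)\s*(:=|==|!=|=)\s*(.*?)\s*$")
# (RAND, SRES, Kc) triplets and realms as posted in the thread.
VECTORS = {
    "1510019760806391": [("326258E6F77C40f3866DB25DEA60AE4D", "DD287535", "7F743521EBabb000"),
                         ("FD9989BD90AD4a03962E6C08C000C14B", "BFf89ad2", "1C7098005Fea8c00"),
                         ("26CC8DB02C9848c7BBCC2790E3F0913B", "17172cc6", "BF34bf34D4ca4c00")],
    "1510080325656501": [("5A8F4C0677DE4930B47825B55534CC79", "94d66001", "AC85d79439b564c0"),
                         ("8E29A03F8E13466fBF84D12F6A9D4734", "E284e39e", "13a524d040094ef4"),
                         ("BC5D3CEB1EAC4164AA463E289222C450", "AE8bdfc6", "B0354bf3402e42ed")]}
REALM = {"1510019760806391": "wlan.mnc001.mcc510.3gppnetwork.org",
         "1510080325656501": "wlan.mnc008.mcc510.3gppnetwork.org"}


def users_text(trailing_comma_bug):
    """Constructed users file; True reproduces the stray comma after each KC3."""
    out = []
    for imsi, trip in VECTORS.items():
        out.append("%s@%s EAP-Type := SIM" % (imsi, REALM[imsi]))
        items = ["EAP-Sim-%s%d = 0x %s" % (k, n, v) for n, t in enumerate(trip, 1)
                 for k, v in zip(("Rand", "SRES", "KC"), t)]
        out += ["\t%s," % it for it in items[:-1]]
        out.append("\t%s%s" % (items[-1], "," if trailing_comma_bug else ""))
    return "\n".join(out) + "\n"


def _items(line):
    """'A := x, B = y,' -> ([(A, ':=', x), (B, '=', y)], ends_with_comma)."""
    text = line.strip()
    found = [ITEM_RE.match(p.strip()) for p in text.rstrip(",").split(",")]
    return [m.groups() for m in found if m], text.endswith(",")


def parse_users(text):
    """{name: {'check': [...], 'reply': [...]}} following the trailing-comma rule."""
    lines, entries, i = text.split("\n"), {}, 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        head = re.split(r"\s+", line.strip(), maxsplit=1)
        check, cont = _items(head[1] if len(head) > 1 else "")
        while cont and i < len(lines):        # comma: more check items on the next line
            more, cont = _items(lines[i])
            check, i = check + more, i + 1
        reply = []                             # indented lines are reply items; a comma
        while i < len(lines) and lines[i].strip() and lines[i][0] in " \t":
            cont = True
            while cont and i < len(lines):     # after the last one pulls in whatever
                more, cont = _items(lines[i])  # follows, including the next name line
                reply, i = reply + more, i + 1
        entries[head[0]] = {"check": check, "reply": reply}
    return entries


def stanza_problems(entries, name):
    """Missing stanza, EAP-Sim-* in the check list, or a merged stanza (wording
    follows the thread's debug output)."""
    entry = entries.get(name)
    if entry is None:
        return ["no stanza for %s (rlm_files returns noop)" % name]
    problems = ["EAP-Sim-* must be reply items, not check items"] if any(
        a.lower().startswith("eap-sim-") for a, _, _ in entry["check"]) else []
    problems += ["merged stanza: %r is not an attribute" % a
                 for a, _, _ in entry["reply"] if " " in a or "@" in a]
    names = {a.lower() for a, _, _ in entry["reply"]}
    problems += ["no EAP-Sim-Rand%d in reply list (can not initiate sim)" % n
                 for n in (1, 2, 3) if "eap-sim-rand%d" % n not in names]
    return problems
```

With `users_text(True)` the parser returns a single entry whose reply list contains a bogus "attribute" named after the second IMSI; with `users_text(False)` both IMSIs get their own stanza.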
Re: eap sim authorization problem
On 09.06.2013 5:34, raptor raptor wrote:
> simtriplets.dat format that I write:
> imsi,RAND,SRES,Kc
> 1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
> 1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000
> 1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000

Your simtriplets.dat format is ok.

> I add in the users file:
> DEFAULT Auth-Type := EAP, EAP-Type := SIM
>         EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f,
>         EAP-Sim-SRES1 = 0xd1d2d3d4,
>         EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d2e2f,
>         EAP-Sim-SRES2 = 0xe1e2e3e4,
>         EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d3e3f,
>         EAP-Sim-SRES3 = 0xf1f2f3f4,
>         EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7,
>         EAP-Sim-KC2 = 0xb0b1b2b3b4b5b6b7,
>         EAP-Sim-KC3 = 0xc0c1c2c3c4c5c6c7,

Your users format is ok: 16-octet RAND, 4-octet SRES, 8-octet Kc. The auth vectors in the users file differ from those in simtriplets.dat. You cannot use arbitrary auth vectors. EAP-SIM is a mutual authentication protocol. The UE checks that the AAA knows the correct auth vectors when Request/SIM/Challenge is received, before sending Response/SIM/Challenge.

> rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0
> ++[sim_files] returns notfound

It's strange that rlm_sim_files was unable to find auth vectors. Ensure that simtriplets.dat has UNIX line endings (LF, not CRLF).

> Sending Access-Challenge of id 0 to 192.168.1.1 port 2048
>         EAP-Message = 0x011a0014120a0f020002000111010100
>         Message-Authenticator = 0x
>         State = 0x019a1a23018008ce78acd4b07bc4c4ac

Here radiusd generates EAP Request/SIM/Start. There is no cryptography yet, so the UE will respond with Response/SIM/Start.

> +++ EAP-sim decoded packet:
>         User-Name = 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org
>         NAS-IP-Address = 192.168.1.1
>         Called-Station-Id = 48f8b315461a
>         Calling-Station-Id = 1814563e5189
>         NAS-Identifier = 48f8b315461a
>         NAS-Port = 38
>         Framed-MTU = 1400
>         State = 0x019a1a23018008ce78acd4b07bc4c4ac
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 0x021a0058120a070543837c0b63fd6c4dc3fccbebc8439b04100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
>         Message-Authenticator = 0x441da87c8c81ad6b22b7596fba8b9098
>         Stripped-User-Name = 1510019760806391
>         Realm = wlan.mnc001.mcc510.3gppnetwork.org
>         EAP-Type = SIM
>         EAP-Sim-Subtype = Start
>         EAP-Sim-NONCE_MT = 0x43837c0b63fd6c4dc3fccbebc8439b04
>         EAP-Sim-SELECTED_VERSION = 0x0001
>         EAP-Sim-IDENTITY = 0x00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700

This is Response/SIM/Start from the UE.

> Sending Access-Challenge of id 0 to 192.168.1.1 port 2048
>         EAP-Message = 0x011b0050120b010d101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f0b05fb675502a3304188312931054f33cd1f
>         Message-Authenticator = 0x
>         State = 0x019a1a23008108ce78acd4b07bc4c4ac

Here radiusd generates EAP Request/SIM/Challenge using the auth vectors from the users file and NONCE_MT from Response/EAP/Start. The UE will reject this EAP request (because the AAA does not know the correct auth vectors) and will restart EAP authentication.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
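The two simtriplets.dat points Iliya makes in the reply above (CRLF line endings that leave rlm_sim_files with zero usable challenges, and users-file vectors that differ from the SIM's real triplets) as a small checker. This is an added example, not rlm_sim_files code and not code posted in the thread. It reads the file the way a line-based C reader would (splitting on LF only), so a Windows-edited file shows up as a corrupted Kc field on every line; it enforces the 16/4/8-octet RAND/SRES/Kc sizes; and it compares the file's triplets with the vectors of a users entry, since EAP-SIM is mutual authentication and a challenge built from the wrong vectors is rejected by the UE. The sample data is constructed from the simtriplets lines and the two users entries quoted above (the raptor users-example.txt values and Iliya's equivalent entry).

```python
"""simtriplets.dat checks for rlm_sim_files (added example, not FreeRADIUS code)."""
import re

HEX = re.compile(r"^[0-9a-fA-F]+$")


def load_simtriplets(text):
    """Read 'imsi,RAND,SRES,Kc' lines splitting on LF only, as fgets() would, so a
    CRLF file leaves '\\r' on the Kc field.  Returns ({imsi: [(rand, sres, kc)]}, problems)."""
    triplets, problems = {}, []
    for lineno, raw in enumerate(text.split("\n"), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        f = raw.split(",")
        if len(f) != 4:
            problems.append("line %d: expected imsi,RAND,SRES,Kc" % lineno)
        elif f[3].endswith("\r"):
            problems.append("line %d: CRLF line ending, run dos2unix" % lineno)
        elif [len(x) for x in f[1:]] != [32, 8, 16] or not all(HEX.match(x) for x in f[1:]):
            problems.append("line %d: RAND/SRES/Kc must be 16/4/8 octets of hex" % lineno)
        else:
            triplets.setdefault(f[0], []).append(tuple(x.lower() for x in f[1:]))
    return triplets, problems


def users_vectors(reply_items):
    """[(attr, value)] from a users stanza -> {(rand, sres, kc)} as lowercase hex."""
    vals = {a.lower(): v.replace(" ", "").lower().removeprefix("0x") for a, v in reply_items}
    return {tuple(vals.get("eap-sim-%s%d" % (k, n)) for k in ("rand", "sres", "kc"))
            for n in (1, 2, 3)}


def audit(imsi, simtriplets, reply_items):
    """Findings for one IMSI: unusable file lines, too few challenges, or users
    vectors that the SIM would not produce (so the UE rejects the challenge)."""
    triplets, problems = load_simtriplets(simtriplets)
    have = triplets.get(imsi, [])
    if len(have) < 3:
        problems.append("insufficient number of challenges for imsi %s: %d" % (imsi, len(have)))
    elif users_vectors(reply_items) != set(have):
        problems.append("users vectors for %s differ from simtriplets.dat; "
                        "UE will reject Request/SIM/Challenge" % imsi)
    return problems


# Constructed inputs, copied from the messages above.
TRIPLETS_LF = (
    "1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000\n"
    "1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000\n"
    "1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000\n")
TRIPLETS_CRLF = TRIPLETS_LF.replace("\n", "\r\n")        # the same file saved on Windows
REPLY_FROM_EXAMPLE = [  # the DEFAULT entry taken from users-example.txt
    ("EAP-Sim-Rand1", "0x101112131415161718191a1b1c1d1e1f"), ("EAP-Sim-SRES1", "0xd1d2d3d4"),
    ("EAP-Sim-Rand2", "0x202122232425262728292a2b2c2d2e2f"), ("EAP-Sim-SRES2", "0xe1e2e3e4"),
    ("EAP-Sim-Rand3", "0x303132333435363738393a3b3c3d3e3f"), ("EAP-Sim-SRES3", "0xf1f2f3f4"),
    ("EAP-Sim-KC1", "0xa0a1a2a3a4a5a6a7"), ("EAP-Sim-KC2", "0xb0b1b2b3b4b5b6b7"),
    ("EAP-Sim-KC3", "0xc0c1c2c3c4c5c6c7")]
REPLY_FROM_SIM = [  # Iliya's equivalent entry, built from the real triplets
    ("EAP-Sim-Rand1", "0xAAC0FAFDC47D4524AC9E2A3D51BDBA39"), ("EAP-Sim-SRES1", "0x2A71bac3"),
    ("EAP-Sim-KC1", "0x7868589a75fdc000"),
    ("EAP-Sim-Rand2", "0xBF9A9F6EEB36422895D010927D76972C"), ("EAP-Sim-SRES2", "0xF49dd880"),
    ("EAP-Sim-KC2", "0x3Afbcf2fA9b0a000"),
    ("EAP-Sim-Rand3", "0xC63837CFECD348deB119C35CFECD4898"), ("EAP-Sim-SRES3", "0x49312999"),
    ("EAP-Sim-KC3", "0xFD488938B6f2a000")]
```

`audit("1510019760806391", TRIPLETS_CRLF, REPLY_FROM_SIM)` reports three CRLF lines and zero challenges, which is the `insufficient number of challenges ... : 0` outcome; `audit(..., TRIPLETS_LF, REPLY_FROM_EXAMPLE)` is clean on the file side but flags the vector mismatch the UE would detect; `audit(..., TRIPLETS_LF, REPLY_FROM_SIM)` returns no findings.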
Re: eap sim authorization problem
Iliya Peregoudov wrote:

1.
> rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0
> ++[sim_files] returns notfound
>
> It's strange that rlm_sim_files was unable to find auth vectors. Ensure that simtriplets.dat has UNIX line endings (LF, not CRLF).

i'm sorry, i don't understand about LF UNIX line ending. could you show me what i should do to simtriplets.dat format? is there any mistake?

2.
> Your users format is ok: 16-octet RAND, 4-octet SRES, 8-octet Kc.
>
> Auth vectors in users file differ from those in simtriplets.dat. You cannot use arbitrary auth vectors. EAP-SIM is a mutual authentication protocol. UE checks that AAA knows correct auth vectors when Request/SIM/Challenge is received, before sending Response/SIM/Challenge.

i got that format in /src/tests/eapsim-03/users-example.txt. what should i fill in the Rand1 attribute?

thanx for your advice

best regard

On Mon, Jun 10, 2013 at 5:29 PM, Iliya Peregoudov <iperegu...@cboss.ru> wrote:
> On 09.06.2013 5:34, raptor raptor wrote:
>> simtriplets.dat format that i write:
>>
>> 1imsi,RAND,SRES,Kc
>> 1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
>> 1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000
>> 1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000
>
> Your simtriplets.dat format is ok.
>
>> i add in users file:
>>
>> DEFAULT Auth-Type := EAP, EAP-Type := SIM
>>         EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f,
>>         EAP-Sim-SRES1 = 0xd1d2d3d4,
>>         EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d2e2f,
>>         EAP-Sim-SRES2 = 0xe1e2e3e4,
>>         EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d3e3f,
>>         EAP-Sim-SRES3 = 0xf1f2f3f4,
>>         EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7,
>>         EAP-Sim-KC2 = 0xb0b1b2b3b4b5b6b7,
>>         EAP-Sim-KC3 = 0xc0c1c2c3c4c5c6c7,
>
> Your users format is ok: 16-octet RAND, 4-octet SRES, 8-octet Kc.
>
> Auth vectors in users file differ from those in simtriplets.dat. You cannot use arbitrary auth vectors. EAP-SIM is a mutual authentication protocol. UE checks that AAA knows correct auth vectors when Request/SIM/Challenge is received, before sending Response/SIM/Challenge.
>
>> rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0
>> ++[sim_files] returns notfound
>
> It's strange that rlm_sim_files was unable to find auth vectors. Ensure that simtriplets.dat has UNIX line endings (LF, not CRLF).
>
>> Sending Access-Challenge of id 0 to 192.168.1.1 port 2048
>>         EAP-Message = 0x011a0014120a0f020002000111010100
>>         Message-Authenticator = 0x
>>         State = 0x019a1a23018008ce78acd4b07bc4c4ac
>
> Here radiusd generates EAP Request/SIM/Start. There is no cryptography yet, so UE will respond with Response/SIM/Start.
>
>> +++ EAP-sim decoded packet:
>>         User-Name = 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org
>>         NAS-IP-Address = 192.168.1.1
>>         Called-Station-Id = 48f8b315461a
>>         Calling-Station-Id = 1814563e5189
>>         NAS-Identifier = 48f8b315461a
>>         NAS-Port = 38
>>         Framed-MTU = 1400
>>         State = 0x019a1a23018008ce78acd4b07bc4c4ac
>>         NAS-Port-Type = Wireless-802.11
>>         EAP-Message = 0x021a0058120a070543837c0b63fd6c4dc3fccbebc8439b04100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
>>         Message-Authenticator = 0x441da87c8c81ad6b22b7596fba8b9098
>>         Stripped-User-Name = 1510019760806391
>>         Realm = wlan.mnc001.mcc510.3gppnetwork.org
>>         EAP-Type = SIM
>>         EAP-Sim-Subtype = Start
>>         EAP-Sim-NONCE_MT = 0x43837c0b63fd6c4dc3fccbebc8439b04
>>         EAP-Sim-SELECTED_VERSION = 0x0001
>>         EAP-Sim-IDENTITY = 0x00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
>
> This is Response/SIM/Start from UE.
>
>> Sending Access-Challenge of id 0 to 192.168.1.1 port 2048
>>         EAP-Message = 0x011b0050120b010d101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f0b05fb675502a3304188312931054f33cd1f
>>         Message-Authenticator = 0x
>>         State = 0x019a1a23008108ce78acd4b07bc4c4ac
>
> Here radiusd generates EAP Request/SIM/Challenge using auth vectors from users file and NONCE_MT from Response/EAP/Start. UE will reject this EAP request (because AAA does not know correct auth vectors) and will restart EAP authentication.
Re: eap sim authorization problem
my simtriplets.dat :

1imsi
1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000
1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000

On Mon, Jun 3, 2013 at 9:26 PM, Alan DeKok <al...@deployingradius.com> wrote:
> Iliya Peregoudov wrote:
>> Apparently there is an error in simtriplets.dat. Format is
>> 1IMSI,RAND,SRES,KC
>> RAND, SRES, and KC should be in hexadecimal digits, without 0x prefix. An even number of hexadecimal digits should be in there.
>
>   The simtriplets.dat file doesn't have 0x prefixes in its examples.
>
>   In any case, hitting an assertion because of a format error is stupid. I've pushed a fix. It will now complain about syntax errors instead.
>
>   Alan DeKok.
Re: eap sim authorization problem
simtriplets.dat format that i write:

1imsi,RAND,SRES,Kc
1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000
1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000

i add in users file:

DEFAULT Auth-Type := EAP, EAP-Type := SIM
        EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f,
        EAP-Sim-SRES1 = 0xd1d2d3d4,
        EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d2e2f,
        EAP-Sim-SRES2 = 0xe1e2e3e4,
        EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d3e3f,
        EAP-Sim-SRES3 = 0xf1f2f3f4,
        EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7,
        EAP-Sim-KC2 = 0xb0b1b2b3b4b5b6b7,
        EAP-Sim-KC3 = 0xc0c1c2c3c4c5c6c7,

i think the number of RAND digits in simtriplets.dat is the same as in EAP-Sim-Rand1 (32 octet). is my format wrong?

i'm using freeradius-server-2.1.9 and nokia e63, and i run freeradius, so here is the log:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=215
        User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = 48f8b315461a
        Calling-Station-Id = 1814563e5189
        NAS-Identifier = 48f8b315461a
        NAS-Port = 38
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
        Message-Authenticator = 0xa01e03afe31bdb73b9c01a64096ec87a
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] Looking up realm wlan.mnc001.mcc510.3gppnetwork.org for User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
[suffix] Found realm wlan.mnc001.mcc510.3gppnetwork.org
[suffix] Adding Stripped-User-Name = 1510019760806391
[suffix] Adding Realm = wlan.mnc001.mcc510.3gppnetwork.org
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0
++[sim_files] returns notfound
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 205
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 26
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 2048
        EAP-Message = 0x011a0014120a0f020002000111010100
        Message-Authenticator = 0x
        State = 0x019a1a23018008ce78acd4b07bc4c4ac
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=265
Cleaning up request 0 ID 0 with timestamp +227
        User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = 48f8b315461a
        Calling-Station-Id = 1814563e5189
        NAS-Identifier = 48f8b315461a
        NAS-Port = 38
        Framed-MTU = 1400
        State = 0x019a1a23018008ce78acd4b07bc4c4ac
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x021a0058120a070543837c0b63fd6c4dc3fccbebc8439b04100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
        Message-Authenticator = 0x441da87c8c81ad6b22b7596fba8b9098
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] Looking up realm wlan.mnc001.mcc510.3gppnetwork.org for User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
[suffix] Found realm wlan.mnc001.mcc510.3gppnetwork.org
[suffix] Adding Stripped-User-Name = 1510019760806391
[suffix] Adding Realm = wlan.mnc001.mcc510.3gppnetwork.org
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0
++[sim_files] returns notfound
[eap] EAP packet type response id 26 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 205
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
rlm_eap_sim: subtype= 10 start.
+++ EAP-sim decoded packet:
        User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = 48f8b315461a
Re: eap sim authorization problem
Apparently there is an error in simtriplets.dat. Format is

1IMSI,RAND,SRES,KC

RAND, SRES, and KC should be in hexadecimal digits, without 0x prefix. An even number of hexadecimal digits should be in there.

On 01.06.2013 5:51, raptor raptor wrote:
> ASSERT FAILED rlm_sim_files.c[212]: k != NULL
Re: eap sim authorization problem
Iliya Peregoudov wrote:
> Apparently there is an error in simtriplets.dat. Format is
> 1IMSI,RAND,SRES,KC
> RAND, SRES, and KC should be in hexadecimal digits, without 0x prefix. An even number of hexadecimal digits should be in there.

  The simtriplets.dat file doesn't have 0x prefixes in its examples.

  In any case, hitting an assertion because of a format error is stupid. I've pushed a fix. It will now complain about syntax errors instead.

  Alan DeKok.
Re: eap sim authorization problem
Call suffix before sim_files. The rlm_sim_files module uses canonical username as a key for searching authentication vectors. Initially canonical username points to User-Name attribute. rlm_realm module (suffix is an instance of this module) splits User-Name into Stripped-User-Name and Realm and sets canonical username to point to Stripped-User-Name.

Or you can put full username 1IMSI@wlan.mnc001.mcc510.3gppnetwork.org into simtriplets.dat. This will work without calling suffix.

On 30.05.2013 19:26, raptor raptor wrote:
> Hi, i have added simtriplets.dat and created file sim_files in /freeradius/modules, and also i configured sim_files in authorize{} in /sites-enabled/default, but i don't use suffix module. so my concern is how to solve this message:
>
> rlm_sim_files: insufficient number of challenges for imsi i...@wlan.mnc001.mcc510.3gppnetwork.org : 0
> [sim_files] returns notfound
Re: eap sim authorization problem
i have added Stripped-User-Name in sites-enabled/default and also i disabled suffix module, but i found something like a fatal mistake. could someone tell me what i should do to fix this? this is my log:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=215
        User-Name = 15100...@wlan.mnc001.mcc510.3gppnetwork.org
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = 48f8b315461a
        Calling-Station-Id = 1814563e5189
        NAS-Identifier = 48f8b315461a
        NAS-Port = 38
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
        Message-Authenticator = 0xe0a42673f8bb72f47e48dcb350887961
+- entering group authorize {...}
++[preprocess] returns ok
++? if (User-Name =~ /^(.*)@(.+)$/)
? Evaluating (User-Name =~ /^(.*)@(.+)$/) -> TRUE
++? if (User-Name =~ /^(.*)@(.+)$/) -> TRUE
++- entering if (User-Name =~ /^(.*)@(.+)$/) {...}
        expand: %{1} -> 15100xx
        expand: %{2} -> wlan.mnc001.mcc510.3gppnetwork.org
+++[request] returns ok
++- if (User-Name =~ /^(.*)@(.+)$/) returns ok
ASSERT FAILED rlm_sim_files.c[212]: k != NULL
Aborted

best regard

On Fri, May 31, 2013 at 12:59 PM, Iliya Peregoudov <iperegu...@cboss.ru> wrote:
> Call suffix before sim_files. The rlm_sim_files module uses canonical username as a key for searching authentication vectors. Initially canonical username points to User-Name attribute. rlm_realm module (suffix is an instance of this module) splits User-Name into Stripped-User-Name and Realm and sets canonical username to point to Stripped-User-Name.
>
> Or you can put full username 1IMSI@wlan.mnc001.mcc510.3gppnetwork.org into simtriplets.dat. This will work without calling suffix.
>
> On 30.05.2013 19:26, raptor raptor wrote:
>> Hi, i have added simtriplets.dat and created file sim_files in /freeradius/modules, and also i configured sim_files in authorize{} in /sites-enabled/default, but i don't use suffix module. so my concern is how to solve this message:
>>
>> rlm_sim_files: insufficient number of challenges for imsi imsi@wlan.mnc001.mcc510.3gppnetwork.org : 0
>> [sim_files] returns notfound
Re: eap sim authorization problem
You should designate realm wlan.mnc001.mcc510.3gppnetwork.org as locally served in raddb/proxy.conf:

# raddb/proxy.conf
realm wlan.mnc001.mcc510.3gppnetwork.org {
}

Then you should add authentication vectors to raddb/simtriplets.dat:

# raddb/simtriplets.dat
# 1IMSI,RAND,SRES,KC
1250991417456196,cf92007bd3814afaa71a58bbe406b8a0,6b7ace84,b54e3cad99ab2000
...

At least 3 authentication vectors should be present for each IMSI. You can generate authentication vectors for your SIM card using a smart card reader and the agsm program (http://agsm.sourceforge.net/).

On 30.05.2013 10:44, raptor raptor wrote:
> Hi all, i have read anything about my problem, but i don't get any idea to solve it. in FR i get a message like this:
>
> rlm_sim_files: insufficient number of challenges for imsi i...@wlan.mnc001.mcc510.3gppnetwork.org : 0
> [sim_files] returns notfound
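An added example (not FreeRADIUS code and not from anyone in this thread): a Python check that applies the simtriplets.dat rules given in this reply and the later ones (1IMSI,RAND,SRES,KC records, bare hex without a 0x prefix and an even digit count, 16-octet RAND / 4-octet SRES / 8-octet Kc, LF line endings, at least three vectors per IMSI), and that shows how the canonical username used as the lookup key decides whether any vectors are found at all. The function names and the sample file contents are constructed for this example; the three records are the ones posted in the thread.

```python
"""Sanity checks for a FreeRADIUS raddb/simtriplets.dat file (added example, not
FreeRADIUS code): one 1IMSI,RAND,SRES,KC record per line, bare hex without a 0x
prefix, 16-octet RAND / 4-octet SRES / 8-octet Kc, LF line endings, at least
three vectors per IMSI, and a lookup keyed the way rlm_sim_files searches."""
import re
from collections import defaultdict

FIELD_OCTETS = (("RAND", 16), ("SRES", 4), ("KC", 8))  # lengths given in the thread
MIN_VECTORS = 3                                        # "at least 3 ... for each IMSI"
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_triplets(data: bytes):
    """Return (vectors_by_key, problems); vectors_by_key maps key -> [(rand, sres, kc)]."""
    problems = []
    if b"\r" in data:
        problems.append("CR found: convert to UNIX line endings (LF, not CRLF)")
    vectors = defaultdict(list)
    for lineno, raw in enumerate(data.decode("ascii", "replace").split("\n"), 1):
        line = raw.strip()  # drop a stray CR so the remaining checks still run
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 4:
            problems.append(f"line {lineno}: expected 1IMSI,RAND,SRES,KC, got {len(fields)} fields")
            continue
        key = fields[0]
        # Key is the EAP-SIM permanent identity: '1' + IMSI (at most 15 digits),
        # optionally with @realm appended when the file is keyed by the full User-Name.
        ident = key.partition("@")[0]
        if not (ident.startswith("1") and ident[1:].isdigit() and 1 <= len(ident[1:]) <= 15):
            problems.append(f"line {lineno}: bad key {key!r}, expected '1' + IMSI digits")
            continue
        ok = True
        for (name, octets), value in zip(FIELD_OCTETS, fields[1:]):
            if value.lower().startswith("0x"):
                problems.append(f"line {lineno}: {name} has a 0x prefix; write bare hex digits")
                ok = False
            elif not HEX_RE.match(value) or len(value) % 2:
                problems.append(f"line {lineno}: {name} is not an even number of hex digits")
                ok = False
            elif len(value) != 2 * octets:
                problems.append(f"line {lineno}: {name} is {len(value) // 2} octets, expected {octets}")
                ok = False
        if ok:
            vectors[key].append(tuple(v.lower() for v in fields[1:]))
    for key, vecs in vectors.items():
        if len(vecs) < MIN_VECTORS:
            problems.append(f"{key}: only {len(vecs)} vector(s), need at least {MIN_VECTORS}")
    return dict(vectors), problems


def challenges_for(data: bytes, canonical_username: str) -> int:
    """How many usable vectors a lookup with this canonical username would find."""
    vectors, _ = parse_triplets(data)
    return len(vectors.get(canonical_username, []))


# Constructed sample: the three records posted in the thread, correct and LF-terminated.
GOOD = (
    b"# 1IMSI,RAND,SRES,KC\n"
    b"1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000\n"
    b"1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000\n"
    b"1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000\n"
)
# Constructed: the same file saved with CRLF endings and one SRES given with a 0x prefix.
BAD = GOOD.replace(b"\n", b"\r\n").replace(b"2A71bac3", b"0x2A71bac3")

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("bad", BAD)):
        print(label, parse_triplets(blob)[1] or "ok")
    # Searching with the full NAI finds nothing (the ': 0' in the log) because the file
    # is keyed by 1IMSI; the key that suffix leaves in Stripped-User-Name finds all three.
    print(challenges_for(GOOD, "1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org"))
    print(challenges_for(GOOD, "1510019760806391"))
```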
Re: eap sim authorization problem
On 30/05/2556 13:44, raptor raptor wrote:
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP

It means NAS sends Auth type as EAP but this user set Auth type to pap. Check your user auth type.

--
EasyZone Mikrotik Billing v3.0 - Radius Billing for Mikrotik devices
EasyZone Hotspot Billing v3.0 LDAP - supports LDAP, VLAN, Landing Page, Block site by Group, Multi Hotspot, Cisco WLC
EasyZone ISP Billing - Billing for Wireless ISP, Local ISP.
http://www.easyzonecorp.net
Re: eap sim authorization problem
On 30/05/13 08:16, Iliya Peregoudov wrote:
> You should designate realm wlan.mnc001.mcc510.3gppnetwork.org as locally served in raddb/proxy.conf:

Better yet, don't use the suffix module; look for the realm and strip it yourself:

authorize {
  if (User-Name =~ /^(.*)@(.+)$/) {
    update request {
      Stripped-User-Name := %{1}
      Realm := %{2}
    }
  }
}

See the policy.conf/policy.d and list archives for better regexps for NAI-style usernames.
Re: eap sim authorization problem
On 30/05/13 08:22, EasyHorpak.com wrote:
> On 30/05/2556 13:44, raptor raptor wrote:
>> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
>> ++[pap] returns noop
>> Found Auth-Type = EAP
>> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
>> ++[pap] returns noop
>> Found Auth-Type = EAP
>
> It means NAS sends Auth type as EAP but this user set Auth type to pap.

No, it doesn't. This is normal output saying that PAP *wasn't* detected, but EAP *was*.
Re: eap sim authorization problem
Hi, Phil

> Better yet, don't use the suffix module; look for the realm and strip it yourself:
>
> authorize {
>   if (User-Name =~ /^(.*)@(.+)$/) {
>     update request {
>       Stripped-User-Name := %{1}
>       Realm := %{2}
>     }
>   }
> }
>
> See the policy.conf/policy.d and list archives for better regexps for NAI-style usernames.

is it in policy.conf or sites-enabled/default? if in policy.conf, i can't find a format like authorize {}, but i find cui_authorize.

On Thu, May 30, 2013 at 4:08 PM, Phil Mayers <p.may...@imperial.ac.uk> wrote:
> On 30/05/13 08:16, Iliya Peregoudov wrote:
>> You should designate realm wlan.mnc001.mcc510.3gppnetwork.org as locally served in raddb/proxy.conf:
>
> Better yet, don't use the suffix module; look for the realm and strip it yourself:
>
> authorize {
>   if (User-Name =~ /^(.*)@(.+)$/) {
>     update request {
>       Stripped-User-Name := %{1}
>       Realm := %{2}
>     }
>   }
> }
>
> See the policy.conf/policy.d and list archives for better regexps for NAI-style usernames.
Re: eap sim authorization problem
Hi, i have added simtriplets.dat and created file sim_files in /freeradius/modules, and also i configured sim_files in authorize{} in /sites-enabled/default, but i don't use suffix module. so my concern is how to solve this message:

rlm_sim_files: insufficient number of challenges for imsi i...@wlan.mnc001.mcc510.3gppnetwork.org : 0
[sim_files] returns notfound

here is my log:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=215
        User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = 48f8b315461a
        Calling-Station-Id = 1814563e5189
        NAS-Identifier = 48f8b315461a
        NAS-Port = 38
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
        Message-Authenticator = 0x91af511bc958602ec652547f08683045
+- entering group authorize {...}
++[preprocess] returns ok
rlm_sim_files: insufficient number of challenges for imsi 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org: 0
++[sim_files] returns notfound
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 205
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 218
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 2048
        EAP-Message = 0x01da0014120a0f020002000111010100
        Message-Authenticator = 0x
        State = 0x1e96d6021e4cc425cab980602ba77fc7
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=265
Cleaning up request 0 ID 0 with timestamp +91
        User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = 48f8b315461a
        Calling-Station-Id = 1814563e5189
        NAS-Identifier = 48f8b315461a
        NAS-Port = 38
        Framed-MTU = 1400
        State = 0x1e96d6021e4cc425cab980602ba77fc7
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02da0058120a070566bf4d6f1cf16dae34700d33b40a2cf2100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
        Message-Authenticator = 0x46abb1e0d252ff580dd8d31e5a56ba46
+- entering group authorize {...}
++[preprocess] returns ok
rlm_sim_files: insufficient number of challenges for imsi 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org: 0
++[sim_files] returns notfound
[eap] EAP packet type response id 218 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 205
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++ EAP-sim decoded packet:
        User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = 48f8b315461a
        Calling-Station-Id = 1814563e5189
        NAS-Identifier = 48f8b315461a
        NAS-Port = 38
        Framed-MTU = 1400
        State = 0x1e96d6021e4cc425cab980602ba77fc7
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02da0058120a070566bf4d6f1cf16dae34700d33b40a2cf2100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
        Message-Authenticator = 0x46abb1e0d252ff580dd8d31e5a56ba46
        EAP-Type = SIM
        EAP-Sim-Subtype = Start
        EAP-Sim-NONCE_MT = 0x66bf4d6f1cf16dae34700d33b40a2cf2
        EAP-Sim-SELECTED_VERSION = 0x0001
        EAP-Sim-IDENTITY = 0x00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
[eap] Underlying EAP-Type set EAP ID to 219
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 2048