I have manually parsed the EAP messages. EAP Identity and AT_IDENTITY are the same.

EAP-Message from first Access-Request:

02                                              Code = 2 (EAP-Response)
   00                                           Identifier = 0
      00 38                                     Length = 56
            01                                  Type = 1 (Identity)
               31 33 30 32 37 32 30 34 30 34 34 Type-Data =
         1302720404413890@wlan.mnc720.mcc302.3gppnetwork.org
31 33 38 39 30 40 77 6c 61 6e 2e 6d 6e 63 37 32
30 2e 6d 63 63 33 30 32 2e 33 67 70 70 6e 65 74
77 6f 72 6b 2e 6f 72 67

EAP-Message from second Access-Request:

02                                              Code = 2 (EAP-Response)
   f6                                           Identifier = 246
      00 58                                     Length = 88
            12                                  Type = 18 (EAP-SIM)
               0a                               Subtype = 10 (SIM-Start)
                  00 00                         Reserved
                        0e                      Attr Type = 14
                                                (AT_IDENTITY)
                           0e                   Attr Length = 56
                              00 33             Identity Length = 51
                                    31 33 30 32 Value =
         1302720404413890@wlan.mnc720.mcc302.3gppnetwork.org
37 32 30 34 30 34 34 31 33 38 39 30 40 77 6c 61
6e 2e 6d 6e 63 37 32 30 2e 6d 63 63 33 30 32 2e
33 67 70 70 6e 65 74 77 6f 72 6b 2e 6f 72 67 00
10                                              Attr Type = 16
                                                (AT_SELECTED_VERSION)
   01                                           Attr Length = 4
      00 01                                     Value = 1
            07                                  Attr Type = 7
                                                (AT_NONCE_MT)
               05                               Attr Length = 20
                  00 00                         Reserved
                        7a e3 c3 b2 94 fa a5 fa Value = 16 random octets
c8 5c 9c dc 58 73 7c 87

I see AT_IDENTITY is padded with a single zero octet. Maybe rlm_eap_sim uses the wrong length field, namely Attribute Length instead of Identity Length?

Alan DeKok wrote:
Francois Gaudreault wrote:
Ok so I did bisect, and this commit appears to be the problematic one:

177dbabdcef84353768551c0a39d29c566538c06 is the first bad commit
commit 177dbabdcef84353768551c0a39d29c566538c06
Author: Alan T. DeKok <[email protected]>
Date:   Tue Feb 21 08:57:49 2012 +0100

    Try to use identity from SIM protocol, not EAP-Identity

  Well, the SIM identity doesn't agree with the EAP-Identity.

  The patch went in because Microsoft ran into inter-operability issues.
 The SIM identity can change during the protocol exchange.  The old way
of always using the EAP-Identity was wrong.

  I'm not sure what to suggest here.  You can delete the patch in your
private branch.  But that means you'll run into other inter-operability
issues later.

  You should probably do a bit more digging to see exactly *what* is
going on in the failing case.  Knowing that will help come up with a
decent solution.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
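
Added example, not part of the original message and not rlm_eap_sim code: a minimal C parser that walks the attributes of the second EAP-Message above and returns the identity sized either by Identity Length or by Attribute Length, showing that the latter yields 52 octets with a trailing zero that no longer equals the 51-octet EAP-Identity. The name `sim_identity` and its `use_attr_len` switch are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { EAP_TYPE_SIM = 18, AT_IDENTITY = 14 };
/* Second EAP-Message from the dump above (EAP-Response/SIM/Start, 88 octets). */
static const uint8_t sim_start[88] = {
    0x02,0xf6,0x00,0x58,0x12,0x0a,0x00,0x00,0x0e,0x0e,0x00,0x33,0x31,0x33,0x30,0x32,
    0x37,0x32,0x30,0x34,0x30,0x34,0x34,0x31,0x33,0x38,0x39,0x30,0x40,0x77,0x6c,0x61,
    0x6e,0x2e,0x6d,0x6e,0x63,0x37,0x32,0x30,0x2e,0x6d,0x63,0x63,0x33,0x30,0x32,0x2e,
    0x33,0x67,0x70,0x70,0x6e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x2e,0x6f,0x72,0x67,0x00,
    0x10,0x01,0x00,0x01,0x07,0x05,0x00,0x00,0x7a,0xe3,0xc3,0xb2,0x94,0xfa,0xa5,0xfa,
    0xc8,0x5c,0x9c,0xdc,0x58,0x73,0x7c,0x87
};
/* Type-Data of the first EAP-Message (EAP-Identity), decoded from its octets. */
static const char eap_identity[] = "1302720404413890@wlan.mnc720.mcc302.3gppnetwork.org";

/* Hypothetical helper: find AT_IDENTITY, return the identity length or -1 if malformed.
 * use_attr_len=1 models the suspected bug: length from Attribute Length, padding included. */
static int sim_identity(const uint8_t *p, size_t n, int use_attr_len, const uint8_t **id)
{
    if (n < 8 || p[4] != EAP_TYPE_SIM) return -1;
    size_t eap_len = ((size_t)p[2] << 8) | p[3];
    if (eap_len < 8 || eap_len > n) return -1;
    for (size_t off = 8; off + 4 <= eap_len; ) {
        size_t alen = (size_t)p[off + 1] * 4;   /* Attribute Length counts 4-octet words */
        if (alen == 0 || off + alen > eap_len) return -1;
        if (p[off] == AT_IDENTITY) {
            size_t idlen = ((size_t)p[off + 2] << 8) | p[off + 3]; /* Identity Length */
            if (idlen > alen - 4) return -1;    /* claimed identity overruns attribute */
            *id = p + off + 4;
            return (int)(use_attr_len ? alen - 4 : idlen);
        }
        off += alen;
    }
    return -1;
}

int main(void)
{
    const uint8_t *id = NULL;
    for (int bug = 0; bug <= 1; bug++) {
        int len = sim_identity(sim_start, sizeof sim_start, bug, &id);
        int same = len == (int)strlen(eap_identity) && !memcmp(id, eap_identity, (size_t)len);
        printf("%s: %d octets, matches EAP-Identity: %s\n",
               bug ? "Attribute Length" : "Identity Length", len, same ? "yes" : "no");
    }
    return 0;
}
```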
