Hi Iliya,
I've been trying EAP-SIM auth myself for a while, with nothing but odd results.
I'm using FreeRADIUS Version 3.0.0 (git #25b6fdd), in which the support for
the sim_files module has been dropped. I tried setting the vectors via the users
file for my IMSI but it's not working. I was just about to start a fresh thread
for this, but since it seems that raptor and I are struggling with the same
situation I'm popping in here.
>Equivalent users entry should look like:
>
>1510019760806391 EAP-Type:=SIM
>EAP-Sim-Rand1:=0xAAC0FAFDC47D4524AC9E2A3D51BDBA39,
>EAP-Sim-SRES1:=0x2A71bac3,
>EAP-Sim-KC1:=0x7868589a75fdc000,
>EAP-Sim-Rand2:=0xBF9A9F6EEB36422895D010927D76972C,
>EAP-Sim-SRES2:=0xF49dd880,
>EAP-Sim-KC2:=0x3Afbcf2fA9b0a000,
>EAP-Sim-Rand3:=0xC63837CFECD348deB119C35CFECD4898,
>EAP-Sim-SRES3:=0x49312999,
>EAP-Sim-KC3:=0xFD488938B6f2a000
The vectors are right, I extracted them directly from our VLR, here is the
portion of my users file:
<fragment users_file>
1714020096302050 Auth-Type := EAP, EAP-Type := SIM, EAP-Sim-Rand1 := 0x9FDDE3536228C010B2CD21081166DE48, EAP-Sim-SRES1 := 0xEF4ED51A, EAP-Sim-KC1 := 0x2F35C251A5CE3C00, EAP-Sim-Rand2 := 0xBA20E6E8BB359BD0843EBF34673D1541, EAP-Sim-SRES2 := 0xBDC5490D, EAP-Sim-KC2 := 0x8FE8D4E09E5BFC00, EAP-Sim-Rand3 := 0xB4C3D755C3C359E3EF6E928641CA59F1, EAP-Sim-SRES3 := 0x404A3DAA, EAP-Sim-KC3 := 0x83EF559E1B33A000
</fragment users_file>
In my proxy.conf I added this entry for stripping the domain/realm from the
username.
<fragment proxy.conf_file>
realm wlan.mnc002.mcc714.3gppnetwork.org {
}
</fragment proxy.conf_file>
In the eap file I added this entry:
<fragment eap_file>
sim {
}
</fragment eap_file>
From the logs I got this:
<fragment logs_output>
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Looking up realm
"wlan.mnc002.mcc714.3gppnetwork.org" for User-Name =
"[email protected]"
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Found realm
"wlan.mnc002.mcc714.3gppnetwork.org"
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Adding Stripped-User-Name =
"1714020096302050"
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Adding Realm =
"wlan.mnc002.mcc714.3gppnetwork.org"
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Authentication realm is LOCAL.
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from
suffix (rlm_realm) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) [suffix] = ok
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: calling eap
(rlm_eap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : EAP packet type response id 1
length 6
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : No EAP Start, assuming it's an
on-going EAP conversation
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from eap
(rlm_eap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) [eap] = updated
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: calling files
(rlm_files) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) files : users: Matched entry
1714020096302050 at line 208
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from
files (rlm_files) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) [files] = ok
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: calling
expiration (rlm_expiration) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from
expiration (rlm_expiration) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) [expiration] = noop
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: calling logintime
(rlm_logintime) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from
logintime (rlm_logintime) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) [logintime] = noop
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: calling pap
(rlm_pap) for request 1
Tue Jun 11 09:09:01 2013 : WARNING: (1) WARNING: pap : No "known good" password
found for the user. Not setting Auth-Type.
Tue Jun 11 09:09:01 2013 : WARNING: (1) WARNING: pap : Authentication will fail
unless a "known good" password is available.
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authorize]: returned from pap
(rlm_pap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) [pap] = noop
Tue Jun 11 09:09:01 2013 : Debug: (1) Found Auth-Type = EAP
Tue Jun 11 09:09:01 2013 : Debug: (1) # Executing group from file
/usr/local/etc/raddb/sites-enabled/default
Tue Jun 11 09:09:01 2013 : Debug: (1) group authenticate {
Tue Jun 11 09:09:01 2013 : Debug: (1) - entering group authenticate {...}
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authenticate]: calling eap
(rlm_eap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Expiring EAP session with state
0xf386ee4bf387ea0a
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Finished EAP session with state
0xf386ee4bf387ea0a
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Previous EAP request found for
state 0xf386ee4bf387ea0a, released from the list
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Peer sent NAK (3)
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Found mutually acceptable type SIM
(18)
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Calling eap_sim to process EAP data
Tue Jun 11 09:09:01 2013 : Debug: can not initiate sim, no RAND1 attribute
Tue Jun 11 09:09:01 2013 : ERROR: (1) ERROR: eap : Failed starting EAP SIM (18)
session. EAP sub-module failed
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Failed in EAP select
Tue Jun 11 09:09:01 2013 : Debug: (1) modsingle[authenticate]: returned from
eap (rlm_eap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) [eap] = invalid
Tue Jun 11 09:09:01 2013 : Debug: (1) Failed to authenticate the user.
Tue Jun 11 09:09:01 2013 : Debug: (1) Using Post-Auth-Type Reject
</fragment logs_output>
The message says that there is no RAND1 attribute, but I have set it in the
users file.
I hope you could give me a hint of where the problem could be located.
Best regards,
--RM
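As an added sanity check (my own script, not FreeRADIUS code and not from anyone in this thread): parse a users-file entry for an IMSI and verify that all three EAP-SIM triplets are present with the GSM sizes (RAND 16 bytes, SRES 4 bytes, Kc 8 bytes), which is what a "no RAND1 attribute" failure hinges on. The sample entry is constructed in the layout used above, with a deliberate attribute typo and a short Kc; the rule that indented lines continue the entry is an assumption, not rlm_files' exact grammar.

```python
import re

# Constructed sample in the layout the post uses (IMSI, then comma-separated
# check items continued over indented lines). A typo (Rans2) and a 7-byte Kc
# are included on purpose so the checks have something to flag.
USERS_SAMPLE = """\
1714020096302050 Auth-Type := EAP, EAP-Type := SIM,
    EAP-Sim-Rand1 := 0x9FDDE3536228C010B2CD21081166DE48, EAP-Sim-SRES1 := 0xEF4ED51A, EAP-Sim-KC1 := 0x2F35C251A5CE3C00,
    EAP-Sim-Rans2 := 0xBA20E6E8BB359BD0843EBF34673D1541, EAP-Sim-SRES2 := 0xBDC5490D, EAP-Sim-KC2 := 0x8FE8D4E09E5BFC00,
    EAP-Sim-Rand3 := 0xB4C3D755C3C359E3EF6E928641CA59F1, EAP-Sim-SRES3 := 0x404A3DAA, EAP-Sim-KC3 := 0x83EF559E1B33A0
"""
SIZES = {"Rand": 16, "SRES": 4, "KC": 8}   # GSM triplet sizes in bytes (RFC 4186)
ATTR_RE = re.compile(r"\s*([\w-]+)\s*:=\s*(\S+)\s*")

def parse_entry(text, imsi):
    """Return {attr: value} for the entry whose first line starts with imsi, else None.
    Assumption (not rlm_files' exact grammar): indented lines continue the entry."""
    entry = None
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if entry is None:
            if parts and parts[0] == imsi:
                entry = parts[1] if len(parts) > 1 else ""
        elif raw[:1].isspace():
            entry += " " + raw.strip()
        else:
            break  # a non-indented line starts the next entry
    if entry is None:
        return None
    pairs = (ATTR_RE.fullmatch(item) for item in entry.split(","))
    return {m.group(1): m.group(2) for m in pairs if m}

def check_triplets(attrs):
    """Return the problems that would stop EAP-SIM from starting; [] means OK."""
    if attrs is None:
        return ["entry not found"]
    problems = []
    for n in (1, 2, 3):
        for part, size in SIZES.items():
            name = f"EAP-Sim-{part}{n}"
            val = attrs.get(name)
            if val is None:
                problems.append(f"missing {name}")
                continue
            hexpart = val[2:] if val.lower().startswith("0x") else val
            if not re.fullmatch(r"[0-9A-Fa-f]+", hexpart) or len(hexpart) != 2 * size:
                problems.append(f"{name}: expected {size} bytes, got {val!r}")
    problems += [f"unknown attribute {a} (typo?)" for a in attrs
                 if a.startswith("EAP-Sim-") and not re.fullmatch(r"EAP-Sim-(Rand|SRES|KC)[123]", a)]
    return problems
```

Running it against the real users file (read the file and pass the IMSI from the Stripped-User-Name in the debug log) shows whether the entry that rlm_files matched actually carries a complete, well-sized RAND1/SRES1/KC1 set.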
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html