Hello Heikki,
> Date: Thu, 25 Aug 2011 12:10:09 +0300
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [RADIATOR] EAP-SIM Authentication
> 
> Yes, this is allowed according to the EAP-SIM RFC. You are seeing the
> IMSI in the initial request, but subsequent requests use TMSI to hide
> the real identity. To keep track of the IMSI, you would need to follow
> the EAP session and subsequent reauthentication using the context
> Radiator creates for EAP authentication. In other words, this means
> digging into Radiator more instead of being able to handle the requests
> simply packet by packet.

I actually do not see the IMSI in the initial Access-Request.
> eap_simoperator.cfg has an example of how to control TMSI generation.
> Please see the example and try "UseTMSI 0" to turn it off. There's also
> "UseReauthentication" just below you could try to turn off.

I have set the two parameters you mentioned above to 0, but I am still seeing the TMSI instead of the IMSI, which has the value 525110101128573. I have attached the Radiator log file for your reference.
> Note that identity hiding is generally considered a good feature so
> turning off TMSI and reauthentication may not be a good idea outside of
> lab environment.

I understand.
> Also you would need to expand the hook with real code that uses the
> parameters Radiator passes to it. The parameters should give you access
> to e.g. EAP context that contains IMSI.

Noted.
> You might also see if expanding AuthSIMOPERATOR.pm would be useful. As
> the README and the comments in the .pm file say, it can and should be
> expanded as needed. Depending on your environment EXTERNAL might be an
> answer too. SIMOPERATOR will probably be useful as a reference since it
> is meant as the first component in Radiator that processes the incoming
> EAP-SIM requests from NASes.

Noted.
Thank you very much once again.

Fri Aug 26 10:54:43 2011 033861: DEBUG: Finished reading configuration file '/opt/radiator/goodies/eap_simoperator.cfg'
Fri Aug 26 10:54:43 2011 037928: DEBUG: Reading dictionary file '/opt/radiator/raddb/dictionary'
Fri Aug 26 10:54:43 2011 418147: DEBUG: Reading dictionary file '/opt/radiator/raddb/dictionary.sim'
Fri Aug 26 10:54:43 2011 419483: DEBUG: Creating authentication port 0.0.0.0:1812
Fri Aug 26 10:54:43 2011 420140: DEBUG: Creating accounting port 0.0.0.0:1813
Fri Aug 26 10:54:43 2011 420424: NOTICE: Server started: Radiator 4.7 on eap-sim.example.com
Fri Aug 26 10:57:59 2011 957816: DEBUG: Packet dump:
*** Received from 11.22.33.44 port 1817 ....

Packet length = 223
01 db 00 df f5 9f 31 cd 0b 0a ec 28 0b f2 88 b1
d3 e7 50 fb 04 06 0a 80 00 01 05 06 00 00 00 11
0c 06 00 00 05 6c 3d 06 00 00 00 13 06 06 00 00
00 08 1e 24 30 30 2d 31 38 2d 32 35 2d 31 31 2d
30 37 2d 32 30 3a 43 6f 6e 6e 65 78 69 6f 5f 53
74 61 72 48 75 62 1f 13 35 38 2d 31 66 2d 61 61
2d 34 34 2d 65 65 2d 34 66 57 13 35 38 2d 31 66
2d 61 61 2d 34 34 2d 65 65 2d 34 66 01 13 33 35
62 33 62 32 30 38 64 64 63 36 62 65 63 64 61 4f
3b 02 00 00 39 01 33 35 62 33 62 32 30 38 64 64
63 36 62 65 63 64 61 40 77 6c 61 6e 2e 6d 6e 63
30 30 35 2e 6d 63 63 35 32 35 2e 33 67 70 70 6e
65 74 77 6f 72 6b 2e 6f 72 67 50 12 cc ff 8d 06
f1 b7 1e b1 79 64 67 d3 89 9c 99 e5 21 03 30
Code:       Access-Request
Identifier: 219
Authentic:  <245><159>1<205><11><10><236>(<11><242><136><177><211><231>P<251>
Attributes:
        NAS-IP-Address = 10.128.0.1
        NAS-Port = 17
        Framed-MTU = 1388
        NAS-Port-Type = Wireless-IEEE-802-11
        Service-Type = Authenticate-Only
        Called-Station-Id = "00-18-25-11-07-20:MySSID"
        Calling-Station-Id = "58-1f-aa-44-ee-4f"
        NAS-Port-Id = "58-1f-aa-44-ee-4f"
        User-Name = "35b3b208ddc6becda"
        EAP-Message = 
<2><0><0>9<1>[email protected]
        Message-Authenticator = 
<204><255><141><6><241><183><30><177>ydg<211><137><156><153><229>
        Proxy-State = 0

Fri Aug 26 10:57:59 2011 959108: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Fri Aug 26 10:57:59 2011 959761: DEBUG:  Deleting session for 35b3b208ddc6becda, 10.128.0.1, 17
Fri Aug 26 10:57:59 2011 960196: DEBUG: Handling with Radius::AuthSIMOPERATOR: 
Fri Aug 26 10:57:59 2011 998898: DEBUG: Handling with EAP: code 2, 0, 57, 1
Fri Aug 26 10:57:59 2011 999219: DEBUG: Response type 1
Fri Aug 26 10:58:00 2011 001144: DEBUG: EAP result: 3, EAP SIM/Start
Fri Aug 26 10:58:00 2011 001600: DEBUG: AuthBy SIMOPERATOR result: CHALLENGE, EAP SIM/Start
Fri Aug 26 10:58:00 2011 001869: DEBUG: Access challenged for 35b3b208ddc6becda: EAP SIM/Start
Fri Aug 26 10:58:00 2011 002763: DEBUG: Packet dump:
*** Sending to 11.22.33.44 port 1817 ....

Packet length = 63
0b db 00 3f 0c 6c 96 df 5a af 36 50 5f d4 54 57
a4 23 bd 9d 4f 16 01 01 00 14 12 0a 00 00 0d 01
00 00 0f 02 00 04 00 00 00 01 50 12 04 9d c4 48
62 11 92 80 b4 67 32 b1 20 0c 55 4d 21 03 30
Code:       Access-Challenge
Identifier: 219
Authentic:  <12>l<150><223>Z<175>6P_<212>TW<164>#<189><157>
Attributes:
        EAP-Message = 
<1><1><0><20><18><10><0><0><13><1><0><0><15><2><0><4><0><0><0><1>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Proxy-State = 0

Fri Aug 26 10:58:00 2011 160239: DEBUG: Packet dump:
*** Received from 11.22.33.44 port 1817 ....

Packet length = 254
01 dc 00 fe 9a 27 6f 74 59 a8 32 6b f2 4c de f2
cd 5e 2f c6 04 06 0a 80 00 01 05 06 00 00 00 11
0c 06 00 00 05 6c 3d 06 00 00 00 13 06 06 00 00
00 08 1e 24 30 30 2d 31 38 2d 32 35 2d 31 31 2d
30 37 2d 32 30 3a 43 6f 6e 6e 65 78 69 6f 5f 53
74 61 72 48 75 62 1f 13 35 38 2d 31 66 2d 61 61
2d 34 34 2d 65 65 2d 34 66 57 13 35 38 2d 31 66
2d 61 61 2d 34 34 2d 65 65 2d 34 66 01 13 33 35
62 33 62 32 30 38 64 64 63 36 62 65 63 64 61 4f
5a 02 01 00 58 12 0a 00 00 0e 0e 00 34 33 35 62
33 62 32 30 38 64 64 63 36 62 65 63 64 61 40 77
6c 61 6e 2e 6d 6e 63 30 30 35 2e 6d 63 63 35 32
35 2e 33 67 70 70 6e 65 74 77 6f 72 6b 2e 6f 72
67 10 01 00 01 07 05 00 00 78 9f 7d 45 ad 95 28
96 f3 41 d2 8b 81 2d 82 ee 50 12 7c fb f6 f4 20
57 52 7f d7 03 01 46 94 e2 30 4b 21 03 30
Code:       Access-Request
Identifier: 220
Authentic:  <154>'otY<168>2k<242>L<222><242><205>^/<198>
Attributes:
        NAS-IP-Address = 10.128.0.1
        NAS-Port = 17
        Framed-MTU = 1388
        NAS-Port-Type = Wireless-IEEE-802-11
        Service-Type = Authenticate-Only
        Called-Station-Id = "00-18-25-11-07-20:MySSID"
        Calling-Station-Id = "58-1f-aa-44-ee-4f"
        NAS-Port-Id = "58-1f-aa-44-ee-4f"
        User-Name = "35b3b208ddc6becda"
        EAP-Message = 
<2><1><0>X<18><10><0><0><14><14><0>[email protected]<16><1><0><1><7><5><0><0>x<159>}E<173><149>(<150><243>A<210><139><129>-<130><238>
        Message-Authenticator = |<251><246><244> WR<127><215><3><1>F<148><226>0K
        Proxy-State = 0

Fri Aug 26 10:58:00 2011 160952: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Fri Aug 26 10:58:00 2011 161287: DEBUG:  Deleting session for 35b3b208ddc6becda, 10.128.0.1, 17
Fri Aug 26 10:58:00 2011 161596: DEBUG: Handling with Radius::AuthSIMOPERATOR: 
Fri Aug 26 10:58:00 2011 161915: DEBUG: Handling with EAP: code 2, 1, 88, 18
Fri Aug 26 10:58:00 2011 162102: DEBUG: Response type 18
Fri Aug 26 10:58:00 2011 162638: DEBUG: EAP result: 3, EAP SIM/Start
Fri Aug 26 10:58:00 2011 162831: DEBUG: AuthBy SIMOPERATOR result: CHALLENGE, EAP SIM/Start
Fri Aug 26 10:58:00 2011 163039: DEBUG: Access challenged for 35b3b208ddc6becda: EAP SIM/Start
Fri Aug 26 10:58:00 2011 163766: DEBUG: Packet dump:
*** Sending to 11.22.33.44 port 1817 ....

Packet length = 63
0b dc 00 3f e3 0c 8b e2 2b eb 75 db 48 35 34 3e
ab 9d 46 8b 4f 16 01 02 00 14 12 0a 00 00 0a 01
00 00 0f 02 00 04 00 00 00 01 50 12 a3 98 fd a2
36 e7 75 8c 35 2c e6 a4 d8 47 e5 7b 21 03 30
Code:       Access-Challenge
Identifier: 220
Authentic:  <227><12><139><226>+<235>u<219>H54><171><157>F<139>
Attributes:
        EAP-Message = 
<1><2><0><20><18><10><0><0><10><1><0><0><15><2><0><4><0><0><0><1>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Proxy-State = 0

Fri Aug 26 10:58:00 2011 234211: DEBUG: Packet dump:
*** Received from 11.22.33.44 port 1817 ....

Packet length = 254
01 dd 00 fe 1f f2 fd 64 2f 14 ed 5f ec 20 55 02
e9 62 95 c9 04 06 0a 80 00 01 05 06 00 00 00 11
0c 06 00 00 05 6c 3d 06 00 00 00 13 06 06 00 00
00 08 1e 24 30 30 2d 31 38 2d 32 35 2d 31 31 2d
30 37 2d 32 30 3a 43 6f 6e 6e 65 78 69 6f 5f 53
74 61 72 48 75 62 1f 13 35 38 2d 31 66 2d 61 61
2d 34 34 2d 65 65 2d 34 66 57 13 35 38 2d 31 66
2d 61 61 2d 34 34 2d 65 65 2d 34 66 01 13 33 35
62 33 62 32 30 38 64 64 63 36 62 65 63 64 61 4f
5a 02 02 00 58 12 0a 00 00 0e 0e 00 33 31 35 32
35 30 35 38 31 30 31 31 32 38 35 37 33 40 77 6c
61 6e 2e 6d 6e 63 30 30 35 2e 6d 63 63 35 32 35
2e 33 67 70 70 6e 65 74 77 6f 72 6b 2e 6f 72 67
67 10 01 00 01 07 05 00 00 78 9f 7d 45 ad 95 28
96 f3 41 d2 8b 81 2d 82 ee 50 12 08 b3 49 68 f8
57 fe 5a 71 4a d3 e8 fb aa 3d 53 21 03 30
Code:       Access-Request
Identifier: 221
Authentic:  <31><242><253>d/<20><237>_<236> U<2><233>b<149><201>
Attributes:
        NAS-IP-Address = 10.128.0.1
        NAS-Port = 17
        Framed-MTU = 1388
        NAS-Port-Type = Wireless-IEEE-802-11
        Service-Type = Authenticate-Only
        Called-Station-Id = "00-18-25-11-07-20:MySSID"
        Calling-Station-Id = "58-1f-aa-44-ee-4f"
        NAS-Port-Id = "58-1f-aa-44-ee-4f"
        User-Name = "35b3b208ddc6becda"
        EAP-Message = 
<2><2><0>X<18><10><0><0><14><14><0>[email protected]<16><1><0><1><7><5><0><0>x<159>}E<173><149>(<150><243>A<210><139><129>-<130><238>
        Message-Authenticator = <8><179>Ih<248>W<254>ZqJ<211><232><251><170>=S
        Proxy-State = 0

Fri Aug 26 10:58:00 2011 234981: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Fri Aug 26 10:58:00 2011 235518: DEBUG:  Deleting session for 35b3b208ddc6becda, 10.128.0.1, 17
Fri Aug 26 10:58:00 2011 235745: DEBUG: Handling with Radius::AuthSIMOPERATOR: 
Fri Aug 26 10:58:00 2011 236049: DEBUG: Handling with EAP: code 2, 2, 88, 18
Fri Aug 26 10:58:00 2011 236231: DEBUG: Response type 18
Fri Aug 26 10:58:00 2011 522672: DEBUG: Query is: 'select KC, SRES, RAND from TRIPLET where IMSI='525110101128573' and AUTH_TIMESTAMP > 1314327480-600 limit 3':
Fri Aug 26 10:58:00 2011 524707: INFO: Insufficient triplets returned from GetTripletsQuery
Fri Aug 26 10:58:00 2011 525343: DEBUG: Handling with Radius::AuthRADIUS
Fri Aug 26 10:58:00 2011 526464: DEBUG: AuthBy RADIUS creates new local socket '0.0.0.0:0' for sending requests
Fri Aug 26 10:58:00 2011 527219: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1647 ....

Packet length = 69
01 01 00 45 3c 04 84 b0 09 13 5d 89 3d 5a 14 db
05 84 55 f5 1a 17 00 00 23 58 65 11 35 32 35 30
35 38 31 30 31 31 32 38 35 37 33 1a 0c 00 00 23
58 64 06 00 00 00 03 1a 0e 00 00 23 58 69 08 4d
59 53 47 53 4e
Code:       Access-Request
Identifier: 1
Authentic:  <<4><132><176><9><19>]<137>=Z<20><219><5><132>U<245>
Attributes:
        GSM-IMSI = "525110101128573"
        GSM-NumTriplets = 3
        GSM-SGSN = "MYSGSN"

Fri Aug 26 10:58:00 2011 527792: DEBUG: EAP result: 2, Waiting for SIM triplets
Fri Aug 26 10:58:00 2011 528067: DEBUG: AuthBy SIMOPERATOR result: IGNORE, Waiting for SIM triplets
Fri Aug 26 10:58:00 2011 536270: DEBUG: Received reply in AuthRADIUS for req 1 from 127.0.0.1:1647
Fri Aug 26 10:58:00 2011 556754: DEBUG: Access challenged for 35b3b208ddc6becda: EAP SIM/Challenge
Fri Aug 26 10:58:00 2011 557915: DEBUG: Packet dump:
*** Sending to 11.22.33.44 port 1817 ....

Packet length = 127
0b dd 00 7f 84 ef f4 19 fe d2 8e 23 a3 a4 c9 fb
cb af 61 e8 4f 56 01 03 00 54 12 0b 00 00 01 0d
00 00 77 0f 45 c1 a7 c0 49 f8 a0 7e 63 d8 0e 68
9a de 16 dd 02 9f 38 29 49 e2 bd d7 b4 52 ae d2
f7 71 cd d4 ad a3 dc 7e 4c 83 bb 7e 27 d2 ac d4
16 55 87 01 00 00 0b 05 00 00 67 27 3a 65 21 b0
8d 3c 74 a6 46 6e d7 c1 5c 9a 50 12 ae ab e1 fb
fe 26 f6 b8 20 5c 63 9a 4c 3e a3 29 21 03 30
Code:       Access-Challenge
Identifier: 221
Authentic:  <132><239><244><25><254><210><142>#<163><164><201><251><203><175>a<232>
Attributes:
        EAP-Message = 
<1><3><0>T<18><11><0><0><1><13><0><0>w<15>E<193><167><192>I<248><160>~c<216><14>h<154><222><22><221><2><159>8)I<226><189><215><180>R<174><210><247>q<205><212><173><163><220>~L<131><187>~'<210><172><212><22>U<135><1><0><0><11><5><0><0>g':e!<176><141><t<166>Fn<215><193>\<154>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Proxy-State = 0

Fri Aug 26 10:58:01 2011 850833: DEBUG: Packet dump:
*** Received from 11.22.33.44 port 1817 ....

Packet length = 194
01 de 00 c2 b4 05 56 eb 0d c6 ba f5 98 70 b7 ff
9e a8 e9 54 04 06 0a 80 00 01 05 06 00 00 00 11
0c 06 00 00 05 6c 3d 06 00 00 00 13 06 06 00 00
00 08 1e 24 30 30 2d 31 38 2d 32 35 2d 31 31 2d
30 37 2d 32 30 3a 43 6f 6e 6e 65 78 69 6f 5f 53
74 61 72 48 75 62 1f 13 35 38 2d 31 66 2d 61 61
2d 34 34 2d 65 65 2d 34 66 57 13 35 38 2d 31 66
2d 61 61 2d 34 34 2d 65 65 2d 34 66 01 13 33 35
62 33 62 32 30 38 64 64 63 36 62 65 63 64 61 4f
1e 02 03 00 1c 12 0b 00 00 0b 05 00 00 bf b5 ac
73 d1 68 7e 1a d2 c7 5d f8 91 95 e6 c4 50 12 2f
03 e9 ac f3 02 0f cd 5d a0 1a c1 f8 c1 df ca 21
03 30
Code:       Access-Request
Identifier: 222
Authentic:  <180><5>V<235><13><198><186><245><152>p<183><255><158><168><233>T
Attributes:
        NAS-IP-Address = 10.128.0.1
        NAS-Port = 17
        Framed-MTU = 1388
        NAS-Port-Type = Wireless-IEEE-802-11
        Service-Type = Authenticate-Only
        Called-Station-Id = "00-18-25-11-07-20:MySSID"
        Calling-Station-Id = "58-1f-aa-44-ee-4f"
        NAS-Port-Id = "58-1f-aa-44-ee-4f"
        User-Name = "35b3b208ddc6becda"
        EAP-Message = 
<2><3><0><28><18><11><0><0><11><5><0><0><191><181><172>s<209>h~<26><210><199>]<248><145><149><230><196>
        Message-Authenticator = 
/<3><233><172><243><2><15><205>]<160><26><193><248><193><223><202>
        Proxy-State = 0

Fri Aug 26 10:58:01 2011 851657: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Fri Aug 26 10:58:01 2011 852142: DEBUG:  Deleting session for 35b3b208ddc6becda, 10.128.0.1, 17
Fri Aug 26 10:58:01 2011 852461: DEBUG: Handling with Radius::AuthSIMOPERATOR: 
Fri Aug 26 10:58:01 2011 853004: DEBUG: Handling with EAP: code 2, 3, 28, 18
Fri Aug 26 10:58:01 2011 853393: DEBUG: Response type 18
Fri Aug 26 10:58:01 2011 854152: DEBUG: Handling with Radius::AuthRADIUS
Fri Aug 26 10:58:01 2011 855190: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1647 ....

Packet length = 69
01 02 00 45 41 92 be 18 f5 86 36 bb 75 8a 89 73
06 aa 03 c9 1a 17 00 00 23 58 65 11 35 32 35 30
35 38 31 30 31 31 32 38 35 37 33 1a 0c 00 00 23
58 67 06 00 00 00 01 1a 0e 00 00 23 58 69 08 4d
59 53 47 53 4e
Code:       Access-Request
Identifier: 2
Authentic:  A<146><190><24><245><134>6<187>u<138><137>s<6><170><3><201>
Attributes:
        GSM-IMSI = "525110101128573"
        GSM-UpdateGPRSLocationReq = 1
        GSM-SGSN = "MYSGSN"

Fri Aug 26 10:58:01 2011 855737: DEBUG: EAP result: 2, Waiting for UpdateGPRSLocationREQ
Fri Aug 26 10:58:01 2011 856042: DEBUG: AuthBy SIMOPERATOR result: IGNORE, Waiting for UpdateGPRSLocationREQ
Fri Aug 26 10:58:01 2011 860567: DEBUG: Received reply in AuthRADIUS for req 2 from 127.0.0.1:1647
Fri Aug 26 10:58:01 2011 861277: DEBUG: Access accepted for 35b3b208ddc6becda
Fri Aug 26 10:58:01 2011 862993: DEBUG: Packet dump:
*** Sending to 11.22.33.44 port 1817 ....

Packet length = 216
02 de 00 d8 8b db 50 cb 09 45 87 0e 59 e7 5b 6c
1d 71 c5 83 1a 3a 00 00 01 37 10 34 ca 27 16 18
41 d0 09 f2 8a f4 cf b5 94 28 65 07 c4 e8 14 4e
03 a8 55 66 ed e3 c0 c8 ef 0a d4 f7 51 52 a9 d5
2d 8a 76 d1 f6 ea 7d d4 a2 91 b4 42 77 52 1a 3a
00 00 01 37 11 34 b0 ff bb 6a b3 58 85 ae 21 3a
a1 26 86 8a 28 16 b7 ef ce 40 73 88 a5 99 73 d7
96 1f 05 50 b4 47 06 5c 18 76 34 fa c1 a2 44 c5
86 02 1e 44 45 bd 1f 32 12 35 43 6f 6e 67 72 61
74 75 6c 61 74 69 6f 6e 73 21 20 59 6f 75 72 20
53 49 4d 20 61 75 74 68 65 6e 74 69 63 61 74 69
6f 6e 20 73 75 63 63 65 65 64 65 64 2e 4f 06 03
03 00 04 50 12 b2 83 f6 3f c2 00 1b 43 02 de 09
be 49 02 85 a4 21 03 30
Code:       Access-Accept
Identifier: 222
Authentic:  <139><219>P<203><9>E<135><14>Y<231>[l<29>q<197><131>
Attributes:
        MS-MPPE-Send-Key = 
<187>"<144><16><253><242><132>D7<236>n)H5<232>w<134>M<192>&<224>/<156><157><136>s<253>&<198>E<215><142>
        MS-MPPE-Recv-Key = 
}<248>#<156><173><24><193>0<245><255><252>)<169><133><248>Qe<187><188><186><246>2i<229><241><151>N<25><220><211><19><189>
        Reply-Message = "Congratulations! Your SIM authentication succeeded."
        EAP-Message = <3><3><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Proxy-State = 0

Fri Aug 26 11:00:55 2011 422328: NOTICE: SIGTERM received: stopping
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
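The identity exchange the log above shows, as an added example that is not from the thread or from Radiator: the server's first SIM/Start carries AT_ANY_ID_REQ, the peer answers with its cached pseudonym (the User-Name beginning with "3"), and only the AT_PERMANENT_ID_REQ round trip produces the "1"-prefixed permanent identity from which the IMSI can be read (RFC 4186 section 4.2). The packets are constructed to the shape of the log's, using the IMSI named in the thread and a fixed nonce; the version-list bytes follow the RFC encoding rather than the log's.

```python
# Added example, not from the thread or from Radiator; the sample packets below are constructed.
EAP_TYPE_SIM, SUBTYPE_START = 18, 10
AT_NONCE_MT, AT_PERMANENT_ID_REQ, AT_ANY_ID_REQ = 7, 10, 13
AT_IDENTITY, AT_VERSION_LIST, AT_SELECTED_VERSION = 14, 15, 16
ID_CLASS = {"1": "permanent", "3": "pseudonym", "5": "fast-reauth"}  # RFC 4186 4.2 leading character

def attr(atype, payload):  # length byte counts 4-byte units, header included; pad payload to fit
    payload += b"\x00" * (-(2 + len(payload)) % 4)
    return bytes([atype, (2 + len(payload)) // 4]) + payload

def sim_start(code, eap_id, *attrs):  # EAP code/id/length + SIM type, Start subtype, 2 reserved bytes
    body = bytes([EAP_TYPE_SIM, SUBTYPE_START, 0, 0]) + b"".join(attrs)
    return bytes([code, eap_id]) + (4 + len(body)).to_bytes(2, "big") + body

def parse_sim_start(eap):
    # Walk the attribute TLVs of one EAP-SIM/Start packet and decode AT_IDENTITY if present.
    length = int.from_bytes(eap[2:4], "big")
    if length != len(eap) or eap[4] != EAP_TYPE_SIM or eap[5] != SUBTYPE_START:
        raise ValueError("not an EAP-SIM/Start packet")
    attrs, pos = {}, 8
    while pos < length:
        alen = eap[pos + 1] * 4
        if alen == 0 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[eap[pos]] = eap[pos + 2:pos + alen]
        pos += alen
    out = {"code": eap[0], "id": eap[1], "attrs": sorted(attrs)}
    if AT_IDENTITY in attrs:
        actual = int.from_bytes(attrs[AT_IDENTITY][:2], "big")  # identity bytes before padding
        out["identity"] = attrs[AT_IDENTITY][2:2 + actual].decode("ascii")
        out["identity_class"] = ID_CLASS.get(out["identity"][:1], "unknown")
    return out

def find_imsi(exchange):  # the IMSI is visible only after AT_PERMANENT_ID_REQ is answered with "1"+IMSI
    for parsed in map(parse_sim_start, exchange):
        if parsed.get("identity_class") == "permanent":
            return parsed["identity"][1:].split("@", 1)[0]
    return ""

REALM = "@wlan.mnc005.mcc525.3gppnetwork.org"
PSEUDONYM = "35b3b208ddc6becda" + REALM       # the User-Name the log shows (leading "3")
PERMANENT = "1" + "525110101128573" + REALM  # "1" + the IMSI named in the thread
NONCE = bytes(range(16))                      # constructed; a real AT_NONCE_MT is random
def start_request(eap_id, id_req):  # server's SIM/Start: which identity it wants + AT_VERSION_LIST (v1)
    return sim_start(1, eap_id, attr(id_req, b"\x00\x00"), attr(AT_VERSION_LIST, b"\x00\x02\x00\x01"))
def start_response(eap_id, ident):  # peer's SIM/Start: AT_IDENTITY, AT_SELECTED_VERSION, AT_NONCE_MT
    return sim_start(2, eap_id, attr(AT_IDENTITY, len(ident).to_bytes(2, "big") + ident.encode()),
                     attr(AT_SELECTED_VERSION, b"\x00\x01"), attr(AT_NONCE_MT, b"\x00\x00" + NONCE))
EXCHANGE = [start_request(1, AT_ANY_ID_REQ), start_response(1, PSEUDONYM),      # peer offers pseudonym
            start_request(2, AT_PERMANENT_ID_REQ), start_response(2, PERMANENT)]  # server asks for IMSI
```

The constructed requests and responses come out at 20 and 88 bytes, the same sizes as the SIM/Start messages in the log; a hook that wants the IMSI has to wait for the packet whose AT_IDENTITY begins with "1", which is why the first Access-Request never carries it.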