EAP-SIM authentication problem at 2nd stage

2013-07-30 Thread johan firdianto
Dear guest, I have a problem with EAP-SIM authentication.
I'm using FreeRADIUS 2.2.0 and a BlackBerry 9220.
Here is my simtriplets.dat file:
1510012660372465,AF6876E748BD46bf853A99DC2032F0A7,95762655,449177635B92bc00
1510012660372465,A1A9AC744E8D49819D27A79B067BCA69,257b31c6,64ff9467DEa1e400
1510012660372465,603906BFD8DC404197BAC35FF1274EB3,4F41eb06,F3ce89b4FCbc
1510080332618369,23A95DB79B644a4299463F0342069A11,7775d266,B10f3eba2Bc5ed2b
1510080332618369,FDCE8E4F2B0B4b3086BEF230076EAD58,D9e080d9,E2aad63f711e1324
1510080332618369,238100571AD1495fBCE2AD5505634E41,A40e1656,66a098a750d9cd13

Here is the content of the users file:
1510080332618369	Auth-Type := EAP, EAP-Type := SIM
	EAP-Sim-Rand1 := 0x23A95DB79B644a4299463F0342069A11,
	EAP-Sim-SRES1 := 0x7775d266,
	EAP-Sim-KC1 := 0xB10f3eba2Bc5ed2b,
	EAP-Sim-Rand2 := 0xFDCE8E4F2B0B4b3086BEF230076EAD58,
	EAP-Sim-SRES2 := 0xD9e080d9,
	EAP-Sim-KC2 := 0xE2aad63f711e1324,
	EAP-Sim-Rand3 := 0x238100571AD1495fBCE2AD5505634E41,
	EAP-Sim-SRES3 := 0xA40e1656,
	EAP-Sim-KC3 := 0x66a098a750d9cd13

1510012660372465	Auth-Type := EAP, EAP-Type := sim
	EAP-Sim-Rand1 := 0xAF6876E748BD46bf853A99DC2032F0A7,
	EAP-Sim-SRES1 := 0x95762655,
	EAP-Sim-KC1 := 0x449177635B92bc00,
	EAP-Sim-Rand2 := 0xA1A9AC744E8D49819D27A79B067BCA69,
	EAP-Sim-SRES2 := 0x257b31c6,
	EAP-Sim-KC2 := 0x64ff9467DEa1e400,
	EAP-Sim-Rand3 := 0x603906BFD8DC404197BAC35FF1274EB3,
	EAP-Sim-SRES3 := 0x4F41eb06,
	EAP-Sim-KC3 := 0xF3ce89b4FCbc

1510080332618369@wlan.mnc080.mcc510.3gppnetwork.org	Auth-Type := EAP, EAP-Type := SIM
	EAP-Sim-Rand1 := 0x23A95DB79B644a4299463F0342069A11,
	EAP-Sim-SRES1 := 0x7775d266,
	EAP-Sim-KC1 := 0xB10f3eba2Bc5ed2b,
	EAP-Sim-Rand2 := 0xFDCE8E4F2B0B4b3086BEF230076EAD58,
	EAP-Sim-SRES2 := 0xD9e080d9,
	EAP-Sim-KC2 := 0xE2aad63f711e1324,
	EAP-Sim-Rand3 := 0x238100571AD1495fBCE2AD5505634E41,
	EAP-Sim-SRES3 := 0xA40e1656,
	EAP-Sim-KC3 := 0x66a098a750d9cd13

I have already included sim_files in the modules directory
and sim { } in eap.conf.
Analyzing the debug output, the first authorization succeeds (sim_files
returns ok status), the first authentication succeeds, and the second
authorization also succeeds,
but the problem is that the second authentication fails.

I have already read the past list archive, but found no clue.


Here is the radius debug:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.111.72 port 34647,
id=129, length=250
User-Name = 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org
NAS-IP-Address = 192.168.88.52
Called-Station-Id = FA-1A-67-9F-E4-68:NOLSPOT-Secure
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = 70-AA-B2-EF-8E-9D
Connect-Info = CONNECT 54Mbps 802.11g
Framed-MTU = 1400
EAP-Message =
0x0210003801313531303038303236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f7267
Message-Authenticator = 0xf0b7f7c3d39dd64797e1ffa08c3c078e
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm wlan.mnc080.mcc510.3gppnetwork.org for
User-Name = 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org
[suffix] Found realm wlan.mnc080.mcc510.3gppnetwork.org
[suffix] Adding Stripped-User-Name = 1510080332618369
[suffix] Adding Realm = wlan.mnc080.mcc510.3gppnetwork.org
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry 1510080332618369 at line 206
++[files] returns ok
rlm_sim_files: authorized user/imsi 1510080332618369
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 16 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -
1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org
[sql] sql_set_user escaped user -- '
1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY
id - SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '
1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'   ORDER BY priority - SELECT
groupname   FROM radusergroup   WHERE username = '
1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org'   ORDER BY
priority
rlm_sql (sql): Released sql socket id: 4
[sql] User 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org not found
++[sql] 
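As an added illustration (not part of the original post, nor FreeRADIUS code), here is a small Python check of the two inputs the first EAP-SIM stage depends on: the rlm_sim_files triplet rows above, validated against the GSM field sizes (RAND 16 bytes, SRES 4 bytes, Kc 8 bytes), and the EAP-Response/Identity that the debug shows as EAP-Message, decoded back to the user name. The triplet rows are copied from the post; the EAP-Message bytes are constructed from the identity the [suffix] module reported, with EAP id 16 as in the debug. Run as is, the validator reports that the third row for 1510012660372465 carries a 12-hex-digit (6-byte) Kc, so that IMSI has only two usable triplets; whether that bears on the second-stage failure described in the post is not something the post establishes, but it is the kind of input defect to rule out before reading further into the debug output.

```python
# Added example, not part of the original post and not FreeRADIUS code:
# checks the inputs to the first EAP-SIM stage. Triplet rows are copied
# from the post; the EAP-Message bytes are constructed from the identity
# shown in the debug output.

# GSM A3/A8 sizes in bytes: RAND is 128 bits, SRES 32 bits, Kc 64 bits.
TRIPLET_FIELD_BYTES = {"rand": 16, "sres": 4, "kc": 8}

# rlm_sim_files row format: IMSI,RAND,SRES,Kc with hex values (rows from the post)
SIMTRIPLETS = """\
1510012660372465,AF6876E748BD46bf853A99DC2032F0A7,95762655,449177635B92bc00
1510012660372465,A1A9AC744E8D49819D27A79B067BCA69,257b31c6,64ff9467DEa1e400
1510012660372465,603906BFD8DC404197BAC35FF1274EB3,4F41eb06,F3ce89b4FCbc
1510080332618369,23A95DB79B644a4299463F0342069A11,7775d266,B10f3eba2Bc5ed2b
1510080332618369,FDCE8E4F2B0B4b3086BEF230076EAD58,D9e080d9,E2aad63f711e1324
1510080332618369,238100571AD1495fBCE2AD5505634E41,A40e1656,66a098a750d9cd13
"""

def parse_triplets(text):
    """Return ({imsi: [(rand, sres, kc), ...]}, [problem strings]).
    A row is usable only if every field is valid hex of the GSM size; an
    IMSI is usable only with three rows, matching Rand1..Rand3 in the users
    file. IMSIs with fewer usable rows are dropped and reported."""
    triplets, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 4:
            problems.append(f"line {lineno}: expected 4 fields, got {len(parts)}")
            continue
        imsi, *hexfields = parts
        if not imsi.isdigit():
            problems.append(f"line {lineno}: IMSI {imsi!r} is not numeric")
            continue
        row, ok = [], True
        for name, hexval in zip(("rand", "sres", "kc"), hexfields):
            try:
                raw = bytes.fromhex(hexval)
            except ValueError:
                problems.append(f"line {lineno}: {name} is not valid hex")
                ok = False
                continue
            if len(raw) != TRIPLET_FIELD_BYTES[name]:
                problems.append(f"line {lineno}: {name} is {len(raw)} bytes, "
                                f"expected {TRIPLET_FIELD_BYTES[name]}")
                ok = False
            row.append(raw)
        if ok:
            triplets.setdefault(imsi, []).append(tuple(row))
    for imsi in list(triplets):
        if len(triplets[imsi]) < 3:
            problems.append(f"imsi {imsi}: only {len(triplets[imsi])} usable triplets, need 3")
            del triplets[imsi]
    return triplets, problems

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

def build_eap_identity_response(identity, eap_id):
    """EAP-Response/Identity: Code(1) Id(1) Length(2) Type(1) Type-Data."""
    data = identity.encode("ascii")
    return (bytes([EAP_RESPONSE, eap_id]) + (5 + len(data)).to_bytes(2, "big")
            + bytes([EAP_TYPE_IDENTITY]) + data)

def parse_eap_identity(packet):
    """Decode an EAP-Response/Identity into (eap_id, identity). Raises
    ValueError when the header Length disagrees with the bytes supplied."""
    if len(packet) < 5:
        raise ValueError("EAP header needs at least 5 bytes")
    code, eap_id = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if code != EAP_RESPONSE or packet[4] != EAP_TYPE_IDENTITY:
        raise ValueError(f"not an EAP-Response/Identity (code {code}, type {packet[4]})")
    if length != len(packet):
        raise ValueError(f"EAP Length says {length} bytes, {len(packet)} supplied")
    return eap_id, packet[5:].decode("ascii")

def triplet_key(identity):
    """Key used to look the user up in simtriplets: the part before '@',
    which is what [suffix] exposes as Stripped-User-Name. RFC 4186 permanent
    identities start with '1' followed by the IMSI; the post's files key on
    the whole 16-digit string, so no prefix is stripped here."""
    return identity.split("@", 1)[0]

def check_first_stage(packet_hex, triplets_text):
    """Decode the identity the peer sent and confirm three usable triplets
    exist for it. Returns (key, problems)."""
    triplets, problems = parse_triplets(triplets_text)
    _, identity = parse_eap_identity(bytes.fromhex(packet_hex))
    key = triplet_key(identity)
    if key not in triplets:
        problems.append(f"no usable triplets for {key}")
    return key, problems

if __name__ == "__main__":
    identity = "1510080332618369@wlan.mnc080.mcc510.3gppnetwork.org"
    pkt = build_eap_identity_response(identity, 16)  # constructed; id 16 as in the debug
    print(pkt.hex())                                  # 56 bytes, starts 0210003801...
    key, problems = check_first_stage(pkt.hex(), SIMTRIPLETS)
    print("looked up:", key)
    for p in problems:
        print("problem:", p)
```

To reuse it on your own data, replace SIMTRIPLETS with the file contents and pass the EAP-Message hex from the debug to check_first_stage. The EAP-Message hex as it appears in the archived post is 54 bytes against a Length field of 56 (the archive shortens the identity), so the Length check rejects it as printed there; a hex string copied from your own debug output will be complete.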

restricting users using huntgroup

2013-07-30 Thread Alan Kong

Hi,

I want to use a huntgroup to restrict users connecting. If the user is
added in the huntgroup and the login and cleartext password are entered in
the users file, the user has no problem accessing. When I add another user
in the huntgroup but use the Unix password file to authenticate, I keep
getting "invalid user" in the radius log. Could you please advise on a
possible solution?


huntgroups file:
erg-rbs	NAS-Identifier == ERG-RBS
	User-Name == csetest,   (No problem)
	User-Name == akong

users file:
csetest	NAS-Identifier == ERG-RBS, Cleartext-Password := test
	Fall-Through = No
#DEFAULT	Auth-Type == PAP, Huntgroup-Name == erg-rbs
DEFAULT	Auth-Type == System, Huntgroup-Name == erg-rbs

Thank you.

Regards
Alan


--
Happy people say Thank You! They Live with a Feeling of Gratitude.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


DB hundler, a big problem to me

2013-07-30 Thread Antonio Fernández Pérez
Hi everybody,

I have FreeRADIUS 2.1.10 on Debian 6.

I am contacting you because we are checking the FreeRADIUS log file and we
are encountering a lot of messages: Info: rlm_sql (sql): There are no DB
handles to use! skipped 0, tried to connect 0.

I have read in the forum that this is caused by the database being broken,
but are there any options to adjust in the FreeRADIUS server to optimize DB
handles? We have 12 sockets configured, and we have adjusted max_request to
3072 ( ...

In our environment we are creating a lot of users in the radcheck table.
Would it help us to execute an OPTIMIZE over the radcheck table? (It's not
common, but in some cases users are removed.)

Any suggestion?

Thanks in advance.

Best regards,

Antonio.

Re: restricting users using huntgroup

2013-07-30 Thread Alan DeKok
Alan Kong wrote:
 I want to use huntgroup to restrict users connecting. If the user is
 added in huntgroup and login and clear password was entered in users
 file, the user has no problem in accessing. When I add another user in
 huntgroup but using Unix password file to authenticate, I keep getting
 invalid user in radius log.  Could you please advise on possible solution.

  Run the server in debugging mode to see what's going on.

  Alan DeKok.


Re: only 2 dynamic IPs are allocated even the ip pool has many IPs

2013-07-30 Thread Alan DeKok
Koka Krishna wrote:
 I am using the freeradius 2.2.0 on ubuntu.
 When I try to use the dynamic IP pool allocation, RADIUS server is
 allocating only 2 IPs . afterwards those 2 IPs repeated for other
 subscribers as well. So that I am not able to create more than 2 sessions.
 May I know how to resolve this issue?

  Read raddb/modules/ippool.  Look for the key attribute.  Both the
problem and the solution are documented there.

  i.e. if you're using a module, it helps to read the module configuration.

 ippool main_pool {

  So... you posted the stock module configuration to the list.  Why?
Did you think we don't have a copy of it?

  And you didn't bother reading it.

  sigh

  Alan DeKok.


Re: WiMAX TLV value correct in debug but not correct in packet capture

2013-07-30 Thread Alan DeKok
James Leavitt wrote:
 I've probably missed something or buggered an option, but I've searched
 and searched and cannot find an answer to this. This is for a WiMAX
 deployment and am using the built in dictionaries. The issue is with the
 WiMAX-Packet-Flow-Descriptor tlv .
...
 Everything looks good but on a pcap / radsniff I get this:

  Put the raw pcap file somewhere.  Maybe the issue is the server,
maybe it's radsniff.

  You could also try the git branch release_branch_3.0.0.  It has a
re-written WiMAX encoder / decoder, which now works everywhere.

  Alan DeKok.


SQL-Relay log - radacctdir - High Disk usage

2013-07-30 Thread Alisson
Hi,

I have high disk utilization because of the SQL-RELAY log.

I have this variable: radacctdir

What is the objective of keeping this log?

Can I disable it?


radacctdir = /var/log/radius/radacct



thank you

RE: WiMAX TLV value correct in debug but not correct in packet capture

2013-07-30 Thread David Peterson
Don't forget if the hardware is Alvarion or Runcom you cannot use the
standard dictionaries.  

Alvarion (now Telrad) is proprietary but similar to the standard dictionary
and Runcom only uses their own.

David




Re: WiMAX TLV value correct in debug but not correct in packet capture

2013-07-30 Thread James Leavitt
Thank you Gentlemen,

I am working with Alvarion CPEs but a WiChorus ASN, which I have set up
on a commercial AAA without issues. I also have FreeRADIUS working with
WiChorus on another instance, but not for receiving these particular
TLVs.

I initially performed a tcpdump and this was where I was seeing
different values (which match radsniff, btw) from what was programmed. I
then compared the capture to our working solution (a commercial RADIUS
platform) and confirmed that the values from radsniff / tcpdump were what I
was expecting, which in turn do not match the output from FreeRADIUS. I
feel the problem is when the values are copied to the outer tunnel, but
just these TLVs get corrupted.

I'll take a look at 3.0.0 and see if I can work with that and post back
my findings.

Thanks again,

James





Re: DB hundler, a big problem to me

2013-07-30 Thread Alan DeKok
Antonio Fernández Pérez wrote:
 I contact with you because we are checking log file of FreeRADIUS and we
 are encountering a lot of messages of Info: rlm_sql (sql): There are no
 DB handles to use! skipped 0, tried to connect 0.

  Fix your database.

 I have read in the forum and it is caused because database is broken
 but, are there any option to adjust in FreeRADIUS server to optimize db
 handlers? We have 12 sockets configured, we have adjust max_request to
 3072 ( ...

  No.  Fix the database so that it responds to queries.  There's nothing
you can do to FreeRADIUS to make the DB run faster.

 In our environment we are creating a lots of users in radcheck table.
 Could help us to execute an OPTIMIZE over radcheck table? (It's not
 common but in some cases users are removed)
 
 Any suggestion?

  Fix the database.  Check indexes, get rid of unused rows, etc.

  Alan DeKok.


Re: SQL-Relay log - radacctdir - High Disk usage

2013-07-30 Thread Alan DeKok
Alisson wrote:
 I have a high disk utilization because the SQL-RELAY Log.

  Edit the configuration to stop logging to that file.

  See raddb/modules/sql_log

 whats the objetive to keep this log?

  To relay accounting information into SQL.  It's used *only* when
someone enables it.

  i.e. someone on your system enabled the module.

 can I disable it?

  Delete the references to sql_log from the raddb/sites-enabled/default.

  Alan DeKok.


Re: DB hundler, a big problem to me

2013-07-30 Thread Antonio Fernández Pérez
Thanks for your reply Alan.

When you say "fix the database", do you mean that I have to execute
REPAIR TABLE? I have defined some indexes to increase the performance of
the database and it works fine. Can you help me please?

Thanks in advance.

Best regards,

Antonio.

Re: DB hundler, a big problem to me

2013-07-30 Thread Alan DeKok
Antonio Fernández Pérez wrote:
 Thanks for your reply Alan.
 
 When you say fix the database you want to say that I have to execute
 repair table? I have defined some indexes to increase the performance of
 the database and works fine. Can you help me please?

  It's a database problem.  I'm not a database person.

  Alan DeKok.


Re: WiMAX TLV value correct in debug but not correct in packet capture

2013-07-30 Thread James Leavitt
Ok,

After some compiling and configuring, I've managed to get version 3.0.0
up and running, and I seem to be having a similar issue:

Radsniff on the wire (verified that it is the same in tcpdump and
wireshark):

Access-Accept Id 204 10.199.10.14:1812 - 10.199.20.240:6217 +3.541
Session-Timeout = 86400
Acct-Interim-Interval = 60
WiMAX-Packet-Data-Flow-Id = 18359
WiMAX-Service-Data-Flow-Id = 3513
WiMAX-Service-Profile-Id = 263782400
WiMAX-Packet-Data-Flow-Id = 18359
WiMAX-Service-Data-Flow-Id = 18359
WiMAX-Service-Profile-Id = 0
Microsoft-Attr-17 =
0x86c4d95414f6aecd8f16cc5ef0aa1ff8b5354e553cb724bc9f103636741cdef35a57f89db1afca3711c57d5d900a06b2578b
Microsoft-Attr-16 =
0x8812b94254b5c21e2be59bd62927f045f5536b1844f79f45ca7d9442db106f538f8b960b61bb483f61bad39442975af58612
EAP-Message = 0x03070004
Message-Authenticator = 0xd4654370830d4a11371d217714ee7b4f
User-Name = 1b2d2f35483d3bef7d8827ea61f8e...@undisclosed.com

Debug on the radius server process shows things as they are in the DB:

Sending Access-Accept of id 204 to 10.199.20.240 port 6217
Session-Timeout := 86400
Acct-Interim-Interval := 60
WiMAX-Packet-Data-Flow-Id := 14
WiMAX-Service-Data-Flow-Id := 14
WiMAX-Service-Profile-Id := 14
WiMAX-Packet-Data-Flow-Id += 17
WiMAX-Service-Data-Flow-Id += 17
WiMAX-Service-Profile-Id += 17
MS-MPPE-Recv-Key =
0xc5232594526fb99097311c861a49671710a2d6db7c0068788ef0122c9b551ae1
MS-MPPE-Send-Key =
0xed6c9de58fabf8519b09d2900849d611142ece093a7a6973869761872d9c9bc6
EAP-Message = 0x03070004
Message-Authenticator = 0x
User-Name = 1b2d2f35483d3bef7d8827ea61f8e...@undisclosed.com

I am trying to get a tcp capture, but the system is now not letting me
re-auth (I was working on fixing the CSID in the accounting and must
have changed something it doesn't like), so I'm not sure what's up, but I
don't believe v3 is the solution.

I will get a tcpdump if it's worthwhile.

Thanks,

James



-- 


James Leavitt
Network Systems Architect

Xplornet Communications Inc.
300 Lockhart Mill Road
Woodstock, NB
E7M 5C3

Phone: (506) 324-8659
Fax: (506) 328-1582
Cell: (506) 324-4960
Helpdesk: (888) 439-6511

Email: james.leav...@corp.xplornet.com
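As an added example (written for this note, not code from the post or from FreeRADIUS), here is a Python encoder/decoder for the WiMAX-Packet-Flow-Descriptor TLV, so that the attribute bytes from a tcpdump/radsniff capture can be decoded independently of either tool and diffed against what the server's debug output says it sent. Assumptions: vendor id 24757 and the WiMAX vendor format of a one-byte type, one-byte length and continuation byte are taken from FreeRADIUS's dictionary.wimax; the sub-TLV numbers 1, 2 and 3 for Packet-Data-Flow-Id, Service-Data-Flow-Id and Service-Profile-Id are as this example's author recalls them and should be confirmed against the dictionary installed with your server. DEBUG_FIELDS and CAPTURE_FIELDS are constructed from the two listings in the message above.

```python
# Added example, not from the post and not FreeRADIUS code: encode and decode
# the WiMAX-Packet-Flow-Descriptor TLV inside a RADIUS Vendor-Specific
# attribute, then diff a decoded capture against the server's debug output.
VSA, WIMAX_VENDOR_ID, PFD_TYPE = 26, 24757, 28   # vendor id per dictionary.wimax
CONTINUATION_MORE = 0x80                          # high bit of the continuation byte

# Sub-TLV numbers as recalled from dictionary.wimax (assumption; verify locally)
SUB_TLVS = {1: ("WiMAX-Packet-Data-Flow-Id", 2),
            2: ("WiMAX-Service-Data-Flow-Id", 2),
            3: ("WiMAX-Service-Profile-Id", 4)}
NAME_TO_SUB = {name: (num, size) for num, (name, size) in SUB_TLVS.items()}

def encode_packet_flow_descriptor(fields):
    """One Vendor-Specific attribute holding one Packet-Flow-Descriptor.
    Layout: Type 26, Length, Vendor-Id(4), WiMAX type, WiMAX length (3 header
    bytes + data), continuation byte, then sub-TLVs of type, length (2 header
    bytes + value) and a big-endian value. fields: list of (name, int)."""
    body = b""
    for name, value in fields:
        num, size = NAME_TO_SUB[name]
        body += bytes([num, 2 + size]) + value.to_bytes(size, "big")
    wimax_attr = bytes([PFD_TYPE, 3 + len(body), 0]) + body
    return bytes([VSA, 6 + len(wimax_attr)]) + WIMAX_VENDOR_ID.to_bytes(4, "big") + wimax_attr

def decode_sub_tlvs(data):
    """Sub-TLVs of one descriptor as (name, value); unknown types kept as hex."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError(f"truncated sub-TLV header at offset {pos}")
        stype, slen = data[pos], data[pos + 1]
        if slen < 2 or pos + slen > len(data):
            raise ValueError(f"sub-TLV {stype}: length {slen} does not fit")
        value = data[pos + 2:pos + slen]
        if stype in SUB_TLVS:
            name, size = SUB_TLVS[stype]
            if len(value) != size:
                raise ValueError(f"{name}: {len(value)} value bytes, expected {size}")
            out.append((name, int.from_bytes(value, "big")))
        else:
            out.append((f"WiMAX-PFD-Sub-{stype}", value.hex()))
        pos += slen
    return out

def decode_packet_flow_descriptors(attrs):
    """Walk a run of RADIUS attributes (the packet after its 20-byte header)
    and return every Packet-Flow-Descriptor field as (name, value) in wire
    order. Length fields that do not add up raise ValueError, which is the
    first thing to look for when a capture disagrees with the debug output."""
    out, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError(f"attribute {atype}: length {alen} does not fit")
        if (atype == VSA and alen >= 9
                and int.from_bytes(attrs[pos + 2:pos + 6], "big") == WIMAX_VENDOR_ID):
            vtype, vlen, cont = attrs[pos + 6], attrs[pos + 7], attrs[pos + 8]
            if vlen != alen - 6:
                raise ValueError(f"WiMAX type {vtype}: vendor length {vlen} vs attribute length {alen}")
            if cont & CONTINUATION_MORE:
                raise ValueError("continuation flag set; reassemble fragments before decoding")
            if vtype == PFD_TYPE:
                out.extend(decode_sub_tlvs(attrs[pos + 9:pos + alen]))
        pos += alen
    return out

def diff_wire_vs_debug(wire, debug):
    """Rows (name, wire value, debug value) where the two listings disagree."""
    rows = [(n, w, d) for (n, w), (_, d) in zip(wire, debug) if w != d]
    if len(wire) != len(debug):
        rows.append(("field count", len(wire), len(debug)))
    return rows

# Constructed from the message above: what the debug says was sent ...
DEBUG_FIELDS = [("WiMAX-Packet-Data-Flow-Id", 14), ("WiMAX-Service-Data-Flow-Id", 14),
                ("WiMAX-Service-Profile-Id", 14), ("WiMAX-Packet-Data-Flow-Id", 17),
                ("WiMAX-Service-Data-Flow-Id", 17), ("WiMAX-Service-Profile-Id", 17)]
# ... and what radsniff showed on the wire
CAPTURE_FIELDS = [("WiMAX-Packet-Data-Flow-Id", 18359), ("WiMAX-Service-Data-Flow-Id", 3513),
                  ("WiMAX-Service-Profile-Id", 263782400), ("WiMAX-Packet-Data-Flow-Id", 18359),
                  ("WiMAX-Service-Data-Flow-Id", 18359), ("WiMAX-Service-Profile-Id", 0)]

def reference_encoding():
    """Bytes a correct encoder emits for the debug values: the ':=' block and
    the '+=' block as two Vendor-Specific attributes."""
    return (encode_packet_flow_descriptor(DEBUG_FIELDS[:3])
            + encode_packet_flow_descriptor(DEBUG_FIELDS[3:]))

if __name__ == "__main__":
    blob = reference_encoding()
    print(blob.hex())
    print(diff_wire_vs_debug(decode_packet_flow_descriptors(blob), DEBUG_FIELDS))  # []
    print(diff_wire_vs_debug(CAPTURE_FIELDS, DEBUG_FIELDS))                         # six rows
```

Copying the attribute bytes out of a pcap (Wireshark's "Copy as Hex Stream" on the RADIUS payload, skipping the 20-byte header) and feeding them to decode_packet_flow_descriptors gives the comparison this thread is after. The decoder refuses anything whose length fields do not add up and anything with the continuation bit set, because a sub-TLV length off by one, or a continuation byte counted as data, shifts every following value; that is the first hypothesis to test when the numbers in the capture look unrelated to what was configured.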