Re: EAP-PEAP GTC vs MSCHAPv2

2013-09-27 Thread Alan DeKok
Don wrote:
 I tried one of these inside the gtc sub-section of eap.conf, but they don't
 seem to work:
 auth_type = ntlm_auth

  Setting that *should* be one step of a working configuration.

 or
 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
 --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}

  Set where?  You have been *very* vague about what you're doing.  Is it
a secret?

 Though I haven't tried replacing User-Password with Cleartext-Password.

  Don't do that.  Trying random things is *always* a bad idea.

 Do I have to place this under gtc sub-section inside inner-eap?

  No.  You have to configure the ntlm_auth module, and the ntlm_auth
sub-section of the authenticate section.  All of that is documented in
the deployingradius.com page.

 See my comment earlier. Did I place the configuration at the right
 sub-section?

  I have no idea.  You've been careful to say as little as possible, in
a manner which is as confusing as possible.

 Yes, I saw the ntlm_auth configuration under modules/mschap and
 modules/ntlm_auth. As stated in my first email, I am able to configure
 FreeRADIUS to authenticate against our Active Directory using
 EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will
 work as well.

  It WILL work.  Just set auth_type = ntlm_auth in the gtc
configuration.  As I said.

 As I mentioned earlier, I tried both auth_type = ntlm_auth and ntlm_auth
 = /usr/bin/ntlm_auth ... command execution, but neither works.

  So... rather than following instructions, you're trying random things.

  How about running it in debugging mode, as suggested in the FAQ, man
page, web pages, and daily on this list?

  The reason we recommend it is that IT WORKS.  If you're trying random
nonsense, you're wasting your time, and ours.

 The reason I am asking the question about multiple challenges is that I am
 currently evaluating another vendor's solution for multi-factor
 authentication through EAP-PEAP/TLS with EAP-GTC, and the solution prompts for 2
 additional inputs during authentication. Here is the
 link: https://www.duosecurity.com/docs/netmotion. I thought if they can
 do it, FreeRADIUS can do it as well.

  The issue is the EAP-GTC specification, and the clients.  Last I
recall, it didn't support multiple challenge-responses.

  If it does, then it's possible to upgrade FreeRADIUS to do it.  As
always,
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-PEAP GTC vs MSCHAPv2

2013-09-27 Thread Don
On Fri, Sep 27, 2013 at 6:34 AM, Alan DeKok al...@deployingradius.com wrote:

 Don wrote:
  I tried one of these inside the gtc sub-section of eap.conf, but they don't
  seem to work:
  auth_type = ntlm_auth

   Setting that *should* be one step of a working configuration.


Ok, thank you for confirming that the above is one step towards a working
configuration.



  or
  ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
  --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}

   Set where?  You have been *very* vague about what you're doing.  Is it
 a secret?


Nothing secret, as I said, I tried both configurations (one at a time) inside
the gtc sub-section of eap.conf.



  Though I haven't tried replacing User-Password with Cleartext-Password.

   Don't do that.  Trying random things is *always* a bad idea.


Thank you for confirming again. I won't change it in this case.



  Do I have to place this under gtc sub-section inside inner-eap?

   No.  You have to configure the ntlm_auth module, and the ntlm_auth
 sub-section of the authenticate section.  All of that is documented in
 the deployingradius.com page.

  See my comment earlier. Did I place the configuration at the right
  sub-section?

   I have no idea.  You've been careful to say as little as possible, in
 a manner which is as confusing as possible.


The two configurations mentioned earlier, I tried both inside the gtc
sub-section of eap.conf.


  Yes, I saw the ntlm_auth configuration under modules/mschap and
  modules/ntlm_auth. As stated in my first email, I am able to configure
  FreeRADIUS to authenticate against our Active Directory using
  EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will
  work as well.

   It WILL work.  Just set auth_type = ntlm_auth in the gtc
 configuration.  As I said.


I did that, but that didn't work. Perhaps I didn't configure the ntlm_auth
module, though modules/ntlm_auth was created when I configured
EAP-MSCHAPv2 with ntlm_auth.



  As I mentioned earlier, I tried both auth_type = ntlm_auth and ntlm_auth
  = /usr/bin/ntlm_auth ... command execution, but neither works.

   So... rather than following instructions, you're trying random things.

   How about running it in debugging mode, as suggested in the FAQ, man
 page, web pages, and daily on this list?

   The reason we recommend it is that IT WORKS.  If you're trying random
 nonsense, you're wasting your time, and ours.


So far I have tried adding two configurations inside gtc sub-section of
eap.conf. Nothing else was touched. I did run in debug mode (with -XX) and
I will capture the error later.



  The reason I am asking the question about multiple challenges is that I am
  currently evaluating another vendor's solution for multi-factor
  authentication through EAP-PEAP/TLS with EAP-GTC, and the solution prompts for 2
  additional inputs during authentication. Here is the
  link: https://www.duosecurity.com/docs/netmotion. I thought if they can
  do it, FreeRADIUS can do it as well.

   The issue is the EAP-GTC specification, and the clients.  Last I
 recall, it didn't support multiple challenge-responses.

   If it does, then it's possible to upgrade FreeRADIUS to do it.  As
 always,


My understanding about RADIUS is that the client sends an Access-Request and
waits for either an Access-Reject, Access-Accept, or Access-Challenge. If it gets
an Access-Challenge and later gets another Access-Challenge again, it will
respond, until it gets an Access-Accept or Access-Reject. The client that I am
using is NetMotion Mobility XE.

Thank you once again for your response. Apologies if I am wasting your
time; that is not my intention.




Re: EAP-PEAP GTC vs MSCHAPv2

2013-09-27 Thread Alan DeKok
Don wrote:
 Nothing secret, as I said, I tried both configurations (one at a time)
 inside the gtc sub-section of eap.conf.

  That's a problem.  NOTHING in the documentation or examples says to do
that.  LOTS of documentation and examples give the CORRECT way to use
ntlm_auth.

 I did that, but that didn't work.

  See the FAQ for "it doesn't work".

 Perhaps I didn't configure the
 ntlm_auth module, though modules/ntlm_auth was created when I
 configured EAP-MSCHAPv2 with ntlm_auth.

  Perhaps you could try following the examples on deployingradius.com,
or the examples distributed with the server.

 My understanding about RADIUS is that the client sends an Access-Request and
 waits for either an Access-Reject, Access-Accept, or Access-Challenge. If it
 gets an Access-Challenge and later gets another Access-Challenge again, it
 will respond, until it gets an Access-Accept or Access-Reject. The client
 that I am using is NetMotion Mobility XE.

  Which is all useless and irrelevant.  I asked about the EAP-GTC spec,
not RADIUS.

 Thank you once again for your response. Apologies if I am wasting your
 time; that is not my intention.

  If you ask questions on this list, you need to follow the instructions
we give.  Doing anything else is rude.

  You've been very careful to say as little as possible about what
you're doing.  You've also been careful to NOT follow the documentation
or examples.

  That explains why you're having issues making it work.

  Alan DeKok.


Re: EAP-PEAP GTC vs MSCHAPv2

2013-09-27 Thread Don
Alan,

I finally made EAP-GTC using ntlm_auth work. Basically my initial
configuration inside the gtc sub-section of raddb/eap.conf was correct, and
modifying raddb/modules/ntlm_auth from %{mschap:User-Name} to
%{User-Name} was also correct. I can also use
%{%{mschap:User-Name}:-%{User-Name}}, which also works fine and won't
break mschap testing through radtest.

The problem lay somewhere else, in this case inside the file
raddb/users, where the following line was added when I configured FreeRADIUS
with EAP-MSCHAPv2 and tested it with radtest:
DEFAULT  Auth-Type := ntlm_auth

Once I removed that line from raddb/users, EAP-GTC with ntlm_auth works.
So, the gtc sub-section inside raddb/eap.conf is as follows:

gtc {
  challenge = "Password: "
  auth_type = ntlm_auth
}

and raddb/modules/ntlm_auth content:

exec ntlm_auth {
  wait = yes
  program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{%{mschap:User-Name}:-%{User-Name}} --password=%{User-Password}"
}

Again, thank you for all the support.


Regards,
Dono

On Fri, Sep 27, 2013 at 9:50 AM, Alan DeKok al...@deployingradius.com wrote:

 Don wrote:
  Nothing secret, as I said, I tried both configurations (one at a time)
  inside the gtc sub-section of eap.conf.

   That's a problem.  NOTHING in the documentation or examples says to do
 that.  LOTS of documentation and examples give the CORRECT way to use
 ntlm_auth.

  I did that, but that didn't work.

   See the FAQ for "it doesn't work".

  Perhaps I didn't configure the
  ntlm_auth module, though modules/ntlm_auth was created when I
  configured EAP-MSCHAPv2 with ntlm_auth.

   Perhaps you could try following the examples on deployingradius.com,
 or the examples distributed with the server.

  My understanding about RADIUS is that the client sends an Access-Request and
  waits for either an Access-Reject, Access-Accept, or Access-Challenge. If it
  gets an Access-Challenge and later gets another Access-Challenge again, it
  will respond, until it gets an Access-Accept or Access-Reject. The client
  that I am using is NetMotion Mobility XE.

   Which is all useless and irrelevant.  I asked about the EAP-GTC spec,
 not RADIUS.

  Thank you once again for your response. Apologies if I am wasting your
  time; that is not my intention.

   If you ask questions on this list, you need to follow the instructions
 we give.  Doing anything else is rude.

   You've been very careful to say as little as possible about what
 you're doing.  You've also been careful to NOT follow the documentation
 or examples.

   That explains why you're having issues making it work.

   Alan DeKok.


Re: EAP-PEAP GTC vs MSCHAPv2

2013-09-26 Thread Alan DeKok
Don wrote:
 That said, if EAP-GTC can be used along with ntlm_auth, how do I
 configure it to make that work?

  Read the gtc sub-section of eap.conf.  It tells you how to make
EAP-GTC use a particular authentication method.

 I tried to execute ntlm_auth passing
 --password=%{User-Password}, but that didn't work as User-Password is
 empty.

  You tried *where*?  That matters.

 It says in eap.conf that GTC challenges the user with text and
 the response from the user is taken to be the User-Password. Perhaps I
 am executing ntlm_auth too early, before the GTC Password challenge is sent
 out and the response received.
 
 My questions are:
 1. How can I configure FreeRADIUS so GTC will work with ntlm_auth?

  a) configure ntlm_auth as per the deployingradius.com docs, and the
examples in the config files

  b) tell EAP-GTC to use ntlm_auth as per the examples in the gtc
configuration.

 2. Is it possible to send subsequent GTC challenge in addition to
 default Password challenge? If possible, how do I configure the
 subsequent GTC challenge?

  No.  EAP-GTC is only challenge-response.  It doesn't do multiple
challenges.

  Alan DeKok.


Re: EAP-PEAP GTC vs MSCHAPv2

2013-09-26 Thread Don
Alan,

Thank you for your reply and please find my inline response below.


On Thu, Sep 26, 2013 at 7:54 PM, Alan DeKok al...@deployingradius.com wrote:

 Don wrote:
  That said, if EAP-GTC can be used along with ntlm_auth, how do I
  configure it to make that work?

   Read the gtc sub-section of eap.conf.  It tells you how to make
 EAP-GTC use a particular authentication method.


I tried one of these inside the gtc sub-section of eap.conf, but they don't seem
to work:
auth_type = ntlm_auth
or
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{User-Name} --password=%{User-Password}

Though I haven't tried replacing User-Password with Cleartext-Password.
Do I have to place this under gtc sub-section inside inner-eap?


  I tried to execute ntlm_auth passing
  --password=%{User-Password}, but that didn't work as User-Password is
  empty.

   You tried *where*?  That matters.


See my comment earlier. Did I place the configuration at the right
sub-section?



  It says in eap.conf that GTC challenges the user with text and
  the response from the user is taken to be the User-Password. Perhaps I
  am executing ntlm_auth too early, before the GTC Password challenge is sent
  out and the response received.
 
  My questions are:
  1. How can I configure FreeRADIUS so GTC will work with ntlm_auth?

   a) configure ntlm_auth as per the deployingradius.com docs, and the
 examples in the config files


Yes, I saw the ntlm_auth configuration under modules/mschap and
modules/ntlm_auth. As stated in my first email, I am able to configure
FreeRADIUS to authenticate against our Active Directory using EAP-MSCHAPv2
(ntlm_auth) and I am looking to see if using EAP-GTC will work as well.


   b) tell EAP-GTC to use ntlm_auth as per the examples in the gtc
 configuration.


As I mentioned earlier, I tried both auth_type = ntlm_auth and ntlm_auth =
/usr/bin/ntlm_auth ... command execution, but neither works.


  2. Is it possible to send subsequent GTC challenge in addition to
  default Password challenge? If possible, how do I configure the
  subsequent GTC challenge?

   No.  EAP-GTC is only challenge-response.  It doesn't do multiple
 challenges.


The reason I am asking the question about multiple challenges is that I am
currently evaluating another vendor's solution for multi-factor
authentication through EAP-PEAP/TLS with EAP-GTC, and the solution prompts for 2
additional inputs during authentication. Here is the link:
https://www.duosecurity.com/docs/netmotion. I thought if they can do it,
FreeRADIUS can do it as well.

  Alan DeKok.



Regards,
Dono

Re: EAP + SSL + Certificate chains

2013-09-23 Thread Trevor Jennings
Hey I wanted to say thanks for the tips! I convinced the peers that it was
not a good idea to allow auto certificate acceptance and to just have the
clients accept it when the new certificate went online.

Cheers,

 - Trevor



On Thu, Sep 12, 2013 at 3:46 PM, Brian Julin bju...@clarku.edu wrote:

  Mathieu wrote:
  At least from that side there is hope for improvements: with Android 4.3
  onwards there are API calls for enterprise wireless configuration.
 
  Maybe someone steps up by making an application that can manage
  profiles or something like this.

 That is promising, but I hope this does not become a case of
 Oh, there's an app for that basic system function versus it being in the
 core UI.  Because nobody will have it pre-installed.

 --
 Brian


Re: EAP-TLS Authentication

2013-09-23 Thread Muhammad Nadeem
--Please suggest any document which can help in better understanding on
TLS Authentication.

Arvind, I also faced the same issue at the beginning, but I would suggest
reading FreeRADIUS's own documentation. That is probably the best.


On Mon, Sep 23, 2013 at 7:45 PM, arvind132 . arvind...@gmail.com wrote:

 Hi,
 I am facing some issues with 802.1x EAP-TLS Authentication.
 Please suggest any document which can help in better understanding on TLS
 Authentication.
 Thanks.





-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University

Re: eap-ttls with SMD5-Password

2013-09-20 Thread Arran Cudbard-Bell

On 20 Sep 2013, at 17:04, Nasser Heidari nas...@rasana.net wrote:

 Hi, 
 
 I'm trying to set up eap-ttls with freeradius; all my tests in the LAB were
 successful. I've tested it with both the users file and sql and it was working.
 Now I'm going to prepare it for a real setup; my only problem is that all my
 User-Passwords in the database are stored in the SMD5-Password attribute, and
 when I try it with EAP, authentication fails and I get these messages in the
 debug:

http://deployingradius.com/documents/protocols/compatibility.html

MD5/SMD5 requires the reference password be in cleartext.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: EAP-TLS works but not PEAP/EAP-TLS

2013-09-17 Thread Martin Kraus
On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote:
 I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0.
 EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it
 doesn't.

Hi.

make fragment_size in modules/inner-eap smaller than fragment_size in eap.conf

I've got 1200 in inner-eap and 1400 in eap.conf

cheers
mk


Re: EAP-TLS works but not PEAP/EAP-TLS

2013-09-17 Thread John Carter
Thanks Martin,

I had already changed this in the config, but it led me to the real issue,
which was that I'd added an eap inner-eap section to my eap.conf, but I
also had a modules/inner-eap file from the default config. When I removed the
modules/inner-eap file it all works fine.

Thanks again,
John.



On 17 September 2013 08:46, Martin Kraus lists...@wujiman.net wrote:

 On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote:
  I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0.
  EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it
  doesn't.

 Hi.

 make fragment_size in modules/inner-eap smaller than fragment_size in
 eap.conf

 I've got 1200 in inner-eap and 1400 in eap.conf

 cheers
 mk




-- 
John Carter
Identity Networks
jcar...@identitynetworks.com
skype:jcartermeru

RE: EAP + SSL + Certificate chains

2013-09-12 Thread Brian Julin

 Trevor Jennings wrote:
 
  We are using freeradius with EAP/SSL and although it is working fine, I was
 wondering if there was a way to prevent the user from getting the prompt to
 accept the certificate? I have combined the intermediate and server
 certificates into one file and used that file in the 'certificate_file' config
 in eap.conf.
 
 On OSX, the certificates are marked as valid, including the root, intermediate
 and server, but it still prompts the user to accept. Is there a way around this?

About the only way I can think of is to install a profile (.mobileconfig) which
pre-approves the use of that certificate authority.  Reason being, if you just
accept any old certificate authority, any compromised certificate will work, and
on newer OSX/iOS the only way to check the certificate subject for the name
of your RADIUS server, which is a better option for patching the hole, is to
install a profile anyway.  So really, this means that without prompting the user,
any stolen key for any unrevoked certificate from any CA in that entire list,
worldwide, could be used to launch a MITM attack and steal passwords or other
data.  This is not a particularly difficult object to get your hands on.

(Incidentally this is why many environments do not like having Android devices
on their wireless LANs since they don't have any such native options accessible
from the UI or even a decent way to distribute profiles.  Heck they don't even
fake it by making the first certificate they see sticky.  The first time warez
to perform an MITM on WPA2-Enterprise is packaged in a way that any old
script kiddie can use, there will be pain.)

--
Brian Julin
Network Administrator
Clark University


Re: EAP + SSL + Certificate chains

2013-09-12 Thread Mathieu Simon
2013/9/12 Brian Julin bju...@clarku.edu


  Trevor Jennings wrote:

 [...]

  On OSX, the certificates are marked as valid, including the root, intermediate
  and server, but still prompts the user to accept. Is there a way around this?

 About the only way I can think of is to install a profile (.mobileconfig) which
 pre-approves the use of that certificate authority.

If you want to make things all nice and green-looking for your end-users, look
into mobileconfig signing. TERENA has a good example of how to do this for eduroam:
https://confluence.terena.org/display/tcs/Sign+Apple+mobileconfig+files

 Reason being, if you just accept any old certificate authority any compromised
 certificate will work, and on newer OSX/iOS the only way to check the
 certificate subject for the name of your RADIUS server.

And as you mention OS X: yes, the same .mobileconfig for iOS will work for
OS X 10.7 onwards, which was quite a nice thing to know in my environment.


 [...]





 (Incidentally this is why many environments do not like having Android devices
 on their wireless LANs since they don't have any such native options accessible
 from the UI or even a decent way to distribute profiles.


At least from that side there is hope for improvements: with Android 4.3
onwards there are API calls for enterprise wireless configuration.

Maybe someone steps up by making an application that can manage profiles
or something like this.

 Heck they don't even fake it by making the first certificate they see
 sticky.

Worse... ;-)

It's up to the user to install the CA certificate on their own - even if it
is a public CA in Android, they can't select it otherwise (!). At least then
authentication stops if you put up a server certificate not signed by that
specified CA.

The only open source provisioning tool for Android (that I believe didn't
get much traction) is SU1X for Android, made by Swansea University for eduroam.

-- Mathieu

RE: EAP + SSL + Certificate chains

2013-09-12 Thread Brian Julin
 Mathieu wrote:
 At least from that side there is hope for improvements with Android 4.3
 onwards there
 are API calls for enterprise wireless configuration.
 
 Maybe someone steps up by making an application that can manage
 profiles or something like this.

That is promising, but I hope this does not become a case of
Oh, there's an app for that basic system function versus it being in the
core UI.  Because nobody will have it pre-installed.

--
Brian


Re: eap-tls ignore client cert expiry check - crazy idea?

2013-09-02 Thread ken.farrington
Hi All,

Just to let you all know I did get all my setup working (took me a while, not
being a Linux guru) but it does work as expected.  Just in case anyone was
wondering :)

Many thanks all
Ken
:)

On 29 August 2013 at 16:05 ken.farrington ken.farring...@802.co.uk wrote:

  Hi All,
 
  Is there a way, if I had 10 clients in my home lab and all the certs expire
 tomorrow, that rather than re-provide all the certs to my clients, I can frigg
 the radius server time to still accept them?
 
  I'm guessing this is a no, but from what I see, the client cert is presented
 and checked against the server time.
 
  Would this be correct?
 
  Many thanks in advance
  Ken
 
 
 

Re: EAP logging

2013-08-29 Thread Robert Franklin
On 28 Aug 2013, at 23:39, Andrej andrej.gro...@gmail.com wrote:

 I would like f_ticks to write out a single line into syslog that
 contains the inner and outer
 identity of an authentication request, the station ID and MAC address.
 
 In case of a successful authentication or rejection I'd like to have
 the inner identity and a status on a line,

We do this by using lots of custom linelog instances.  In linelog.conf (just a
few examples):

linelog acceptlog {
  filename = /var/log/radius/auth-%D.log

  format = "%S (%l) id %I ACCEPT %{User-Name} (station %{%{Calling-Station-Id}:--}) auth-type %{control:Auth-Type}/%{EAP-Type} realm %{%{Realm}:--} nas %{%{NAS-IP-Address}:-%{%{NAS-IPv6-Address}:--}-}/%{%{NAS-Port}:--} (operator %{%{Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) ap '%{%{UCam-AP-Name}:--}' essid '%{%{UCam-Essid-Name}:--}' = %{%{reply:User-Name}:--} reply-msg '%{reply:Reply-Message}'"
}

linelog inner-acceptlog {
  filename = /var/log/radius/auth-%D.log

  format = "%S (%l) id %I INNER-TUNNEL ACCEPT %{User-Name} (station %{%{outer.request:Calling-Station-Id}:--}) outer-id %{outer.request:User-Name} auth-type %{outer.control:Auth-Type}/%{outer.request:EAP-Type}/%{control:Auth-Type} realm %{%{Realm}:--} nas %{%{outer.request:NAS-IP-Address}:-%{%{outer.request:NAS-IPv6-Address}:--}}/%{%{outer.request:NAS-Port}:--} (operator %{%{outer.request:Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) ap '%{%{outer.request:UCam-AP-Name}:--}' essid '%{%{outer.request:UCam-Essid-Name}:--}' = %{%{reply:User-Name}:--} reply-msg '%{reply:Reply-Message}'"
}

linelog proxy-replylog {
  filename = /var/log/radius/auth-%D.log

  format = "%S (%l) id %I PROXY REPLY %{User-Name} (station %{%{Calling-Station-Id}:--}) auth-type /%{EAP-Type} realm %{%{Realm}:--} nas %{%{NAS-IP-Address}:-%{%{NAS-IPv6-Address}:--}-}/%{%{NAS-Port}:--} (operator %{%{Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) proxy %{%{proxy-reply:Packet-Src-IP-Address}:-%{%{proxy-reply:Packet-Src-IPv6-Address}:--}} proxy-reply-type %{proxy-reply:Packet-Type} proxy-reply-msg '%{proxy-reply:Reply-Message}' = %{%{proxy-reply:User-Name}:--}"
}


We call them as follows:


[default]

post-proxy {
  ...
  proxy-replylog
  ...
}

post-auth {
  ...
  acceptlog
  ...
}


[inner-tunnel]

post-auth {
  ...
  inner-acceptlog
  ...
}


There are some references to %{UCam-AP-Name} and things in there -- we set 
these with things like:

  if ("%{Aruba-Location-Id}") {
    update request {
      UCam-AP-Name := "%{Aruba-Location-Id}"
      UCam-Essid-Name := "%{Aruba-Essid-Name}"
    }
  }

... they let us not refer to the direct Aruba attributes and would allow us to 
more easily add another wireless system (we used to have Cisco but migrated 
away) - if we had to move again, we don't have lots of Cisco-specific bits all 
over the place.  Note that the attributes are defined in 'dictionary'.


The above stuff will give lines like:

2013-08-29 10:53:02 (1377769982) id 175 INNER-TUNNEL ACCEPT rc...@cam.ac.uk (station 0015AF81CEB3) outer-id @cam.ac.uk auth-type EAP/PEAP/EAP realm LOCAL nas 131.111.1.20/0 (operator 1lapwing.cam.ac.uk) client 131.111.1.20 (erri...@lapwing.cam.ac.uk) ap '00:24:6c:c3:24:fd' essid 'eduroam' = rcf34 reply-msg '[cam.ac.uk] Successful authentication ACCEPT'

[example from inner-acceptlog.]


Hope this helps,

  - Bob


-- 
 Bob Franklin rc...@cam.ac.uk  +44 1223 748479
 Network Division, University of Cambridge Computing Service



Re: EAP logging

2013-08-29 Thread Alan DeKok
Andrej wrote:
 This brings me back to my earlier question: what values are available
 where, and when,
 via which mechanism?

  This was asked and answered.  I suggest reading responses to your
messages.

  Asking what values are available is wrong.  There are no magic
values in the server.  There are just attributes in a packet.  If you
want to know what attributes are available, look at the debug output.

  That REALLY is it.  It's not hard.  It's not rocket science.  There's
no magic.

 I think I still don't fully understand how modules hang together, how
 I pass information
 from e.g. an EAP request into line-log,

  Read doc/aaa.rst

  You don't pass information into a module.  The incoming packet (and
associated data) is given to the module.  The module then decides what
to do.

 sites-enabled/eap-inner-tunnel, how
 I tell f_ticks (or linelog, or any other modules for that matter)
 which values I'd like to work
 with.

  Have you tried reading the debug output?  It's *telling you* what it's
doing.

  The f_ticks module is telling you what it's doing.  Have you tried
reading the default configuration for the linelog module?  It has LOTS
of documentation describing how it works.

  Ask *specific* questions about what's confusing you.

 I would like f_ticks to write out a single line into syslog that
 contains the inner and outer
 identity of an authentication request, the station ID and MAC address.

  So... do you see that data in the debug output?  If so, read man
unlang for how to reference attributes.  See the default linelog
configuration for how the module works.  Put the two together, and
you'll have it.

 Can anyone point me at a walk-through or how-to?  I've now spent days
 flicking from one wiki-page to
 the next, and reading mailing list archives w/o find anything that
 helps me understand.

  There are NO examples which document exactly what you're trying to do.
 Most deployments are unique.  Creating documentation for every possible
deployment is impossible.

  It sounds like you're not understanding basic concepts, and reading
random web pages, looking for a magic solution.  This isn't the best
approach.

  Read doc/aaa.rst.  Read man unlang.  Read the debug output.  Read
the default linelog configuration.

  Alan DeKok.


Re: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Phil Mayers

On 29/08/13 14:35, Robert Roll wrote:

  I'm trying to do a proxy from the inner-tunnel over to another radius server.
The primary reason for this is that we need to strip off the realm before
passing to the proxy.

  I'm getting an EAP error response from the other server about it not liking
the id number

   Supplicant sent unmatched EAP response packet identifier

 ( This is an EAP-PEAP-MSCHAPv2 scenario)

  The EAP.conf file is configured with:

proxy_tunneled_request_as_eap = yes

I've included a TCP dump of the main freeradius server below


But not a debug gathered with radiusd -X which is the only thing 
anyone ever wants to see.



Re: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Martin Kraus
On Thu, Aug 29, 2013 at 01:35:25PM +, Robert Roll wrote:
  I'm getting an EAP error response from the other server about it not liking
 the id number
 
   Supplicant sent unmatched EAP response packet identifier

The EAP Response identifier sent by the client has to match the EAP Request
identifier sent by the server, which would be ISE.

Can you see the EAP-Message AVPs sent and received by FreeRADIUS? The identifier
is the second byte.

mk
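As an added example (not code from any of the posts above), the following decodes the EAP packet carried inside a RADIUS EAP-Message attribute, builds the single challenge/response that a gtc section with challenge = "Password: " (from the EAP-GTC thread) produces, and applies the rule Martin gives here: the Response's second byte must equal the Request's. All packet bytes and identifier values are constructed for the demo; the RADIUS packet ids shown by tcpdump (id: 0x..) are a separate field and are not used.

```python
# Added example: EAP header/Type parsing per RFC 3748, an EAP-GTC exchange,
# and the request/response identifier check that FreeRADIUS enforces.
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_NAK = 3       # client declining the offered method (Response only)
EAP_TYPE_GTC = 6       # Generic Token Card
CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type byte
    type_data: bytes

    def to_bytes(self) -> bytes:
        # Header: Code(1) Identifier(1) Length(2, big-endian, whole packet)
        body = b"" if self.eap_type is None else bytes([self.eap_type]) + self.type_data
        return struct.pack("!BBH", self.code, self.identifier, 4 + len(body)) + body


def parse_eap(raw: bytes) -> EapPacket:
    """Decode one EAP packet; raise ValueError on anything malformed."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in CODE_NAMES:
        raise ValueError(f"unknown EAP Code {code}")
    if length < 4 or length > len(raw):
        raise ValueError(f"EAP Length {length} disagrees with {len(raw)} bytes received")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPacket(code, ident, None, b"")
    if length < 5:
        raise ValueError(f"EAP {CODE_NAMES[code]} is missing its Type byte")
    return EapPacket(code, ident, raw[4], raw[5:length])


def eap_identifier(eap_message_value: bytes) -> int:
    """The Identifier is the second byte of the EAP-Message attribute value.
    It is unrelated to the RADIUS packet id that tcpdump prints as 'id: 0x..'."""
    return parse_eap(eap_message_value).identifier


def gtc_request(identifier: int, challenge: str) -> bytes:
    """Server -> client: a GTC Request carries the challenge text verbatim."""
    return EapPacket(EAP_REQUEST, identifier, EAP_TYPE_GTC, challenge.encode()).to_bytes()


def gtc_response(identifier: int, answer: str) -> bytes:
    """Client -> server: the Type-Data is what the user typed (it becomes User-Password)."""
    return EapPacket(EAP_RESPONSE, identifier, EAP_TYPE_GTC, answer.encode()).to_bytes()


def check_response(request_raw: bytes, response_raw: bytes) -> Tuple[bool, str]:
    """Does this Response answer this Request?  Mirrors the server-side check
    behind the 'unmatched EAP response packet identifier' message."""
    req, resp = parse_eap(request_raw), parse_eap(response_raw)
    if req.code != EAP_REQUEST:
        return False, f"expected a Request, got {CODE_NAMES[req.code]}"
    if resp.code != EAP_RESPONSE:
        return False, f"expected a Response, got {CODE_NAMES[resp.code]}"
    if resp.identifier != req.identifier:
        return False, (f"unmatched EAP response packet identifier: request id "
                       f"{req.identifier}, response id {resp.identifier}")
    if resp.eap_type == EAP_TYPE_NAK:
        return False, "client sent Nak: it does not support the offered EAP type"
    if resp.eap_type != req.eap_type:
        return False, f"Response type {resp.eap_type} != Request type {req.eap_type}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed exchange: identifiers 7/7 match, 7/8 reproduce the mismatch.
    req = gtc_request(7, "Password: ")
    print("GTC Request:", req.hex(), "identifier:", eap_identifier(req))
    print(check_response(req, gtc_response(7, "correct horse")))
    print(check_response(req, gtc_response(8, "correct horse")))
```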


RE: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Robert Roll

 I guess I assumed the "id:" in the TCP dump below was the EAP Response
Identifier, maybe not? Is there a different EAP response identifier?

 I actually have been running with debug radius -X. Obviously a lot longer
output than just the TCP dump. That is why I first tried just the TCP dump.
I guess I was also hoping somebody might have just had a thought about a
common configuration issue...

 I just went back to run another test and the proxy server now seems to be
down. This server is run by our network group and I don't know when it might
be back.. As soon as it comes back, I will run and capture the debug and see
if I can see the EAP-message AVP's. I will also post the debug

Thanks,

Robert


07:03:51.354527 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xde length: 246
07:03:51.371848 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Challenge (11), id: 0xde length: 132

07:03:51.384449 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xa8 length: 306
07:03:51.386386 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Reject (3), id: 0xa8 length: 49




Re: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Martin Kraus
On Thu, Aug 29, 2013 at 02:56:44PM +, Robert Roll wrote:
  I guess I assumed the "id:" in the TCP dump below was the EAP Response
 Identifier, maybe not? Is there a different EAP response identifier?

That is the id of the radius packet. EAP lives inside radius packet AVPs
called EAP-Message. You can see the AVPs when you run tcpdump -vv.

What is worth noting is that radius Access-Request carries EAP-Response from
the client to the server and Access-Challenge carries EAP-Request from the
server to the client.


mk


Re: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Phil Mayers

On 29/08/13 15:56, Robert Roll wrote:


  I guess I assumed the "id:" in the TCP dump below was the EAP Response
Identifier, maybe not? Is there a different EAP response identifier?


Yes, in the EAP-Message attribute (EAP packet)


  I actually have been running with debug radius -X. Obviously a lot longer
output than just the TCP dump. That is why I first tried just the TCP dump.
I guess I was also hoping somebody might have just had a thought about a
common configuration issue...


TBH proxying EAP inner is not common at all; there have been bugs in 
that area in the past.


Re-reading I notice that you're running 2.10 - upgrade. I'm pretty 
certain that version has inner-eap proxy bugs. Go to 2.2.0.



RE: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Robert Roll
Ok, Below is the TCP dump. I have attached the Freeradius Debug output beginning
near the start of the proxy..

WC        -- the wireless controller (155.99.193.24)
FR-2.10   -- Freeradius 2.10 (155.97.182.175)
ISE-proxy -- ISE proxy server (155.97.185.76)

Again, any help would be much appreciated..

Thanks,

Robert

09:31:25.451223 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x72 length: 229
09:31:25.452467 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x72 length: 64
09:31:25.454469 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x73 length: 355
09:31:25.461847 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x73 length: 1090
09:31:25.465436 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x74 length: 239
09:31:25.465779 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x74 length: 1086
09:31:25.469322 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x75 length: 239
09:31:25.469644 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x75 length: 1086
09:31:25.472928 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x76 length: 239
09:31:25.473199 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x76 length: 923
09:31:25.482815 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x77 length: 441
09:31:25.485315 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x77 length: 123
09:31:25.488059 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x78 length: 239
09:31:25.488362 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x78 length: 101
09:31:25.490724 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x79 length: 329

--Begin Proxy
09:31:25.491570 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xd8 length: 242
09:31:25.497310 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Challenge (11), id: 0xd8 length: 128
09:31:25.497504 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x79 length: 101
09:31:25.499645 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x7a length: 313
09:31:25.500528 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0x47 length: 300
09:31:25.502871 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Reject (3), id: 0x47 length: 49
09:31:26.504148 IP FR-2.10.radius > WC.32769: RADIUS, Access Reject (3), id: 0x7a length: 101



RE: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Robert Roll
Ok, I've tried this with 2.2 and still get the same behavior..

If I actually look at the proxy-inner-tunnel I see the following for
post-proxy..

   post-proxy {
        #
        #  This is necessary for LEAP, or if you set:
        #
        #  proxy_tunneled_request_as_eap = no
        #
        eap

I see that eap needs to be invoked if using

  proxy_tunneled_request_as_eap = no

Does it actually need to NOT be there for

  proxy_tunneled_request_as_eap = no

I should say I'm actually NOT using the proxy-inner-tunnel server, but
rather the default inner-tunnel with:

#  If you want the inner tunnel request to be proxied, delete
#  the next few lines.
#
#   update control {
#      Proxy-To-Realm := LOCAL
#   }


Thanks,

Robert





Re: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Phil Mayers

On 29/08/13 17:01, Robert Roll wrote:

Ok, Below is the TCP dump. I have attached the Freeradius Debug output beginning
near the start of the proxy..


The problem here is pretty straightforward, but not obvious from the 
debugs since FR is just proxying.


Basically, the client sends the inner EAP-identity, and the proxy server 
responds with an EAP-TLS start i.e. you would be doing EAP-TLS inside 
PEAP, if this worked:


rad_recv: Access-Challenge packet from host 155.97.185.76 port 1812, 
id=216, length=128

State = ...
Proxy-State = 0x313231
EAP-Message = 0x010900060d20

0x0d == 13 == EAP-TLS. This is encrypted and sent down the tunnel. The 
client then sends an EAP-NAK, listing 26 as the only supported EAP type 
(which is weird - is it a Windows machine set to some odd combo like 
cryptobinding enabled?):


[peap] Got tunneled request
EAP-Message = 0x02090006031a

0x03 == 3 = NAK, 0x1a == 26 == MS-EAP (SoH, I think?)

...which the proxy server then rejects:

rad_recv: Access-Reject packet from host 155.97.185.76 port 1812, id=71, 
length=49

Proxy-State = 0x313232
EAP-Message = 0x04090004

So the solution is simple - if you're going to proxy the inner auth, 
ensure the client inner auth method and upstream proxy auth method are 
mutually compatible.

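Martin's point earlier in the thread (the EAP identifier is the second byte of the EAP-Message value, and Access-Request carries EAP-Response while Access-Challenge carries EAP-Request) and Phil's decoding of the three packets above, as an added example that is not code from the thread or from FreeRADIUS: a decoder for the EAP header, the Nak and EAP-TLS-start payloads, and the identifier check behind the "unmatched EAP response packet identifier" error. The hex values are the ones quoted above; the type names and EAP-TLS flag bits are taken from RFC 3748 and RFC 5216.

```python
"""Decode the EAP packets carried inside RADIUS EAP-Message attributes.

Added example; not code from FreeRADIUS or from the thread. The three hex
values are the ones quoted from the debug output; type names and the EAP-TLS
flag layout follow RFC 3748 and RFC 5216.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EAP codes (RFC 3748 section 4) and the type numbers discussed in the thread
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
# EAP-TLS flags byte (RFC 5216): L = length included, M = more fragments, S = start
EAP_TLS_FLAGS = ((0x80, "L"), (0x40, "M"), (0x20, "S"))


@dataclass
class EapPacket:
    code: int
    identifier: int                  # second byte: what the "unmatched identifier" error checks
    length: int
    eap_type: Optional[int] = None   # Success/Failure carry no Type field
    type_data: bytes = b""


def decode_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet (the reassembled EAP-Message attribute value)."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, identifier, length")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} bytes")
    if code in (3, 4):
        return EapPacket(code, ident, length)
    if length < 5:
        raise ValueError("Request/Response must carry a Type byte")
    return EapPacket(code, ident, length, raw[4], raw[5:])


def describe(pkt: EapPacket) -> str:
    """Human-readable summary, e.g. 'Response id=9 Nak wants [EAP-MSCHAPv2]'."""
    head = f"{EAP_CODES[pkt.code]} id={pkt.identifier}"
    if pkt.eap_type is None:
        return head
    name = EAP_TYPES.get(pkt.eap_type, f"type {pkt.eap_type}")
    if pkt.eap_type == 3:
        # A Nak lists the types the peer is willing to do instead
        wanted = ", ".join(EAP_TYPES.get(t, str(t)) for t in pkt.type_data)
        return f"{head} {name} wants [{wanted}]"
    if pkt.eap_type == 13 and pkt.type_data:
        flags = "".join(n for bit, n in EAP_TLS_FLAGS if pkt.type_data[0] & bit)
        return f"{head} {name} flags={flags or '-'}"
    return f"{head} {name}"


def identifier_matches(request: EapPacket, response: EapPacket) -> bool:
    """A Response is only valid for the outstanding Request whose identifier it echoes."""
    return (request.code == 1 and response.code == 2
            and request.identifier == response.identifier)


# The inner exchange from the thread: where each packet was seen, and its EAP-Message hex.
THREAD_EXCHANGE: List[Tuple[str, str]] = [
    ("Access-Challenge from proxy", "010900060d20"),
    ("Access-Request from client", "02090006031a"),
    ("Access-Reject from proxy", "04090004"),
]


def walk(exchange: List[Tuple[str, str]]) -> List[str]:
    """Decode each packet in order and flag any Response whose id does not match."""
    lines, outstanding = [], None
    for where, hexstr in exchange:
        pkt = decode_eap(bytes.fromhex(hexstr))
        note = ""
        if pkt.code == 1:
            outstanding = pkt
        elif pkt.code == 2:
            ok = outstanding is not None and identifier_matches(outstanding, pkt)
            note = " (id matches request)" if ok else " (unmatched EAP response packet identifier)"
        lines.append(f"{where}: {describe(pkt)}{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(walk(THREAD_EXCHANGE)))
```

Note that the RADIUS packet id (0xd8, 0x47 in the tcpdump) is a different counter from the EAP identifier inside the attribute; only the latter is what the upstream server complained about.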


Re: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Alan DeKok
Phil Mayers wrote:
 [peap] Got tunneled request
 EAP-Message = 0x02090006031a
 
 0x03 == 3 = NAK, 0x1a == 26 == MS-EAP (SoH, I think?)

  That's EAP-MSCHAP-v2.

 ...which the proxy server then rejects:
 
 rad_recv: Access-Reject packet from host 155.97.185.76 port 1812, id=71,
 length=49
 Proxy-State = 0x313232
 EAP-Message = 0x04090004
 
 So the solution is simple - if you're going to proxy the inner auth,
 ensure the client inner auth method and upstream proxy auth method are
 mutually compatible.

  i.e. set proxy_tunneled_request_as_eap = no

  Alan DeKok.


Re: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Alan DeKok
Robert Roll wrote:
 If I actually look at the proxy-inner-tunnel I see the following for 
 post-proxy..

  The post-proxy stage has NOTHING to do with the home server.  If the
home server rejects the request, the issue is WAY before the
post-process stage.

 I see that eap needs be invoked if using 
 
   proxy_tunneled_request_as_eap = no

 Does it actually need to NOT be there for
 
  proxy_tunneled_request_as_eap = no

  No.

  See my reply to Phil.  You need to set:

proxy_tunneled_request_as_eap = no

  in eap.conf, peap{} subsection.

  Alan DeKok.


Re: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Phil Mayers

On 29/08/13 18:16, Alan DeKok wrote:

Phil Mayers wrote:

[peap] Got tunneled request
 EAP-Message = 0x02090006031a

0x03 == 3 = NAK, 0x1a == 26 == MS-EAP (SoH, I think?)


   That's EAP-MSCHAP-v2.


Doh, yes, brain fade. TBH this page could be clearer:

http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml

;o)


Re: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Phil Mayers

On 29/08/13 18:16, Alan DeKok wrote:


   i.e. set proxy_tunneled_request_as_eap = no


Although IIRC that *definitely* had issues in 2.1.10, right?


Re: EAP-Peap-MSchapv2 proxy from innertunnel

2013-08-29 Thread Alan DeKok
Phil Mayers wrote:
 On 29/08/13 18:16, Alan DeKok wrote:
 
i.e. set proxy_tunneled_request_as_eap = no
 
 Although IIRC that *definitely* had issues in 2.1.10, right?

  I don't recall... that was a long time ago, and I'm trying to get 3.0
out the door.

  Alan DeKok.


Re: EAP logging

2013-08-28 Thread Alan Buxey
Your reference is wrong/unknown which means that there's a noop. This means no 
operation which means no fticks output

alan


Re: EAP logging

2013-08-28 Thread Andrej
On 28 August 2013 18:49, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
Thanks Alan,

 Your reference is wrong/unknown which means that there's a noop. This means
 no operation which means no fticks output

This brings me back to my earlier question: what values are available
where, and when, via which mechanism?

I think I still don't fully understand how modules hang together, how
I pass information from e.g. an EAP request into line-log, or, looking at
sites-enabled/eap-inner-tunnel, how I tell f_ticks (or linelog, or any other
modules for that matter) which values I'd like to work with.

I would like f_ticks to write out a single line into syslog that
contains the inner and outer identity of an authentication request, the
station ID and MAC address.

In case of a successful authentication or rejection I'd like to have
the inner identity and a status on a line.

Can anyone point me at a walk-through or how-to?  I've now spent days
flicking from one wiki-page to the next, and reading mailing list archives
w/o finding anything that helps me understand.


Re: EAP logging

2013-08-28 Thread Martin Kraus
On Thu, Aug 29, 2013 at 10:39:50AM +1200, Andrej wrote:
 On 28 August 2013 18:49, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 Thanks Alan,
 
  Your reference is wrong/unknown which means that there's a noop. This means
  no operation which means no fticks output
 
 This brings me back to my earlier question: what values are available
 where, and when,
 via which mechanism?
 
 I think I still don't fully understand how modules hang together, how
 I pass information
 from e.g. an EAP request into line-log, or, looking at
 sites-enabled/eap-inner-tunnel, how
 I tell f_ticks (or linelog, or any other modules for that matter)
 which values I'd like to work
 with.

Everything becomes an attribute or a variable and the definitions are mostly
at /usr/share/freeradius/dictionary.freeradius.internal and you can also
define your own attributes in /etc/freeradius/dictionary. I use this to get 
time in a format similar to syslog by having a variable My-Local-Time and
calling an exec module with date command and assigning the result to this
variable which I can then reference in my linelog.

the only way I found how to get what I need is to define a linelog, write
there the variables I hope will have what I'm looking for and call that
linelog from some part of the server configuration and just run my clients
against it and see what happens.

for the username you can use outer.request:User-Name in the inner-tunnel which
should reference the outer tunnel User-Name. User-Name in the inner-tunnel
should be the inner EAP username. Also the attribute named
Inner-Tunnel-User-Name might have the inner EAP username but that might be
defined only in the post-auth section of the default server.

mk


Re: EAP-SIM Module Failed to Load

2013-08-27 Thread ken.farrington
Many thanks indeed.  Are you saying I can just take out sim_files from the
authorise in the default file and it should work anyway?
If so, fantastic :)

Ken Farrington
Director
CCIE #12651

802 Limited
International House, 221 Bow Road, London, E3 2SJ, United Kingdom
Direct: +44 (0)7500 802802
ken.farring...@802.co.uk
http://www.802.co.uk


Disclaimer
This e-mail may contain information that is confidential, privileged or
otherwise protected from disclosure. If you are not an intended recipient of
this e-mail, do not duplicate or redistribute it by any means. Please delete it
and any attachments and notify the sender that you have received it in error.
Any views or opinions presented are solely those of the author and do not
necessarily represent those of 802 Limited or any subsidiary company of 802
Limited. This email may relate to or be sent from other members of the 802
Group. All rights reserved. 802 Limited. Registered in the UK. Company Number.
7962864.

Re: EAP-SIM Module Failed to Load

2013-08-27 Thread Iliya Peregoudov

On 27.08.2013 10:57, ken.farrington wrote:

Many thanks indeed.  Are you saying I can just take out sim_files from
the authorise in the default file and it should work anyway?
If so, fantastic :)


My raddb/sites-enabled/default:

authorize {
  preprocess
  auth_log
  chap
  mschap
  suffix
  eap {
ok = return
  }
  files
  pap
}

My raddb/users:

1250016490216...@wlan.mnc001.mcc250.3gppnetwork.org
        EAP-Sim-RAND1 = 0x09844aff4ccf66cdb95e59dba8ec291c,
        EAP-Sim-RAND2 = 0x100446e9e8f553a9d87d0444a44b6cf5,
        EAP-Sim-RAND3 = 0x753fdfc2d7e834002557a069462a1fa5,
        EAP-Sim-SRES1 = 0x5dc9a406,
        EAP-Sim-SRES2 = 0x3b3f8ea3,
        EAP-Sim-SRES3 = 0x85bb8aeb,
        EAP-Sim-KC1 = 0x75e85aff085e917b,
        EAP-Sim-KC2 = 0x3055d76de12f1772,
        EAP-Sim-KC3 = 0x81806503efeebec1

1250016490216...@wlan.mnc001.mcc250.3gppnetwork.org is a decorated 
permanent identity for IMSI 250016490216808.


(EAP-Sim-RAND1, EAP-Sim-SRES1, EAP-Sim-KC1) is an authentication vector 
(aka GSM triplet). rlm_eap_sim requires three GSM triplets to be available.


You can extract IMSI and GSM triplets from the SIM card using a smart card 
reader and the agsm2 program (http://agsm.sourceforge.net).


Note this will always use same GSM triplets for authentication and 
consequently same master session key (MSK) for encryption. You need to 
integrate with HLR to retrieve truly random GSM triplets. Usually this 
is done by some sort of RADIUS-to-MAP gateway, like Cisco ITP.

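The users-file entry and the keying remark above, as an added example that is not FreeRADIUS code: the following parses the triplet entry into (RAND, SRES, Kc) vectors with size checks and derives the EAP-SIM master key from them as RFC 4186 section 7 defines it, which makes the point about static triplets concrete: Kc is the server-side key input, so with a fixed entry only the peer's NONCE_MT varies between sessions. The identity is constructed from the IMSI the post gives (an EAP-SIM permanent identity is the IMSI with a leading "1"), and NONCE_MT and the EAP-SIM version numbers are constructed values.

```python
"""Parse the GSM triplets from a FreeRADIUS users-file entry and derive the
EAP-SIM master key (MK) from them.

Added example, not FreeRADIUS code. The RAND/SRES/Kc values are the ones from
the post; the identity is constructed from the IMSI in the post; NONCE_MT and
the version numbers are constructed. MK per RFC 4186 section 7:
    MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version)
"""
import hashlib
import re
from typing import Dict, List, Sequence

# The triplet attributes exactly as they appear in the users-file entry above.
USERS_ENTRY = """\
EAP-Sim-RAND1 = 0x09844aff4ccf66cdb95e59dba8ec291c,
EAP-Sim-RAND2 = 0x100446e9e8f553a9d87d0444a44b6cf5,
EAP-Sim-RAND3 = 0x753fdfc2d7e834002557a069462a1fa5,
EAP-Sim-SRES1 = 0x5dc9a406,
EAP-Sim-SRES2 = 0x3b3f8ea3,
EAP-Sim-SRES3 = 0x85bb8aeb,
EAP-Sim-KC1 = 0x75e85aff085e917b,
EAP-Sim-KC2 = 0x3055d76de12f1772,
EAP-Sim-KC3 = 0x81806503efeebec1
"""

IMSI = "250016490216808"                                        # from the post
IDENTITY = "1" + IMSI + "@wlan.mnc001.mcc250.3gppnetwork.org"  # constructed from it

FIELD_LEN = {"RAND": 16, "SRES": 4, "KC": 8}   # GSM triplet component sizes in bytes
TRIPLET_RE = re.compile(r"EAP-Sim-(RAND|SRES|KC)(\d)\s*=\s*0x([0-9a-fA-F]+)")


def parse_triplets(entry: str) -> List[Dict[str, bytes]]:
    """Group EAP-Sim-{RAND,SRES,KC}<n> into ordered triplets, checking sizes."""
    by_index: Dict[int, Dict[str, bytes]] = {}
    for field, idx, hexval in TRIPLET_RE.findall(entry):
        raw = bytes.fromhex(hexval)
        if len(raw) != FIELD_LEN[field]:
            raise ValueError(f"{field}{idx}: expected {FIELD_LEN[field]} bytes, got {len(raw)}")
        by_index.setdefault(int(idx), {})[field] = raw
    triplets = []
    for idx in sorted(by_index):
        if set(by_index[idx]) != set(FIELD_LEN):
            raise ValueError(f"triplet {idx} is incomplete: {sorted(by_index[idx])}")
        triplets.append(by_index[idx])
    return triplets


def eap_sim_mk(identity: str, triplets: Sequence[Dict[str, bytes]], nonce_mt: bytes,
               version_list: Sequence[int] = (1,), selected_version: int = 1) -> bytes:
    """RFC 4186 section 7 master key. The RFC allows n = 2 or 3 triplets
    (the post notes rlm_eap_sim wants three)."""
    if not 2 <= len(triplets) <= 3:
        raise ValueError("EAP-SIM uses two or three GSM triplets")
    if len(nonce_mt) != 16:
        raise ValueError("NONCE_MT is 16 bytes")
    h = hashlib.sha1()
    h.update(identity.encode("utf-8"))          # peer identity, no terminating NUL
    for t in triplets:
        h.update(t["KC"])                        # n*Kc: the Kc values concatenated
    h.update(nonce_mt)                           # the peer's AT_NONCE_MT
    for v in version_list:                       # AT_VERSION_LIST entries, 2 bytes each
        h.update(v.to_bytes(2, "big"))
    h.update(selected_version.to_bytes(2, "big"))  # AT_SELECTED_VERSION
    return h.digest()


def session_mk(nonce_mt: bytes) -> bytes:
    """MK for one session against the static triplets in the users file: the
    server contributes the same Kc every time, so only nonce_mt varies."""
    return eap_sim_mk(IDENTITY, parse_triplets(USERS_ENTRY), nonce_mt)


if __name__ == "__main__":
    for n, t in enumerate(parse_triplets(USERS_ENTRY), 1):
        print(f"triplet {n}: RAND={t['RAND'].hex()} SRES={t['SRES'].hex()} Kc={t['KC'].hex()}")
    print("MK:", session_mk(bytes(16)).hex())   # constructed all-zero NONCE_MT
```

MSK and EMSK are then expanded from MK with the FIPS 186-2 PRF (RFC 4186 section 7), so a repeated MK means repeated session keys.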


Re: EAP-SIM Module Failed to Load

2013-08-27 Thread ken.farrington
Fantastic and thanks. On it now :)


Re: EAP logging

2013-08-27 Thread Arran Cudbard-Bell

On 27 Aug 2013, at 17:59, Andrej andrej.gro...@gmail.com wrote:

 Hi,
 
 I'm trying to find a way to log EAP requests and responses on an IdP in such  
 way that the inner and outer identity of a request end up on one line; using 
 linelog via f_ticks I managed to get a slightly more concise logging going 
 than the detail level in accounting messages.  But I'd like to be able to 
 correlate the two, and  am struggling to do so. 
 
 Is there a way to e.g. pass information from the outer processing on to the 
 inner so I can log both from there, rather than logging both identities 
 individually?  While it's feasible to have both when there's not much 
 authentication traffic happening trying to correlate events if there are 
 several within the same time-frame might become impossible.
 

Sure. Just pull in outer.User-Name in your format string, and call it from the 
inner server.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: EAP logging

2013-08-27 Thread Andrej
On 28 August 2013 05:09, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
Hi Arran,

 Is there a way to e.g. pass information from the outer processing on to the 
 inner so I can log both from there, rather than logging both identities 
 individually?  While it's feasible to have both when there's not much 
 authentication traffic happening trying to correlate events if there are 
 several within the same time-frame might become impossible.

 Sure. Just pull in outer.User-Name in your format string, and call it from 
 the inner server.

Cool - I'll give that a go.  Is there a comprehensive list anywhere of
which kind of values are permissible in which context?



 -Arran

 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team

Cheers,
Andrej


Re: EAP logging

2013-08-27 Thread Alan DeKok
Andrej wrote:
 Cool - I'll give that a go.  Is there a comprehensive list anywhere of
 which kind of values are permissible in which context?

  See the debug output.  If it's in the debug output, you can use it.
If it's not in the debug output, it doesn't exist.  And you can't use it.

  You can always reference the outer tunnel from the inner one.

  Alan DeKok.


Re: EAP logging

2013-08-27 Thread Andrej
On 28 August 2013 09:09, Alan DeKok al...@deployingradius.com wrote:
   See the debug output.  If it's in the debug output, you can use it.
 If it's not in the debug output, it doesn't exist.  And you can't use it.

   You can always reference the outer tunnel from the inner one.

OK.  So, I found a couple of *key* statements in the debug output; and
running the server with -X gives me

[f_ticks]   expand: %{proxy-reply:Packet-Type} ->
[f_ticks]   ... expanding second conditional
[f_ticks]   expand: f_ticks.%{%{proxy-reply:Packet-Type}:-format} -> f_ticks.format
WARNING: No such configuration item .f_ticks.format
[f_ticks] No such entry .f_ticks.format
++[f_ticks] returns noop

But I don't seem to be writing any output at all from the f_ticks
module (whether in debug mode or not).
It looks like this:

linelog f_ticks {
    filename = ${logdir}/f-ticks
    format = "%{outer.User-Name}#%{User-Name}#%{Packet-Src-IP-Address}#"
    reference = "f_ticks.%{%{proxy-reply:Packet-Type}:-format}"
    f_ticks {
        Access-Accept = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=EU#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=OK#"
        Access-Reject = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=EU#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=FAIL#"
    }
}




Cheers,
Andrej
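Alan Buxey's reply earlier in the thread (an unknown reference means noop and no output) and the debug output above, as an added example that is not FreeRADIUS code: a simplified Python model of the two steps the debug shows, the %{%{attr}:-fallback} alternation and the lookup of the expanded "section.key" path in the module's configuration. The config tree, the attribute lists and the request values are constructed to mirror the f_ticks instance in the post; the model only handles the nested alternation form used there.

```python
"""Emulate how a linelog "reference" selects the line that gets written.

Added example, not FreeRADIUS code: a simplified model of the debug output
above. First %{%{attr}:-fallback} expands (the inner value if non-empty,
otherwise the fallback), then the result is looked up as a "section.key"
path in the module configuration; a miss is what the debug reports as
"No such entry" and the module returns noop. Config tree and attributes
are constructed to mirror the post.
"""
import re
from typing import Dict, Optional, Tuple

AttrLists = Dict[str, Dict[str, str]]   # list name ("request", "proxy-reply", ...) -> attributes

# Constructed mirror of the f_ticks linelog instance from the post.
F_TICKS_CONFIG = {
    "filename": "${logdir}/f-ticks",
    "format": "%{outer.User-Name}#%{User-Name}#%{Packet-Src-IP-Address}#",
    "reference": "f_ticks.%{%{proxy-reply:Packet-Type}:-format}",
    "f_ticks": {
        "Access-Accept": "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=EU#"
                         "VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=OK#",
        "Access-Reject": "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=EU#"
                         "VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=FAIL#",
    },
}

INNERMOST = re.compile(r"%\{([^{}]*)\}")   # a %{...} with no nested braces inside


def lookup_attr(ref: str, lists: AttrLists) -> str:
    """'proxy-reply:Packet-Type' reads that list; a bare 'Realm' reads the request list.
    A missing list or attribute expands to the empty string, as in the debug output."""
    list_name, _, attr = ref.rpartition(":")
    return lists.get(list_name or "request", {}).get(attr, "")


def expand(template: str, lists: AttrLists) -> str:
    """Expand %{...} innermost-first; '%{X:-Y}' yields X if X is non-empty, else Y.
    (Only the nested form %{%{attr}:-literal} from the post is modelled.)"""
    while True:
        m = INNERMOST.search(template)
        if m is None:
            return template
        body = m.group(1)
        if ":-" in body:
            first, fallback = body.split(":-", 1)
            value = first if first else fallback
        else:
            value = lookup_attr(body, lists)
        template = template[:m.start()] + value + template[m.end():]


def resolve_reference(config: dict, lists: AttrLists) -> Tuple[str, Optional[str]]:
    """Expand the reference and walk the config tree; None means 'no such entry'."""
    path = expand(config["reference"], lists)
    node = config
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return path, None
        node = node[part]
    return path, node if isinstance(node, str) else None


def linelog(config: dict, lists: AttrLists) -> Optional[str]:
    """Return the line that would be written, or None when the module returns noop."""
    _, template = resolve_reference(config, lists)
    return None if template is None else expand(template, lists)


# Constructed attributes for one authentication as seen at the IdP.
REQUEST = {"User-Name": "alice@example.org", "Realm": "example.org",
           "Operator-Name": "1example.org", "Calling-Station-Id": "00-11-22-33-44-55"}
NOT_PROXIED: AttrLists = {"request": REQUEST}   # no proxy-reply list exists at all
PROXIED_REJECT: AttrLists = {"request": REQUEST,
                             "proxy-reply": {"Packet-Type": "Access-Reject"}}

if __name__ == "__main__":
    for label, lists in (("not proxied", NOT_PROXIED), ("proxied, rejected", PROXIED_REJECT)):
        path, found = resolve_reference(F_TICKS_CONFIG, lists)
        print(f"{label}: reference -> {path}: {'found' if found else 'no such entry (noop)'}")
        print("  line:", linelog(F_TICKS_CONFIG, lists))
```

With no proxy-reply list the fallback makes the path f_ticks.format, and "format" is a key of the module, not of the f_ticks subsection, so nothing is written.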


Re: EAP-SIM Module Failed to Load

2013-08-26 Thread Iliya Peregoudov

On 25.08.2013 15:03, ken.farrington wrote:

Module: Linked to sub-module rlm_eap_sim
Module: Instantiating eap-sim


rlm_eap_sim is compiled in.


/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No
such file or directory


rlm_sim_files is not compiled in.

In fact you do not need rlm_eap_files. All can be done using rlm_files 
module.



Re: EAP-SIM Module Failed to Load

2013-08-26 Thread Phil Mayers

On 08/26/2013 12:11 PM, Iliya Peregoudov wrote:

On 25.08.2013 15:03, ken.farrington wrote:

Module: Linked to sub-module rlm_eap_sim
Module: Instantiating eap-sim


rlm_eap_sim is compiled in.


/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No
such file or directory


rlm_sim_files is not compiled in.


Oops yes sorry. rlm_sim_files, not rlm_eap_sim



In fact you do not need rlm_eap_files. All can be done using rlm_files
module.


I'll defer to you on that ;o)


Re: EAP-SIM Module Failed to Load

2013-08-25 Thread ken.farrington
 
 
Hello all,

I hope this email finds you all well and is my first post.

I think I have a small problem with my backtrack distro and I am trying to
load eap-sim onto my free radius server 2.1.11.  I have followed the guide to
add the relevant parts of the config and when I put the config into the
default files as per

http://freeradius.1045715.n5.nabble.com/EAP-SIM-configuration-on-v2-1-12-td5714134.html

but I get the same message.  I think it is a library or link issue.  I am not
the best linux person in the world so sorry if this seems like a dumb question

Module: Linked to sub-module rlm_eap_sim
Module: Instantiating eap-sim
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module preprocess from file /usr/local/etc/raddb/modules/preprocess
  preprocess {
    huntgroups = /usr/local/etc/raddb/huntgroups
    hints = /usr/local/etc/raddb/hints
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
  }
Module: Linked to module rlm_realm
Module: Instantiating module suffix from file /usr/local/etc/raddb/modules/realm
  realm suffix {
    format = suffix
    delimiter = @
    ignore_default = no
    ignore_null = no
  }
/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No such
file or directory
/usr/local/etc/raddb/sites-enabled/default[138]: Failed to load module sim_files.
/usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
root@bt:/usr/local/etc/raddb# more simtriplets.dat

If anyone could help, that would be fantastic

many thx

ken
 


Re: EAP-SIM Module Failed to Load

2013-08-25 Thread Phil Mayers

On 25/08/2013 12:03, ken.farrington wrote:


/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No
such file or directory


Your version of FreeRADIUS wasn't compiled with rlm_eap_sim enabled, or 
it wasn't installed. I can't remember if you need to build with 
--experimental-modules or whatever the ./configure option is called.


Also, upgrade to 2.2.0


Re: EAP-SIM Module Failed to Load

2013-08-25 Thread Ken Farrington
Thanks so much I will try that.  Much regards ken.farring...@802.co.uk


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: EAP and non-EAP on same port?

2013-07-03 Thread Alan DeKok
Bruce Bauman wrote:
 Right now we have freeradius configured so that EAP and non-EAP are
 handled by separate virtual servers which are listening on separate
 virtual ports. 

  Why?

 We'd like to simplify our configuration and use the same port for both.
 I've looked through the documentation without much success.

  There's no magic here.  There's no documentation on "how do I do
EAP?".  Because none is needed.  EAP is just another module you list (or
not) in a virtual server.

  So... list eap in the virtual server, as is done in the example
files raddb/sites-available/default, and also
raddb/sites-available/inner-tunnel.

 Does anyone have an example configuration of this?

  The default configuration does EAP and non-EAP on the same port.

  Alan DeKok.


Re: EAP and non-EAP on same port?

2013-07-03 Thread Phil Mayers

On 03/07/13 15:29, Bruce Bauman wrote:

Right now we have freeradius configured so that EAP and non-EAP are
handled by separate virtual servers which are listening on separate
virtual ports.
We'd like to simplify our configuration and use the same port for both.
I've looked through the documentation without much success.

Does anyone have an example configuration of this?


The default config handles both eap and non-EAP just fine. You just list 
the eap and other auth modules (mschap, pap, chap) in authorize 
and authenticate, and pull the password info from LDAP/SQL/files as per 
usual.


However, it's likely you mean something more than the simple config 
you've specified. Can you be more specific about what is unclear to you?


If you want to do some logic conditional on whether the request is EAP 
or not, you can do this:


authorize {
  ...
  if (EAP-Message) {
    # we're an EAP request
    sql
    eap
    blahblah
  }
  else {
    # we're non-eap
    files
    ldap
    mschap
    chap
    pap
  }
  ...
}

And of course, the inner EAP auth can be sent to a virtual server - see 
the sample eap.conf that comes with the server.



Re: EAP and non-EAP on same port?

2013-07-03 Thread A . L . M . Buxey
Hi,

We'd like to simplify our configuration and use the same port for both.

the default configuration does that

alan


Re: eap sim authentication for multiple clients

2013-07-01 Thread Iliya Peregoudov

There is a clear distinction between the two cases.

First case: user record is found in users file:


rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, 
length=215

[skipped]

+- entering group authorize {...}

[skipped]

[files] users: Matched entry 
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1

[skipped]

+- entering group authenticate {...}

[skipped]

Sending Access-Challenge of id 1 to 192.168.2.1 port 2048


Second case: user record is not found in users file:


rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2, 
length=215

[skipped]

+- entering group authorize {...}

[skipped]

++[files] returns noop

[skipped]

+- entering group authenticate {...}

[skipped]

Failed to authenticate the user.

[skipped]

+- entering group REJECT {...}

[skipped]

Sending Access-Reject of id 2 to 192.168.2.1 port 2048


It seems your users file is broken in some way. You need to fix it.
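The two cases above differ in exactly two places in the debug output: whether rlm_files reports a matched users entry, and what the server finally sends back. The script below is an added example, not part of this thread and not FreeRADIUS code: it splits a radiusd -X transcript into per-request traces and applies that distinction. The sample log is constructed from the lines quoted above (the full identity is the one from the users file posted elsewhere in this thread); it is not a real capture.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: an abridged radiusd -X transcript modelled on the two
# cases quoted above (same client, packet ids and identity as in the post).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=215
+- entering group authorize {...}
[files] users: Matched entry 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org at line 1
++[files] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
Sending Access-Challenge of id 1 to 192.168.2.1 port 2048
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2, length=215
+- entering group authorize {...}
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
Failed to authenticate the user.
+- entering group REJECT {...}
Sending Access-Reject of id 2 to 192.168.2.1 port 2048
"""

RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
MATCH_RE = re.compile(r"^\[files\] users: Matched entry (\S+) at line (\d+)")
SEND_RE = re.compile(r"^Sending (Access-(?:Challenge|Accept|Reject)) of id (\d+)")


@dataclass
class RequestTrace:
    """What the server did with one Access-Request."""
    packet_id: int
    client: str
    files_entry: Optional[str] = None   # users entry rlm_files matched, if any
    files_line: Optional[int] = None
    files_noop: bool = False            # "++[files] returns noop" was logged
    auth_failed: bool = False
    reply: Optional[str] = None         # Access-Challenge / Accept / Reject


def triage(log: str) -> List[RequestTrace]:
    """Split a debug log into per-request traces, in arrival order."""
    traces: List[RequestTrace] = []
    cur: Optional[RequestTrace] = None
    for line in log.splitlines():
        m = RECV_RE.match(line)
        if m:
            cur = RequestTrace(packet_id=int(m.group(2)), client=m.group(1))
            traces.append(cur)
            continue
        if cur is None:
            continue
        m = MATCH_RE.match(line)
        if m:
            cur.files_entry, cur.files_line = m.group(1), int(m.group(2))
        elif line.startswith("++[files] returns noop"):
            cur.files_noop = True
        elif line.startswith("Failed to authenticate the user."):
            cur.auth_failed = True
        else:
            m = SEND_RE.match(line)
            if m and int(m.group(2)) == cur.packet_id:
                cur.reply = m.group(1)
    return traces


def diagnose(trace: RequestTrace) -> str:
    """One-line verdict per request, following the distinction drawn in the post."""
    if trace.reply == "Access-Reject" and trace.files_noop:
        return "no users entry matched: fix the users file for this identity"
    if trace.reply == "Access-Reject":
        return "users entry matched but authentication still failed"
    if trace.files_entry:
        return f"matched {trace.files_entry} (users line {trace.files_line}); reply {trace.reply}"
    return f"reply {trace.reply}"


if __name__ == "__main__":
    for t in triage(SAMPLE_LOG):
        print(f"id={t.packet_id} from {t.client}: {diagnose(t)}")
```

Feed it the full radiusd -X output; the only lines it keys on are the rad_recv header, the rlm_files result and the final Sending line, so unrelated module chatter is ignored.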


Re: eap sim authorization problem

2013-06-26 Thread raptor raptor
Hi, thanks for your reply.
I also tried using the patch in

http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/13b2c044/attachment.ksh

but unfortunately,

when I have already connected with one device successfully and try another
device, the result for the other device is

rejected by server

Any idea?

Thanks for your time and your answer.

Best regards




On Fri, Jun 21, 2013 at 6:31 PM, Iliya Peregoudov iperegu...@cboss.ruwrote:

 On 20.06.2013 17:56, raptor raptor wrote:

 my users format

 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
 EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
 EAP-Sim-SRES1 = 0x DD287535,
 EAP-Sim-KC1 = 0x 7F743521EBabb000,
 EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
 EAP-Sim-SRES2 = 0x BFf89ad2,
 EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
 EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
 EAP-Sim-SRES3 = 0x 17172cc6,
 EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,


 Syntax error here. There should be no comma at the end of the stanza. Because
 of the comma, the next non-blank line is also considered to be part of this
 stanza, so the next stanza (1510080325656501) will not be parsed correctly.


  rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2,
 length=215
 User-Name = 1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org
 NAS-IP-Address = 192.168.2.1
 Called-Station-Id = 48f8b315461a
 Calling-Station-Id = 001adc019b98
 NAS-Identifier = 48f8b315461a
 NAS-Port = 2
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 EAP-Message = 0x0238013135313030383033323536353635303140776c616e2e6d6e633030382e6d63633531302e336770706e6574776f726b2e6f7267
 Message-Authenticator = 0x1e6d83334fd94f359c5fda46d916ce7e


 [skipped]

  ++[files] returns noop


 rlm_files was unable to find the stanza for 1510080325656501 due to the
 syntax error mentioned above.


  [eap] processing type sim
 can not initiate sim, no RAND1 attribute


 The EAP-Sim-Rand1 attribute is not found in the reply list. I don't know why;
 rlm_sim_files earlier said that it successfully found auth vectors.
 Definitely rlm_sim_files is not working as expected.

 Try to fix the syntax error in the users file.



Re: eap sim authorization problem

2013-06-26 Thread raptor raptor
Hi Iliya,
thanks for your answer.

I tried to fix the syntax error in the users file
and I also tried using the patch in

http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/13b2c044/attachment.ksh


but unfortunately,
the result is the same: my first device can connect to the internet and the second
device can't connect if my first device is already connected.

Thanks for your time and your answer.

Best regards


On Fri, Jun 21, 2013 at 6:31 PM, Iliya Peregoudov iperegu...@cboss.ruwrote:

 On 20.06.2013 17:56, raptor raptor wrote:

 my users format

 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
 EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
 EAP-Sim-SRES1 = 0x DD287535,
 EAP-Sim-KC1 = 0x 7F743521EBabb000,
 EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
 EAP-Sim-SRES2 = 0x BFf89ad2,
 EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
 EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
 EAP-Sim-SRES3 = 0x 17172cc6,
 EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,


 Syntax error here. There should be no comma at the end of the stanza. Because
 of the comma, the next non-blank line is also considered to be part of this
 stanza, so the next stanza (1510080325656501) will not be parsed correctly.


  rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2,
 length=215
 User-Name = 1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org
 NAS-IP-Address = 192.168.2.1
 Called-Station-Id = 48f8b315461a
 Calling-Station-Id = 001adc019b98
 NAS-Identifier = 48f8b315461a
 NAS-Port = 2
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 EAP-Message = 0x0238013135313030383033323536353635303140776c616e2e6d6e633030382e6d63633531302e336770706e6574776f726b2e6f7267
 Message-Authenticator = 0x1e6d83334fd94f359c5fda46d916ce7e


 [skipped]

  ++[files] returns noop


 rlm_files was unable to find the stanza for 1510080325656501 due to the
 syntax error mentioned above.


  [eap] processing type sim
 can not initiate sim, no RAND1 attribute


 The EAP-Sim-Rand1 attribute is not found in the reply list. I don't know why;
 rlm_sim_files earlier said that it successfully found auth vectors.
 Definitely rlm_sim_files is not working as expected.

 Try to fix the syntax error in the users file.



Re: eap sim authorization problem

2013-06-21 Thread Iliya Peregoudov

On 20.06.2013 17:56, raptor raptor wrote:

my users format

1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
EAP-Sim-SRES1 = 0x DD287535,
EAP-Sim-KC1 = 0x 7F743521EBabb000,
EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
EAP-Sim-SRES2 = 0x BFf89ad2,
EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
EAP-Sim-SRES3 = 0x 17172cc6,
EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,


Syntax error here. There should be no comma at the end of the stanza. Because 
of the comma, the next non-blank line is also considered to be part of this 
stanza, so the next stanza (1510080325656501) will not be parsed correctly.



rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2, 
length=215
User-Name = 1510080325656...@wlan.mnc008.mcc510.3gppnetwork.org
NAS-IP-Address = 192.168.2.1
Called-Station-Id = 48f8b315461a
Calling-Station-Id = 001adc019b98
NAS-Identifier = 48f8b315461a
NAS-Port = 2
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 
0x0238013135313030383033323536353635303140776c616e2e6d6e633030382e6d63633531302e336770706e6574776f726b2e6f7267
Message-Authenticator = 0x1e6d83334fd94f359c5fda46d916ce7e


[skipped]


++[files] returns noop


rlm_files was unable to find the stanza for 1510080325656501 due to the 
syntax error mentioned above.



[eap] processing type sim
can not initiate sim, no RAND1 attribute


The EAP-Sim-Rand1 attribute is not found in the reply list. I don't know why; 
rlm_sim_files earlier said that it successfully found auth vectors. 
Definitely rlm_sim_files is not working as expected.


Try to fix the syntax error in the users file.
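The continuation rule Iliya describes is easiest to see by parsing the file. The script below is an added example and is not FreeRADIUS's own rlm_files parser: it models only the rule from the post (indented lines continue a stanza, and a line ending in a comma forces the next non-blank line to be read as a reply item as well) and does not handle quoted values containing commas. The two sample files are constructed from the vectors raptor posted, with the hex values written without the space after 0x; BROKEN_USERS carries the stray comma after EAP-Sim-KC3, FIXED_USERS does not.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

Pair = Tuple[str, str, str]          # (attribute, operator, value)
PAIR_RE = re.compile(r"^([A-Za-z0-9\-]+)\s*(:=|==|!=|\+=|=)\s*(\S.*?)\s*$")


class UsersFileError(ValueError):
    pass


@dataclass
class Stanza:
    name: str
    check: List[Pair] = field(default_factory=list)
    reply: List[Pair] = field(default_factory=list)


def _split_pairs(text: str, lineno: int) -> Tuple[List[Pair], bool]:
    """Split 'A = 1, B := 2,' into pairs and report whether a comma trailed."""
    text = text.strip()
    trailing = text.endswith(",")
    if trailing:
        text = text[:-1]
    pairs: List[Pair] = []
    for chunk in text.split(","):           # values in this format carry no commas
        chunk = chunk.strip()
        if not chunk:
            continue
        m = PAIR_RE.match(chunk)
        if not m:
            raise UsersFileError(f"line {lineno}: cannot parse attribute pair {chunk!r}")
        pairs.append((m.group(1), m.group(2), m.group(3)))
    return pairs, trailing


def parse_users(text: str) -> List[Stanza]:
    """Parse stanzas.  Modelled rule: reply items follow the check line while
    lines are indented, and a trailing comma forces the NEXT non-blank line to
    be read as a reply item too (which is how a stray comma eats a stanza)."""
    stanzas: List[Stanza] = []
    cur = None
    expect_more = False                     # previous line ended with a comma
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indented = line[0] in " \t"
        if cur is not None and (expect_more or indented):
            pairs, expect_more = _split_pairs(line, lineno)
            cur.reply.extend(pairs)
            continue
        if indented:
            raise UsersFileError(f"line {lineno}: reply item before any stanza")
        parts = line.split(None, 1)         # "name  check-item, check-item"
        cur = Stanza(parts[0])
        cur.check, expect_more = _split_pairs(parts[1], lineno) if len(parts) > 1 else ([], False)
        stanzas.append(cur)
    return stanzas


def check_users(text: str) -> str:
    """Summarise what a users file yields, without raising."""
    try:
        stanzas = parse_users(text)
    except UsersFileError as exc:
        return f"error: {exc}"
    return "ok: " + ", ".join(f"{s.name} ({len(s.reply)} reply items)" for s in stanzas)


# Constructed samples (values from the thread, "0x " written as "0x").
FIRST = """\
1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
\tEAP-Sim-Rand1 = 0x326258E6F77C40f3866DB25DEA60AE4D,
\tEAP-Sim-SRES1 = 0xDD287535,
\tEAP-Sim-KC1 = 0x7F743521EBabb000,
\tEAP-Sim-Rand2 = 0xFD9989BD90AD4a03962E6C08C000C14B,
\tEAP-Sim-SRES2 = 0xBFf89ad2,
\tEAP-Sim-KC2 = 0x1C7098005Fea8c00,
\tEAP-Sim-Rand3 = 0x26CC8DB02C9848c7BBCC2790E3F0913B,
\tEAP-Sim-SRES3 = 0x17172cc6,
\tEAP-Sim-KC3 = 0xBF34bf34D4ca4c00"""
SECOND = """\
1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org EAP-Type := SIM
\tEAP-Sim-Rand1 = 0x5A8F4C0677DE4930B47825B55534CC79,
\tEAP-Sim-SRES1 = 0x94d66001,
\tEAP-Sim-KC1 = 0xAC85d79439b564c0,
\tEAP-Sim-Rand2 = 0x8E29A03F8E13466fBF84D12F6A9D4734,
\tEAP-Sim-SRES2 = 0xE284e39e,
\tEAP-Sim-KC2 = 0x13a524d040094ef4,
\tEAP-Sim-Rand3 = 0xBC5D3CEB1EAC4164AA463E289222C450,
\tEAP-Sim-SRES3 = 0xAE8bdfc6,
\tEAP-Sim-KC3 = 0xB0354bf3402e42ed
"""
BROKEN_USERS = FIRST + ",\n\n" + SECOND     # stray comma after EAP-Sim-KC3 (line 10)
FIXED_USERS = FIRST + "\n\n" + SECOND

if __name__ == "__main__":
    print(check_users(BROKEN_USERS))   # error at line 12: the second identity is read as a reply item
    print(check_users(FIXED_USERS))    # ok: two stanzas, nine reply items each
```

With the stray comma the second identity line is consumed as a continuation of the first stanza and never becomes an entry of its own, which is the noop from rlm_files that the thread is chasing.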


Re: eap sim authorization problem

2013-06-20 Thread Iliya Peregoudov

On 20.06.2013 8:38, raptor raptor wrote:

I just tried one client and it succeeded, but when I use another client it fails.


Post the debug log if you want to diagnose the authentication failure.


Is it correct if I add the other client in users and simtriplets.dat?


Yes, you should add auth vectors for all your SIM cards into the users file, 
one stanza for every SIM card.


If you still get the "insufficient number of challenges" message then your 
simtriplets.dat is not relevant. Just forget about it. The auth vectors from 
the users file are sufficient.


FreeRADIUS is very flexible. There is no single way of configuring it 
correctly, but there are an indefinite number of ways to misconfigure 
it. If you prefer not to diagnose authentication failures but to insert 
random stuff into randomly selected configuration files, it's unlikely 
you will accidentally configure it correctly.



Re: eap sim authorization problem

2013-06-20 Thread raptor raptor
Hi Iliya,
thanks for your quick response.

Here is my debug log:

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=0,
length=215

User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org


NAS-IP-Address = 192.168.2.1

Called-Station-Id = 48f8b315461a

Calling-Station-Id = 1814563e5189

NAS-Identifier = 48f8b315461a

NAS-Port = 38

Framed-MTU = 1400

NAS-Port-Type = Wireless-802.11

EAP-Message =
0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267

Message-Authenticator = 0x1e692ae9b93631a0f54bda0997d713f2

# Executing section authorize from file
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] Looking up realm wlan.mnc001.mcc510.3gppnetwork.org for
User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org

[suffix] No such realm wlan.mnc001.mcc510.3gppnetwork.org

++[suffix] returns noop

rlm_sim_files: authorized user/imsi
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org

rlm_sim_files: Adding EAP-Type: eap-sim

++[sim_files] returns ok

[eap] EAP packet type response id 0 length 56

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

[files] users: Matched entry
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1

++[files] returns ok

++[sql] returns notfound

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] EAP Identity

[eap] processing type sim

[eap] Underlying EAP-Type set EAP ID to 116

++[eap] returns handled

Sending Access-Challenge of id 0 to 192.168.2.1 port 2048

EAP-Message = 0x01740014120a0f020002000111010100

Message-Authenticator = 0x

State = 0x2e42338f2e362191820b0799859172e9

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=0,
length=265

Cleaning up request 0 ID 0 with timestamp +10

User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org


NAS-IP-Address = 192.168.2.1

Called-Station-Id = 48f8b315461a

Calling-Station-Id = 1814563e5189

NAS-Identifier = 48f8b315461a

NAS-Port = 38

Framed-MTU = 1400

State = 0x2e42338f2e362191820b0799859172e9

NAS-Port-Type = Wireless-802.11

EAP-Message =
0x02740058120a0705c857b63e06e1bb7341a729ea36de8804100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700

Message-Authenticator = 0x4228372d93c4496516a4c62a6b0d1f84

# Executing section authorize from file
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] Looking up realm wlan.mnc001.mcc510.3gppnetwork.org for
User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org

[suffix] No such realm wlan.mnc001.mcc510.3gppnetwork.org

++[suffix] returns noop

rlm_sim_files: authorized user/imsi
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org

rlm_sim_files: Adding EAP-Type: eap-sim

++[sim_files] returns ok

[eap] EAP packet type response id 116 length 88

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

[files] users: Matched entry
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1

++[files] returns ok

 [sql] User 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org not found

++[sql] returns notfound

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/sim

[eap] processing type sim

+++ EAP-sim decoded packet:

User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org


NAS-IP-Address = 192.168.2.1

Called-Station-Id = 48f8b315461a

Calling-Station-Id = 1814563e5189

NAS-Identifier = 48f8b315461a

NAS-Port = 38

Framed-MTU = 1400

State = 0x2e42338f2e362191820b0799859172e9

NAS-Port-Type = Wireless-802.11

EAP-Message =

Re: eap sim authorization problem

2013-06-20 Thread Iliya Peregoudov

On 20.06.2013 13:38, raptor raptor wrote:

Sending Access-Accept of id 0 to 192.168.2.1 port 2048
MS-MPPE-Recv-Key = 
0x9d0b6b0a9151822473399a9fed44e8f0d74df083532a7d437e436f60866252d8
MS-MPPE-Send-Key = 
0xebf07da25ca3cd97267d1fc6a1ce18d68ad2737902f610284bdb45c6eed0cb7f
EAP-Message = 0x03760004
Message-Authenticator = 0x
User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
Finished request 2.


I cannot see an authentication failure in this debug log.


Re: eap sim authorization problem

2013-06-20 Thread raptor raptor
Hi Iliya,
I'm sorry, my posting above is about one client.

First, I connect with one client and it succeeds
(until "Finished request 2" in the debug log).

Then, in the next request, I try to authenticate with a different
supplicant/client, and I have entered its identity (IMSI, RAND, SRES, KC) into
simtriplets.dat and users as well.

my simtriplets.dat format
1510019760806391,326258E6F77C40f3866DB25DEA60AE4D,DD287535,7F743521EBabb000
1510019760806391,FD9989BD90AD4a03962E6C08C000C14B,BFf89ad2,1C7098005Fea8c00
1510019760806391,26CC8DB02C9848c7BBCC2790E3F0913B,17172cc6,BF34bf34D4ca4c00

1510080325656501,5A8F4C0677DE4930B47825B55534CC79,94d66001,AC85d79439b564c0
1510080325656501,8E29A03F8E13466fBF84D12F6A9D4734,E284e39e,13a524d040094ef4
1510080325656501,BC5D3CEB1EAC4164AA463E289222C450,AE8bdfc6,B0354bf3402e42ed

my users format

1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
EAP-Sim-SRES1 = 0x DD287535,
EAP-Sim-KC1 = 0x 7F743521EBabb000,
EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
EAP-Sim-SRES2 = 0x BFf89ad2,
EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
EAP-Sim-SRES3 = 0x 17172cc6,
EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,

1510080325656...@wlan.mnc008.mcc510.3gppnetwork.org EAP-Type := SIM
EAP-Sim-Rand1 = 0x 5A8F4C0677DE4930B47825B55534CC79,
EAP-Sim-SRES1 = 0x 94d66001,
EAP-Sim-KC1 = 0x AC85d79439b564c0,
EAP-Sim-Rand2 = 0x 8E29A03F8E13466fBF84D12F6A9D4734,
EAP-Sim-SRES2 = 0x E284e39e,
EAP-Sim-KC2 = 0x 13a524d040094ef4,
EAP-Sim-Rand3 = 0x BC5D3CEB1EAC4164AA463E289222C450,
EAP-Sim-SRES3 = 0x AE8bdfc6,
EAP-Sim-KC3 = 0x B0354bf3402e42ed


here is my debug log:

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1,
length=215

User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org


NAS-IP-Address = 192.168.2.1

Called-Station-Id = 48f8b315461a

Calling-Station-Id = 1814563e5189

NAS-Identifier = 48f8b315461a

NAS-Port = 38

Framed-MTU = 1400

NAS-Port-Type = Wireless-802.11

EAP-Message =
0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267

Message-Authenticator = 0x509abafbd92ee8417dcb22095d89059d

# Executing section authorize from file
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] Looking up realm wlan.mnc001.mcc510.3gppnetwork.org for
User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org

[suffix] No such realm wlan.mnc001.mcc510.3gppnetwork.org

++[suffix] returns noop

rlm_sim_files: authorized user/imsi
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org

rlm_sim_files: Adding EAP-Type: eap-sim

++[sim_files] returns ok

[eap] EAP packet type response id 0 length 56

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

[files] users: Matched entry
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] EAP Identity

[eap] processing type sim

[eap] Underlying EAP-Type set EAP ID to 161

++[eap] returns handled

Sending Access-Challenge of id 1 to 192.168.2.1 port 2048

EAP-Message = 0x01a10014120a0f020002000111010100

Message-Authenticator = 0x

State = 0x86406e6686e17cf5f398cb77ce20781c

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1,
length=265

Cleaning up request 0 ID 1 with timestamp +25

User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org


NAS-IP-Address = 192.168.2.1

Called-Station-Id = 48f8b315461a

Calling-Station-Id = 1814563e5189

NAS-Identifier = 48f8b315461a

NAS-Port = 38

Framed-MTU = 1400

State = 0x86406e6686e17cf5f398cb77ce20781c

NAS-Port-Type = Wireless-802.11

EAP-Message =
0x02a10058120a07055004b19c6e3aacce33e95d1f3c10c481100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700

Message-Authenticator = 0xc9bbe2c285ff35377724d62bb118966b

# Executing section authorize from file
/etc/freeradius/sites-enabled/default

+- 

Re: eap sim authorization problem

2013-06-19 Thread raptor raptor
Hi Iliya,
thanks for your advice,
it works.


On Thu, Jun 13, 2013 at 2:47 PM, Iliya Peregoudov iperegu...@cboss.ruwrote:

 On 11.06.2013 12:27, raptor raptor wrote:

 1.
 When I change the users entry, I get a notification that the Access-Accept
 was successful,
 but unfortunately, when I restart the system it can't Access-Accept and I
 must change the attribute in users from the agsm program.
 Here is the log:


 I do not understand clearly whether you think you succeeded or not.


  2.
 I've changed the users entry as you suggested and I still get the same
 notification:
 rlm_sim_files : isufficient number of challenges of challenges for imsi


 Changing users file will not fix simtriplets.dat.

 I do not understand why you still bother about rlm_sim_files. You've
 already configured auth vectors using the users file and it works well. Just
 comment out the sim_files module invocation and the "isufficient number of
 challenges" message will go away.



Re: eap sim authorization problem

2013-06-19 Thread raptor raptor
Hi,

I have tried with one client and it succeeds in authenticating and accessing
the internet in the WLAN.
Could we use multiple clients in this test?

I just tried one client and it succeeded, but when I use another client it fails.
Is it correct if I add the other client in users and simtriplets.dat?

ex:
simtriplets.dat
151001xx,Rand1,SRES1,kC1
151001xx,Rand2,SRES2,kC2
151001xx,Rand3,SRES3,kC3

151002xx,Rand1,SRES1,kC1
151002xx,Rand2,SRES2,kC2
151002xx,Rand3,SRES3,kC3

and also in users
151001xxx...@wlan.mnc  EAP-Type :=SIM
EAP-Sim-Rand1 = 0x...
.
.
.
.

151002xxx...@wlan.mnc  EAP-Type :=SIM
EAP-Sim-Rand1 = 0x...
.
.
.
.

Thanks for your time and your advice.
Best regards


On Thu, Jun 20, 2013 at 11:24 AM, raptor raptor raptors...@gmail.comwrote:

 Hi Iliya,
 thanks for your advice,
 it works.


 On Thu, Jun 13, 2013 at 2:47 PM, Iliya Peregoudov iperegu...@cboss.ruwrote:

 On 11.06.2013 12:27, raptor raptor wrote:

 1.
 When I change the users entry, I get a notification that the Access-Accept
 was successful,
 but unfortunately, when I restart the system it can't Access-Accept and I
 must change the attribute in users from the agsm program.
 Here is the log:


 I do not understand clearly whether you think you succeeded or not.


  2.
 I've changed the users entry as you suggested and I still get the same
 notification:
 rlm_sim_files : isufficient number of challenges of challenges for imsi


 Changing users file will not fix simtriplets.dat.

 I do not understand why you still bother about rlm_sim_files. You've
 already configured auth vectors using the users file and it works well. Just
 comment out the sim_files module invocation and the "isufficient number of
 challenges" message will go away.





Re: EAP-SIM

2013-06-19 Thread raptor raptor
You missed installing rlm_sim_files.

1. go to /src/modules/rlm_sim_files  and  sudo make
2. copy rlm_sim_files to the library directory
cp ./.libs/rlm_sim_files-2.2.0.so /usr/lib/freeradius
3. create a link to /usr/lib/freeradius/rlm_sim_files-2.2.0.so
sudo ln -s /usr/lib/freeradius/rlm_sim_files-2.2.0.so /usr/lib/freeradius/rlm_sim_files.so

That's it,
may this help with your problem.


On Thu, Jun 20, 2013 at 11:30 AM, romy rooman roomanro...@gmail.com wrote:

 Hi all,
 I have read many posts about EAP-SIM.
 I have created simtriplets.dat and I want to use EAP-SIM for tests,
 and I get a notification that
 rlm_sim_files not found

 What should I do?



Re: eap sim authorization problem

2013-06-13 Thread Iliya Peregoudov

On 11.06.2013 22:21, Rodney Machado wrote:

After reading the documentation again, I got to this point:

[skipped]

I'm going to fix the users file and give it a try again.


rlm_eap_sim expects EAP-Sim-RAND1 (and friends) in the reply list, not in 
the control list.


So the correct users entry for EAP-SIM is:

1IMSI EAP-Type:=SIM
EAP-Sim-RAND1:=0x...,
...
EAP-Sim-KC3:=0x...

The EAP-Type control attribute is used to set the initial EAP method. Initial 
EAP method selection is performed by rlm_eap when the Access-Request carrying 
EAP-Response/Identity is handled. If there is no EAP-Type in the control list, 
the default method is selected. The default outer EAP method is set in the eap 
module configuration (eap { default_eap_type = ... }). The default inner EAP 
method is set in the EAP-PEAP and EAP-TTLS method configuration (eap { peap 
{ default_eap_type = ... } }).



Re: eap sim authorization problem

2013-06-13 Thread Iliya Peregoudov

On 11.06.2013 12:27, raptor raptor wrote:

1.
When I change the users entry, I get a notification that the Access-Accept
was successful,
but unfortunately, when I restart the system it can't Access-Accept and I
must change the attribute in users from the agsm program.
Here is the log:


I do not understand clearly whether you think you succeeded or not.


2.
I've changed the users entry as you suggested and I still get the same
notification:
rlm_sim_files : isufficient number of challenges of challenges for imsi


Changing the users file will not fix simtriplets.dat.

I do not understand why you still bother about rlm_sim_files. You've 
already configured auth vectors using the users file and it works well. Just 
comment out the sim_files module invocation and the "isufficient number of 
challenges" message will go away.



Re: eap sim authorization problem

2013-06-11 Thread Iliya Peregoudov

On 11.06.2013 7:00, raptor raptor wrote:

I'm sorry, I don't understand about the LF UNIX line ending. Could you show me
what I should do with the simtriplets.dat format?
Is there any mistake?


Run

dos2unix simtriplets.dat

in UNIX shell. This will ensure simtriplets.dat has UNIX line endings.


I got that format from /src/tests/eapsim-03/users-example.txt.
What should I fill in for the Rand1 attribute?


I assume that your simtriplets.dat contains correct auth vectors (e.g. 
generated by SIM card and extracted using agsm program):


1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000
1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000

The equivalent users entry should look like:

1510019760806391 EAP-Type:=SIM
EAP-Sim-Rand1:=0xAAC0FAFDC47D4524AC9E2A3D51BDBA39,
EAP-Sim-SRES1:=0x2A71bac3,
EAP-Sim-KC1:=0x7868589a75fdc000,
EAP-Sim-Rand2:=0xBF9A9F6EEB36422895D010927D76972C,
EAP-Sim-SRES2:=0xF49dd880,
EAP-Sim-KC2:=0x3Afbcf2fA9b0a000,
EAP-Sim-Rand3:=0xC63837CFECD348deB119C35CFECD4898,
EAP-Sim-SRES3:=0x49312999,
EAP-Sim-KC3:=0xFD488938B6f2a000
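The conversion Iliya shows by hand can be done mechanically, together with the checks that make the manual version fragile: CRLF line endings (the dos2unix point above), field sizes (RAND 16 bytes, SRES 4 bytes, Kc 8 bytes, so 32, 8 and 16 hex digits), fewer than three triplets for an identity, and the comma placement on the last reply item. The script below is an added example, not code from this thread or from FreeRADIUS; the sample input is Iliya's three lines, and the first column is written into the stanza name unchanged, exactly as in his entry.

```python
import re
from collections import OrderedDict
from typing import List, Tuple

# Sizes of a GSM authentication triplet, in hex digits.
FIELD_LEN = (("RAND", 32), ("SRES", 8), ("Kc", 16))
TRIPLETS_REQUIRED = 3          # a full EAP-SIM authentication uses three triplets
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

Triplet = Tuple[str, str, str]

# Constructed sample in simtriplets.dat layout, using the vectors from the post.
SAMPLE_TRIPLETS = """\
1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000
1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000
"""


class TripletError(ValueError):
    pass


def parse_simtriplets(text: str) -> "OrderedDict[str, List[Triplet]]":
    """Read identity,RAND,SRES,Kc lines.  CRLF is tolerated (dos2unix equivalent)."""
    vectors: "OrderedDict[str, List[Triplet]]" = OrderedDict()
    for lineno, raw in enumerate(text.replace("\r\n", "\n").split("\n"), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise TripletError(f"line {lineno}: expected identity,RAND,SRES,Kc but got {len(parts)} fields")
        identity, fields = parts[0], parts[1:]
        for (name, want), value in zip(FIELD_LEN, fields):
            if len(value) != want or not HEX_RE.fullmatch(value):
                raise TripletError(f"line {lineno}: {name} must be {want} hex digits, got {value!r}")
        vectors.setdefault(identity, []).append((fields[0], fields[1], fields[2]))
    return vectors


def users_stanza(identity: str, triplets: List[Triplet]) -> str:
    """Emit one users stanza with the vectors as reply items, no comma after the last."""
    if len(triplets) < TRIPLETS_REQUIRED:
        raise TripletError(f"{identity}: insufficient number of challenges "
                           f"({len(triplets)} triplets, need {TRIPLETS_REQUIRED})")
    reply: List[Tuple[str, str]] = []
    for n, (rand, sres, kc) in enumerate(triplets[:TRIPLETS_REQUIRED], start=1):
        reply += [(f"EAP-Sim-Rand{n}", rand), (f"EAP-Sim-SRES{n}", sres), (f"EAP-Sim-KC{n}", kc)]
    lines = [f"{identity} EAP-Type := SIM"]
    for i, (attr, value) in enumerate(reply):
        comma = "," if i < len(reply) - 1 else ""     # trailing comma would swallow the next stanza
        lines.append(f"\t{attr} := 0x{value}{comma}")
    return "\n".join(lines)


def simtriplets_to_users(text: str) -> str:
    """Convert a whole simtriplets.dat into users-file stanzas, one per identity."""
    return "\n\n".join(users_stanza(i, t) for i, t in parse_simtriplets(text).items())


if __name__ == "__main__":
    print(simtriplets_to_users(SAMPLE_TRIPLETS))
```

Only the first three triplets per identity are emitted, since that is what the Rand1..Rand3 attributes can carry; extra lines in the file are ignored rather than rejected.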


Re: eap sim authorization problem

2013-06-11 Thread Rodney Machado
Hi Iliya,

I've been trying EAP-SIM auth myself for a while, with nothing but odd results. 
I'm using FreeRADIUS Version 3.0.0 (git #25b6fdd), in which the support for 
the sim_files module has been dropped. I tried setting the vectors via the users 
file for my IMSI but it's not working. I was just about to start a fresh thread 
for this, but since it seems that raptor and I are struggling with the same 
situation I'm popping in here.

Equivalent users entry should look like:

1510019760806391 EAP-Type:=SIM
EAP-Sim-Rand1:=0xAAC0FAFDC47D4524AC9E2A3D51BDBA39,
EAP-Sim-SRES1:=0x2A71bac3,
EAP-Sim-KC1:=0x7868589a75fdc000,
EAP-Sim-Rand2:=0xBF9A9F6EEB36422895D010927D76972C,
EAP-Sim-SRES2:=0xF49dd880,
EAP-Sim-KC2:=0x3Afbcf2fA9b0a000,
EAP-Sim-Rand3:=0xC63837CFECD348deB119C35CFECD4898,
EAP-Sim-SRES3:=0x49312999,
EAP-Sim-KC3:=0xFD488938B6f2a000

The vectors are right, I extracted them directly from our VLR. Here is the 
portion of my users file:

fragment users_file
1714020096302050 Auth-Type :=EAP, EAP-Type :=SIM, EAP-Sim-Rand1 :=0x9FDDE3536228C010B2CD21081166DE48, EAP-Sim-SRES1 := 0xEF4ED51A, EAP-Sim-KC1 :=0x2F35C251A5CE3C00, EAP-Sim-Rand2 :=0xBA20E6E8BB359BD0843EBF34673D1541, EAP-Sim-SRES2 :=0xBDC5490D, EAP-Sim-KC2 :=0x8FE8D4E09E5BFC00, EAP-Sim-Rand3 :=0xB4C3D755C3C359E3EF6E928641CA59F1, EAP-Sim-SRES3 :=0x404A3DAA, EAP-Sim-KC3 :=0x83EF559E1B33A000
/fragment users_file

In my proxy.conf I added this entry for stripping the domain/realm from the 
username.

fragment proxy.conf_file
realm wlan.mnc002.mcc714.3gppnetwork.org {
}
/fragment proxy.conf_file

In the eap file I added this entry:

fragment eap_file
    sim {
    }
/fragment eap_file

From the logs I got this:

fragment logs_output

Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Looking up realm wlan.mnc002.mcc714.3gppnetwork.org for User-Name = 1714020096302...@wlan.mnc002.mcc714.3gppnetwork.org
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Found realm wlan.mnc002.mcc714.3gppnetwork.org
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Adding Stripped-User-Name = 1714020096302050
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Adding Realm = wlan.mnc002.mcc714.3gppnetwork.org
Tue Jun 11 09:09:01 2013 : Debug: (1) suffix : Authentication realm is LOCAL.
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   [suffix] = ok
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: calling eap (rlm_eap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : EAP packet type response id 1 length 6
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : No EAP Start, assuming it's an on-going EAP conversation
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: returned from eap (rlm_eap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   [eap] = updated
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: calling files (rlm_files) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) files : users: Matched entry 1714020096302050 at line 208
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: returned from files (rlm_files) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   [files] = ok
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: calling expiration (rlm_expiration) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: returned from expiration (rlm_expiration) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   [expiration] = noop
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: calling logintime (rlm_logintime) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: returned from logintime (rlm_logintime) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   [logintime] = noop
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: calling pap (rlm_pap) for request 1
Tue Jun 11 09:09:01 2013 : WARNING: (1) WARNING: pap : No known good password found for the user.  Not setting Auth-Type.
Tue Jun 11 09:09:01 2013 : WARNING: (1) WARNING: pap : Authentication will fail unless a known good password is available.
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authorize]: returned from pap (rlm_pap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1)   [pap] = noop
Tue Jun 11 09:09:01 2013 : Debug: (1) Found Auth-Type = EAP
Tue Jun 11 09:09:01 2013 : Debug: (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
Tue Jun 11 09:09:01 2013 : Debug: (1)   group authenticate {
Tue Jun 11 09:09:01 2013 : Debug: (1)  - entering group authenticate {...}
Tue Jun 11 09:09:01 2013 : Debug: (1)   modsingle[authenticate]: calling eap (rlm_eap) for request 1
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Expiring EAP session with state 0xf386ee4bf387ea0a
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Finished EAP session with state 0xf386ee4bf387ea0a
Tue Jun 11 09:09:01 2013 : Debug: (1) eap : Previous EAP request found for 

Re: eap sim authorization problem

2013-06-11 Thread Rodney Machado
After reading the documentation again, I got to this point:


What's with the commas in the raddb/users file?
Commas link lists of attributes together. The general format for a raddb/users
file entry is:

    name    Check-Item = Value, ..., Check-Item = Value
            Reply-Item = Value, ..., Reply-Item = Value

where the dots mean repetition of attributes.
* The first line contains check-items ONLY.
* Commas go BETWEEN check-items.
* The first line ends WITHOUT a comma.
* The next number of lines are reply-items ONLY.
* Commas go BETWEEN reply-items.
* The last line of the reply-item list ends WITHOUT a comma.
Check-items are used to match attributes in a request packet or to set server 
parameters. Reply-items are used to set attributes which are to go in the reply 
packet. So things like Simultaneous-Use go on the first line of a raddb/users 
file entry and Framed-IP-Address goes on any following line.

I'm going to fix the user file and give it a try again.
 
Regards,
--RM
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
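
The comma rules quoted above are easy to get wrong by hand. As an added example (not FreeRADIUS code, and not part of any post in this thread), the parser below applies those rules to a users entry and reports violations. The sample entry is constructed in the shape of the DEFAULT entry posted in this thread, including the trailing comma on its last reply line; parse_users_entry and UsersEntry are names chosen for this example.

```python
"""Check a raddb/users entry against the comma rules quoted above.

Added example, not FreeRADIUS code. The rules: the first line holds the
name plus check-items only, commas go BETWEEN items and the line ends
WITHOUT a comma; the following lines hold reply-items, each linked to the
next by a trailing comma, and the last one ends WITHOUT a comma.
"""
import re
from dataclasses import dataclass, field

# 'Attribute op Value'; longer operators are listed first so ':=' wins over '='.
ITEM_RE = re.compile(r'^([\w-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=|>|<)\s*(\S.*)$')


@dataclass
class UsersEntry:
    name: str
    check_items: list = field(default_factory=list)   # (attribute, operator, value)
    reply_items: list = field(default_factory=list)
    problems: list = field(default_factory=list)      # rule violations found


def _parse_items(text, kind, entry):
    """Split a comma-linked item list and parse each item."""
    items = []
    for raw in text.split(','):
        raw = raw.strip()
        if not raw:
            entry.problems.append(f'empty {kind}-item (stray comma?) in {text.strip()!r}')
            continue
        m = ITEM_RE.match(raw)
        if m:
            items.append(m.groups())
        else:
            entry.problems.append(f'cannot parse {kind}-item {raw!r}')
    return items


def parse_users_entry(text):
    """Parse one users entry; violations are collected in entry.problems."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith('#')]
    if not lines:
        raise ValueError('empty entry')
    # First line: name, then check-items only, ending WITHOUT a comma.
    parts = lines[0].strip().split(None, 1)
    entry = UsersEntry(name=parts[0])
    check_text = parts[1] if len(parts) > 1 else ''
    if check_text.endswith(','):
        entry.problems.append('first line must end WITHOUT a comma')
        check_text = check_text[:-1]
    if check_text:
        entry.check_items = _parse_items(check_text, 'check', entry)
    # Remaining lines: reply-items, each linked to the next by a trailing comma.
    reply_lines = lines[1:]
    for i, line in enumerate(reply_lines):
        body = line.strip()
        last = i == len(reply_lines) - 1
        if body.endswith(','):
            if last:
                entry.problems.append('last reply-item line must end WITHOUT a comma')
            body = body[:-1]
        elif not last:
            entry.problems.append(f'reply-item line {i + 1} lacks the comma linking it to the next line')
        entry.reply_items.extend(_parse_items(body, 'reply', entry))
    return entry


# Constructed sample shaped like the DEFAULT entry in this thread: the last reply line ends with a comma.
SAMPLE_TRAILING_COMMA = """\
DEFAULT   Auth-Type := EAP,  EAP-Type := SIM
  EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f,
  EAP-Sim-SRES1 = 0xd1d2d3d4,
  EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7,
"""
# Same entry with the offending comma removed.
SAMPLE_FIXED = SAMPLE_TRAILING_COMMA.rstrip().rstrip(',') + '\n'

if __name__ == '__main__':
    for label, sample in (('as posted', SAMPLE_TRAILING_COMMA), ('fixed', SAMPLE_FIXED)):
        e = parse_users_entry(sample)
        print(label, '->', e.name, len(e.check_items), 'check,', len(e.reply_items), 'reply,',
              e.problems or 'no problems')
```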


Re: eap sim authorization problem

2013-06-10 Thread Iliya Peregoudov

On 09.06.2013 5:34, raptor raptor wrote:

simtriplets.dat format that I wrote:

1imsi,RAND,SRES,Kc
1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000
1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000


Your simtriplets.dat format is ok.


I add in users file:

DEFAULT   Auth-Type := EAP,  EAP-Type := SIM
EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f,
EAP-Sim-SRES1 = 0xd1d2d3d4,
EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d2e2f,
EAP-Sim-SRES2 = 0xe1e2e3e4,
EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d3e3f,
EAP-Sim-SRES3 = 0xf1f2f3f4,
EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7,
EAP-Sim-KC2 = 0xb0b1b2b3b4b5b6b7,
EAP-Sim-KC3 = 0xc0c1c2c3c4c5c6c7,


Your users format is ok: 16-octet RAND, 4-octet SRES, 8-octet Kc.

Auth vectors in the users file differ from those in simtriplets.dat. You 
cannot use arbitrary auth vectors. EAP-SIM is a mutual authentication 
protocol: the UE checks that the AAA knows the correct auth vectors when 
Request/SIM/Challenge is received, before sending Response/SIM/Challenge.



rlm_sim_files: insufficient number of challenges for imsi
1510019760806391: 0
++[sim_files] returns notfound


It's strange that rlm_sim_files was unable to find auth vectors.
Ensure that simtriplets.dat has UNIX line endings (LF, not CRLF).


Sending Access-Challenge of id 0 to 192.168.1.1 port 2048
EAP-Message = 0x011a0014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x019a1a23018008ce78acd4b07bc4c4ac


Here radiusd generates EAP Request/SIM/Start. There is no cryptography 
yet, so the UE will respond with Response/SIM/Start.



+++ EAP-sim decoded packet:
User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
NAS-IP-Address = 192.168.1.1
Called-Station-Id = 48f8b315461a
Calling-Station-Id = 1814563e5189
NAS-Identifier = 48f8b315461a
NAS-Port = 38
Framed-MTU = 1400
State = 0x019a1a23018008ce78acd4b07bc4c4ac
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x021a0058120a070543837c0b63fd6c4dc3fccbebc8439b04100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
Message-Authenticator = 0x441da87c8c81ad6b22b7596fba8b9098
Stripped-User-Name = 1510019760806391
Realm = wlan.mnc001.mcc510.3gppnetwork.org
EAP-Type = SIM
EAP-Sim-Subtype = Start
EAP-Sim-NONCE_MT = 0x43837c0b63fd6c4dc3fccbebc8439b04
EAP-Sim-SELECTED_VERSION = 0x0001
EAP-Sim-IDENTITY =
0x00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700


This is Response/SIM/Start from UE.


Sending Access-Challenge of id 0 to 192.168.1.1 port 2048
EAP-Message =
0x011b0050120b010d101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f0b05fb675502a3304188312931054f33cd1f
Message-Authenticator = 0x
State = 0x019a1a23008108ce78acd4b07bc4c4ac


Here radiusd generates EAP Request/SIM/Challenge using the auth vectors from the 
users file and the NONCE_MT from Response/EAP/Start. The UE will reject this EAP 
request (because the AAA does not know the correct auth vectors) and will 
restart EAP authentication.



Re: EAP post auth reject and access-challenge

2013-06-10 Thread Phil Mayers

On 10/06/13 15:45, Franks Andy (RLZ) IT Systems Engineer wrote:

Hi,

   Just wondered if someone could explain the reason why, on rejection
of EAP authentication, an access challenge request is sent out to the
NAS, and whether it’s something we can control or not?


I assume you're referring to the fact that the inner tunnel reject is 
sent as an outer access-challenge?


The packet flow is this:

C: Access-Request   EAP / TLS-setup
S: Access-Challenge EAP / TLS-setup
...
C: Access-Request   EAP / TLS / inner access-request
S: Access-Challenge EAP / TLS / inner access-reject
C: Access-Request   EAP / TLS [ack]
S: Access-Reject    EAP / reject

Basically, the protocols send the inner reject as a TLS frame, so that 
the client can't be tricked by a fake reject. The client then ACKs it, 
and the server then sends the RADIUS-level reject.


So no, you can't turn it off - it's part of the protocol specifications.

Why is this a problem for you?


RE: EAP post auth reject and access-challenge

2013-06-10 Thread Franks Andy (RLZ) IT Systems Engineer
Hi,
  I have a setup that just does admin logins for NAS equipment; some of
it presents via PAP and some of it via PEAP/MSCHAPv2.

When the user is rejected I do a linelog or sql insert, capturing a
failure reason from each module.

Basically an EAP reject of a user creates two entries to the logging. I
do failure logging within the inner-tunnel VS as well as the default
because I wanted it to capture a failure reason to the line log based on
the module-failure-reason string, which is lost after the eap session
rejects and can't be seen in the default. 

As you commented in an email from last week, updating the outer.control
variable to try and pass module-failure-reason doesn't work due to the
access-challenge presenting a new session.

I'm also doing some stuff in the authorization section which can reject
a user based on some ldap information. I thought I could perhaps just
update the default tunnel post-auth reject section to not do a linelog
if auth-type has been set to EAP but it doesn't work when clients are
rejected in this ldap section; the EAP auth-type is set but it never
authenticates as the reject is triggered first, and so a linelog would
never be recorded in the inner tunnel post auth reject section. I hope
that's not too confusing, it's hard to explain.

Thanks
Andy




Re: EAP post auth reject and access-challenge

2013-06-10 Thread Phil Mayers

On 10/06/13 17:29, Franks Andy (RLZ) IT Systems Engineer wrote:


I'm also doing some stuff in the authorization section which can reject
a user based on some ldap information. I thought I could perhaps just
update the default tunnel post-auth reject section to not do a linelog
if auth-type has been set to EAP but it doesn't work when clients are
rejected in this ldap section; the EAP auth-type is set but it never
authenticates as the reject is triggered first, and so a linelog would
never be recorded in the inner tunnel post auth reject section. I hope
that's not too confusing, it's hard to explain.


Sorry, I didn't understand that last part.

There are a bunch of different ways of solving the logging twice if 
that's the problem you're trying to solve.


The easiest is to just not care - we have a similar logging system and 
log both the inner and outer rejects. Our log inspection script shows 
both, and we just look at the relevant one. Note that EAP sessions can 
fail in ways that never trigger the inner tunnel, but do set 
Module-Failure-Message, so you can't just not log outer and hope to 
catch all relevant debugging. You can also have inner accepts with outer 
rejects (e.g. if the client fails mutual auth) so again, logging just 
one will miss info.


Without knowing what you're trying to accomplish and what your criteria 
are, I couldn't comment further - logging is a very individual thing 
that people have different ideas about. But my advice would be to solve 
this by post-processing the data, not by having extensive logic in your 
FR config.



Re: EAP-TTLS security level

2013-06-10 Thread Alan Buxey
The security depends on the configuration of your clients and the certificate 
chosen for your radius server.

alan


This smartphone uses eduroam for free WiFi access around the world.  Now that's 
what I call smart.

Re: eap sim authorization problem

2013-06-10 Thread raptor raptor
Iliya Peregoudov wrote:

1.

 rlm_sim_files: insufficient number of challenges for imsi
 1510019760806391: 0
 ++[sim_files] returns notfound


It's strange that rlm_sim_files was unable to find auth vectors.
Ensure that simtriplets.dat has UNIX line endings (LF, not CRLF).

I'm sorry, I don't understand about the LF UNIX line ending. Could you show me
what I should do to the simtriplets.dat format?
Is there any mistake?

2.
Your users format is ok: 16-octet RAND, 4-octet SRES, 8-octet Kc.

Auth vectors in users file differ from those in simtriplets.dat. You cannot
use arbitrary auth vectors. EAP-SIM is mutual authentication protocol. UE
checks that AAA knows correct auth vectors when Request/SIM/Challenge
received before sending Response/SIM/Challenge.

I got that format in /src/tests/eapsim-03/users-example.txt.
What should I fill in the Rand1 attribute?

Thanks for your advice.
Best regards



Re: EAP-TTLS security level

2013-06-09 Thread Alan DeKok
Emmanuel BILLOT wrote:
 We are thinking about using RADIUS authentication through the Internet.
 Considering we use the EAP-TTLS method for authenticating wifi users, is
 there any way to intercept user passwords?

  No.

 Is EAP-TTLS as secure as https or smtps?

  Yes.  They all use SSL (or TLS as it's now called).

  Alan DeKok.


Re: eap sim authorization problem

2013-06-08 Thread raptor raptor
My simtriplets.dat:

1imsi
1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000
1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000




Re: eap sim authorization problem

2013-06-08 Thread raptor raptor
simtriplets.dat format that I wrote:

1imsi,RAND,SRES,Kc
1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000
1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000

I add in users file:

DEFAULT   Auth-Type := EAP,  EAP-Type := SIM
  EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f,
  EAP-Sim-SRES1 = 0xd1d2d3d4,
  EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d2e2f,
  EAP-Sim-SRES2 = 0xe1e2e3e4,
  EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d3e3f,
  EAP-Sim-SRES3 = 0xf1f2f3f4,
  EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7,
  EAP-Sim-KC2 = 0xb0b1b2b3b4b5b6b7,
  EAP-Sim-KC3 = 0xc0c1c2c3c4c5c6c7,
I think the RAND in simtriplets.dat has the same length as EAP-Sim-Rand1 (32
octets).
Is my format wrong?


I'm using freeradius-server-2.1.9 and a Nokia E63.
I ran freeradius, so here is the log:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=215
User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
NAS-IP-Address = 192.168.1.1
Called-Station-Id = 48f8b315461a
Calling-Station-Id = 1814563e5189
NAS-Identifier = 48f8b315461a
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
Message-Authenticator = 0xa01e03afe31bdb73b9c01a64096ec87a
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] Looking up realm wlan.mnc001.mcc510.3gppnetwork.org for User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
[suffix] Found realm wlan.mnc001.mcc510.3gppnetwork.org
[suffix] Adding Stripped-User-Name = 1510019760806391
[suffix] Adding Realm = wlan.mnc001.mcc510.3gppnetwork.org
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0
++[sim_files] returns notfound
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 205
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 26
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 2048
EAP-Message = 0x011a0014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x019a1a23018008ce78acd4b07bc4c4ac
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=265
Cleaning up request 0 ID 0 with timestamp +227
User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
NAS-IP-Address = 192.168.1.1
Called-Station-Id = 48f8b315461a
Calling-Station-Id = 1814563e5189
NAS-Identifier = 48f8b315461a
NAS-Port = 38
Framed-MTU = 1400
State = 0x019a1a23018008ce78acd4b07bc4c4ac
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x021a0058120a070543837c0b63fd6c4dc3fccbebc8439b04100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
Message-Authenticator = 0x441da87c8c81ad6b22b7596fba8b9098
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] Looking up realm wlan.mnc001.mcc510.3gppnetwork.org for User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
[suffix] Found realm wlan.mnc001.mcc510.3gppnetwork.org
[suffix] Adding Stripped-User-Name = 1510019760806391
[suffix] Adding Realm = wlan.mnc001.mcc510.3gppnetwork.org
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0
++[sim_files] returns notfound
[eap] EAP packet type response id 26 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 205
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
rlm_eap_sim: subtype= 10
   start.
+++ EAP-sim decoded packet:
User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
NAS-IP-Address = 192.168.1.1
Called-Station-Id = 48f8b315461a

Re: EAP error with Freeradius 3.0

2013-06-06 Thread Alan DeKok
nicolas@ricoh-industrie.fr wrote:
   Hello,
 
 
   I have a problem with mschap authentication and the external
   program ntlm_auth.
   With Freeradius 2.2 I haven't any problem but after upgrade to
   Freeradius 3, the output of this program was wrong and EAP failed.
 
   The output is very strange :

  Please post text.  There is *no* reason to post images.

   Any ideas?

  It means that the system was unable to run ntlm_auth for some reason.
 Why, I don't know.

  Alan DeKok.


Re: EAP-SIM Authentication

2013-06-05 Thread Phil Mayers

On 06/05/2013 04:45 AM, Kranthi K wrote:

Hi All,

I am a newbie to FreeRADIUS. I installed freeradius version 2.2.0. I want
to configure EAP-SIM authentication.  Can anyone tell me the steps
to implement it?


What's with the sudden interest in EAP-SIM? Is there a school project 
running somewhere?



Re: EAP-SIM Authentication

2013-06-05 Thread Kranthi K
Hi Phil,

Thanks for your reply. I would be grateful if you could show some way to
implement EAP-SIM.

Thanks



Re: eap sim authorization problem

2013-06-03 Thread Iliya Peregoudov

Apparently there is an error in simtriplets.dat. Format is

1IMSI,RAND,SRES,KC

RAND, SRES, and KC should be in hexadecimal digits, without 0x 
prefix. An even number of hexadecimal digits should be in there.


On 01.06.2013 5:51, raptor raptor wrote:


ASSERT FAILED rlm_sim_files.c[212]: k != NULL



Re: eap sim authorization problem

2013-06-03 Thread Alan DeKok
Iliya Peregoudov wrote:
 Apparently there is an error in simtriplets.dat. Format is
 
 1IMSI,RAND,SRES,KC
 
 RAND, SRES, and KC should be in hexadecimal digits, without 0x
 prefix. An even number of hexadecimal digits should be in there.

  The simtriplets.dat file doesn't have 0x prefixes in its examples.

  In any case, hitting an assertion because of a format error is stupid.
 I've pushed a fix.  It will now complain about syntax errors instead.

  Alan DeKok.


Re: eap sim authorization problem

2013-05-31 Thread Iliya Peregoudov

Call suffix before sim_files.

The rlm_sim_files module uses the canonical username as the key for 
searching authentication vectors. Initially the canonical username points to 
the User-Name attribute. The rlm_realm module (suffix is an instance of this 
module) splits User-Name into Stripped-User-Name and Realm and sets the 
canonical username to point to Stripped-User-Name.

Or you can put the full username 1IMSI@wlan.mnc001.mcc510.3gppnetwork.org 
into simtriplets.dat. This will work without calling suffix.


On 30.05.2013 19:26, raptor raptor wrote:

Hi,

I have added simtriplets.dat and created the file sim_files in
/freeradius/modules, and I also configured sim_files in authorize{} in
/sites-enabled/default, but I don't use the suffix module.

So my concern is how to solve this message:
rlm_sim_files: insufficient number of challenges for imsi i...@wlan.mnc001.mcc510.3gppnetwork.org: 0
[sim_files] returns notfound



Re: EAP error

2013-05-31 Thread Alan Buxey
Looks like a client with incorrect settings.  Why would you want to add that CA 
to your server? Your radius server isn't signed by it.

alan



Re: eap sim authorization problem

2013-05-31 Thread raptor raptor
I have added Stripped-User-Name in sites-enabled/default and also
disabled the suffix module, but I found what looks like a fatal mistake.

Could someone tell me what I should do to fix this?

This is my log:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0, length=215
User-Name = 15100...@wlan.mnc001.mcc510.3gppnetwork.org
NAS-IP-Address = 192.168.1.1
Called-Station-Id = 48f8b315461a
Calling-Station-Id = 1814563e5189
NAS-Identifier = 48f8b315461a
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
Message-Authenticator = 0xe0a42673f8bb72f47e48dcb350887961
+- entering group authorize {...}
++[preprocess] returns ok
++? if (User-Name =~ /^(.*)@(.+)$/)
? Evaluating (User-Name =~ /^(.*)@(.+)$/) -> TRUE
++? if (User-Name =~ /^(.*)@(.+)$/) -> TRUE
++- entering if (User-Name =~ /^(.*)@(.+)$/) {...}
expand: %{1} -> 15100xx
expand: %{2} -> wlan.mnc001.mcc510.3gppnetwork.org
+++[request] returns ok
++- if (User-Name =~ /^(.*)@(.+)$/) returns ok
ASSERT FAILED rlm_sim_files.c[212]: k != NULL
Aborted


Best regards



Re: eap sim authorization problem

2013-05-30 Thread Iliya Peregoudov
You should designate realm wlan.mnc001.mcc510.3gppnetwork.org as locally 
served in raddb/proxy.conf:


# raddb/proxy.conf
realm wlan.mnc001.mcc510.3gppnetwork.org {
}

Then you should add authentication vectors to raddb/simtriplets.dat:

# raddb/simtriplets.dat
# 1IMSI,RAND,SRES,KC
1250991417456196,cf92007bd3814afaa71a58bbe406b8a0,6b7ace84,b54e3cad99ab2000
...

At least 3 authentication vectors should be present for each IMSI.

You can generate authentication vectors for your SIM card using a smart 
card reader and the agsm program (http://agsm.sourceforge.net/).



On 30.05.2013 10:44, raptor raptor wrote:

Hi all,
I have read everything about my problem, but I don't get any idea how to solve it.

In FR I get a message like this:

rlm_sim_files: insufficient number of challenges for imsi i...@wlan.mnc001.mcc510.3gppnetwork.org: 0
[sim_files] returns notfound
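
As an added example (not FreeRADIUS code and not from any post in this thread), the checker below applies the constraints the replies in this thread give for simtriplets.dat: plain hex without a 0x prefix and with an even number of digits, a 16-octet RAND, 4-octet SRES and 8-octet Kc, LF line endings, and at least three triplets per identity. It also models the lookup-key point made above: rlm_sim_files searches by the canonical username, which is Stripped-User-Name once the realm has been split off with the regex Phil posted, or the full NAI when the file is keyed that way. The sample data is constructed from the triplets posted in this thread, and all function names are this example's own.

```python
"""Validate a simtriplets.dat file and model the rlm_sim_files lookup key.

Added example, not FreeRADIUS code. The rules checked are the ones stated
in this thread; the sample data below is constructed from the posted triplets.
"""
import re
from collections import defaultdict

# Field widths from the thread: 16-octet RAND, 4-octet SRES, 8-octet Kc.
FIELD_OCTETS = {'RAND': 16, 'SRES': 4, 'Kc': 8}
MIN_TRIPLETS = 3                        # "At least 3 authentication vectors ... for each IMSI"
NAI_RE = re.compile(r'^(.*)@(.+)$')     # the realm-stripping regex posted in this thread


def check_hex(name, value):
    """Return a problem description for one hex field, or None if it is fine."""
    if value.lower().startswith('0x'):
        return f'{name}: 0x prefix is not allowed'
    if len(value) % 2:
        return f'{name}: odd number of hex digits'
    if not re.fullmatch(r'[0-9A-Fa-f]+', value):
        return f'{name}: non-hex characters'
    if len(value) // 2 != FIELD_OCTETS[name]:
        return f'{name}: {len(value) // 2} octets, expected {FIELD_OCTETS[name]}'
    return None


def parse_simtriplets(data):
    """Parse file bytes into {identity: [(rand, sres, kc), ...]} plus a problem list."""
    problems = []
    if b'\r\n' in data:
        problems.append('file has CRLF line endings; convert to LF')
    triplets = defaultdict(list)
    for lineno, raw in enumerate(data.decode('ascii', 'replace').splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue                    # blank line or comment
        fields = [f.strip() for f in line.split(',')]
        if len(fields) != 4:
            problems.append(f'line {lineno}: expected identity,RAND,SRES,Kc, got {len(fields)} fields')
            continue
        identity, rand, sres, kc = fields
        errs = [e for e in (check_hex('RAND', rand), check_hex('SRES', sres), check_hex('Kc', kc)) if e]
        if errs:
            problems.extend(f'line {lineno}: {e}' for e in errs)
            continue                    # a malformed record is not usable
        triplets[identity].append((bytes.fromhex(rand), bytes.fromhex(sres), bytes.fromhex(kc)))
    for identity, vectors in triplets.items():
        if len(vectors) < MIN_TRIPLETS:
            problems.append(f'{identity}: only {len(vectors)} triplet(s), need at least {MIN_TRIPLETS}')
    return dict(triplets), problems


def canonical_username(user_name):
    """What rlm_realm (suffix) does: split User-Name into (Stripped-User-Name, Realm)."""
    m = NAI_RE.match(user_name)
    return (m.group(1), m.group(2)) if m else (user_name, None)


def lookup_triplets(triplets, user_name, suffix_called=True):
    """Triplets rlm_sim_files would find: keyed by Stripped-User-Name if suffix ran,
    otherwise by the full User-Name (so the file would have to hold the full NAI)."""
    key = canonical_username(user_name)[0] if suffix_called else user_name
    return triplets.get(key, [])


# Constructed sample: the triplets posted in this thread, behind a comment header.
SAMPLE_OK = b"""# 1IMSI,RAND,SRES,KC
1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000
1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000
1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000
"""
# Constructed bad file: CRLF endings plus a 0x prefix, which also leaves only two usable triplets.
SAMPLE_BAD = SAMPLE_OK.replace(b'\n', b'\r\n').replace(b',AAC0', b',0xAAC0')

if __name__ == '__main__':
    user = '1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org'
    for label, data in (('ok', SAMPLE_OK), ('bad', SAMPLE_BAD)):
        trip, probs = parse_simtriplets(data)
        print(label, 'problems:', probs or 'none')
        print(label, 'found with suffix:', len(lookup_triplets(trip, user)),
              'without suffix:', len(lookup_triplets(trip, user, suffix_called=False)))
```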



Re: eap sim authorization problem

2013-05-30 Thread EasyHorpak.com

  
  
On 30/05/2556 13:44, raptor raptor wrote:

[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP

It means the NAS sends the Auth type as EAP, but this user has the Auth type set to
PAP.

Check your user auth type.


Re: eap sim authorization problem

2013-05-30 Thread Phil Mayers

On 30/05/13 08:16, Iliya Peregoudov wrote:

You should designate realm wlan.mnc001.mcc510.3gppnetwork.org as locally
served in raddb/proxy.conf:


Better yet, don't use the suffix module; look for the realm and strip 
it yourself:


authorize {
  if (User-Name =~ /^(.*)@(.+)$/) {
update request {
  Stripped-User-Name := %{1}
  Realm := %{2}
}
  }
}

See the policy.conf/policy.d and list archives for better regexps for 
NAI-style usernames.

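An added example, not code from the thread or from FreeRADIUS: a small Python lint that splits a User-Name the way Phil's `/^(.*)@(.+)$/` unlang block does, parses the `1IMSI,RAND,SRES,KC` lines of simtriplets.dat from Iliya's post, and reports any identity with fewer than the three vectors rlm_sim_files needs, in the same wording as the "insufficient number of challenges" error. The field sizes (RAND 16 bytes, SRES 4 bytes, Kc 8 bytes) are the standard GSM triplet sizes and match the sample line; the sample file content is constructed.

```python
import re

# Mirror of the unlang regex from the authorize block above: /^(.*)@(.+)$/
# (a Python re with the same capture groups, not FreeRADIUS's own matcher)
NAI_RE = re.compile(r"^(.*)@(.+)$")

# Sizes of a GSM authentication triplet, in hex characters:
# RAND 16 bytes, SRES 4 bytes, Kc 8 bytes (matches the sample line in the thread)
FIELD_HEX_LEN = (("RAND", 32), ("SRES", 8), ("KC", 16))
MIN_TRIPLETS = 3  # rlm_sim_files wants at least three vectors per IMSI
HEX_CHARS = set("0123456789abcdefABCDEF")

# Constructed simtriplets.dat content: the thread's sample line plus constructed
# vectors. Identity ...196 has three, ...197 only one, and the last line is
# deliberately malformed (RAND too short).
SAMPLE_SIMTRIPLETS = """\
# 1IMSI,RAND,SRES,KC
1250991417456196,cf92007bd3814afaa71a58bbe406b8a0,6b7ace84,b54e3cad99ab2000
1250991417456196,00112233445566778899aabbccddeeff,01020304,0102030405060708
1250991417456196,ffeeddccbbaa99887766554433221100,0a0b0c0d,1122334455667788
1250991417456197,0123456789abcdef0123456789abcdef,deadbeef,cafebabecafebabe
1250991417456198,abc,01020304,0102030405060708
"""


def split_nai(user_name):
    """Return (Stripped-User-Name, Realm) as the unlang block sets them, or None."""
    m = NAI_RE.match(user_name)
    if not m:
        return None
    return m.group(1), m.group(2)


def parse_simtriplets(text):
    """Parse '1IMSI,RAND,SRES,KC' lines; return ({identity: [triplets]}, [errors])."""
    triplets, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            errors.append(f"line {lineno}: expected 4 fields, got {len(fields)}")
            continue
        identity, values = fields[0], fields[1:]
        for (name, want), value in zip(FIELD_HEX_LEN, values):
            if len(value) != want or not set(value) <= HEX_CHARS:
                errors.append(f"line {lineno}: {name} must be {want} hex characters")
                break
        else:
            triplets.setdefault(identity, []).append(tuple(values))
    return triplets, errors


def check_identity(user_name, triplets):
    """Say whether the file can serve this EAP-SIM User-Name (wording mimics rlm_sim_files)."""
    parts = split_nai(user_name)
    if parts is None:
        return f"no realm in User-Name {user_name}"
    identity, realm = parts
    count = len(triplets.get(identity, []))
    if count < MIN_TRIPLETS:
        return f"insufficient number of challenges for imsi {identity}: {count}"
    return f"ok: {count} vectors for {identity} in realm {realm}"


if __name__ == "__main__":
    found, problems = parse_simtriplets(SAMPLE_SIMTRIPLETS)
    for p in problems:
        print("simtriplets.dat:", p)
    realm = "wlan.mnc001.mcc510.3gppnetwork.org"
    for imsi in ("1250991417456196", "1250991417456197"):
        print(check_identity(f"{imsi}@{realm}", found))
```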


Re: eap sim authorization problem

2013-05-30 Thread Phil Mayers

On 30/05/13 08:22, EasyHorpak.com wrote:

On 30/05/2556 13:44, raptor raptor wrote:

[pap] WARNING! No known good password found for the
user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP

It means the NAS sends the Auth type as EAP but this user has the Auth type set to pap.


No, it doesn't. This is normal output saying that PAP *wasn't* detected, 
but EAP *was*.



Re: eap sim authorization problem

2013-05-30 Thread raptor raptor
Hi, Phil

Better yet, don't use the suffix module; look for the realm and strip it
yourself:

authorize {
  if (User-Name =~ /^(.*)@(.+)$/) {
update request {
  Stripped-User-Name := %{1}
  Realm := %{2}
}
  }
}

See the policy.conf/policy.d and list archives for better regexps for
NAI-style usernames.

Is it in policy.conf or sites-enabled/default?
If in policy.conf, I can't find a format like authorize {}, but I find
cui_authorize.



Re: eap sim authorization problem

2013-05-30 Thread raptor raptor
Hi,

I have added simtriplets.dat and created the file sim_files in
/freeradius/modules,
and I also configured sim_files in authorize {} in /sites-enabled/default,
but I don't use the suffix module.

So my concern is how to solve this message:
rlm_sim_files: insufficient number of challenges for imsi
i...@wlan.mnc001.mcc510.3gppnetwork.org: 0
++[sim_files] returns notfound

Here is my log:

Ready to process requests.

rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0,
length=215

User-Name = 
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org

NAS-IP-Address = 192.168.1.1

Called-Station-Id = 48f8b315461a

Calling-Station-Id = 1814563e5189

NAS-Identifier = 48f8b315461a

NAS-Port = 38

Framed-MTU = 1400

NAS-Port-Type = Wireless-802.11

EAP-Message =
0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267

Message-Authenticator = 0x91af511bc958602ec652547f08683045

+- entering group authorize {...}

++[preprocess] returns ok

rlm_sim_files: insufficient number of challenges for imsi
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org: 0

++[sim_files] returns notfound

[eap] EAP packet type response id 0 length 56

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[unix] returns notfound

[files] users: Matched entry
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 205

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] EAP Identity

[eap] processing type sim

[eap] Underlying EAP-Type set EAP ID to 218

++[eap] returns handled

Sending Access-Challenge of id 0 to 192.168.1.1 port 2048

EAP-Message = 0x01da0014120a0f020002000111010100

Message-Authenticator = 0x

State = 0x1e96d6021e4cc425cab980602ba77fc7

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0,
length=265

Cleaning up request 0 ID 0 with timestamp +91

User-Name = 
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org

NAS-IP-Address = 192.168.1.1

Called-Station-Id = 48f8b315461a

Calling-Station-Id = 1814563e5189

NAS-Identifier = 48f8b315461a

NAS-Port = 38

Framed-MTU = 1400

State = 0x1e96d6021e4cc425cab980602ba77fc7

NAS-Port-Type = Wireless-802.11

EAP-Message =
0x02da0058120a070566bf4d6f1cf16dae34700d33b40a2cf2100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700

Message-Authenticator = 0x46abb1e0d252ff580dd8d31e5a56ba46

+- entering group authorize {...}

++[preprocess] returns ok

rlm_sim_files: insufficient number of challenges for imsi
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org: 0

++[sim_files] returns notfound

[eap] EAP packet type response id 218 length 88

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[unix] returns notfound

[files] users: Matched entry
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 205

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/sim

[eap] processing type sim

+++ EAP-sim decoded packet:

User-Name = 
1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org

NAS-IP-Address = 192.168.1.1

Called-Station-Id = 48f8b315461a

Calling-Station-Id = 1814563e5189

NAS-Identifier = 48f8b315461a

NAS-Port = 38

Framed-MTU = 1400

State = 0x1e96d6021e4cc425cab980602ba77fc7

NAS-Port-Type = Wireless-802.11

EAP-Message =
0x02da0058120a070566bf4d6f1cf16dae34700d33b40a2cf2100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700

Message-Authenticator = 0x46abb1e0d252ff580dd8d31e5a56ba46

EAP-Type = SIM

EAP-Sim-Subtype = Start

EAP-Sim-NONCE_MT = 0x66bf4d6f1cf16dae34700d33b40a2cf2

EAP-Sim-SELECTED_VERSION = 0x0001

EAP-Sim-IDENTITY =
0x00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700

[eap] Underlying EAP-Type set EAP ID to 219

++[eap] returns handled

Sending Access-Challenge of id 0 to 192.168.1.1 port 2048


Re: EAP-TLS and TLS record protocol

2013-05-24 Thread Phil Mayers

On 05/24/2013 09:12 AM, Pieter Hulshoff wrote:

Hello all,

I'm new to the list, relatively new to authentication, and I'm trying to figure
out some details regarding the RFCs. I was hoping some of you might be able
and willing to help me out here.

As I understand it, using TLS you can authenticate the server and optionally
the client, negotiate the encryption/signing algorithm(s) for the TLS record
protocol, and exchange the key information before switching to the selected
encryption/signing algorithm(s) for secure data transport. EAP-TLS however
seems focused on authorization and exchanging the key information, leaving the
actual data encryption to be determined by other means (e.g. IEEE 802.1X MKA
i.c.w. MACsec).

My questions:
1. Is this understanding correct?


Sort of. You've focussed on EAP-TLS, but that's misleading. *All* EAP 
methods are solely for authentication; the EAP protocols are not used to 
forward traffic, they merely authenticate and, if the link-layer 
requires it, derive encryption keys.


By way of illustrating the implications - note that, on a non-MACSEC 
802.1x wired connection, you can (but shouldn't!) use EAP-MD5 which does 
not derive key material, because there's no link-layer encryption.


Similarly, on wireless 802.1x, you can use EAP-PWD or EAP-EKE, both of 
which derive key material and both of which have nothing to do with TLS.



2. Does this imply that the negotiated encryption/signing algorithm(s) are
only used for the EAP-TLS Finished messages?


For *all* EAP methods, the only output is success/failure and optionally 
key material, and the key material is just a securely-derived set of 
bits. The cryptographic primitives used by the EAP method have no 
bearing on the cryptographic primitives used by the link layer.


Also - this is not a FreeRADIUS question really, and if you have more 
questions, they might be better off in another forum.



Re: EAP authentication stopped working

2013-05-04 Thread Peter Lambrechtsen
Why does auth_log return fail?
On May 4, 2013 8:04 PM, larry tembu larryte...@yahoo.com wrote:

 Hi Freeradius users,
 I have FR freeradius-2.2.0-0.fc17.i686 set up on a Fedora 17 machine. The
 WiMAX clients are supplying EAP-TTLS/MSCHAPv2 for authentication. A few
 weeks ago, the configuration was working and authenticating, but it
 suddenly stopped. The users are created in the users file and below is the
 radiusd -X output. Any more info required will be promptly provided. Could
 someone help me out on this? The WiMAX system is 4M Alvarion and the CPEs
 are well configured.
   ignore_null = no
   }
  Module: Checking accounting {...} for more modules to load
  Module: Instantiating module detail from file /etc/raddb/modules/detail
   detail {
 detailfile =
 /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 header = %t
 detailperm = 384
 dirperm = 493
 locking = no
 log_packet_header = no
   }
  Module: Linked to module rlm_radutmp
  Module: Instantiating module radutmp from file
 /etc/raddb/modules/radutmp
   radutmp {
 filename = /var/log/radius/radutmp
 username = %{User-Name}
 case_sensitive = yes
 check_with_nas = yes
 perm = 384
 callerid = yes
   }
  Module: Linked to module rlm_attr_filter
  Module: Instantiating module attr_filter.accounting_response from file
 /etc/raddb/modules/attr_filter
   attr_filter attr_filter.accounting_response {
 attrsfile = /etc/raddb/attrs.accounting_response
 key = %{User-Name}
 relaxed = no
   }
 reading pairlist file /etc/raddb/attrs.accounting_response
  Module: Checking session {...} for more modules to load
  Module: Checking post-proxy {...} for more modules to load
  Module: Checking post-auth {...} for more modules to load
  Module: Instantiating module attr_filter.access_reject from file
 /etc/raddb/modules/attr_filter
   attr_filter attr_filter.access_reject {
 attrsfile = /etc/raddb/attrs.access_reject
 key = %{User-Name}
 relaxed = no
   }
 reading pairlist file /etc/raddb/attrs.access_reject
  } # modules
 } # server
 server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
  modules {
  Module: Checking authenticate {...} for more modules to load
  Module: Checking authorize {...} for more modules to load
  Module: Checking session {...} for more modules to load
  Module: Checking post-proxy {...} for more modules to load
  Module: Checking post-auth {...} for more modules to load
  } # modules
 } # server
 radiusd:  Opening IP addresses and Ports 
 listen {
 type = auth
 ipaddr = *
 port = 0
 }
 listen {
 type = acct
 ipaddr = *
 port = 0
 }
 listen {
 type = control
  listen {
 socket = /var/run/radiusd/radiusd.sock
  }
 }
 listen {
 type = auth
 ipaddr = 127.0.0.1
 port = 18120
 }
  ... adding new socket proxy address * port 46422
 Listening on authentication address * port 1812
 Listening on accounting address * port 1813
 Listening on command file /var/run/radiusd/radiusd.sock
 Listening on authentication address 127.0.0.1 port 18120 as server
 inner-tunnel
 Listening on proxy address * port 1814
 Ready to process requests.
 rad_recv: Access-Request packet from host 11.0.0.205 port 1812, id=153,
 length=196
 User-Name = {sm=1}rawlacur...@adn.com
 EAP-Message =
 0x0201001e017b736d3d317d7261776c616375726f6e654061646e2e636f6d
 Message-Authenticator = 0x39a7eb8d6128461e0fa6caf5dd5c26c3
 NAS-Identifier = 201
 NAS-IP-Address = 11.0.0.205
 Calling-Station-Id = AC-81-12-78-CA-6E
 WiMAX-BS-Id = 0xfff329010102
 NAS-Port-Type = Wireless-802.16
 Framed-MTU = 2000
 Service-Type = Framed-User
 WiMAX-GMT-Timezone-offset = 256
 WiMAX-Release = 1.0
 WiMAX-Accounting-Capabilities = IP-Session-Based
 WiMAX-Attr-1793 = 0x028a
 # Executing section authorize from file /etc/raddb/sites-enabled/default
 +- entering group authorize {...}
 ++[preprocess] returns ok
 [auth_log]  expand:
 /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
 /var/log/radius/radacct/11.0.0.205/auth-detail-20130501
 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 expands to /var/log/radius/radacct/11.0.0.205/auth-detail-20130501
 [auth_log]  expand: %t - Wed May  1 17:46:27 2013
 ++[auth_log] returns fail
 Using Post-Auth-Type REJECT
 # Executing group from file /etc/raddb/sites-enabled/default
 +- entering group REJECT {...}
 [attr_filter.access_reject] expand: %{User-Name} - {sm=
 1}rawlacur...@adn.com
 attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 Going to the next request
 Waking up in 0.9 seconds.
 Sending delayed reject for request 0
 Sending Access-Reject of id 153 to 

Re: EAP authentication stopped working

2013-05-04 Thread Fajar A. Nugraha
On Sat, May 4, 2013 at 3:24 PM, Peter Lambrechtsen pe...@crypt.co.nz wrote:

 Why does auth_log return fail?
 On May 4, 2013 8:04 PM, larry tembu larryte...@yahoo.com wrote:

 a few weeks ago, the configuration was working and authenticating, but it
 suddenly stopped.




 [auth_log]  expand:
 /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
 /var/log/radius/radacct/11.0.0.205/auth-detail-20130501
 [auth_log]
 /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
 /var/log/radius/radacct/11.0.0.205/auth-detail-20130501
 [auth_log]  expand: %t - Wed May  1 17:46:27 2013
 ++[auth_log] returns fail
 Using Post-Auth-Type REJECT



My GUESS is that it's something as simple as disk full. Try df -h and df
-i.

-- 
Fajar

Re: EAP authentication stopped working

2013-05-04 Thread A.L.M. Buxey
Hi,

My GUESS is that it's something as simple as disk full. Try df -h and
df -i.

yep. that's the most common error.  check in your change log for any changes
made to your system, check revision control for any changes, check your 'gold
reference' 'radiusd -X' output against what it looks like now etc. if none of
that has changed then you'll need to look elsewhere - such as system patches
that have been applied BUT, the obvious failure would be lack of diskspace.
and the default behaviour is if the auth etc cannot be logged then the
authentication will fail (otherwise you won't have audit trails of the
connection/usage)
...and then advice that you start putting system monitoring into place for such
things.

alan


Re: EAP-AKA testing without HLR/HSS

2013-04-30 Thread Antoni Milton
Thanks a lot Brian for your Response.

Now I am trying to download the source code but I am not able to get it as a 
package within freeradius and android-wpa_supplicant.

Could you please point me to the location/repository to get the source code? 
 


Thanks
Antoni Milton.



 From: Brian Candler b.cand...@pobox.com
To: antoni milton antoni_in...@yahoo.com 
Cc: freeradius-users@lists.freeradius.org 
freeradius-users@lists.freeradius.org 
Sent: Thursday, April 25, 2013 2:47 PM
Subject: Re: EAP-AKA testing without HLR/HSS
 

On Wed, Apr 24, 2013 at 08:11:11AM -0700, antoni milton wrote:
    Please let me know if it's possible to test EAP-AKA
    authentication without HLR/HSS using freeradius.

Please don't cross-post.

There is code in hostapd which you may be able to modify to do what you
want:

$ grep -R USIM_SIM .
./src/eap_peer/eap_aka.c:#ifdef CONFIG_USIM_SIMULATOR
./src/eap_peer/eap_aka.c:#endif /* CONFIG_USIM_SIMULATOR */
./wpa_supplicant/android.config:#CONFIG_USIM_SIMULATOR=y
./wpa_supplicant/Android.mk:ifdef CONFIG_USIM_SIMULATOR
./wpa_supplicant/Android.mk:L_CFLAGS += -DCONFIG_USIM_SIMULATOR
./wpa_supplicant/ChangeLog:      enable with 
CONFIG_SIM_SIMULATOR=y/CONFIG_USIM_SIMULATOR=y in .config
./wpa_supplicant/defconfig:#CONFIG_USIM_SIMULATOR=y
./wpa_supplicant/Makefile:ifdef CONFIG_USIM_SIMULATOR
./wpa_supplicant/Makefile:CFLAGS += -DCONFIG_USIM_SIMULATOR

2008-11-23 - v0.6.6
        * added Milenage SIM/USIM emulator for EAP-SIM/EAP-AKA
          (can be used to simulate test SIM/USIM card with a known private key;
          enable with CONFIG_SIM_SIMULATOR=y/CONFIG_USIM_SIMULATOR=y in .config
          and password=Ki:OPc/password=Ki:OPc:SQN in network configuration)

It looks like src/crypto/milenage.c does the actual checking, and that's
what you'd have to move into radius.

Any questions about that code need to go to the hostapd list of course.

HTH,

Brian.

Re: EAP-AKA testing without HLR/HSS

2013-04-30 Thread Brian Candler
On Tue, Apr 30, 2013 at 02:04:59AM -0700, Antoni Milton wrote:
Now I am trying to download the source code but i am not able to get as
a package within freeradius and android-wpa_supplicant.

That statement doesn't mean anything to me. There is no package within
freeradius containing hostapd - they are separate. And I don't know what
android-wpa_supplicant has to do with it.

Sorry if I wasn't clear before, but I was saying that I think you will need
to write your own code to do this authentication within freeradius, I was
just pointing out that there are parts in hostapd which may serve as a
guide.

If you're not able to do this you might be able to find someone else in your
organisation who can.

Could you please point me to the location/repository to get the source
code?

Enter hostapd into google. The first hit is
http://hostap.epitest.fi/hostapd/
There are download links and a link to the GIT repo.


Re: EAP-AKA testing without HLR/HSS

2013-04-30 Thread Brian Candler
Incidentally, there is some discussion about EAP-AKA on freeradius-devel at
the moment:
http://lists.freeradius.org/pipermail/freeradius-devel/2013-April/008016.html

If that user gets it working, they may be able to help you.


Re: EAP-AKA testing without HLR/HSS

2013-04-25 Thread Brian Candler
On Wed, Apr 24, 2013 at 08:11:11AM -0700, antoni milton wrote:
  Please let me know if it's possible to test EAP-AKA
authentication without HLR/HSS using freeradius.

Please don't cross-post.

There is code in hostapd which you may be able to modify to do what you
want:

$ grep -R USIM_SIM .
./src/eap_peer/eap_aka.c:#ifdef CONFIG_USIM_SIMULATOR
./src/eap_peer/eap_aka.c:#endif /* CONFIG_USIM_SIMULATOR */
./wpa_supplicant/android.config:#CONFIG_USIM_SIMULATOR=y
./wpa_supplicant/Android.mk:ifdef CONFIG_USIM_SIMULATOR
./wpa_supplicant/Android.mk:L_CFLAGS += -DCONFIG_USIM_SIMULATOR
./wpa_supplicant/ChangeLog:   enable with 
CONFIG_SIM_SIMULATOR=y/CONFIG_USIM_SIMULATOR=y in .config
./wpa_supplicant/defconfig:#CONFIG_USIM_SIMULATOR=y
./wpa_supplicant/Makefile:ifdef CONFIG_USIM_SIMULATOR
./wpa_supplicant/Makefile:CFLAGS += -DCONFIG_USIM_SIMULATOR

2008-11-23 - v0.6.6
* added Milenage SIM/USIM emulator for EAP-SIM/EAP-AKA
  (can be used to simulate test SIM/USIM card with a known private key;
  enable with CONFIG_SIM_SIMULATOR=y/CONFIG_USIM_SIMULATOR=y in .config
  and password=Ki:OPc/password=Ki:OPc:SQN in network configuration)

It looks like src/crypto/milenage.c does the actual checking, and that's
what you'd have to move into radius.

Any questions about that code need to go to the hostapd list of course.

HTH,

Brian.


Re: EAP-TLS testing, occasional errors

2013-03-07 Thread Phil Mayers

On 07/03/13 16:01, Bertalan Voros wrote:


Has anyone seen this before?


I see all kinds of weirdness from clients.

Fundamentally, the problem is at the client - it didn't send a 
certificate - so you need to troubleshoot it there.



Re: eap-fast on freeradius 2

2013-02-26 Thread Phil Mayers

On 02/26/2013 06:23 AM, John wrote:

Hi,

I found freeRADIUS support eap-fast. Can I use eap-fast in eap2,


Not easily, AIUI.

Bear in mind that eap2 is experimental and unmaintained.


meanwhile use other eap types in eap?  Does EAP fragmentation issue
fixed in eap2?


What issue is that?


Re: eap over lan simulation

2013-02-22 Thread Phil Mayers

On 02/22/2013 02:56 AM, tabibel sami wrote:


Between supplicant and NAS, I can't find a way to simulate a NAS (access
point) with an 802.1X supplicant that can control Ethernet and not
wireless access from the supplicant, because I use a Linux bridge to connect
my virtual machines to each other (so no wireless, or can we simulate a
wireless connection too?)


hostapd, from the same people that make wpa_supplicant.

Never used it, but I'm pretty sure it can be made to do this.


Re: eap testing

2013-02-20 Thread A.L.M. Buxey
Hi,

 requests to two backend servers. in 'proxy.conf' i have configured
 'type=client-balance' so that it can work with EAP.

client-port-balance

 Now I want to do load testing of this configuration with EAP-TLS.
 So with this configuration I need to have a lot of NASes, with different
 IPs. But I only have 2.

the NAS should be sending their requests using different ports and this
other balance method will be fine

 Could anyone please help me in this situation. Could you please suggest
 a tool or a guideline to achieve my goal.

up until now, we are not sure what your goal really is - you seem to be doing
a lot of testing but with no real requirements or case.

alan


Re: eap testing

2013-02-20 Thread Muhammad Nadeem
On 2/20/13, a.l.m.bu...@lboro.ac.uk a.l.m.bu...@lboro.ac.uk wrote:
 Hi,

 requests to two backend servers. in 'proxy.conf' i have configured
 'type=client-balance' so that it can work with EAP.

 client-port-balance

 Now I want to do load testing of this configuration with EAP-TLS.
 So with this configuration I need to have a lot of NASes, with different
 IPs. But I only have 2.

 the NAS should be sending their requests using different ports and this
 other balance method will be fine

 Could anyone please help me in this situation. Could you please suggest
 a tool or a guideline to achieve my goal.

 up until now, we are not sure what your goal really is - you seem to be
 doing
 a lot of testing but with no real requirements or case.

 alan



-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University
Thanks A.L.M for your answer.
My primary goal is to configure a fast system to authenticate EAP-TLS
requests. For this purpose I used a proxy (to distribute requests to
different freeradius servers). Now I just want to confirm the
NumberOfRequests/second handled by my system.

