Dear guest,

I have a problem with EAP-SIM authentication. I'm using FreeRADIUS 2.2.0 and a BlackBerry 9220. Here is my simtriplets.dat file:

1510012660372465,AF6876E748BD46bf853A99DC2032F0A7,95762655,449177635B92bc00
1510012660372465,A1A9AC744E8D49819D27A79B067BCA69,257b31c6,64ff9467DEa1e400
1510012660372465,603906BFD8DC404197BAC35FF1274EB3,4F41eb06,F3ce89b4FCbc0000
1510080332618369,23A95DB79B644a4299463F0342069A11,7775d266,B10f3eba2Bc5ed2b
1510080332618369,FDCE8E4F2B0B4b3086BEF230076EAD58,D9e080d9,E2aad63f711e1324
1510080332618369,238100571AD1495fBCE2AD5505634E41,A40e1656,66a098a750d9cd13

Here is the content of the users file:

1510080332618369 Auth-Type := EAP, EAP-Type := SIM
	EAP-Sim-Rand1 := 0x23A95DB79B644a4299463F0342069A11,
	EAP-Sim-SRES1 := 0x7775d266,
	EAP-Sim-KC1 := 0xB10f3eba2Bc5ed2b,
	EAP-Sim-Rand2 := 0xFDCE8E4F2B0B4b3086BEF230076EAD58,
	EAP-Sim-SRES2 := 0xD9e080d9,
	EAP-Sim-KC2 := 0xE2aad63f711e1324,
	EAP-Sim-Rand3 := 0x238100571AD1495fBCE2AD5505634E41,
	EAP-Sim-SRES3 := 0xA40e1656,
	EAP-Sim-KC3 := 0x66a098a750d9cd13,

1510012660372465 Auth-Type := EAP, EAP-Type := sim
	EAP-Sim-Rand1 := 0xAF6876E748BD46bf853A99DC2032F0A7,
	EAP-Sim-SRES1 := 0x95762655,
	EAP-Sim-KC1 := 0x449177635B92bc00,
	EAP-Sim-Rand2 := 0xA1A9AC744E8D49819D27A79B067BCA69,
	EAP-Sim-SRES2 := 0x257b31c6,
	EAP-Sim-KC2 := 0x64ff9467DEa1e400,
	EAP-Sim-Rand3 := 0x603906BFD8DC404197BAC35FF1274EB3,
	EAP-Sim-SRES3 := 0x4F41eb06,
	EAP-Sim-KC3 := 0xF3ce89b4FCbc0000,

1510080332618369@wlan.mnc080.mcc510.3gppnetwork.org Auth-Type := EAP, EAP-Type := SIM
	EAP-Sim-Rand1 := 0x23A95DB79B644a4299463F0342069A11,
	EAP-Sim-SRES1 := 0x7775d266,
	EAP-Sim-KC1 := 0xB10f3eba2Bc5ed2b,
	EAP-Sim-Rand2 := 0xFDCE8E4F2B0B4b3086BEF230076EAD58,
	EAP-Sim-SRES2 := 0xD9e080d9,
	EAP-Sim-KC2 := 0xE2aad63f711e1324,
	EAP-Sim-Rand3 := 0x238100571AD1495fBCE2AD5505634E41,
	EAP-Sim-SRES3 := 0xA40e1656,
	EAP-Sim-KC3 := 0x66a098a750d9cd13

I already included sim_files in modules and sim { } in eap.conf. I analyzed it in debug: the first authorization succeeds (sim_files returns ok status), the first authentication succeeds, the second authorization succeeds also, but the problem is that the second authentication fails. I already read the past list archive, but found no clue. Here is the debug output of radius:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.111.72 port 34647, id=129, length=250
	User-Name = "1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org"
	NAS-IP-Address = 192.168.88.52
	Called-Station-Id = "FA-1A-67-9F-E4-68:NOLSPOT-Secure"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "70-AA-B2-EF-8E-9D"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Framed-MTU = 1400
	EAP-Message = 0x02100038013135313030383033333236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f7267
	Message-Authenticator = 0xf0b7f7c3d39dd64797e1ffa08c3c078e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc080.mcc510.3gppnetwork.org" for User-Name = "1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Found realm "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Adding Stripped-User-Name = "1510080332618369"
[suffix] Adding Realm = "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry 1510080332618369 at line 206
++[files] returns ok
rlm_sim_files: authorized user/imsi 1510080332618369
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 16 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} -> 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org
[sql] sql_set_user escaped user --> ' 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = ' 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = ' 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user '1510080332618369'
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 182
++[eap] returns handled
Sending Access-Challenge of id 129 to 192.168.111.72 port 34647
	EAP-Message = 0x01b60014120a00000f0200020001000011010100
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x876b64d687dd7613c1482e3b4d19abaa
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.111.72 port 34647, id=130, length=300
	User-Name = "1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org"
	NAS-IP-Address = 192.168.88.52
	Called-Station-Id = "FA-1A-67-9F-E4-68:NOLSPOT-Secure"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "70-AA-B2-EF-8E-9D"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Framed-MTU = 1400
	EAP-Message = 0x02b60058120a000007050000c6fb9b6adcacba2f73e0dec777302196100100010e0e00333135313030383033333236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f726700
	State = 0x876b64d687dd7613c1482e3b4d19abaa
	Message-Authenticator = 0xf06c219eca5af618cf61099f2f79f3a4
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc080.mcc510.3gppnetwork.org" for User-Name = "1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Found realm "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Adding Stripped-User-Name = "1510080332618369"
[suffix] Adding Realm = "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry 1510080332618369 at line 206
++[files] returns ok
rlm_sim_files: authorized user/imsi 1510080332618369
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 182 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} -> 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org
[sql] sql_set_user escaped user --> ' 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = ' 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = ' 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user '1510080332618369'
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
	User-Name = "1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org"
	NAS-IP-Address = 192.168.88.52
	Called-Station-Id = "FA-1A-67-9F-E4-68:NOLSPOT-Secure"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "70-AA-B2-EF-8E-9D"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Framed-MTU = 1400
	EAP-Message = 0x02b60058120a000007050000c6fb9b6adcacba2f73e0dec777302196100100010e0e00333135313030383033333236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f726700
	State = 0x876b64d687dd7613c1482e3b4d19abaa
	Message-Authenticator = 0xf06c219eca5af618cf61099f2f79f3a4
	Stripped-User-Name = "1510080332618369"
	Realm = "wlan.mnc080.mcc510.3gppnetwork.org"
	EAP-Type = SIM
	EAP-Sim-Subtype = Start
	EAP-Sim-NONCE_MT = 0x0000c6fb9b6adcacba2f73e0dec777302196
	EAP-Sim-SELECTED_VERSION = 0x0001
	EAP-Sim-IDENTITY = 0x00333135313030383033333236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f726700
[eap] Underlying EAP-Type set EAP ID to 183
++[eap] returns handled
Sending Access-Challenge of id 130 to 192.168.111.72 port 34647
	EAP-Message = 0x01b70050120b0000010d000023a95db79b644a4299463f0342069a11fdce8e4f2b0b4b3086bef230076ead58238100571ad1495fbce2ad5505634e410b0500002fe3b8c33af56aa2dc9e873f71c4b691
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x876b64d686dc7613c1482e3b4d19abaa
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.111.72 port 34647, id=131, length=224
	User-Name = "1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org"
	NAS-IP-Address = 192.168.88.52
	Called-Station-Id = "FA-1A-67-9F-E4-68:NOLSPOT-Secure"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "70-AA-B2-EF-8E-9D"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Framed-MTU = 1400
	EAP-Message = 0x02b7000c120e000016010000
	State = 0x876b64d686dc7613c1482e3b4d19abaa
	Message-Authenticator = 0xeb64a094fea2ddbf458b0cac3e47686d
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "wlan.mnc080.mcc510.3gppnetwork.org" for User-Name = "1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Found realm "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Adding Stripped-User-Name = "1510080332618369"
[suffix] Adding Realm = "wlan.mnc080.mcc510.3gppnetwork.org"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry 1510080332618369 at line 206
++[files] returns ok
rlm_sim_files: authorized user/imsi 1510080332618369
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 183 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} -> 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org
[sql] sql_set_user escaped user --> ' 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = ' 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = ' 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
[sql] User 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user '1510080332618369'
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
[eap] Handler failed in EAP/sim
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html