(RADIATOR) EAP-SIM authentication fails --- RADIATOR: "EAP SIM could not decode SIM attributes"
Mike McCauley
mikem at open.com.au
Mon Jul 11 17:13:29 CDT 2005
Hello Ronald,
The problem here appears to be a bug in Xsupplicant.
The AT_IDENTITY field in the last SIM request from the Xsupplicant is
malformed:
<14><4><0><15>262015920055409<0>
It correctly claims there are 15 bytes of identity (15 in the 4th octet), but
the total word count is incorrect: it claims there are 4 words (4 in the
second octet), whereas there are really 5.
You should report this to the open1x people.
Cheers.
On Tuesday 12 July 2005 05:23, Ronald Marx wrote:
> Hello,
>
> I want to make tests with EAP-SIM in our testbed but I can't perform a
> successful authentication with EAP-SIM. The notebook has a card reader
> installed and should authenticate itself against the RADIUS server via a
> wireless access point.
>
> Operating system, network card and card reader are fine but when I start
> the authentication RADIATOR tells me:
> "EAP SIM could not decode SIM attributes". (You can find the full debug
> printout below)
>
> The additional text " (at SIM Start)" I added myself to the
> "AuthSIM.pm"-file to find out where this error occurs.
>
> RADIATOR answers the first time it receives an Access-Request but after
> sending the Access-Challenge it fails to decode the SIM attributes every
> time.
>
> I attached the configuration files that I use.
>
> My xsupplicant-config-file looks something like that:
> ~> cat xsupplicant.conf
> ### GLOBAL SECTION
> network_list = all
> default_netname = default
> logfile = /var/log/xsupplicant.log
>
> ### NETWORK SECTION
> MIP_Network_2
> {
> allow_types = eap-sim
> identity = "1234"
> eap-sim{
> username = "123456789012345"
> password = "0000"
> auto_realm = yes
> }
> }
> <EOF>
>
> I tried many different configurations of xsupplicant but the problem
> persists.
>
> - Testbed-setup -
>
> Notebook: Dell Latitude C510
> OS: Suse Linux 9.3
> Kernel: 2.6.11.4-21.7
> Supplicant: XSupplicant (newest version from cvs)
> Cardreader: SCM SCR335
> PCSC-lite 1.2.9-beta6
> ccid-0.9.3 driver
> Option Globetrotter Fusion PCMCIA WLAN UMTS GPRS card
> Linuxant DriverLoader 2.28
>
> RADIUS server: RADIATOR 3.12 with EAP-SIM plugin
>
> Authenticator: Cisco Aironet 1200 Wireless Access Point
>
>
> Do you have an idea what could cause this problem?
>
> Regards,
> Ronald Marx
>
>
>
> - DEBUG printout -
>
> Mon Jul 11 19:57:46 2005: DEBUG: Packet dump:
> *** Received from 141.12.238.158 port 21647 ....
> Code: Access-Request
> Identifier: 226
> Authentic: <248>{<213>}<221>xUS<201><18><203><12><164><149><186>)
> Attributes:
> User-Name = "1234"
> Framed-MTU = 1400
> Called-Station-Id = "000e.38fc.1000"
> Calling-Station-Id = "000c.e311.c9ee"
> Message-Authenticator =
> <193>a'`<159><164><24><132><143><247>WG<174><<187>P
> EAP-Message = <2><2><0><9><1>1234
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 275
> Service-Type = Framed-User
> NAS-IP-Address = 141.12.238.158
> NAS-Identifier = "AP2"
>
> Mon Jul 11 19:57:46 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Mon Jul 11 19:57:46 2005: DEBUG: Deleting session for 1234,
> 141.12.238.158, 275
> Mon Jul 11 19:57:46 2005: DEBUG: Handling with Radius::AuthSIMOPERATOR:
> Mon Jul 11 19:57:46 2005: DEBUG: Handling with EAP: code 2, 2, 9
> Mon Jul 11 19:57:46 2005: DEBUG: Response type 1
> Mon Jul 11 19:57:46 2005: DEBUG: EAP result: 3, EAP SIM/Start
> Mon Jul 11 19:57:46 2005: DEBUG: AuthBy SIMOPERATOR result: CHALLENGE, EAP
> SIM/Start
> Mon Jul 11 19:57:46 2005: DEBUG: Access challenged for 1234: EAP SIM/Start
> Mon Jul 11 19:57:46 2005: DEBUG: Packet dump:
> *** Sending to 141.12.238.158 port 21647 ....
> Code: Access-Challenge
> Identifier: 226
> Authentic: <248>{<213>}<221>xUS<201><18><203><12><164><149><186>)
> Attributes:
> EAP-Message =
> <1><3><0><20><18><10><0><0><13><1><0><0><15><2><0><4><0><0><0><1>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Jul 11 19:57:46 2005: DEBUG: Packet dump:
> *** Received from 141.12.238.158 port 21647 ....
> Code: Access-Request
> Identifier: 227
> Authentic: <242>j<254><171><178>~<243>Z<183><225><29>:<182><17><148><145>
> Attributes:
> User-Name = "1234"
> Framed-MTU = 1400
> Called-Station-Id = "000e.38fc.1000"
> Calling-Station-Id = "000c.e311.c9ee"
> Message-Authenticator =
> KT<189>m8<135>{<199><136><0>H4<193>m<155><223>
> EAP-Message =
> <2><3><0>4<18><10><0><0><7><5><0><0>oM<167><210>/<131>^<237><172><185><247><23>~<236><240><191><14><4><0><15>262015920055409<0><16><1><0><1>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 275
> Service-Type = Framed-User
> NAS-IP-Address = 141.12.238.158
> NAS-Identifier = "AP2"
>
> Mon Jul 11 19:57:46 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Mon Jul 11 19:57:46 2005: DEBUG: Deleting session for 1234,
> 141.12.238.158, 275
> Mon Jul 11 19:57:46 2005: DEBUG: Handling with Radius::AuthSIMOPERATOR:
> Mon Jul 11 19:57:46 2005: DEBUG: Handling with EAP: code 2, 3, 52
> Mon Jul 11 19:57:46 2005: DEBUG: Response type 18
> Mon Jul 11 19:57:46 2005: WARNING: EAP SIM Notification: 16384, EAP SIM could not decode SIM attributes (at SIM Start)
> Mon Jul 11 19:57:46 2005: DEBUG: EAP result: 2, EAP SIM Notification Fail 16384 in version 0: EAP SIM could not decode SIM attributes (at SIM Start)
> Mon Jul 11 19:57:46 2005: DEBUG: AuthBy SIMOPERATOR result: IGNORE, EAP SIM Notification Fail 16384 in version 0: EAP SIM could not decode SIM attributes (at SIM Start)
> Mon Jul 11 19:57:51 2005: DEBUG: Packet dump:
> *** Received from 141.12.238.158 port 21647 ....
> Code: Access-Request
> Identifier: 227
> Authentic: <242>j<254><171><178>~<243>Z<183><225><29>:<182><17><148><145>
> Attributes:
> User-Name = "1234"
> Framed-MTU = 1400
> Called-Station-Id = "000e.38fc.1000"
> Calling-Station-Id = "000c.e311.c9ee"
> Message-Authenticator =
> KT<189>m8<135>{<199><136><0>H4<193>m<155><223>
> EAP-Message =
> <2><3><0>4<18><10><0><0><7><5><0><0>oM<167><210>/<131>^<237><172><185><247><23>~<236><240><191><14><4><0><15>262015920055409<0><16><1><0><1>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 275
> Service-Type = Framed-User
> NAS-IP-Address = 141.12.238.158
> NAS-Identifier = "AP2"
>
> Mon Jul 11 19:57:51 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Mon Jul 11 19:57:51 2005: DEBUG: Deleting session for 1234,
> 141.12.238.158, 275
> Mon Jul 11 19:57:51 2005: DEBUG: Handling with Radius::AuthSIMOPERATOR:
> Mon Jul 11 19:57:51 2005: DEBUG: Handling with EAP: code 2, 3, 52
> Mon Jul 11 19:57:51 2005: DEBUG: Response type 18
> Mon Jul 11 19:57:51 2005: WARNING: EAP SIM Notification: 16384, EAP SIM could not decode SIM attributes (at SIM Start)
> Mon Jul 11 19:57:51 2005: DEBUG: EAP result: 2, EAP SIM Notification Fail 16384 in version 0: EAP SIM could not decode SIM attributes (at SIM Start)
> Mon Jul 11 19:57:51 2005: DEBUG: AuthBy SIMOPERATOR result: IGNORE, EAP SIM Notification Fail 16384 in version 0: EAP SIM could not decode SIM attributes (at SIM Start)
> [...]
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
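
The length check described in the reply above, as an added example (not Radiator or Xsupplicant code): a small Python parser for the type / word-count / value attribute layout, run over the EAP-Message bytes transcribed from the second Access-Request in the quoted dump. The function names and the `FIXED` packet are assumptions made for illustration.

```python
import struct

AT_IDENTITY = 14  # attribute type shown as <14> in the dump

# EAP-Message bytes transcribed from the second Access-Request in the dump.
EAP_MESSAGE = (
    bytes([2, 3, 0, 52, 18, 10, 0, 0])   # EAP code, id, length 52, type 18, subtype 10
    + bytes([7, 5, 0, 0]) + b"oM\xa7\xd2/\x83^\xed\xac\xb9\xf7\x17~\xec\xf0\xbf"
    + bytes([14, 4, 0, 15]) + b"262015920055409\x00"   # the malformed attribute
    + bytes([16, 1, 0, 1])
)

def parse_attributes(data):
    """Walk the attributes; the second octet is the total length in 4-byte words."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError(f"truncated attribute header at offset {off}")
        atype, words = data[off], data[off + 1]
        size = words * 4
        if words == 0 or off + size > len(data):
            raise ValueError(f"attribute {atype}: {words} words overruns the packet")
        body = data[off + 2:off + size]
        if atype == AT_IDENTITY:
            # Two-byte actual identity length, then the identity, zero-padded.
            (id_len,) = struct.unpack("!H", body[:2])
            if id_len > len(body) - 2:
                needed = (4 + id_len + 3) // 4
                raise ValueError(f"AT_IDENTITY: {id_len} identity bytes need "
                                 f"{needed} words, header claims {words}")
            body = body[2:2 + id_len]
        attrs.append((atype, body))
        off += size
    return attrs

def decode_error(eap_message):
    """Return the parse error for an EAP-SIM message, or None if it decodes."""
    try:
        parse_attributes(eap_message[8:])   # skip the 8-byte EAP/SIM header
        return None
    except ValueError as exc:
        return str(exc)

# Constructed: the same packet with the word count at offset 29 corrected to 5.
FIXED = EAP_MESSAGE[:29] + bytes([5]) + EAP_MESSAGE[30:]

if __name__ == "__main__":
    print("as sent:  ", decode_error(EAP_MESSAGE))
    print("corrected:", parse_attributes(FIXED[8:]))
```

With the word count left at 4, a parser that skipped the inner length check would resume at the identity's trailing `409<0>` and read it as the next attribute header, so the decode fails either way.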