[RADIATOR] EAP-SIM Authentication Issue

Mike McCauley mikem at open.com.au
Thu Jun 24 15:23:30 CDT 2010


Hello,

On Thursday 24 June 2010 11:55:12 pm Rajesh Thota wrote:
> Hello All,
>
> I am in the process of evaluating Radiator.  The 2 main features I would be
> needing are EAP-SIM and EAP-PEAP.
>
> I have been working on modifying the EAP-SIM.pm file.  I have just modified
> the sim_request_triplets subroutine to pull the GSM triplets using a HTTP
> GET request to a server.  The HTTP Server talks to the MAP gateway passing
> the IMSI.  For the time being I have hard-coded the IMSI onto the URL.
> The IMSI on the URL and in the request is the same.  I am passing the RAND, SRES &
> Kc from this routine as shown in the sample code (comment).

That looks OK, although I see you are passing the same triplet back 3 times.

The last message indicates the client found a problem with the triplets sent
to it. Suggest you look at the client side logs to determine why it did not
like the triplets. Maybe related to the above point?

Or maybe, through some error, the triplets are not for the IMSI you are
requesting.

Cheers.

>
> Any help is appreciated on this front.
>
> Thanks & Regards
>
> Rajesh
>
> ---------------------------------------------------------------------------
>
> sub sim_request_triplets
> {
>     my ($self, $context, $p, $n) = @_;
>
>     my $ua1 = LWP::UserAgent->new;
>     $ua1->agent("AgentName/0.1 " . $ua1->agent);
>
>     # Create a request (IMSI hard-coded on the URL for now)
>     my $req = HTTP::Request->new(GET => 'http://192.168.1.127:8080/cgi-bin/hlr_hex_cgi?TRANS_ID=102&IMSI=405803190032618');
>     $req->content_type('application/x-www-form-urlencoded');
>     $req->content('match=www&errors=0');
>
>     # Pass request to the user agent and get a response back
>     my $res = $ua1->request($req);
>
>     # Check the outcome of the response; with no body there are no triplets
>     unless ($res->is_success) {
>         $self->log($main::LOG_ERR, "HLR gateway request failed: " . $res->status_line);
>         return;
>     }
>     my $webOut = $res->content;
>
>     # Split the KEY=value lines; RAND, SRES and KC are lines 7, 8 and 9
>     my @row = split(/\n/, $webOut);
>
>     my ($rand_key, $myRand) = split(/=/, $row[6]);
>     my ($sres_key, $mySres) = split(/=/, $row[7]);
>     my ($kc_key,   $myKc)   = split(/=/, $row[8]);
>
>     $self->log($main::LOG_DEBUG, "$myRand | $mySres | $myKc ...................");
>
>     # Return the same triplet three times as (Kc, SRES, RAND)
>     return (
>             pack('H*', $myKc), pack('H*', $mySres), pack('H*', $myRand),
>             pack('H*', $myKc), pack('H*', $mySres), pack('H*', $myRand),
>             pack('H*', $myKc), pack('H*', $mySres), pack('H*', $myRand),
>             );
> }
>
> ---------------------------------------------------------------------------
>
> The Radius LOG file prints the following:
>
> *** Received from 192.168.1.152 port 2049 ....
> Code:       Access-Request
> Identifier: 9
> Authentic:  <145>BZ<135><209><1>Qi<214><11>r<248>e<174><141><224>
> Attributes:
>         User-Name = "1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org"
>         NAS-IP-Address = 192.168.1.152
>         NAS-Identifier = "Wireless LAN Access Point"
>         NAS-Port = 0
>         Called-Station-Id = "00-80-48-67-43-25:SIM-Test"
>         Calling-Station-Id = "00-24-7D-4A-52-87"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>         EAP-Message = <2><0><0>8<1>
> 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org
>         Message-Authenticator = <212>I<163>k?gNAGu<5><228><7><200>"<197>
>
> Thu Jun 24 19:02:13 2010: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Thu Jun 24 19:02:13 2010: DEBUG:  Deleting session for
> 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org, 192.168.1.152, 0
> Thu Jun 24 19:02:13 2010: DEBUG: Handling with Radius::AuthSIM:
> Thu Jun 24 19:02:13 2010: DEBUG: Handling with EAP: code 2, 0, 56, 1
> Thu Jun 24 19:02:13 2010: DEBUG: Response type 1
> Thu Jun 24 19:02:13 2010: DEBUG: EAP result: 3, EAP SIM/Start
> Thu Jun 24 19:02:13 2010: DEBUG: AuthBy SIM result: CHALLENGE, EAP SIM/Start
> Thu Jun 24 19:02:13 2010: DEBUG: Access challenged for
> 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org: EAP SIM/Start
> Thu Jun 24 19:02:13 2010: DEBUG: Packet dump:
> *** Sending to 192.168.1.152 port 2049 ....
> Code:       Access-Challenge
> Identifier: 9
> Authentic:  <179><251><218><160><134><176><0><241>m'<240><216><136><188>kF
> Attributes:
>         EAP-Message = <1><1><0><16><18><10><0><0><15><2><0><4><0><0><0><1>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu Jun 24 19:02:13 2010: DEBUG: Packet dump:
> *** Received from 192.168.1.152 port 2049 ....
> Code:       Access-Request
> Identifier: 10
> Authentic:
>  <205><19><175><222><132><4>#<7><128><206><241><232><144><169><205>2
> Attributes:
>         User-Name = "1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org"
>         NAS-IP-Address = 192.168.1.152
>         NAS-Identifier = "Wireless LAN Access Point"
>         NAS-Port = 0
>         Called-Station-Id = "00-80-48-67-43-25:SIM-Test"
>         Calling-Station-Id = "00-24-7D-4A-52-87"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>         EAP-Message = <2><1><0> <18><10><0><0><7><5><0><0><4><171><176><171><217>[$<216><231><10><135>|<181><172><167><245><16><1><0><1>
>         Message-Authenticator = i<26>=/<243><153>,<192><215><237>~<157><240><163><S
>
> Thu Jun 24 19:02:13 2010: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Thu Jun 24 19:02:13 2010: DEBUG:  Deleting session for
> 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org, 192.168.1.152, 0
> Thu Jun 24 19:02:13 2010: DEBUG: Handling with Radius::AuthSIM:
> Thu Jun 24 19:02:13 2010: DEBUG: Handling with EAP: code 2, 1, 32, 18
> Thu Jun 24 19:02:13 2010: DEBUG: Response type 18
> Thu Jun 24 19:02:13 2010: DEBUG: ..........................
>  2c191a3d8f1a2fd2553ff272433f142 | c56c879a | 2098f32fbf3e86b1
> ...................
> Thu Jun 24 19:02:13 2010: DEBUG: EAP result: 3, EAP SIM/Challenge
> Thu Jun 24 19:02:13 2010: DEBUG: AuthBy SIM result: CHALLENGE, EAP
> SIM/Challenge
> Thu Jun 24 19:02:13 2010: DEBUG: Access challenged for
> 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org: EAP SIM/Challenge
> Thu Jun 24 19:02:13 2010: DEBUG: Packet dump:
> *** Sending to 192.168.1.152 port 2049 ....
> Code:       Access-Challenge
> Identifier: 10
> Authentic:  g<141><12><241>Bt<201>zf<202>lG<216>W<166>}
> Attributes:
>         EAP-Message = <1><2><0>P<18><11><0><0><1><13><0><0>,<25><26>=<143><26>/<210>U?<242>rC?<20> ,<25><26>=<143><26>/<210>U?<242>rC?<20> ,<25><26>=<143><26>/<210>U?<242>rC?<20> <11><5><0><0><234><197>L'<152><227><237><153><164>^<200><152>P<239><10>h
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu Jun 24 19:02:17 2010: DEBUG: Packet dump:
> *** Received from 192.168.1.152 port 2049 ....
> Code:       Access-Request
> Identifier: 11
> Authentic:  <238>H<203><145><189><211><135>g<230><145><233><234>R<170>+5
> Attributes:
>         User-Name = "1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org"
>         NAS-IP-Address = 192.168.1.152
>         NAS-Identifier = "Wireless LAN Access Point"
>         NAS-Port = 0
>         Called-Station-Id = "00-80-48-67-43-25:SIM-Test"
>         Calling-Station-Id = "00-24-7D-4A-52-87"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>         EAP-Message = <2><2><0><12><18><14><0><0><22><1><0><0>
>         Message-Authenticator =
> <164>.n<14><227><19>szL<200><175><193><221><21>#'
>
> Thu Jun 24 19:02:17 2010: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Thu Jun 24 19:02:17 2010: DEBUG:  Deleting session for
> 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org, 192.168.1.152, 0
> Thu Jun 24 19:02:17 2010: DEBUG: Handling with Radius::AuthSIM:
> Thu Jun 24 19:02:17 2010: DEBUG: Handling with EAP: code 2, 2, 12, 18
> Thu Jun 24 19:02:17 2010: DEBUG: Response type 18
> Thu Jun 24 19:02:17 2010: WARNING: EAP SIM Client Error code 0: Unable to
> Process
> Thu Jun 24 19:02:17 2010: DEBUG: EAP result: 1, EAP SIM Client Error
> Thu Jun 24 19:02:17 2010: DEBUG: AuthBy SIM result: REJECT, EAP SIM Client
> Error
> Thu Jun 24 19:02:17 2010: INFO: Access rejected for
> 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org: EAP SIM Client Error
> Thu Jun 24 19:02:17 2010: DEBUG: Packet dump:
> *** Sending to 192.168.1.152 port 2049 ....
> Code:       Access-Reject
> Identifier: 11
> Authentic:
>  #<145><185><187><185>y<216><180><140><26>B<217><176><210><146><224>
> Attributes:
>         EAP-Message = <4><2><0><4>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Reply-Message = "Request Denied"
>
> ---------------------------------------------------------------------------
>
> The CGI program I am invoking returns the following
>
> TRANS_ID=102
> PRIM_ID=56242
> IMSI=405803190032618
> RESPONSE_CODE=0
> VECTOR_COUNT=1
> VECTOR_TYPE=2G
> RAND=c2de1c1ec4d73dc1e6ece5ce624e85
> SRES=84566be
> KC=bb2a2c1388718b99
> ;
>
>
> ---------------------------------------------------------------------------
>
>
> Wondering what is going wrong?  Any help is much appreciated.



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
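A defensive version of the triplet fetch, added here as an example; it is not Radiator's code and not the code from the thread. It reads the gateway's KEY=value output by key name instead of line position and checks that each value is hex of the length GSM A3/A8 produces (RAND 128 bits = 32 hex digits, SRES 32 bits = 8, Kc 64 bits = 16) before packing it. The RAND in the quoted debug line has 31 hex digits and the one in the quoted CGI output has 30, with a 7-digit SRES; pack('H*') pads an odd-length string rather than failing, so the peer would be challenged with a RAND the HLR never issued, which is one way to end up with the Client-Error seen in the log. Two further checks belong with it: RFC 4186 requires the two or three RANDs in AT_RAND to be different, so a gateway returning VECTOR_COUNT=1 has to be queried for more vectors rather than having one triplet repeated, and the IMSI should come from the request rather than the URL. Assumptions: the gateway URL and key names are the ones quoted in the thread, the (Kc, SRES, RAND) return order follows the quoted code, the logging callback stands in for Radiator's $self->log, and the sample body is a constructed copy of the quoted CGI output.

```perl
#!/usr/bin/perl
# Added example (not Radiator's code, not the code from the thread): fetch a
# GSM triplet from the HLR gateway quoted above and refuse to hand EAP-SIM
# anything that is not a well-formed RAND/SRES/Kc.
use strict;
use warnings;
use LWP::UserAgent;
use URI::Escape qw(uri_escape);

# GSM A3/A8 output sizes in hex digits: RAND 128 bits, SRES 32 bits, Kc 64 bits.
my %EXPECT_HEX = (RAND => 32, SRES => 8, KC => 16);

# Parse the gateway's "KEY=value" lines into a hash keyed by upper-cased name.
# Lines without '=' (such as the trailing ';') are ignored.
sub parse_gateway_body {
    my ($body) = @_;
    my %kv;
    for my $line (split /\r?\n/, $body) {
        next unless $line =~ /^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$/;
        $kv{uc $1} = $2;
    }
    return \%kv;
}

# Return a reason string if the parsed response is unusable, undef if it is fine.
sub triplet_error {
    my ($kv) = @_;
    return 'RESPONSE_CODE is not 0'
        unless defined $kv->{RESPONSE_CODE} && $kv->{RESPONSE_CODE} eq '0';
    for my $field (qw(RAND SRES KC)) {
        my $v = $kv->{$field};
        return "$field missing"    unless defined $v && length $v;
        return "$field is not hex" unless $v =~ /^[0-9a-fA-F]+$/;
        # pack('H*') would pad an odd-length value instead of failing, so the
        # length is checked here rather than trusting the packed byte count.
        return sprintf('%s has %d hex digits, expected %d',
                       $field, length $v, $EXPECT_HEX{$field})
            if length($v) != $EXPECT_HEX{$field};
    }
    return undef;
}

# Turn a validated response into (Kc, SRES, RAND) binary strings, the per-triplet
# order used by the quoted sim_request_triplets.  Returns an empty list on any
# problem so the caller fails closed instead of sending a malformed triplet.
sub triplet_from_body {
    my ($body, $log) = @_;
    my $kv = parse_gateway_body($body);
    if (my $err = triplet_error($kv)) {
        $log->("HLR gateway returned an unusable triplet: $err");
        return;
    }
    return map { pack('H*', $kv->{$_}) } qw(KC SRES RAND);
}

# Fetch one triplet for the IMSI taken from the request (URL-escaped, not
# hard-coded).  The URL is the one quoted in the thread (assumed reachable);
# $log is a callback standing in for Radiator's $self->log.
sub fetch_triplet {
    my ($imsi, $log) = @_;
    return () unless $imsi =~ /^\d{1,15}$/;    # an IMSI is at most 15 digits
    my $ua  = LWP::UserAgent->new(timeout => 5);
    my $res = $ua->get('http://192.168.1.127:8080/cgi-bin/hlr_hex_cgi?TRANS_ID=102&IMSI='
                       . uri_escape($imsi));
    unless ($res->is_success) {
        $log->('HLR gateway request failed: ' . $res->status_line);
        return;
    }
    return triplet_from_body($res->decoded_content, $log);
}

# Stand-alone demonstration: first the CGI output quoted in the thread (a
# constructed copy), then the same body with RAND and SRES zero-padded to full
# length purely to exercise the accept path (constructed; the real values are unknown).
my $quoted_body = <<'END';
TRANS_ID=102
PRIM_ID=56242
IMSI=405803190032618
RESPONSE_CODE=0
VECTOR_COUNT=1
VECTOR_TYPE=2G
RAND=c2de1c1ec4d73dc1e6ece5ce624e85
SRES=84566be
KC=bb2a2c1388718b99
;
END
my $log = sub { print "LOG: $_[0]\n" };

my @bad = triplet_from_body($quoted_body, $log);
print "quoted body yields ", scalar(@bad), " values (expected 0)\n";

(my $fixed_body = $quoted_body) =~ s/^RAND=.*$/RAND=00c2de1c1ec4d73dc1e6ece5ce624e85/m;
$fixed_body =~ s/^SRES=.*$/SRES=084566be/m;
my @ok = triplet_from_body($fixed_body, $log);
printf "padded body yields Kc %d bytes, SRES %d bytes, RAND %d bytes\n",
       map { length } @ok;
```

Inside a Radiator hook, fetch_triplet would be called once per required triplet with the IMSI parsed out of User-Name, and the hook would return nothing at all if any call came back empty, so the supplicant is rejected cleanly rather than being challenged with a RAND it cannot match.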

