[RADIATOR] EAP-SIM Authentication Issue
Hugh Irvine
hugh at open.com.au
Fri Jun 25 04:09:48 CDT 2010
Hello Rajesh -
Mike is away until next week.
regards
Hugh
On 25 Jun 2010, at 18:20, Rajesh Thota wrote:
> Hi Mike,
>
> Appreciate your quick response. I modified the code to pull 3 triplets from the HTTP server and pass them like this. I also modified the radius.cfg (NumTriplets 3).
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> use LWP::UserAgent;
> use HTTP::Request;
>
> sub sim_request_triplets
> {
>     my ($self, $context, $p, $n) = @_;
>
>     my $ua = new LWP::UserAgent;
>     $ua->agent("AgentName/0.1 " . $ua->agent);
>
>     # Create a request
>     my $req = new HTTP::Request GET => 'http://192.168.1.127:8080/cgi-bin/hlr_hex_cgi?TRANS_ID=102&IMSI=405803190032618';
>     $req->content_type('application/x-www-form-urlencoded');
>     $req->content('match=www&errors=0');
>
>     # Pass request to the user agent and get a response back
>     my $res = $ua->request($req);
>     my $webOut;
>
>     # Check the outcome of the response
>     if ($res->is_success) {
>         $webOut = $res->content;
>     } else {
>         print "Bad luck this time\n";
>     }
>     my $row;
>     @$row = split( /\n/, $webOut);
>
>     my $ua1 = new LWP::UserAgent;
>     $ua1->agent("AgentName/0.1 " . $ua1->agent);
>
>     # Create a request
>     my $req1 = new HTTP::Request GET => 'http://192.168.1.127:8080/cgi-bin/hlr_hex_cgi?TRANS_ID=103&IMSI=405803190032618';
>     $req1->content_type('application/x-www-form-urlencoded');
>     $req1->content('match=www&errors=0');
>
>     # Pass request to the user agent and get a response back
>     my $res1 = $ua1->request($req1);
>     my $webOut1;
>
>     # Check the outcome of the response
>     if ($res1->is_success) {
>         $webOut1 = $res1->content;
>     } else {
>         print "Bad luck this time\n";
>     }
>     my $row1;
>     @$row1 = split( /\n/, $webOut1);
>
>     my $ua2 = new LWP::UserAgent;
>     $ua2->agent("AgentName/0.1 " . $ua2->agent);
>
>     # Create a request
>     my $req2 = new HTTP::Request GET => 'http://192.168.1.127:8080/cgi-bin/hlr_hex_cgi?TRANS_ID=104&IMSI=405803190032618';
>     $req2->content_type('application/x-www-form-urlencoded');
>     $req2->content('match=www&errors=0');
>
>     # Pass request to the user agent and get a response back
>     # (the third request goes through $ua2, not $ua1)
>     my $res2 = $ua2->request($req2);
>     my $webOut2;
>
>     # Check the outcome of the response
>     if ($res2->is_success) {
>         $webOut2 = $res2->content;
>     } else {
>         print "Bad luck this time\n";
>     }
>     my $row2;
>     @$row2 = split( /\n/, $webOut2);
>
>     my $myARand;
>     my $myARand1;
>     my $myARand2;
>     my $myASres;
>     my $myASres1;
>     my $myASres2;
>     my $myAKc;
>     my $myAKc1;
>     my $myAKc2;
>
>     # $row->[6], [7] and [8] are the RAND=, SRES= and KC= lines of the CGI output
>     @$myARand = split(/\=/, $row->[6]);
>     @$myASres = split(/\=/, $row->[7]);
>     @$myAKc   = split(/\=/, $row->[8]);
>
>     @$myARand1 = split(/\=/, $row1->[6]);
>     @$myASres1 = split(/\=/, $row1->[7]);
>     @$myAKc1   = split(/\=/, $row1->[8]);
>
>     @$myARand2 = split(/\=/, $row2->[6]);
>     @$myASres2 = split(/\=/, $row2->[7]);
>     @$myAKc2   = split(/\=/, $row2->[8]);
>
>     # The hex value is what follows the '='
>     my $myKc   = $myAKc->[1];
>     my $mySres = $myASres->[1];
>     my $myRand = $myARand->[1];
>
>     my $myKc1   = $myAKc1->[1];
>     my $mySres1 = $myASres1->[1];
>     my $myRand1 = $myARand1->[1];
>
>     my $myKc2   = $myAKc2->[1];
>     my $mySres2 = $myASres2->[1];
>     my $myRand2 = $myARand2->[1];
>
>     $self->log($main::LOG_DEBUG, ".......................... $myRand | $mySres | $myKc ...................");
>     $self->log($main::LOG_DEBUG, ".......................... $myRand1 | $mySres1 | $myKc1 ...................");
>     $self->log($main::LOG_DEBUG, ".......................... $myRand2 | $mySres2 | $myKc2 ...................");
>
>     # Three distinct triplets, each as (Kc, SRES, RAND) in binary
>     return (
>         pack('H*', $myKc),  pack('H*', $mySres),  pack('H*', $myRand),
>         pack('H*', $myKc1), pack('H*', $mySres1), pack('H*', $myRand1),
>         pack('H*', $myKc2), pack('H*', $mySres2), pack('H*', $myRand2),
>     );
> }
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> The client still seems to send the same ERROR. The IMSI which I am passing to the CGI is the same one I am testing with. I have just removed the leading '1' and anything after the @ in the identity attribute of the EAP message. Somehow it is not going into the SIM_CHALLENGE sub. Any help would be much appreciated.
>
> Thanks
>
> Rajesh.
>
>
>
>
> On Fri, Jun 25, 2010 at 1:53 AM, Mike McCauley <mikem at open.com.au> wrote:
> Hello,
>
> On Thursday 24 June 2010 11:55:12 pm Rajesh Thota wrote:
> > Hello All,
> >
> > I am in the process of evaluating Radiator. The 2 main features I need are
> > EAP-SIM and EAP-PEAP.
> >
> > I have been working on modifying the EAP-SIM.pm file. I have just modified
> > the sim_request_triplets subroutine to pull the GSM triplets using an HTTP
> > GET request to a server. The HTTP server talks to the MAP gateway, passing
> > the IMSI. For the time being I have hard-coded the IMSI into the URL.
> > The IMSI in the URL and in the request are the same. I am passing the RAND, SRES &
> > Kc from this routine as shown in the sample code (comment).
>
> That looks OK, although I see you are passing the same triplet back 3 times.
>
> The last message indicates the client found a problem with the triplets sent
> to it. Suggest you look at the client side logs to determine why it did not
> like the triplets. May be related to the above point?
>
> Or maybe, through some error, the triplets are not for the IMSI you are
> requesting.
>
> Cheers.
>
> >
> > Any help is appreciated on this front.
> >
> > Thanks & Regards
> >
> > Rajesh
> >
> > ---------------------------------------------------------------------------
> >
> > use LWP::UserAgent;
> > use HTTP::Request;
> >
> > sub sim_request_triplets
> > {
> >     my ($self, $context, $p, $n) = @_;
> >
> >     my $ua1 = new LWP::UserAgent;
> >     $ua1->agent("AgentName/0.1 " . $ua1->agent);
> >
> >     # Create a request
> >     my $req = new HTTP::Request GET => 'http://192.168.1.127:8080/cgi-bin/hlr_hex_cgi?TRANS_ID=102&IMSI=405803190032618';
> >     $req->content_type('application/x-www-form-urlencoded');
> >     $req->content('match=www&errors=0');
> >
> >     # Pass request to the user agent and get a response back
> >     my $res = $ua1->request($req);
> >     my $webOut;
> >
> >     # Check the outcome of the response
> >     if ($res->is_success) {
> >         $webOut = $res->content;
> >     } else {
> >         print "Bad luck this time\n";
> >     }
> >
> >     my $row;
> >     @$row = split( /\n/, $webOut);
> >
> >     my $myARand;
> >     my $myASres;
> >     my $myAKc;
> >
> >     # $row->[6], [7] and [8] are the RAND=, SRES= and KC= lines of the CGI output
> >     @$myARand = split(/\=/, $row->[6]);
> >     @$myASres = split(/\=/, $row->[7]);
> >     @$myAKc   = split(/\=/, $row->[8]);
> >
> >     # The hex value is what follows the '='
> >     my $myKc   = $myAKc->[1];
> >     my $mySres = $myASres->[1];
> >     my $myRand = $myARand->[1];
> >
> >     $self->log($main::LOG_DEBUG, "$myRand | $mySres | $myKc ...................");
> >
> >     # The one triplet fetched is returned three times, as (Kc, SRES, RAND) in binary
> >     return (
> >         pack('H*', $myKc), pack('H*', $mySres), pack('H*', $myRand),
> >         pack('H*', $myKc), pack('H*', $mySres), pack('H*', $myRand),
> >         pack('H*', $myKc), pack('H*', $mySres), pack('H*', $myRand),
> >     );
> > }
> >
> > ---------------------------------------------------------------------------
> >
> > The Radius LOG file prints the following :
> >
> > *** Received from 192.168.1.152 port 2049 ....
> > Code: Access-Request
> > Identifier: 9
> > Authentic: <145>BZ<135><209><1>Qi<214><11>r<248>e<174><141><224>
> > Attributes:
> > User-Name = "1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org"
> > NAS-IP-Address = 192.168.1.152
> > NAS-Identifier = "Wireless LAN Access Point"
> > NAS-Port = 0
> > Called-Station-Id = "00-80-48-67-43-25:SIM-Test"
> > Calling-Station-Id = "00-24-7D-4A-52-87"
> > Framed-MTU = 1400
> > NAS-Port-Type = Wireless-IEEE-802-11
> > Connect-Info = "CONNECT 11Mbps 802.11b"
> > EAP-Message = <2><0><0>8<1>
> > 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org
> > Message-Authenticator = <212>I<163>k?gNAGu<5><228><7><200>"<197>
> >
> > Thu Jun 24 19:02:13 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Thu Jun 24 19:02:13 2010: DEBUG: Deleting session for 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org, 192.168.1.152, 0
> > Thu Jun 24 19:02:13 2010: DEBUG: Handling with Radius::AuthSIM:
> > Thu Jun 24 19:02:13 2010: DEBUG: Handling with EAP: code 2, 0, 56, 1
> > Thu Jun 24 19:02:13 2010: DEBUG: Response type 1
> > Thu Jun 24 19:02:13 2010: DEBUG: EAP result: 3, EAP SIM/Start
> > Thu Jun 24 19:02:13 2010: DEBUG: AuthBy SIM result: CHALLENGE, EAP SIM/Start
> > Thu Jun 24 19:02:13 2010: DEBUG: Access challenged for 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org: EAP SIM/Start
> > Thu Jun 24 19:02:13 2010: DEBUG: Packet dump:
> > *** Sending to 192.168.1.152 port 2049 ....
> > Code: Access-Challenge
> > Identifier: 9
> > Authentic: <179><251><218><160><134><176><0><241>m'<240><216><136><188>kF
> > Attributes:
> > EAP-Message = <1><1><0><16><18><10><0><0><15><2><0><4><0><0><0><1>
> > Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Thu Jun 24 19:02:13 2010: DEBUG: Packet dump:
> > *** Received from 192.168.1.152 port 2049 ....
> > Code: Access-Request
> > Identifier: 10
> > Authentic: <205><19><175><222><132><4>#<7><128><206><241><232><144><169><205>2
> > Attributes:
> > User-Name = "1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org"
> > NAS-IP-Address = 192.168.1.152
> > NAS-Identifier = "Wireless LAN Access Point"
> > NAS-Port = 0
> > Called-Station-Id = "00-80-48-67-43-25:SIM-Test"
> > Calling-Station-Id = "00-24-7D-4A-52-87"
> > Framed-MTU = 1400
> > NAS-Port-Type = Wireless-IEEE-802-11
> > Connect-Info = "CONNECT 11Mbps 802.11b"
> > EAP-Message = <2><1><0> <18><10><0><0><7><5><0><0><4><171><176><171><217>[$<216><231><10><135>|<181><172><167><245><16><1><0><1>
> > Message-Authenticator = i<26>=/<243><153>,<192><215><237>~<157><240><163><S
> >
> > Thu Jun 24 19:02:13 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Thu Jun 24 19:02:13 2010: DEBUG: Deleting session for 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org, 192.168.1.152, 0
> > Thu Jun 24 19:02:13 2010: DEBUG: Handling with Radius::AuthSIM:
> > Thu Jun 24 19:02:13 2010: DEBUG: Handling with EAP: code 2, 1, 32, 18
> > Thu Jun 24 19:02:13 2010: DEBUG: Response type 18
> > Thu Jun 24 19:02:13 2010: DEBUG: .......................... 2c191a3d8f1a2fd2553ff272433f142 | c56c879a | 2098f32fbf3e86b1 ...................
> > Thu Jun 24 19:02:13 2010: DEBUG: EAP result: 3, EAP SIM/Challenge
> > Thu Jun 24 19:02:13 2010: DEBUG: AuthBy SIM result: CHALLENGE, EAP SIM/Challenge
> > Thu Jun 24 19:02:13 2010: DEBUG: Access challenged for 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org: EAP SIM/Challenge
> > Thu Jun 24 19:02:13 2010: DEBUG: Packet dump:
> > *** Sending to 192.168.1.152 port 2049 ....
> > Code: Access-Challenge
> > Identifier: 10
> > Authentic: g<141><12><241>Bt<201>zf<202>lG<216>W<166>}
> > Attributes:
> > EAP-Message = <1><2><0>P<18><11><0><0><1><13><0><0>,<25><26>=<143><26>/<210>U?<242>rC?<20> ,<25><26>=<143><26>/<210>U?<242>rC?<20> ,<25><26>=<143><26>/<210>U?<242>rC?<20> <11><5><0><0><234><197>L'<152><227><237><153><164>^<200><152>P<239><10>h
> > Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Thu Jun 24 19:02:17 2010: DEBUG: Packet dump:
> > *** Received from 192.168.1.152 port 2049 ....
> > Code: Access-Request
> > Identifier: 11
> > Authentic: <238>H<203><145><189><211><135>g<230><145><233><234>R<170>+5
> > Attributes:
> > User-Name = "1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org"
> > NAS-IP-Address = 192.168.1.152
> > NAS-Identifier = "Wireless LAN Access Point"
> > NAS-Port = 0
> > Called-Station-Id = "00-80-48-67-43-25:SIM-Test"
> > Calling-Station-Id = "00-24-7D-4A-52-87"
> > Framed-MTU = 1400
> > NAS-Port-Type = Wireless-IEEE-802-11
> > Connect-Info = "CONNECT 11Mbps 802.11b"
> > EAP-Message = <2><2><0><12><18><14><0><0><22><1><0><0>
> > Message-Authenticator = <164>.n<14><227><19>szL<200><175><193><221><21>#'
> >
> > Thu Jun 24 19:02:17 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Thu Jun 24 19:02:17 2010: DEBUG: Deleting session for 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org, 192.168.1.152, 0
> > Thu Jun 24 19:02:17 2010: DEBUG: Handling with Radius::AuthSIM:
> > Thu Jun 24 19:02:17 2010: DEBUG: Handling with EAP: code 2, 2, 12, 18
> > Thu Jun 24 19:02:17 2010: DEBUG: Response type 18
> > Thu Jun 24 19:02:17 2010: WARNING: EAP SIM Client Error code 0: Unable to Process
> > Thu Jun 24 19:02:17 2010: DEBUG: EAP result: 1, EAP SIM Client Error
> > Thu Jun 24 19:02:17 2010: DEBUG: AuthBy SIM result: REJECT, EAP SIM Client Error
> > Thu Jun 24 19:02:17 2010: INFO: Access rejected for 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org: EAP SIM Client Error
> > Thu Jun 24 19:02:17 2010: DEBUG: Packet dump:
> > *** Sending to 192.168.1.152 port 2049 ....
> > Code: Access-Reject
> > Identifier: 11
> > Authentic: #<145><185><187><185>y<216><180><140><26>B<217><176><210><146><224>
> > Attributes:
> > EAP-Message = <4><2><0><4>
> > Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > Reply-Message = "Request Denied"
> >
> > ---------------------------------------------------------------------------
> >
> > The CGI program I am invoking returns the following
> >
> > TRANS_ID=102
> > PRIM_ID=56242
> > IMSI=405803190032618
> > RESPONSE_CODE=0
> > VECTOR_COUNT=1
> > VECTOR_TYPE=2G
> > RAND=c2de1c1ec4d73dc1e6ece5ce624e85
> > SRES=84566be
> > KC=bb2a2c1388718b99
> > ;
> >
> >
> > ---------------------------------------------------------------------------
> >
> >
> > Wondering what is going wrong? Any help is much appreciated.
>
>
>
> --
> Mike McCauley mikem at open.com.au
> Open System Consultants Pty. Ltd
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
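Added example, not Radiator's code and not the code posted in the thread: a stand-alone Perl version of the parse-and-pack step that reads the CGI's KEY=value output by field name, checks RESPONSE_CODE, the IMSI echoed back and the hex length of RAND, SRES and KC before calling pack('H*'), which otherwise accepts an odd-length hex string and silently zero-pads the last nibble. The function names, the sample vector and the IMSI are made up; the (Kc, SRES, RAND) return order is the one the posted sim_request_triplets uses.

```perl
use strict;
use warnings;
# Byte lengths of a GSM (2G) triplet: RAND 128 bits, SRES 32 bits, Kc 64 bits.
my %LEN = (RAND => 16, SRES => 4, KC => 8);

# Parse one hlr_hex_cgi-style response body into a hash of KEY => value.
# Fields are found by name, not by line position as in the posted code,
# so an extra or reordered line cannot shift RAND/SRES/KC.
sub parse_vector {
    my ($body) = @_;
    my %kv;
    for my $line (split /\r?\n/, $body) {
        $kv{$1} = $2 if $line =~ /^\s*([A-Z_]+)=(.*?)\s*$/;
    }
    return \%kv;
}

# Check the vector and return (Kc, SRES, RAND) as packed binary, the order
# the posted sim_request_triplets returns. Dies on anything malformed so the
# hook can log and reject instead of handing the peer what pack 'H*' makes
# of an odd-length hex string (it silently zero-pads the last nibble).
sub vector_to_triplet {
    my ($kv, $want_imsi) = @_;
    my $rc = $kv->{RESPONSE_CODE} // 'missing';
    die "HLR returned RESPONSE_CODE=$rc\n" if $rc ne '0';
    my $imsi = $kv->{IMSI} // 'missing';
    die "vector is for IMSI $imsi, wanted $want_imsi\n"
        if defined $want_imsi && $imsi ne $want_imsi;
    for my $k (qw(RAND SRES KC)) {
        my $hex = $kv->{$k} // die "missing $k\n";
        my $n = 2 * $LEN{$k};
        die sprintf("%s: expected %d hex digits, got %d ('%s')\n", $k, $n, length $hex, $hex)
            unless $hex =~ /^[0-9a-fA-F]{$n}$/;
    }
    return map { pack('H*', $kv->{$_}) } qw(KC SRES RAND);
}
# Constructed sample in the CGI's format; values are made up, not from a real HLR.
my $sample = join "\n", 'TRANS_ID=102', 'PRIM_ID=1', 'IMSI=405800000000001',
    'RESPONSE_CODE=0', 'VECTOR_COUNT=1', 'VECTOR_TYPE=2G',
    'RAND=0c2de1c1ec4d73dc1e6ece5ce624e85a', 'SRES=084566be',
    'KC=bb2a2c1388718b99', ';';
my ($kc, $sres, $rand) = vector_to_triplet(parse_vector($sample), '405800000000001');
printf "Kc=%d SRES=%d RAND=%d bytes\n", length $kc, length $sres, length $rand;

# A 31-digit RAND (one dropped leading zero) is rejected rather than padded.
my $bad = parse_vector($sample);
$bad->{RAND} = substr $bad->{RAND}, 1;
eval { vector_to_triplet($bad) };
print "rejected: $@";
```

Inside a Radiator hook the die message would go to $self->log and the sub would return an empty list so the AuthBy rejects; the `//` operator needs Perl 5.10 or later.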