[RADIATOR] EAP-SIM Authentication Issue

Hugh Irvine hugh at open.com.au
Fri Jun 25 04:09:48 CDT 2010


Hello Rajesh -

Mike is away until next week.

regards

Hugh


On 25 Jun 2010, at 18:20, Rajesh Thota wrote:

> Hi Mike,
> 
> Appreciate your quick response.  I modified the code to pull 3 triplets from the HTTP server and pass it like this.  I also modified the radius.cfg (NumTriplets 3).
> 
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 
> sub sim_request_triplets
> {   
>     my ($self, $context, $p, $n) = @_;
>     
>     my $ua = new LWP::UserAgent;
>     $ua->agent("AgentName/0.1 " . $ua->agent);
>     
>     # Create a request
>     my $req = new HTTP::Request GET => 'http://192.168.1.127:8080/cgi-bin/hlr_hex_cgi?TRANS_ID=102&IMSI=405803190032618';
>     $req->content_type('application/x-www-form-urlencoded');
>     $req->content('match=www&errors=0');
> 
>     # Pass request to the user agent and get a response back
>     my $res = $ua->request($req);
>     my $webOut;
> 
>     # Check the outcome of the response
>     if ($res->is_success) {
>         $webOut = $res->content;
>     } else {
>         print "Bad luck this time\n";
>     }
>     my $row;
>     @$row = split( /\n/, $webOut);
> 
>     my $ua1 = new LWP::UserAgent;
>     $ua1->agent("AgentName/0.1 " . $ua1->agent);
> 
>     # Create a request
>     my $req1 = new HTTP::Request GET => 'http://192.168.1.127:8080/cgi-bin/hlr_hex_cgi?TRANS_ID=103&IMSI=405803190032618';
>     $req1->content_type('application/x-www-form-urlencoded');
>     $req1->content('match=www&errors=0');
> 
>     # Pass request to the user agent and get a response back
>     my $res1 = $ua1->request($req1);
>     my $webOut1;
> 
>     # Check the outcome of the response
>     if ($res1->is_success) {
>         $webOut1 = $res1->content;
>     } else {
>         print "Bad luck this time\n";
>     }
>     my $row1;
>     @$row1 = split( /\n/, $webOut1);
> 
>     my $ua2 = new LWP::UserAgent;
>     $ua2->agent("AgentName/0.1 " . $ua2->agent);
> 
>     # Create a request
>     my $req2 = new HTTP::Request GET => 'http://192.168.1.127:8080/cgi-bin/hlr_hex_cgi?TRANS_ID=104&IMSI=405803190032618';
>     $req2->content_type('application/x-www-form-urlencoded');
>     $req2->content('match=www&errors=0');
> 
>     # Pass request to the user agent and get a response back
>     my $res2 = $ua1->request($req2);
>     my $webOut2;
> 
>     # Check the outcome of the response
>     if ($res2->is_success) {
>         $webOut2 = $res2->content;
>     } else {
>         print "Bad luck this time\n";
>     }
>     my $row2;
>     @$row2 = split( /\n/, $webOut2);
> 
>     my $myARand;
>     my $myARand1;
>     my $myARand2;
>     my $myASres;
>     my $myASres1;
>     my $myASres2;
>     my $myAKc;
>     my $myAKc1;
>     my $myAKc2;
> 
>     @$myARand=split(/\=/, @$row[6]);
>     @$myASres=split(/\=/, @$row[7]);
>     @$myAKc=split(/\=/, @$row[8]);
> 
>     @$myARand1=split(/\=/, @$row1[6]);
>     @$myASres1=split(/\=/, @$row1[7]);
>     @$myAKc1=split(/\=/, @$row1[8]);
> 
>     @$myARand2=split(/\=/, @$row2[6]);
>     @$myASres2=split(/\=/, @$row2[7]);
>     @$myAKc2=split(/\=/, @$row2[8]);
> 
>     my $myKc = @$myAKc[1];
>     my $mySres = @$myASres[1];
>     my $myRand = @$myARand[1];
> 
>     my $myKc1 = @$myAKc1[1];
>     my $mySres1 = @$myASres1[1];
>     my $myRand1 = @$myARand1[1];
> 
>     my $myKc2 = @$myAKc2[1];
>     my $mySres2 = @$myASres2[1];
>     my $myRand2 = @$myARand2[1];
> 
>     $self->log($main::LOG_DEBUG, ".......................... $myRand | $mySres | $myKc ...................");
>     $self->log($main::LOG_DEBUG, ".......................... $myRand1 | $mySres1 | $myKc1 ...................");
>     $self->log($main::LOG_DEBUG, ".......................... $myRand2 | $mySres2 | $myKc2 ...................");
> 
>     return (
>             pack('H*', $myKc), pack('H*', $mySres), pack('H*', $myRand),
>             pack('H*', $myKc1), pack('H*', $mySres1), pack('H*', $myRand1),
>             pack('H*', $myKc2), pack('H*', $mySres2), pack('H*', $myRand2),
>             );
> }
> 
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 
> The Client seems to still send the same ERROR.   The IMSI which I am passing to the CGI is the same I am testing with.  I have just removed the leading '1' and anything after @ in the identity attribute of the EAP Message.  Somehow it is not going into SIM_CHALLENGE sub.  Any help would be much appreciated.
> 
> Thanks
> 
> Rajesh.
> 
> 
> 
> 
> On Fri, Jun 25, 2010 at 1:53 AM, Mike McCauley <mikem at open.com.au> wrote:
> HEllo,
> 
> On Thursday 24 June 2010 11:55:12 pm Rajesh Thota wrote:
> > Hello All,
> >
> > I am in the process of evaluating Radiator.  2 Main features I would be
> > needing is EAP-SIM and EAP-PEAP.
> >
> > I have been working on modifying the EAP-SIM.pm  file  I have just modified
> > the sim_request_triplets subroutine to pull the GSM triplets using a HTTP
> > GET request to a server.  The HTTP Server talks to the MAP gateway passing
> > the IMSI.  For the time being I have hard-coded the IMSI onto the URL.
> > The IMSI on the URL and the request is same.  I am passing the RAND, SRES &
> > Kc from this routine as shown in the sample code(comment).
> 
> That looks OK, although I see you are passing the same triplet back 3 times.
> 
> The last message indicates the client found a problem with the triplets sent
> to it. Suggest you look at the client side logs to determine why it did not
> like the triplets. May be related to the above point?
> 
> Or may through some error, the triplets are not for the IMSI you are
> requesting.
> 
> Cheers.
> 
> >
> > Any help is appreciated on this front.
> >
> > Thanks & Regards
> >
> > Rajesh
> >
> > ---------------------------------------------------------------------------
> >----------------------------------------------------------------------------
> >----------------------
> >
> > sub sim_request_triplets
> > {
> >     my ($self, $context, $p, $n) = @_;
> >
> >     my $ua1 = new LWP::UserAgent;
> >     $ua1->agent("AgentName/0.1 " . $ua1->agent);
> >
> >     # Create a request
> >     my $req = new HTTP::Request GET => '
> > http://192.168.1.127:8080/cgi-bin/hlr_hex_cgi?TRANS_ID=102&IMSI=40580319003
> >2618 ';
> >     $req->content_type('application/x-www-form-urlencoded');
> >     $req->content('match=www&errors=0');
> >
> >     # Pass request to the user agent and get a response back
> >     my $res = $ua1->request($req);
> >     my $webOut;
> >
> >     # Check the outcome of the response
> >     if ($res->is_success) {
> >         $webOut = $res->content;
> >     } else {
> >         print "Bad luck this time\n";
> >     }
> >
> >     my $row;
> >     @$row = split( /\n/, $webOut);
> >
> >     my $myARand;
> >     my $myASres;
> >     my $myAKc;
> >
> >     @$myARand=split(/\=/, @$row[6]);
> >     @$myASres=split(/\=/, @$row[7]);
> >     @$myAKc=split(/\=/, @$row[8]);
> >
> >     my $myKc = @$myAKc[1];
> >     my $mySres = @$myASres[1];
> >     my $myRand = @$myARand[1];
> >
> >     $self->log($main::LOG_DEBUG, "$myRand | $mySres | $myKc
> > ...................");
> >
> >     return (
> >             pack('H*', $myKc), pack('H*', $mySres), pack('H*', $myRand),
> >             pack('H*', $myKc), pack('H*', $mySres), pack('H*', $myRand),
> >             pack('H*', $myKc), pack('H*', $mySres), pack('H*', $myRand),
> >             );
> >
> >     return;
> > }
> >
> > ---------------------------------------------------------------------------
> >----------------------------------------------------------------------------
> >----------------------
> >
> > The Radius LOG file prints the following :
> >
> > *** Received from 192.168.1.152 port 2049 ....
> > Code:       Access-Request
> > Identifier: 9
> > Authentic:  <145>BZ<135><209><1>Qi<214><11>r<248>e<174><141><224>
> > Attributes:
> >         User-Name = "1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org"
> >         NAS-IP-Address = 192.168.1.152
> >         NAS-Identifier = "Wireless LAN Access Point"
> >         NAS-Port = 0
> >         Called-Station-Id = "00-80-48-67-43-25:SIM-Test"
> >         Calling-Station-Id = "00-24-7D-4A-52-87"
> >         Framed-MTU = 1400
> >         NAS-Port-Type = Wireless-IEEE-802-11
> >         Connect-Info = "CONNECT 11Mbps 802.11b"
> >         EAP-Message = <2><0><0>8<1>
> > 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org
> >         Message-Authenticator = <212>I<163>k?gNAGu<5><228><7><200>"<197>
> >
> > Thu Jun 24 19:02:13 2010: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Thu Jun 24 19:02:13 2010: DEBUG:  Deleting session for
> > 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org, 192.168.1.152, 0
> > Thu Jun 24 19:02:13 2010: DEBUG: Handling with Radius::AuthSIM:
> > Thu Jun 24 19:02:13 2010: DEBUG: Handling with EAP: code 2, 0, 56, 1
> > Thu Jun 24 19:02:13 2010: DEBUG: Response type 1
> > Thu Jun 24 19:02:13 2010: DEBUG: EAP result: 3, EAP SIM/Start
> > Thu Jun 24 19:02:13 2010: DEBUG: AuthBy SIM result: CHALLENGE, EAP
> > SIM/Start Thu Jun 24 19:02:13 2010: DEBUG: Access challenged for
> > 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org: EAP SIM/Start
> > Thu Jun 24 19:02:13 2010: DEBUG: Packet dump:
> > *** Sending to 192.168.1.152 port 2049 ....
> > Code:       Access-Challenge
> > Identifier: 9
> > Authentic:  <179><251><218><160><134><176><0><241>m'<240><216><136><188>kF
> > Attributes:
> >         EAP-Message = <1><1><0><16><18><10><0><0><15><2><0><4><0><0><0><1>
> >         Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Thu Jun 24 19:02:13 2010: DEBUG: Packet dump:
> > *** Received from 192.168.1.152 port 2049 ....
> > Code:       Access-Request
> > Identifier: 10
> > Authentic:
> >  <205><19><175><222><132><4>#<7><128><206><241><232><144><169><205>2
> > Attributes:
> >         User-Name = "1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org"
> >         NAS-IP-Address = 192.168.1.152
> >         NAS-Identifier = "Wireless LAN Access Point"
> >         NAS-Port = 0
> >         Called-Station-Id = "00-80-48-67-43-25:SIM-Test"
> >         Calling-Station-Id = "00-24-7D-4A-52-87"
> >         Framed-MTU = 1400
> >         NAS-Port-Type = Wireless-IEEE-802-11
> >         Connect-Info = "CONNECT 11Mbps 802.11b"
> >         EAP-Message = <2><1><0>
> > <18><10><0><0><7><5><0><0><4><171><176><171><217>[$<216><231><10><135>|<181
> >><172><167><245><16><1><0><1> Message-Authenticator =
> > i<26>=/<243><153>,<192><215><237>~<157><240><163><S
> >
> > Thu Jun 24 19:02:13 2010: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Thu Jun 24 19:02:13 2010: DEBUG:  Deleting session for
> > 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org, 192.168.1.152, 0
> > Thu Jun 24 19:02:13 2010: DEBUG: Handling with Radius::AuthSIM:
> > Thu Jun 24 19:02:13 2010: DEBUG: Handling with EAP: code 2, 1, 32, 18
> > Thu Jun 24 19:02:13 2010: DEBUG: Response type 18
> > Thu Jun 24 19:02:13 2010: DEBUG: ..........................
> >  2c191a3d8f1a2fd2553ff272433f142 | c56c879a | 2098f32fbf3e86b1
> > ...................
> > Thu Jun 24 19:02:13 2010: DEBUG: EAP result: 3, EAP SIM/Challenge
> > Thu Jun 24 19:02:13 2010: DEBUG: AuthBy SIM result: CHALLENGE, EAP
> > SIM/Challenge
> > Thu Jun 24 19:02:13 2010: DEBUG: Access challenged for
> > 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org: EAP SIM/Challenge
> > Thu Jun 24 19:02:13 2010: DEBUG: Packet dump:
> > *** Sending to 192.168.1.152 port 2049 ....
> > Code:       Access-Challenge
> > Identifier: 10
> > Authentic:  g<141><12><241>Bt<201>zf<202>lG<216>W<166>}
> > Attributes:
> >         EAP-Message =
> > <1><2><0>P<18><11><0><0><1><13><0><0>,<25><26>=<143><26>/<210>U?<242>rC?<20
> >> ,<25><26>=<143><26>/<210>U?<242>rC?<20>
> > ,<25><26>=<143><26>/<210>U?<242>rC?<20>
> > <11><5><0><0><234><197>L'<152><227><237><153><164>^<200><152>P<239><10>h
> >         Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Thu Jun 24 19:02:17 2010: DEBUG: Packet dump:
> > *** Received from 192.168.1.152 port 2049 ....
> > Code:       Access-Request
> > Identifier: 11
> > Authentic:  <238>H<203><145><189><211><135>g<230><145><233><234>R<170>+5
> > Attributes:
> >         User-Name = "1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org"
> >         NAS-IP-Address = 192.168.1.152
> >         NAS-Identifier = "Wireless LAN Access Point"
> >         NAS-Port = 0
> >         Called-Station-Id = "00-80-48-67-43-25:SIM-Test"
> >         Calling-Station-Id = "00-24-7D-4A-52-87"
> >         Framed-MTU = 1400
> >         NAS-Port-Type = Wireless-IEEE-802-11
> >         Connect-Info = "CONNECT 11Mbps 802.11b"
> >         EAP-Message = <2><2><0><12><18><14><0><0><22><1><0><0>
> >         Message-Authenticator =
> > <164>.n<14><227><19>szL<200><175><193><221><21>#'
> >
> > Thu Jun 24 19:02:17 2010: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Thu Jun 24 19:02:17 2010: DEBUG:  Deleting session for
> > 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org, 192.168.1.152, 0
> > Thu Jun 24 19:02:17 2010: DEBUG: Handling with Radius::AuthSIM:
> > Thu Jun 24 19:02:17 2010: DEBUG: Handling with EAP: code 2, 2, 12, 18
> > Thu Jun 24 19:02:17 2010: DEBUG: Response type 18
> > Thu Jun 24 19:02:17 2010: WARNING: EAP SIM Client Error code 0: Unable to
> > Process
> > Thu Jun 24 19:02:17 2010: DEBUG: EAP result: 1, EAP SIM Client Error
> > Thu Jun 24 19:02:17 2010: DEBUG: AuthBy SIM result: REJECT, EAP SIM Client
> > Error
> > Thu Jun 24 19:02:17 2010: INFO: Access rejected for
> > 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org: EAP SIM Client Error
> > Thu Jun 24 19:02:17 2010: DEBUG: Packet dump:
> > *** Sending to 192.168.1.152 port 2049 ....
> > Code:       Access-Reject
> > Identifier: 11
> > Authentic:
> >  #<145><185><187><185>y<216><180><140><26>B<217><176><210><146><224>
> > Attributes:
> >         EAP-Message = <4><2><0><4>
> >         Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >         Reply-Message = "Request Denied"
> >
> > ---------------------------------------------------------------------------
> >----------------------------------------------------------------------------
> >----------------------
> >
> > The CGI program I am invoking returns the following
> >
> > TRANS_ID=102
> > PRIM_ID=56242
> > IMSI=405803190032618
> > RESPONSE_CODE=0
> > VECTOR_COUNT=1
> > VECTOR_TYPE=2G
> > RAND=c2de1c1ec4d73dc1e6ece5ce624e85
> > SRES=84566be
> > KC=bb2a2c1388718b99
> > ;
> >
> >
> > ---------------------------------------------------------------------------
> >----------------------------------------------------------------------------
> >----------------------
> >
> >
> > Wondering What is going Wrong ?  Any help is much appreciated.
> 
> 
> 
> --
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.





More information about the radiator mailing list