[RADIATOR] EAP-SIM Authentication Issue

Mike McCauley mikem at open.com.au
Tue Jun 29 02:42:23 CDT 2010


Hello,

Thanks for the update.
Please let us know if we can help further.

Cheers.

On Tuesday 29 June 2010 05:28:26 pm Rajesh Thota wrote:
> Mike/Hugh,
>
> Appreciate your help on this. I got it working. The problem was with the
> RAND attribute. Fixed the CGI which is delivering the Kc & RAND.
>
> Thanks.
>
> Rajesh.
>
> On Fri, Jun 25, 2010 at 1:53 AM, Mike McCauley <mikem at open.com.au> wrote:
> > Hello,
> >
> > On Thursday 24 June 2010 11:55:12 pm Rajesh Thota wrote:
> > > Hello All,
> > >
> > > I am in the process of evaluating Radiator. The 2 main features I would be
> > > needing are EAP-SIM and EAP-PEAP.
> > >
> > > I have been working on modifying the EAP-SIM.pm file. I have just modified
> > > the sim_request_triplets subroutine to pull the GSM triplets using an
> > > HTTP GET request to a server. The HTTP server talks to the MAP gateway,
> > > passing the IMSI. For the time being I have hard-coded the IMSI onto the
> > > URL. The IMSI on the URL and in the request is the same. I am passing the
> > > RAND, SRES & Kc from this routine as shown in the sample code (comment).
> >
> > That looks OK, although I see you are passing the same triplet back 3
> > times.
> >
> > The last message indicates the client found a problem with the triplets
> > sent to it. Suggest you look at the client side logs to determine why it
> > did not like the triplets. May be related to the above point?
> >
> > Or maybe, through some error, the triplets are not for the IMSI you are
> > requesting.
> >
> > Cheers.
> >
> > > Any help is appreciated on this front.
> > >
> > > Thanks & Regards
> > >
> > > Rajesh
> >
> > > ------------------------------------------------------------------------------
> > >
> > > use LWP::UserAgent;
> > > use HTTP::Request;
> > >
> > > sub sim_request_triplets
> > > {
> > >     my ($self, $context, $p, $n) = @_;
> > >
> > >     my $ua1 = LWP::UserAgent->new;
> > >     $ua1->agent("AgentName/0.1 " . $ua1->agent);
> > >
> > >     # Create a request (the IMSI is hard-coded in the URL for now)
> > >     my $req = HTTP::Request->new(GET => 'http://192.168.1.127:8080/cgi-bin/hlr_hex_cgi?TRANS_ID=102&IMSI=405803190032618');
> > >     $req->content_type('application/x-www-form-urlencoded');
> > >     $req->content('match=www&errors=0');
> > >
> > >     # Pass request to the user agent and get a response back
> > >     my $res = $ua1->request($req);
> > >     my $webOut;
> > >
> > >     # Check the outcome of the response; without a body there are no triplets
> > >     if ($res->is_success) {
> > >         $webOut = $res->content;
> > >     } else {
> > >         $self->log($main::LOG_ERR, "HLR CGI request failed: " . $res->status_line);
> > >         return;
> > >     }
> > >
> > >     # The CGI answers one KEY=VALUE pair per line; RAND, SRES and KC are
> > >     # the 7th, 8th and 9th lines (see the sample CGI output below)
> > >     my @row = split(/\n/, $webOut);
> > >
> > >     my @myARand = split(/=/, $row[6]);
> > >     my @myASres = split(/=/, $row[7]);
> > >     my @myAKc   = split(/=/, $row[8]);
> > >
> > >     my $myKc   = $myAKc[1];
> > >     my $mySres = $myASres[1];
> > >     my $myRand = $myARand[1];
> > >
> > >     $self->log($main::LOG_DEBUG, "$myRand | $mySres | $myKc ...................");
> > >
> > >     # Convert the hex strings to binary; the same triplet is returned three times
> > >     return (
> > >         pack('H*', $myKc), pack('H*', $mySres), pack('H*', $myRand),
> > >         pack('H*', $myKc), pack('H*', $mySres), pack('H*', $myRand),
> > >         pack('H*', $myKc), pack('H*', $mySres), pack('H*', $myRand),
> > >     );
> > > }
> >
> > > ------------------------------------------------------------------------------
> > >
> > > The Radius LOG file prints the following:
> > >
> > > *** Received from 192.168.1.152 port 2049 ....
> > > Code:       Access-Request
> > > Identifier: 9
> > > Authentic:  <145>BZ<135><209><1>Qi<214><11>r<248>e<174><141><224>
> > > Attributes:
> > >         User-Name = "1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org"
> > >         NAS-IP-Address = 192.168.1.152
> > >         NAS-Identifier = "Wireless LAN Access Point"
> > >         NAS-Port = 0
> > >         Called-Station-Id = "00-80-48-67-43-25:SIM-Test"
> > >         Calling-Station-Id = "00-24-7D-4A-52-87"
> > >         Framed-MTU = 1400
> > >         NAS-Port-Type = Wireless-IEEE-802-11
> > >         Connect-Info = "CONNECT 11Mbps 802.11b"
> > >         EAP-Message = <2><0><0>8<1>1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org
> > >         Message-Authenticator = <212>I<163>k?gNAGu<5><228><7><200>"<197>
> > >
> > > Thu Jun 24 19:02:13 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > > Thu Jun 24 19:02:13 2010: DEBUG:  Deleting session for 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org, 192.168.1.152, 0
> > > Thu Jun 24 19:02:13 2010: DEBUG: Handling with Radius::AuthSIM:
> > > Thu Jun 24 19:02:13 2010: DEBUG: Handling with EAP: code 2, 0, 56, 1
> > > Thu Jun 24 19:02:13 2010: DEBUG: Response type 1
> > > Thu Jun 24 19:02:13 2010: DEBUG: EAP result: 3, EAP SIM/Start
> > > Thu Jun 24 19:02:13 2010: DEBUG: AuthBy SIM result: CHALLENGE, EAP SIM/Start
> > > Thu Jun 24 19:02:13 2010: DEBUG: Access challenged for 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org: EAP SIM/Start
> > > Thu Jun 24 19:02:13 2010: DEBUG: Packet dump:
> > > *** Sending to 192.168.1.152 port 2049 ....
> > > Code:       Access-Challenge
> > > Identifier: 9
> > > Authentic:  <179><251><218><160><134><176><0><241>m'<240><216><136><188>kF
> > > Attributes:
> > >         EAP-Message = <1><1><0><16><18><10><0><0><15><2><0><4><0><0><0><1>
> > >         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > >
> > > Thu Jun 24 19:02:13 2010: DEBUG: Packet dump:
> > > *** Received from 192.168.1.152 port 2049 ....
> > > Code:       Access-Request
> > > Identifier: 10
> > > Authentic:  <205><19><175><222><132><4>#<7><128><206><241><232><144><169><205>2
> > > Attributes:
> > >         User-Name = "1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org"
> > >         NAS-IP-Address = 192.168.1.152
> > >         NAS-Identifier = "Wireless LAN Access Point"
> > >         NAS-Port = 0
> > >         Called-Station-Id = "00-80-48-67-43-25:SIM-Test"
> > >         Calling-Station-Id = "00-24-7D-4A-52-87"
> > >         Framed-MTU = 1400
> > >         NAS-Port-Type = Wireless-IEEE-802-11
> > >         Connect-Info = "CONNECT 11Mbps 802.11b"
> > >         EAP-Message = <2><1><0> <18><10><0><0><7><5><0><0><4><171><176><171><217>[$<216><231><10><135>|<181><172><167><245><16><1><0><1>
> > >         Message-Authenticator = i<26>=/<243><153>,<192><215><237>~<157><240><163><S
> > >
> > > Thu Jun 24 19:02:13 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > > Thu Jun 24 19:02:13 2010: DEBUG:  Deleting session for 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org, 192.168.1.152, 0
> > > Thu Jun 24 19:02:13 2010: DEBUG: Handling with Radius::AuthSIM:
> > > Thu Jun 24 19:02:13 2010: DEBUG: Handling with EAP: code 2, 1, 32, 18
> > > Thu Jun 24 19:02:13 2010: DEBUG: Response type 18
> > > Thu Jun 24 19:02:13 2010: DEBUG: .......................... 2c191a3d8f1a2fd2553ff272433f142 | c56c879a | 2098f32fbf3e86b1 ...................
> > > Thu Jun 24 19:02:13 2010: DEBUG: EAP result: 3, EAP SIM/Challenge
> > > Thu Jun 24 19:02:13 2010: DEBUG: AuthBy SIM result: CHALLENGE, EAP SIM/Challenge
> > > Thu Jun 24 19:02:13 2010: DEBUG: Access challenged for 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org: EAP SIM/Challenge
> > > Thu Jun 24 19:02:13 2010: DEBUG: Packet dump:
> > > *** Sending to 192.168.1.152 port 2049 ....
> > > Code:       Access-Challenge
> > > Identifier: 10
> > > Authentic:  g<141><12><241>Bt<201>zf<202>lG<216>W<166>}
> > > Attributes:
> > >         EAP-Message = <1><2><0>P<18><11><0><0><1><13><0><0>,<25><26>=<143><26>/<210>U?<242>rC?<20> ,<25><26>=<143><26>/<210>U?<242>rC?<20> ,<25><26>=<143><26>/<210>U?<242>rC?<20> <11><5><0><0><234><197>L'<152><227><237><153><164>^<200><152>P<239><10>h
> > >         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > >
> > > Thu Jun 24 19:02:17 2010: DEBUG: Packet dump:
> > > *** Received from 192.168.1.152 port 2049 ....
> > > Code:       Access-Request
> > > Identifier: 11
> > > Authentic:  <238>H<203><145><189><211><135>g<230><145><233><234>R<170>+5
> > > Attributes:
> > >         User-Name = "1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org"
> > >         NAS-IP-Address = 192.168.1.152
> > >         NAS-Identifier = "Wireless LAN Access Point"
> > >         NAS-Port = 0
> > >         Called-Station-Id = "00-80-48-67-43-25:SIM-Test"
> > >         Calling-Station-Id = "00-24-7D-4A-52-87"
> > >         Framed-MTU = 1400
> > >         NAS-Port-Type = Wireless-IEEE-802-11
> > >         Connect-Info = "CONNECT 11Mbps 802.11b"
> > >         EAP-Message = <2><2><0><12><18><14><0><0><22><1><0><0>
> > >         Message-Authenticator = <164>.n<14><227><19>szL<200><175><193><221><21>#'
> > >
> > > Thu Jun 24 19:02:17 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > > Thu Jun 24 19:02:17 2010: DEBUG:  Deleting session for 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org, 192.168.1.152, 0
> > > Thu Jun 24 19:02:17 2010: DEBUG: Handling with Radius::AuthSIM:
> > > Thu Jun 24 19:02:17 2010: DEBUG: Handling with EAP: code 2, 2, 12, 18
> > > Thu Jun 24 19:02:17 2010: DEBUG: Response type 18
> > > Thu Jun 24 19:02:17 2010: WARNING: EAP SIM Client Error code 0: Unable to Process
> > > Thu Jun 24 19:02:17 2010: DEBUG: EAP result: 1, EAP SIM Client Error
> > > Thu Jun 24 19:02:17 2010: DEBUG: AuthBy SIM result: REJECT, EAP SIM Client Error
> > > Thu Jun 24 19:02:17 2010: INFO: Access rejected for 1405803190032618 at wlan.mnc080.mcc405.3gppnetwork.org: EAP SIM Client Error
> > > Thu Jun 24 19:02:17 2010: DEBUG: Packet dump:
> > > *** Sending to 192.168.1.152 port 2049 ....
> > > Code:       Access-Reject
> > > Identifier: 11
> > > Authentic:  #<145><185><187><185>y<216><180><140><26>B<217><176><210><146><224>
> > > Attributes:
> > >         EAP-Message = <4><2><0><4>
> > >         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > >         Reply-Message = "Request Denied"
> >
> > -------------------------------------------------------------------------
> >--
> >
> > >------------------------------------------------------------------------
> > >---- ----------------------
> > >
> > > The CGI program I am invoking returns the following
> > >
> > > TRANS_ID=102
> > > PRIM_ID=56242
> > > IMSI=405803190032618
> > > RESPONSE_CODE=0
> > > VECTOR_COUNT=1
> > > VECTOR_TYPE=2G
> > > RAND=c2de1c1ec4d73dc1e6ece5ce624e85
> > > SRES=84566be
> > > KC=bb2a2c1388718b99
> > > ;
> >
> > -------------------------------------------------------------------------
> >--
> >
> > >------------------------------------------------------------------------
> > >---- ----------------------
> > >
> > >
> > > Wondering What is going Wrong ?  Any help is much appreciated.
> >



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
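The thread's failure traces back to triplet values of the wrong length reaching pack('H*'), which pads rather than complains. Added example, not code from the thread or from Radiator: a Python parser for the KEY=VALUE format the CGI returns that enforces the EAP-SIM triplet lengths (RAND 16 bytes, SRES 4, Kc 8) before conversion, plus a helper reproducing why Perl's pack('H*') turns the 31-digit RAND seen in the log into a silently wrong 16-byte value. THREAD_CGI_OUTPUT is the CGI output quoted in the thread; the function names are my own.

```python
import re

# Byte lengths of a GSM triplet as carried in EAP-SIM: RAND 16, SRES 4, Kc 8
TRIPLET_LENGTHS = (("RAND", 16), ("SRES", 4), ("KC", 8))

# The CGI output quoted in the thread: RAND has 30 hex digits, SRES has 7
THREAD_CGI_OUTPUT = """TRANS_ID=102
PRIM_ID=56242
IMSI=405803190032618
RESPONSE_CODE=0
VECTOR_COUNT=1
VECTOR_TYPE=2G
RAND=c2de1c1ec4d73dc1e6ece5ce624e85
SRES=84566be
KC=bb2a2c1388718b99
;
"""

def perl_pack_hex(hexstr):
    """Mimic Perl's pack('H*'): an odd-length string gets a trailing zero nibble,
    so the 31-digit RAND in the thread's log packs to 16 bytes ending in 0x20."""
    if len(hexstr) % 2:
        hexstr += "0"
    return bytes.fromhex(hexstr)

def parse_cgi_response(text):
    """Parse KEY=VALUE lines into a dict; the ';' terminator and blanks are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields

def extract_triplet(text):
    """Return (rand, sres, kc) as bytes or raise ValueError: RESPONSE_CODE must be 0
    and each field must be exactly the right number of hex digits and not all zeros."""
    f = parse_cgi_response(text)
    if f.get("RESPONSE_CODE") != "0":
        raise ValueError("HLR returned RESPONSE_CODE=%r" % f.get("RESPONSE_CODE"))
    out = []
    for name, nbytes in TRIPLET_LENGTHS:
        val = f.get(name, "")
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % (2 * nbytes), val):
            raise ValueError("%s must be %d hex digits, got %d" % (name, 2 * nbytes, len(val)))
        raw = bytes.fromhex(val)
        if raw == bytes(nbytes):
            raise ValueError("%s is all zeros" % name)
        out.append(raw)
    return tuple(out)
```

Running extract_triplet over THREAD_CGI_OUTPUT rejects it at the RAND check, which is the point at which a length-checked hook would have logged the real cause instead of sending a padded RAND to the client.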

