[RADIATOR] Help with EAP-SIM simulator for evaluation

Effi Rand effi at comability.com
Mon Jan 10 09:34:46 CST 2011


Hi,

I need some help with the configuration of Radiator as a MAP-GATEWAY with a RADIUS interface. I'm not that experienced with this product, and it's important for me to evaluate this feature since the expiry date is due in 2 weeks.

I was able to test EAP-SIM with the SSGN simulator using the "odyssey" wireless client (after we cached some triplets to a local file).
However, when I try to test it with the MAP-GATEWAY simulator (same client), I fail to get the access-accept message.

Radius.cfg:

# radius.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# a simple system. You can then add and change features.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration as required.
#
# This example will authenticate from a standard users file in
# DbDir/users and log accounting to LogDir/detail.
#
# It will accept requests from any client and try to handle request
# for any realm.
#
# You should consider this file to be a starting point only
# $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $

#Foreground
LicenseMaxRequests 1000
LicenseExpires 2011-01-23
LicenseOwner comability.com
LicenseKey 17345414cac159c421d6ca1dcf1498a9
AuthPort 1645,1812,1647
AcctPort 1646,1813,1648
DictionaryFile  /etc/radiator/dictionary, /tmp/Modules/Radius-EAP-SIM/dictionary.sim
LogDir          /var/log/radius
DbDir           /etc/radiator
Trace           5
<Client DEFAULT>
        Secret  cisco
        DupInterval 0
</Client>
<Realm DEFAULT>
        <AuthBy SIMOPERATOR>
                # The name or address of the example MAP gateway(s) that will server this instance
                # Radius requests are sent to this gateway requesting triplets etc.
                Host localhost
                AuthPort 1647
                Secret cisco
                EAPType SIM
                NumTriplets 2
#               TestClient
                # $_[0] is a pointer to this AuthSIM
                # $_[1] is a pointer to the current EAP context structure for this user
                # $_[2] is a pointer to the last request from the client ->{rp} is the repl
                #  packet that will be sent back
                #AuthorisedHook sub {print "here in AuthorisedHook @_\n";}
                UseTMSI
                 SaveTMSIQuery replace SIMTMSI (IMSI, TMSI) values (%0, %1)
                GetTMSIQuery select IMSI from SIMTMSI where TMSI = %0
                UseReauthentication
                UseResultInd
                ReauthenticationRealm @xyz.com
                SaveReauthQuery replace SIMUSER (IMSI, REAUTH_ID, COUNTER, MK, K_AUT, K_ENCR, VERSION) values (%1, %0, %2, %3, %4, %5, %6)
                UpdateReauthQuery update SIMUSER set  REAUTH_ID=%0, COUNTER=%2, NONCE_S=%3, NEXT_REAUTH_ID=%4 where IMSI=%1
                # Example of how to use UpdateReauthQuery with bind variables for improved performance:
#               UpdateReauthQuery update SIMUSER set  REAUTH_ID=?, COUNTER=?, NONCE_S=?, NEXT_REAUTH_ID=? where IMSI=?
#               UpdateReauthQueryParam %0
#               UpdateReauthQueryParam %2
#               UpdateReauthQueryParam %3
#               UpdateReauthQueryParam %4
#               UpdateReauthQueryParam %1

                GetReauthQuery select IMSI, REAUTH_ID, NONCE_S, COUNTER, MK, K_AUT, K_ENCR, NEXT_REAUTH_ID, VERSION from SIMUSER where REAUTH_ID = %0
                DeleteReauthQuery update SIMUSER set  REAUTH_ID=NULL, COUNTER=NULL, NONCE_S=NULL, NEXT_REAUTH_ID=NULL where REAUTH_ID=%0
        <AuthBy MAP>
                TripletsFile /tmp/Modules/Radius-EAP-SIM/goodies/triplets.dat
                Pin 0000
        </AuthBy>
</Realm>

Debug:

Mon Jan 10 17:12:48 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Mon Jan 10 17:12:48 2011: DEBUG:  Deleting session for fred, 10.22.11.200, 35
Mon Jan 10 17:12:48 2011: DEBUG: Handling with Radius::AuthSIMOPERATOR:
Mon Jan 10 17:12:48 2011: DEBUG: Handling with EAP: code 2, 1, 56, 18
Mon Jan 10 17:12:48 2011: DEBUG: Response type 18
Mon Jan 10 17:12:48 2011: DEBUG: EAP result: 3, EAP SIM/Start
Mon Jan 10 17:12:48 2011: DEBUG: AuthBy SIMOPERATOR result: CHALLENGE, EAP SIM/Start
Mon Jan 10 17:12:48 2011: DEBUG: Access challenged for fred: EAP SIM/Start
Mon Jan 10 17:12:48 2011: DEBUG: Packet dump:
*** Sending to 10.22.11.200 port 2048 ....

Packet length = 60
0b 00 00 3c f6 a8 13 d8 4d a9 c5 92 9a 8f 28 cc
b6 0c 1c 38 4f 16 01 02 00 14 12 0a 00 00 0a 01
00 00 0f 02 00 04 00 01 00 00 50 12 48 36 fe a7
15 64 ca 2e fa 98 a8 45 34 30 dc cf
Code:       Access-Challenge
Identifier: 0
Authentic:  <246><168><19><216>M<169><197><146><154><143>(<204><182><12><28>8
Attributes:
        EAP-Message = <1><2><0><20><18><10><0><0><10><1><0><0><15><2><0><4><0><1><0><0>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Mon Jan 10 17:12:48 2011: DEBUG: Packet dump:
*** Received from 10.22.11.200 port 2048 ....

Packet length = 164
01 00 00 a4 e1 d4 c6 21 9d d2 02 7f 4c 4b b6 1f
d1 f5 c8 cb 01 06 66 72 65 64 04 06 0a 16 0b c8
1e 0e 30 32 31 64 37 65 34 62 30 37 35 62 1f 0e
30 30 32 32 66 61 35 66 62 65 34 32 20 0e 30 32
31 64 37 65 34 62 30 37 35 62 05 06 00 00 00 23
0c 06 00 00 05 78 3d 06 00 00 00 13 4f 36 02 02
00 34 12 0a 00 00 0e 05 00 10 31 33 31 30 34 31
30 33 31 38 31 39 37 32 38 34 07 05 00 00 7f 24
f7 da 63 fe 06 ef 69 93 4d 99 75 5a d2 bb 10 01
00 01 50 12 ee 72 e5 8a 3b ba 10 8c 34 db 2e b0
02 3f f5 41
Code:       Access-Request
Identifier: 0
Authentic:  <225><212><198>!<157><210><2><127>LK<182><31><209><245><200><203>
Attributes:
        User-Name = "fred"
        NAS-IP-Address = 10.22.11.200
        Called-Station-Id = "021d7e4b075b"
        Calling-Station-Id = "0022fa5fbe42"
        NAS-Identifier = "021d7e4b075b"
        NAS-Port = 35
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        EAP-Message = <2><2><0>4<18><10><0><0><14><5><0><16>1310410318197284<7><5><0><0><127>$<247><218>c<254><6><239>i<147>M<153>uZ<210><187><16><1><0><1>
        Message-Authenticator = <238>r<229><138>;<186><16><140>4<219>.<176><2>?<245>A

Mon Jan 10 17:12:48 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Mon Jan 10 17:12:48 2011: DEBUG:  Deleting session for fred, 10.22.11.200, 35
Mon Jan 10 17:12:48 2011: DEBUG: Handling with Radius::AuthSIMOPERATOR:
Mon Jan 10 17:12:48 2011: DEBUG: Handling with EAP: code 2, 2, 52, 18
Mon Jan 10 17:12:48 2011: DEBUG: Response type 18
Mon Jan 10 17:12:48 2011: DEBUG: Handling with Radius::AuthRADIUS
Mon Jan 10 17:12:48 2011: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1647 ....

Packet length = 69
01 02 00 45 94 87 82 0e 81 90 fd 7e dd e0 f5 e8
19 f2 55 5f 1a 17 00 00 23 58 65 11 33 31 30 34
31 30 33 31 38 31 39 37 32 38 34 1a 0c 00 00 23
58 64 06 00 00 00 02 1a 0e 00 00 23 58 69 08 4d
59 53 47 53 4e
Code:       Access-Request
Identifier: 2
Authentic:  <148><135><130><14><129><144><253>~<221><224><245><232><25><242>U_
Attributes:
        GSM-IMSI = "310410318197284"
        GSM-NumTriplets = 2
        GSM-SGSN = "MYSGSN"

Mon Jan 10 17:12:48 2011: DEBUG: EAP result: 2, Waiting for SIM triplets
Mon Jan 10 17:12:48 2011: DEBUG: AuthBy SIMOPERATOR result: IGNORE, Waiting for SIM triplets
Mon Jan 10 17:12:48 2011: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 58185 ....

Packet length = 69
01 02 00 45 94 87 82 0e 81 90 fd 7e dd e0 f5 e8
19 f2 55 5f 1a 17 00 00 23 58 65 11 33 31 30 34
31 30 33 31 38 31 39 37 32 38 34 1a 0c 00 00 23
58 64 06 00 00 00 02 1a 0e 00 00 23 58 69 08 4d
59 53 47 53 4e
Code:       Access-Request
Identifier: 2
Authentic:  <148><135><130><14><129><144><253>~<221><224><245><232><25><242>U_
Attributes:
        GSM-IMSI = "310410318197284"
        GSM-NumTriplets = 2
        GSM-SGSN = "MYSGSN"

Mon Jan 10 17:12:48 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Mon Jan 10 17:12:48 2011: DEBUG:  Deleting session for , 127.0.0.1,
Mon Jan 10 17:12:48 2011: DEBUG: Handling with Radius::AuthSIMOPERATOR:
Mon Jan 10 17:12:48 2011: ERR: findUser not defined for Radius::AuthSIMOPERATOR
Mon Jan 10 17:12:48 2011: DEBUG: Radius::AuthSIMOPERATOR looks for match with  []
Mon Jan 10 17:12:48 2011: DEBUG: Radius::AuthSIMOPERATOR REJECT: No such user:  []
Mon Jan 10 17:12:48 2011: ERR: findUser not defined for Radius::AuthSIMOPERATOR
Mon Jan 10 17:12:48 2011: DEBUG: AuthBy SIMOPERATOR result: REJECT, No such user
Mon Jan 10 17:12:48 2011: INFO: Access rejected for : No such user
Mon Jan 10 17:12:48 2011: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 58185 ....

Packet length = 36
03 02 00 24 13 31 92 49 6f bf b4 ba a1 8a 73 e4
11 17 7d 10 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 2
Authentic:  <19>1<146>Io<191><180><186><161><138>s<228><17><23>}<16>
Attributes:
        Reply-Message = "Request Denied"

Mon Jan 10 17:12:48 2011: DEBUG: Received reply in AuthRADIUS for req 2 from 127.0.0.1:1647
Mon Jan 10 17:12:48 2011: ERR: access denied by HLR
Mon Jan 10 17:12:48 2011: INFO: Access rejected for fred: access denied by HLR
Mon Jan 10 17:12:48 2011: DEBUG: Packet dump:
*** Sending to 10.22.11.200 port 2048 ....

Packet length = 36
03 00 00 24 c4 f6 b2 81 cd bc 81 a1 9f 43 2e 32
82 cb 8c e2 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 0
Authentic:  <196><246><178><129><205><188><129><161><159>C.2<130><203><140><226>
Attributes:
        Reply-Message = "Request Denied"



Another thing: in the README file, you mention that there is also a cisco-ipt simulator under Radius-EAP-SIM/goodies/ciscomap.cfg

There is no file like that.


Another question: so far I've failed to test the iPhone EAP-SIM client against the EAP-SIM simulator. Any idea what can be done?


Thanks

Efi





Efi Rand
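
Added example, not part of the original post and not Radiator code: a Python sketch that pulls the packet dumps out of a Trace 5 log, decodes the RADIUS header and vendor-specific attributes, and reports any request the server sent and then received back byte for byte, as the two identical 69-byte dumps for 127.0.0.1 port 1647 in the debug output above show. The function names are assumptions of this example; vendor number 9048 and subtypes 101, 100 and 105 are read directly from the dumped bytes.

```python
import re
import struct

# Hex copied from the Trace 5 output in the post; both dumps there carry the same bytes.
PKT = """01 02 00 45 94 87 82 0e 81 90 fd 7e dd e0 f5 e8
19 f2 55 5f 1a 17 00 00 23 58 65 11 33 31 30 34
31 30 33 31 38 31 39 37 32 38 34 1a 0c 00 00 23
58 64 06 00 00 00 02 1a 0e 00 00 23 58 69 08 4d
59 53 47 53 4e
"""
TRACE = ("*** Sending to 127.0.0.1 port 1647 ....\n\nPacket length = 69\n" + PKT +
         "*** Received from 127.0.0.1 port 58185 ....\n\nPacket length = 69\n" + PKT)
HEADER = re.compile(r"\*\*\* (Sending to|Received from) (\S+) port (\d+)")
HEXLINE = re.compile(r"(?:[0-9a-f]{2} ?)+")

def read_dumps(trace):
    """Return (direction, host, port, raw bytes) for every packet dump in the trace."""
    dumps = []
    for line in trace.splitlines():
        m = HEADER.match(line)
        if m:
            dumps.append((m.group(1), m.group(2), int(m.group(3)), bytearray()))
        elif dumps and HEXLINE.fullmatch(line.strip()):
            dumps[-1][3].extend(bytes.fromhex(line))
    return dumps

def parse(raw):
    """Decode code, identifier and attributes; a VSA is keyed by (vendor, subtype)."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if len(raw) < 20 or length != len(raw):
        raise ValueError("length field does not match the dump")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2 or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = raw[pos], raw[pos + 1]
        value = bytes(raw[pos + 2:pos + alen])
        if atype == 26 and len(value) >= 6:  # Vendor-Specific: vendor id, subtype, sublen
            vendor = struct.unpack("!I", value[:4])[0]
            attrs.append(((vendor, value[4]), value[6:4 + value[5]]))
        else:
            attrs.append((atype, value))
        pos += alen
    return code, ident, attrs

def find_loops(dumps):
    """Pair each packet this process sent with an identical packet it later received."""
    sent = {bytes(raw): (host, port) for d, host, port, raw in dumps if d == "Sending to"}
    return [(sent[bytes(raw)], (host, port)) for d, host, port, raw in dumps
            if d == "Received from" and bytes(raw) in sent]
```

Running `find_loops(read_dumps(open("logfile").read()))` over a full trace lists every destination whose traffic arrives back at the logging process itself.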
