[RADIATOR] FW: Help with EAP-SIM simulator for evaluation

Effi Rand effi at comability.com
Wed Jan 12 10:01:46 CST 2011


Hi Heikki,

Thanks,
I have tried it with your remarks (though I had to use the eap_simoperator.cfg as the /etc/radius.cfg, with the map.cfg as a second instance) and it worked.

I still can't get the iPhone EAP-SIM authentication to work even though the MAP output says it's accepted. The log from the main instance says not enough credentials.


Tue Jan 11 17:46:55 2011: DEBUG: Packet dump:
*** Received from 10.22.11.200 port 2048 ....

Packet length = 121
01 00 00 79 c0 41 ff 27 73 09 35 8a 32 3a a9 3b
7c 36 ce b4 01 06 66 72 65 64 04 06 0a 16 0b c8
1e 0e 30 32 31 64 37 65 34 62 30 37 35 62 1f 0e
30 30 31 63 62 33 31 36 36 39 65 38 20 0e 30 32
31 64 37 65 34 62 30 37 35 62 05 06 00 00 00 17
0c 06 00 00 05 78 3d 06 00 00 00 13 4f 0b 02 00
00 09 01 66 72 65 64 50 12 e5 32 c0 96 d0 98 83
0f f8 ad e3 53 e7 63 b6 91
Code:       Access-Request
Identifier: 0
Authentic:  <192>A<255>'s<9>5<138>2:<169>;|6<206><180>
Attributes:
        User-Name = "fred"
        NAS-IP-Address = 10.22.11.200
        Called-Station-Id = "021d7e4b075b"
        Calling-Station-Id = "001cb31669e8"
        NAS-Identifier = "021d7e4b075b"
        NAS-Port = 23
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        EAP-Message = <2><0><0><9><1>fred
        Message-Authenticator = <229>2<192><150><208><152><131><15><248><173><227>S<231>c<182><145>

Tue Jan 11 17:46:55 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Jan 11 17:46:55 2011: DEBUG:  Deleting session for fred, 10.22.11.200, 23
Tue Jan 11 17:46:55 2011: DEBUG: Handling with Radius::AuthSIMOPERATOR:
Tue Jan 11 17:46:55 2011: DEBUG: Handling with EAP: code 2, 0, 9, 1
Tue Jan 11 17:46:55 2011: DEBUG: Response type 1
Tue Jan 11 17:46:55 2011: DEBUG: EAP result: 3, EAP SIM/Start
Tue Jan 11 17:46:55 2011: DEBUG: AuthBy SIMOPERATOR result: CHALLENGE, EAP SIM/Start
Tue Jan 11 17:46:55 2011: DEBUG: Access challenged for fred: EAP SIM/Start
Tue Jan 11 17:46:55 2011: DEBUG: Packet dump:
*** Sending to 10.22.11.200 port 2048 ....

Packet length = 60
0b 00 00 3c fd 4a f2 f4 80 9b fc 31 1f ea 92 86
ef 37 18 21 4f 16 01 01 00 14 12 0a 00 00 0d 01
00 00 0f 02 00 04 00 00 00 01 50 12 71 b5 d9 b7
4e fa ef a6 3d 1f df a1 bb e2 17 1c
Code:       Access-Challenge
Identifier: 0
Authentic:  <253>J<242><244><128><155><252>1<31><234><146><134><239>7<24>!
Attributes:
        EAP-Message = <1><1><0><20><18><10><0><0><13><1><0><0><15><2><0><4><0><0><0><1>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Jan 11 17:46:55 2011: DEBUG: Packet dump:
*** Received from 10.22.11.200 port 2048 ....

Packet length = 200
01 00 00 c8 63 44 c6 15 a9 f4 f7 e8 f7 41 b5 69
94 82 aa cf 01 06 66 72 65 64 04 06 0a 16 0b c8
1e 0e 30 32 31 64 37 65 34 62 30 37 35 62 1f 0e
30 30 31 63 62 33 31 36 36 39 65 38 20 0e 30 32
31 64 37 65 34 62 30 37 35 62 05 06 00 00 00 17
0c 06 00 00 05 78 3d 06 00 00 00 13 4f 5a 02 01
00 58 12 0a 00 00 0e 0e 00 33 31 33 31 30 34 31
30 33 31 38 31 39 37 32 38 34 40 77 6c 61 6e 2e
6d 6e 63 34 31 30 2e 6d 63 63 33 31 30 2e 33 67
70 70 6e 65 74 77 6f 72 6b 2e 6f 72 67 00 10 01
00 01 07 05 00 00 d7 6b 41 17 b6 a0 15 5b d7 af
58 74 f2 52 7a 60 50 12 db 79 f8 56 26 ee 46 67
c9 e7 59 8b ec 5b 06 bc
Code:       Access-Request
Identifier: 0
Authentic:  cD<198><21><169><244><247><232><247>A<181>i<148><130><170><207>
Attributes:
        User-Name = "fred"
        NAS-IP-Address = 10.22.11.200
        Called-Station-Id = "021d7e4b075b"
        Calling-Station-Id = "001cb31669e8"
        NAS-Identifier = "021d7e4b075b"
        NAS-Port = 23
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        EAP-Message = <2><1><0>X<18><10><0><0><14><14><0>31310410318197284 at wlan.mnc410.mcc310.3gppnetwork.org<0><16><1><0><1><7><5><0><0><215>kA<23><182><160><21>[<215><175>Xt<242>Rz`
        Message-Authenticator = <219>y<248>V&<238>Fg<201><231>Y<139><236>[<6><188>

Tue Jan 11 17:46:55 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Jan 11 17:46:55 2011: DEBUG:  Deleting session for fred, 10.22.11.200, 23
Tue Jan 11 17:46:55 2011: DEBUG: Handling with Radius::AuthSIMOPERATOR:
Tue Jan 11 17:46:55 2011: DEBUG: Handling with EAP: code 2, 1, 88, 18
Tue Jan 11 17:46:55 2011: DEBUG: Response type 18
Tue Jan 11 17:46:55 2011: DEBUG: Query is: 'select KC, SRES, RAND from TRIPLET where IMSI=? and AUTH_TIMESTAMP > ?-600 limit ?': 310410318197284 1294760815 2
Tue Jan 11 17:46:55 2011: INFO: Insufficient triplets returned from GetTripletsQuery
Tue Jan 11 17:46:55 2011: DEBUG: Handling with Radius::AuthRADIUS
Tue Jan 11 17:46:55 2011: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1647 ....

Packet length = 69
01 08 00 45 39 22 ec 1a 53 43 e1 ab d1 09 12 fb
9b e1 87 d3 1a 17 00 00 23 58 65 11 33 31 30 34
31 30 33 31 38 31 39 37 32 38 34 1a 0c 00 00 23
58 64 06 00 00 00 02 1a 0e 00 00 23 58 69 08 4d
59 53 47 53 4e
Code:       Access-Request
Identifier: 8
Authentic:  9"<236><26>SC<225><171><209><9><18><251><155><225><135><211>
Attributes:
        GSM-IMSI = "310410318197284"
        GSM-NumTriplets = 2
        GSM-SGSN = "MYSGSN"

Tue Jan 11 17:46:55 2011: DEBUG: EAP result: 2, Waiting for SIM triplets
Tue Jan 11 17:46:55 2011: DEBUG: AuthBy SIMOPERATOR result: IGNORE, Waiting for SIM triplets
Tue Jan 11 17:46:55 2011: DEBUG: Received reply in AuthRADIUS for req 8 from 127.0.0.1:1647
Tue Jan 11 17:46:55 2011: DEBUG: do query is: 'replace SIMTMSI (IMSI, TMSI) values ('310410318197284', '31f9026a1c923cba5')':
Tue Jan 11 17:46:55 2011: DEBUG: do query is: 'replace SIMUSER (IMSI, REAUTH_ID, COUNTER, MK, K_AUT, K_ENCR, VERSION) values ('310410318197284', '2c4eede2e5a481699 at xyz.com', '1', '255e7984e8ad7b59b1b75338c24b8cca96ddf526', 'eb9f3c1f67ea3453fa0540849d0e0285', '50fc6aeddf6f7d77b1d8547ac1d5f6c4', '1')':
Tue Jan 11 17:46:55 2011: DEBUG: Access challenged for fred: EAP SIM/Challenge
Tue Jan 11 17:46:55 2011: DEBUG: Packet dump:
*** Sending to 10.22.11.200 port 2048 ....

Packet length = 196
0b 00 00 c4 86 e6 2b ca 13 ed 88 fa 17 41 e4 86
a9 96 8a f8 4f 9e 01 02 00 9c 12 0b 00 00 01 09
00 00 c8 46 32 71 59 77 7b 7d f6 53 0b fc 3b 89
b0 5f 43 48 a8 ac a8 c5 00 1c 6b 99 fd cc 61 a8
c1 52 81 05 00 00 5c 40 36 c1 53 aa f5 bb e0 64
2b 56 37 18 96 53 82 11 00 00 f9 d9 52 38 d6 00
95 4b 41 ee 44 3f 0c ff 4b fb 8a 2e c2 2b 34 f7
33 12 7a 6a bc bd 20 31 8d 45 fa 04 3d 41 87 1d
37 f9 2f 3d 0d 8d 0a 72 1c ce e0 13 04 2b c6 91
f7 85 d7 51 f6 0f 81 f6 1c 00 87 01 00 00 0b 05
00 00 e3 e7 1a 8f 2a 71 1c 83 c4 b2 0d d0 c1 7b
f4 5b 50 12 d7 c6 47 8e 0f e7 70 16 a5 94 42 93
c4 e7 7a 38
Code:       Access-Challenge
Identifier: 0
Authentic:  <134><230>+<202><19><237><136><250><23>A<228><134><169><150><138><248>
Attributes:
        EAP-Message = <1><2><0><156><18><11><0><0><1><9><0><0><200>F2qYw{}<246>S<11><252>;<137><176>_CH<168><172><168><197><0><28>k<153><253><204>a<168><193>R<129><5><0><0>\@6<193>S<170><245><187><224>d+V7<24><150>S<130><17><0><0><249><217>R8<214><0><149>KA<238>D?<12><255>K<251><138>.<194>+4<247>3<18>zj<188><189> 1<141>E<250><4>=A<135><29>7<249>/=<13><141><10>r<28><206><224><19><4>+<198><145><247><133><215>Q<246><15><129><246><28><0><135><1><0><0><11><5><0><0><227><231><26><143>*q<28><131><196><178><13><208><193>{<244>[
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Jan 11 17:46:56 2011: DEBUG: Packet dump:
*** Received from 10.22.11.200 port 2048 ....

Packet length = 124
01 00 00 7c 86 bb 47 52 73 08 82 cc 31 7e e2 5a
46 77 cd 12 01 06 66 72 65 64 04 06 0a 16 0b c8
1e 0e 30 32 31 64 37 65 34 62 30 37 35 62 1f 0e
30 30 31 63 62 33 31 36 36 39 65 38 20 0e 30 32
31 64 37 65 34 62 30 37 35 62 05 06 00 00 00 17
0c 06 00 00 05 78 3d 06 00 00 00 13 4f 0e 02 02
00 0c 12 0e 00 00 16 01 00 02 50 12 57 c1 17 eb
f8 fc 50 99 a0 52 cf 5c c5 18 fd 62
Code:       Access-Request
Identifier: 0
Authentic:  <134><187>GRs<8><130><204>1~<226>ZFw<205><18>
Attributes:
        User-Name = "fred"
        NAS-IP-Address = 10.22.11.200
        Called-Station-Id = "021d7e4b075b"
        Calling-Station-Id = "001cb31669e8"
        NAS-Identifier = "021d7e4b075b"
        NAS-Port = 23
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        EAP-Message = <2><2><0><12><18><14><0><0><22><1><0><2>
        Message-Authenticator = W<193><23><235><248><252>P<153><160>R<207>\<197><24><253>b

Tue Jan 11 17:46:56 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Jan 11 17:46:56 2011: DEBUG:  Deleting session for fred, 10.22.11.200, 23
Tue Jan 11 17:46:56 2011: DEBUG: Handling with Radius::AuthSIMOPERATOR:
Tue Jan 11 17:46:56 2011: DEBUG: Handling with EAP: code 2, 2, 12, 18
Tue Jan 11 17:46:56 2011: DEBUG: Response type 18
Tue Jan 11 17:46:56 2011: WARNING: EAP SIM Client Error code 2: Insufficient Challenges
Tue Jan 11 17:46:56 2011: DEBUG: EAP result: 1, EAP SIM Client Error
Tue Jan 11 17:46:56 2011: DEBUG: AuthBy SIMOPERATOR result: REJECT, EAP SIM Client Error
Tue Jan 11 17:46:56 2011: INFO: Access rejected for fred: EAP SIM Client Error
Tue Jan 11 17:46:56 2011: DEBUG: Packet dump:
*** Sending to 10.22.11.200 port 2048 ....

Packet length = 60
03 00 00 3c 55 fa fc 9d ad d9 05 f1 ff 5d c8 ef
7b 5a 27 de 4f 06 04 02 00 04 50 12 f7 4f 6c fc
c5 f6 1c fc bf b5 cc 34 54 c4 40 f2 12 10 52 65
71 75 65 73 74 20 44 65 6e 69 65 64
Code:       Access-Reject
Identifier: 0
Authentic:  U<250><252><157><173><217><5><241><255>]<200><239>{Z'<222>
Attributes:
        EAP-Message = <4><2><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Reply-Message = "Request Denied"


____


Log from the map:


Tue Jan 11 17:46:55 2011: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 54000 ....

Packet length = 69
01 08 00 45 39 22 ec 1a 53 43 e1 ab d1 09 12 fb
9b e1 87 d3 1a 17 00 00 23 58 65 11 33 31 30 34
31 30 33 31 38 31 39 37 32 38 34 1a 0c 00 00 23
58 64 06 00 00 00 02 1a 0e 00 00 23 58 69 08 4d
59 53 47 53 4e
Code:       Access-Request
Identifier: 8
Authentic:  9"<236><26>SC<225><171><209><9><18><251><155><225><135><211>
Attributes:
        GSM-IMSI = "310410318197284"
        GSM-NumTriplets = 2
        GSM-SGSN = "MYSGSN"

Tue Jan 11 17:46:55 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Jan 11 17:46:55 2011: DEBUG:  Deleting session for , 127.0.0.1,
Tue Jan 11 17:46:55 2011: DEBUG: Triplet 17c538ff292766d7 3d13fabc c846327159777b7df6530bfc3b89b05f
Tue Jan 11 17:46:55 2011: DEBUG: Triplet 5b12dcc62c04603c 3f8c045d 4348a8aca8c5001c6b99fdcc61a8c152
Tue Jan 11 17:46:55 2011: DEBUG: AuthBy MAP result: ACCEPT,
Tue Jan 11 17:46:55 2011: DEBUG: Access accepted for
Tue Jan 11 17:46:55 2011: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 54000 ....

Packet length = 92
02 08 00 5c d8 02 51 08 04 2e 74 aa f1 ec d6 8d
3e 1a b5 ae 1a 24 00 00 23 58 66 1e 17 c5 38 ff
29 27 66 d7 3d 13 fa bc c8 46 32 71 59 77 7b 7d
f6 53 0b fc 3b 89 b0 5f 1a 24 00 00 23 58 66 1e
5b 12 dc c6 2c 04 60 3c 3f 8c 04 5d 43 48 a8 ac
a8 c5 00 1c 6b 99 fd cc 61 a8 c1 52
Code:       Access-Accept
Identifier: 8
Authentic:  <216><2>Q<8><4>.t<170><241><236><214><141>><26><181><174>
Attributes:
        GSM-Triplet = <23><197>8<255>)'f<215>=<19><250><188><200>F2qYw{}<246>S<11><252>;<137><176>_
        GSM-Triplet = [<18><220><198>,<4>`<?<140><4>]CH<168><172><168><197><0><28>k<153><253><204>a<168><193>R




_____

Any idea on the cause? Of course I used the iPhone utility to set the EAP-SIM authentication.

Thanks

Efi

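The iPhone answers the SIM/Challenge above with a SIM/Client-Error. As an added example (not from this thread and not Radiator's own code), the decoder below parses the two EAP-Message payloads copied from the packet dumps above into their EAP-SIM attributes, using the attribute numbers and client error codes defined in RFC 4186, so the number of RANDs the server offered and the meaning of the client's error code can be read off directly.

```python
import struct

SUBTYPES = {10: "Start", 11: "Challenge", 13: "Notification", 14: "Client-Error"}
ATTRS = {1: "AT_RAND", 7: "AT_NONCE_MT", 11: "AT_MAC", 14: "AT_IDENTITY", 16: "AT_SELECTED_VERSION",
         22: "AT_CLIENT_ERROR_CODE", 129: "AT_IV", 130: "AT_ENCR_DATA", 135: "AT_RESULT_IND"}
CLIENT_ERRORS = {0: "unable to process packet", 1: "unsupported version",         # RFC 4186 values
                 2: "insufficient number of challenges", 3: "RANDs are not fresh"}

# EAP-Message payloads copied from the dumps above: the server's SIM/Challenge (EAP id 2)
# and the iPhone's SIM/Client-Error reply to it
CHALLENGE_REQ = ("0102009c120b0000"                                             # EAP hdr, type 18, subtype 11
    "01090000c846327159777b7df6530bfc3b89b05f4348a8aca8c5001c6b99fdcc61a8c152"  # AT_RAND (two RANDs)
    "810500005c4036c153aaf5bbe0642b5637189653"                                  # AT_IV
    "82110000f9d95238d600954b41ee443f0cff4bfb8a2ec22b34f733127a6abcbd2031"      # AT_ENCR_DATA
    "8d45fa043d41871d37f92f3d0d8d0a721ccee013042bc691f785d751f60f81f61c00"
    "870100000b050000e3e71a8f2a711c83c4b20dd0c17bf45b")                         # AT_RESULT_IND, AT_MAC
CLIENT_ERROR = "0202000c120e000016010002"                                       # AT_CLIENT_ERROR_CODE = 2

def decode_eap_sim(hexstr):
    """Parse one EAP packet of type 18 (SIM) into (code, id, subtype, [(attr, value)])."""
    pkt = bytes.fromhex(hexstr)
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or eap_type != 18:
        raise ValueError("not a well-formed EAP-SIM packet")
    attrs, pos = [], 8                      # skip the subtype byte and 2 reserved bytes
    while pos < length:
        # attribute header: type, length in 4-byte units, and a 2-byte field that is reserved,
        # a short value, or (AT_IDENTITY) the real identity length; struct.error if truncated
        a_type, units, short = struct.unpack("!BBH", pkt[pos:pos + 4])
        a_len = units * 4
        if a_len == 0 or pos + a_len > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        body = pkt[pos + 4:pos + a_len]
        if a_type == 1:                     # AT_RAND: n concatenated 16-byte GSM RANDs
            value = [body[i:i + 16].hex() for i in range(0, len(body), 16)]
        elif a_type == 14:                  # AT_IDENTITY: drop the padding after the identity
            value = body[:short].decode("ascii")
        elif a_type == 16:                  # AT_SELECTED_VERSION
            value = short
        elif a_type == 22:                  # AT_CLIENT_ERROR_CODE, decoded per RFC 4186
            value = "%d (%s)" % (short, CLIENT_ERRORS.get(short, "unknown"))
        else:
            value = body.hex()
        attrs.append((ATTRS.get(a_type, "AT_%d" % a_type), value))
        pos += a_len
    return code, ident, SUBTYPES.get(pkt[5], str(pkt[5])), attrs

def rand_count(hexstr):
    """How many GSM challenges a SIM/Challenge carries (a peer that wants more answers with error 2)."""
    return len(dict(decode_eap_sim(hexstr)[3]).get("AT_RAND", []))
```

Running `decode_eap_sim` on both payloads shows the challenge carrying exactly the two RANDs the MAP simulator returned (GSM-NumTriplets = 2) and the client's error code decoding to "insufficient number of challenges".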

-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au]
Sent: Monday, January 10, 2011 9:02 PM
To: Effi Rand
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] Help with EAP-SIM simulator for evaluation

On 01/10/2011 05:34 PM, Effi Rand wrote:

> I need some help with the configuration of the radiator as a MAP-GATEWAY with radius interface. I'm not that experienced in this product and it's important for me to evaluate this feature since the expire date is due in 2 weeks.
>
> I was able to test the EAP-SIM with the SSGN simulator using the "odyssey" wireless client (after we cached some triplets to a local file)
> However, when I try to test it with the MAP-GATEWAY simulator (same client), I fail to get the access-accept message.

There are a couple of things you should try. I will go through them below:

> # radius.cfg

> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $

Looks like most of the content is from goodies/eap_simoperator.cfg

> AuthPort 1645,1812,1647
> AcctPort 1646,1813,1648

Please remove ports 1647 and 1648 since they will be used by map.cfg

> <Realm DEFAULT>
>         <AuthBy SIMOPERATOR>
>                 # The name or address of the example MAP gateway(s) that will server this instance
>                 # Radius requests are sent to this gateway requesting triplets etc.
>                 Host localhost
>                 AuthPort 1647
>                 Secret cisco

Please check README section "Testing with the Radius MAP gateway
simulator". What you should have listening on localhost port 1647 is
another Radiator running configuration from goodies/map.cfg

The example map.cfg uses port 1647 with secret mysecret.

What happens now is that this Radiator instance gets the request that is
intended for the MAP simulator. Like README says, you should have two
Radiator instances running at the same time:

4. Run the MAP gateway simulator:
radiusd -config goodies/map.cfg

5. Run Radiator EAP-SIM server
radiusd -config goodies/eap_simoperator.cfg


>         <AuthBy MAP>
>                 TripletsFile /tmp/Modules/Radius-EAP-SIM/goodies/triplets.dat
>                 Pin 0000
>         </AuthBy>

Remove the <AuthBy MAP> block. This AuthBy will be handled by the second
Radiator that uses map.cfg

> </Realm>

> Another thing, in the README file, you mention that there is also a cisco-ipt simulator under Radius-EAP-SIM/goodies/ciscomap.cfg
>
> There is no file like that.

You are correct. I will check what has happened to it.

> Another question, so far I've failed to test the iPhone EAP-SIM client against the EAP-SIM simulator. Any idea what can be done?

I have not tried iPhone myself, but unless you have already downloaded
iPhone configuration utility from Apple you may want to do that. The
utility gives you control over many things, including WLAN settings
where you can disable all the other WPA-Enterprise methods.

Thanks!

--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.