[RADIATOR] FW: Help with EAP-SIM simulator for evaluation

Thu Jan 13 03:12:38 CST 2011

Hi ,

I've tried with 3 triplets option like you suggested cached more triplets, and now it's just stuck at some challenge phase , and iPhone just says "unable to connect"

This is the log from the radius:

*** Sending to 127.0.0.1 port 1647 ....

Packet length = 69
01 01 00 45 09 e8 83 e6 1d 5e 66 8f fc 1f fb 8b
0b 97 50 c4 1a 17 00 00 23 58 65 11 33 31 30 34
31 30 33 31 38 31 39 37 32 38 34 1a 0c 00 00 23
58 64 06 00 00 00 03 1a 0e 00 00 23 58 69 08 4d
59 53 47 53 4e
Code:       Access-Request
Identifier: 1
Authentic:  <9><232><131><230><29>^f<143><252><31><251><139><11><151>P<196>
Attributes:
        GSM-IMSI = "310410318197284"
        GSM-NumTriplets = 3
        GSM-SGSN = "MYSGSN"

Thu Jan 13 11:01:29 2011: DEBUG: EAP result: 2, Waiting for SIM triplets
Thu Jan 13 11:01:29 2011: DEBUG: AuthBy SIMOPERATOR result: IGNORE, Waiting for SIM triplets
Thu Jan 13 11:01:29 2011: DEBUG: Received reply in AuthRADIUS for req 1 from 127.0.0.1:1647
Thu Jan 13 11:01:29 2011: DEBUG: do query is: 'replace SIMTMSI (IMSI, TMSI) values ('310410318197284', '39209cc51d1987d83')':
Thu Jan 13 11:01:29 2011: DEBUG: do query is: 'replace SIMUSER (IMSI, REAUTH_ID, COUNTER, MK, K_AUT, K_ENCR, VERSION) values ('310410318197284', '25faf9ec97cc9830c at xyz.com', '1', 'fbeb659b4610aea21492d31c5ab77e29afee2b4c', '911f4365f8ccaa6f0d845b24ac374cdd', 'd2eb6bd6c6e244a5ae7bebd043681950', '1')':
Thu Jan 13 11:01:29 2011: DEBUG: Access challenged for fred: EAP SIM/Challenge
Thu Jan 13 11:01:29 2011: DEBUG: Packet dump:
*** Sending to 10.22.11.200 port 2048 ....

Packet length = 212
0b 00 00 d4 7b 7e af 59 ef 7f 75 2a 21 17 a2 f1
61 ec 96 a8 4f ae 01 02 00 ac 12 0b 00 00 01 0d
00 00 e0 93 05 cf 50 7a 54 cd cb 11 52 c7 dd 8e
1d ed 86 21 81 11 e5 65 57 25 9f ff 07 49 88 28
fe ac 33 9e cb 06 47 e1 83 ed 87 d7 b9 57 24 4b
16 5c 81 05 00 00 61 5d c1 65 90 fa 89 cf 5c 08
c0 5a 7c da 0f 25 82 11 00 00 70 62 f9 e8 b7 8d
e7 12 89 cf eb a6 10 f3 14 2f f7 d6 9e 3f c0 ea
83 85 d1 90 9e 4f 6e 06 d2 52 77 c9 41 6d f2 c4
a0 92 dc 7e 91 95 72 5f 00 a6 66 43 e7 f7 e6 4f
87 7b fc 18 24 15 aa d2 9f de 87 01 00 00 0b 05
00 00 e9 e9 7e 6a 68 7a 5e 21 9e 11 58 8a 48 fd
f3 6a 50 12 7b 8b 56 3d 50 4a 31 2a 74 f5 f1 7b
66 8c 64 16
Code:       Access-Challenge
Identifier: 0
Authentic:  {~<175>Y<239><127>u*!<23><162><241>a<236><150><168>
Attributes:
        EAP-Message = <1><2><0><172><18><11><0><0><1><13><0><0><224><147><5><207>PzT<205><203><17>R<199><221><142><29><237><134>!<129><17><229>eW%<159><255><7>I<136>(<254><172>3<158><203><6>G<225><131><237><135><215><185>W$K<22>\<129><5><0><0>a]<193>e<144><250><137><207>\<8><192>Z|<218><15>%<130><17><0><0>pb<249><232><183><141><231><18><137><207><235><166><16><243><20>/<247><214><158>?<192><234><131><133><209><144><158>On<6><210>Rw<201>Am<242><196><160><146><220>~<145><149>r_<0><166>fC<231><247><230>O<135>{<252><24>$<21><170><210><159><222><135><1><0><0><11><5><0><0><233><233>~jhz^!<158><17>X<138>H<253><243>j
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Jan 13 11:06:40 2011: DEBUG: Packet dump:
*** Received from 10.22.11.200 port 2048 ....

Packet length = 121
01 00 00 79 65 16 ea 64 be 86 2a da 05 8f 1c 14
17 43 85 0f 01 06 66 72 65 64 04 06 0a 16 0b c8
1e 0e 30 32 31 64 37 65 34 62 30 37 35 62 1f 0e
30 30 31 63 62 33 31 36 36 39 65 38 20 0e 30 32
31 64 37 65 34 62 30 37 35 62 05 06 00 00 00 17
0c 06 00 00 05 78 3d 06 00 00 00 13 4f 0b 02 00
00 09 01 66 72 65 64 50 12 d1 e4 61 1d ed b2 c5
b7 f4 3e 90 78 bf fb 26 6d
Code:       Access-Request
Identifier: 0
Authentic:  e<22><234>d<190><134>*<218><5><143><28><20><23>C<133><15>
Attributes:
        User-Name = "fred"
        NAS-IP-Address = 10.22.11.200
        Called-Station-Id = "021d7e4b075b"
        Calling-Station-Id = "001cb31669e8"
        NAS-Identifier = "021d7e4b075b"
        NAS-Port = 23
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        EAP-Message = <2><0><0><9><1>fred
        Message-Authenticator = <209><228>a<29><237><178><197><183><244>><144>x<191><251>&m

Thu Jan 13 11:06:40 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Thu Jan 13 11:06:40 2011: DEBUG:  Deleting session for fred, 10.22.11.200, 23
Thu Jan 13 11:06:40 2011: DEBUG: Handling with Radius::AuthSIMOPERATOR:
Thu Jan 13 11:06:40 2011: DEBUG: Handling with EAP: code 2, 0, 9, 1
Thu Jan 13 11:06:40 2011: DEBUG: Response type 1
Thu Jan 13 11:06:40 2011: DEBUG: EAP result: 3, EAP SIM/Start
Thu Jan 13 11:06:40 2011: DEBUG: AuthBy SIMOPERATOR result: CHALLENGE, EAP SIM/Start
Thu Jan 13 11:06:40 2011: DEBUG: Access challenged for fred: EAP SIM/Start
Thu Jan 13 11:06:40 2011: DEBUG: Packet dump:
*** Sending to 10.22.11.200 port 2048 ....

Packet length = 60
0b 00 00 3c 0c 36 91 03 1c a8 4d d5 cc cb 2b d0
0c 67 b2 80 4f 16 01 01 00 14 12 0a 00 00 0d 01
00 00 0f 02 00 04 00 00 00 01 50 12 e8 3e 92 7f
c6 5a d0 54 80 87 f6 66 8c f2 07 6f
Code:       Access-Challenge
Identifier: 0
Authentic:  <12>6<145><3><28><168>M<213><204><203>+<208><12>g<178><128>
Attributes:
        EAP-Message = <1><1><0><20><18><10><0><0><13><1><0><0><15><2><0><4><0><0><0><1>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Jan 13 11:06:40 2011: DEBUG: Packet dump:
*** Received from 10.22.11.200 port 2048 ....

Packet length = 200
01 00 00 c8 f8 a3 9a 4f 15 e8 e1 d3 80 82 7b 9b
7b 1f e3 8a 01 06 66 72 65 64 04 06 0a 16 0b c8
1e 0e 30 32 31 64 37 65 34 62 30 37 35 62 1f 0e
30 30 31 63 62 33 31 36 36 39 65 38 20 0e 30 32
31 64 37 65 34 62 30 37 35 62 05 06 00 00 00 17
0c 06 00 00 05 78 3d 06 00 00 00 13 4f 5a 02 01
00 58 12 0a 00 00 0e 0e 00 33 31 33 31 30 34 31
30 33 31 38 31 39 37 32 38 34 40 77 6c 61 6e 2e
6d 6e 63 34 31 30 2e 6d 63 63 33 31 30 2e 33 67
70 70 6e 65 74 77 6f 72 6b 2e 6f 72 67 00 10 01
00 01 07 05 00 00 42 86 80 33 e7 bd bf 6f 80 a7
7e c6 30 ad dd a3 50 12 29 be 0f 7a 18 ad 3f 1a
93 5c 18 1f 2d 28 91 fa
Code:       Access-Request
Identifier: 0
Authentic:  <248><163><154>O<21><232><225><211><128><130>{<155>{<31><227><138>
Attributes:
        User-Name = "fred"
        NAS-IP-Address = 10.22.11.200
        Called-Station-Id = "021d7e4b075b"
        Calling-Station-Id = "001cb31669e8"
        NAS-Identifier = "021d7e4b075b"
        NAS-Port = 23
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        EAP-Message = <2><1><0>X<18><10><0><0><14><14><0>31310410318197284 at wlan.mnc410.mcc310.3gppnetwork.org<0><16><1><0><1><7><5><0><0>B<134><128>3<231><189><191>o<128><167>~<198>0<173><221><163>
        Message-Authenticator = )<190><15>z<24><173>?<26><147>\<24><31>-(<145><250>

Thu Jan 13 11:06:40 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Thu Jan 13 11:06:40 2011: DEBUG:  Deleting session for fred, 10.22.11.200, 23
Thu Jan 13 11:06:40 2011: DEBUG: Handling with Radius::AuthSIMOPERATOR:
Thu Jan 13 11:06:40 2011: DEBUG: Handling with EAP: code 2, 1, 88, 18
Thu Jan 13 11:06:40 2011: DEBUG: Response type 18
Thu Jan 13 11:06:40 2011: DEBUG: Query is: 'select KC, SRES, RAND from TRIPLET where IMSI=? and AUTH_TIMESTAMP > ?-600 limit ?': 310410318197284 1294909600 3
Thu Jan 13 11:06:40 2011: INFO: Insufficient triplets returned from GetTripletsQuery
Thu Jan 13 11:06:40 2011: DEBUG: Handling with Radius::AuthRADIUS
Thu Jan 13 11:06:40 2011: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1647 ....

Packet length = 69
01 02 00 45 13 81 6e 70 f6 f9 9a 83 6f 84 33 b2
74 0d b6 33 1a 17 00 00 23 58 65 11 33 31 30 34
31 30 33 31 38 31 39 37 32 38 34 1a 0c 00 00 23
58 64 06 00 00 00 03 1a 0e 00 00 23 58 69 08 4d
59 53 47 53 4e
Code:       Access-Request
Identifier: 2
Authentic:  <19><129>np<246><249><154><131>o<132>3<178>t<13><182>3
Attributes:
        GSM-IMSI = "310410318197284"
        GSM-NumTriplets = 3
        GSM-SGSN = "MYSGSN"

Thu Jan 13 11:06:40 2011: DEBUG: EAP result: 2, Waiting for SIM triplets
Thu Jan 13 11:06:40 2011: DEBUG: AuthBy SIMOPERATOR result: IGNORE, Waiting for SIM triplets
Thu Jan 13 11:06:40 2011: DEBUG: Received reply in AuthRADIUS for req 2 from 127.0.0.1:1647
Thu Jan 13 11:06:40 2011: DEBUG: do query is: 'replace SIMTMSI (IMSI, TMSI) values ('310410318197284', '3b44bfc992f7f9285')':
Thu Jan 13 11:06:40 2011: DEBUG: do query is: 'replace SIMUSER (IMSI, REAUTH_ID, COUNTER, MK, K_AUT, K_ENCR, VERSION) values ('310410318197284', '2485da3aae33ca325 at xyz.com', '1', 'c1cc9fab531965742c39a72f0488f7877fc70b7c', 'c199060d6f14d54b0879c315c6ac3164', '409866e11d3ffc93bb7bf00e5e71c6e3', '1')':
Thu Jan 13 11:06:40 2011: DEBUG: Access challenged for fred: EAP SIM/Challenge
Thu Jan 13 11:06:40 2011: DEBUG: Packet dump:
*** Sending to 10.22.11.200 port 2048 ....

Packet length = 212
0b 00 00 d4 a4 84 56 1c aa 04 02 92 19 c2 7d eb
f2 94 5d 89 4f ae 01 02 00 ac 12 0b 00 00 01 0d
00 00 76 81 c0 28 bc 29 c5 c0 cf 51 19 88 7f e6
f6 03 c8 46 32 71 59 77 7b 7d f6 53 0b fc 3b 89
b0 5f 43 48 a8 ac a8 c5 00 1c 6b 99 fd cc 61 a8
c1 52 81 05 00 00 71 a4 68 2a a8 a9 b4 6a 91 57
e6 e2 ee 19 4c 25 82 11 00 00 8f 74 36 f1 2d 9c
a3 a5 5d 0b de ab 0c 23 9d 50 1b a7 c3 0b 70 e0
b7 e6 b1 75 2c 26 8b 97 6e 4a 4c 25 11 26 ec 5e
a0 12 37 aa 86 26 9d 33 58 6b fa 1e 7a 60 6e ab
ae 1a fa d2 a6 8c 15 d9 40 03 87 01 00 00 0b 05
00 00 44 3b f6 1c 41 e3 63 29 99 50 e5 fb 5c de
1a 67 50 12 21 bf 8f 78 98 3d 28 f0 f9 7e 07 5b
40 0d 7d e2
Code:       Access-Challenge
Identifier: 0
Authentic:  <164><132>V<28><170><4><2><146><25><194>}<235><242><148>]<137>
Attributes:
        EAP-Message = <1><2><0><172><18><11><0><0><1><13><0><0>v<129><192>(<188>)<197><192><207>Q<25><136><127><230><246><3><200>F2qYw{}<246>S<11><252>;<137><176>_CH<168><172><168><197><0><28>k<153><253><204>a<168><193>R<129><5><0><0>q<164>h*<168><169><180>j<145>W<230><226><238><25>L%<130><17><0><0><143>t6<241>-<156><163><165>]<11><222><171><12>#<157>P<27><167><195><11>p<224><183><230><177>u,&<139><151>nJL%<17>&<236>^<160><18>7<170><134>&<157>3Xk<250><30>z`n<171><174><26><250><210><166><140><21><217>@<3><135><1><0><0><11><5><0><0>D;<246><28>A<227>c)<153>P<229><251>\<222><26>g
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

____

This is from MAP:

Packet length = 128
02 02 00 80 1c 7a 98 38 15 15 57 21 60 91 28 3a
6a b0 fa c4 1a 24 00 00 23 58 66 1e 6f 31 fa 16
e7 19 55 57 57 39 34 9e 76 81 c0 28 bc 29 c5 c0
cf 51 19 88 7f e6 f6 03 1a 24 00 00 23 58 66 1e
17 c5 38 ff 29 27 66 d7 3d 13 fa bc c8 46 32 71
59 77 7b 7d f6 53 0b fc 3b 89 b0 5f 1a 24 00 00
23 58 66 1e 5b 12 dc c6 2c 04 60 3c 3f 8c 04 5d
43 48 a8 ac a8 c5 00 1c 6b 99 fd cc 61 a8 c1 52
Code:       Access-Accept
Identifier: 2
Authentic:  <28>z<152>8<21><21>W!`<145>(:j<176><250><196>
Attributes:
        GSM-Triplet = o1<250><22><231><25>UWW94<158>v<129><192>(<188>)<197><192><207>Q<25><136><127><230><246><3>
        GSM-Triplet = <23><197>8<255>)'f<215>=<19><250><188><200>F2qYw{}<246>S<11><252>;<137><176>_
        GSM-Triplet = [<18><220><198>,<4>`<?<140><4>]CH<168><172><168><197><0><28>k<153><253><204>a<168><193>R

Any idea what's the problem there ?

Thanks ,

Efi

-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au]
Sent: Wednesday, January 12, 2011 7:41 PM
To: Effi Rand
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] FW: Help with EAP-SIM simulator for evaluation

On 01/12/2011 06:01 PM, Effi Rand wrote:

Hello Effi,

> I have tried it with your remarks (though I had to use the eap_simoperator.cfg as the /etc/radius.cfg , with the map.cfg as a second instance) and it worked.

Good to hear.

> I still can't get the iPhone EAPSIM authentication to work even though the MAP output says it's accepted. The log from the main instance says not enough credentials.

Please check the value of NumTriplets in your configuration file. Based
on the log below, the value seems to be 2. Try with 3. The EAP SIM RFC
says valid values are 2 or 3 and the correct settings depends on the
peer policy.

Note that if you are using triplets file, you need to extract more
triplets in it in case you have only extracted two so far.

> Code:       Access-Request
> Identifier: 8
> Authentic:  9"<236><26>SC<225><171><209><9><18><251><155><225><135><211>
> Attributes:
>         GSM-IMSI = "310410318197284"
>         GSM-NumTriplets = 2

Two triplets are being requests from MAP.

> Tue Jan 11 17:46:56 2011: WARNING: EAP SIM Client Error code 2: Insufficient Challenges

Two is not enough for the client.

> Log from the map:

The MAP log also shows two triplets being used.

> Any idea on the cause ? ofcourse I used the iphone utility to set the EAPSIM authentication.

Please let us know if this gets iPhone working.

Thanks!
Heikki

--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************