<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>
Hi guys,<br><div><br>> > no idea, can you provide an example program (e.g. pySIM based) that illustrates<br>> > the issue?<br><br> <br>> I happen to notice all your "bad" RAND values contains lowercase HEX<br>> characters while your "good" ones only contains uppercase HEX<br>> characters. I dont know if that matters in your application.<br>> <br>> But only accepting weak keyes is not logical.<br><br><br><br>Here the logging information from the Freeradius Server. The Client tries to authenticate using eap-sim.<br>In the first case, i used strong RAND values. You can see that the client didn't reply to the last eap-request<br>(containing the three RANDs) from Server and the authentication process broke up.<br>In the second case i used weak RAND and the authentication succeeded.<br>In both cases i used a Nokia E52 and a Laptop with a sysmocom sim card.<br><br>All RAND values included in the eap request/sim/challenge message contain lowercase HEX characters.<br><br><u>1st case</u> )<br><br>Ready to process requests.<br><font style="" color="#FF0000"><br></font><font style="" color="#FF0000">rad_recv: Access-Request packet from host 192.168.10.212 port 38803, id=29, length=238</font><br> Service-Type = Framed-User<br> Framed-MTU = 1400<br> User-Name = "1901700000000654"<br> NAS-Port-Id = "ap_hotspot"<br> NAS-Port-Type = Wireless-802.11<br> Acct-Session-Id = "8220000e"<br> Acct-Multi-Session-Id = "00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"<br> Calling-Station-Id = "A8-7E-33-3E-9C-5B"<br> Called-Station-Id = "00-0C-42-64-41-9D:YANN"<br> EAP-Message = 0x020100150131393031373030303030303030363534<br> Message-Authenticator = 0xcf4e5f6429686cc260b16bd23d82489f<br> NAS-Identifier = "MT_Yann"<br> NAS-IP-Address = 192.168.10.212<br># Executing section authorize from file /etc/freeradius/sites-enabled/default<br>+- entering group authorize {...}<br>rlm_sim_files: authorized user/imsi 1901700000000654 <br>rlm_sim_files: Adding EAP-Type: eap-sim<br>++[sim_files] returns ok<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>++[digest] returns noop<br>[suffix] No '@' in User-Name = "1901700000000654", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 1 length 21<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[files] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>++[pap] returns noop<br>Found Auth-Type = EAP<br># Executing group from file /etc/freeradius/sites-enabled/default<br>+- entering group authenticate {...}<br>[eap] EAP Identity<br>[eap] processing type sim<br>[eap] Underlying EAP-Type set EAP ID to 108<br>++[eap] returns handled<br><br><font style="" color="#FF0000">Sending Access-Challenge of id 29 to 192.168.10.212 port 38803</font><br> EAP-Message = 0x016c0014120a00000f0200020001000011010100<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x870e2a6987623891aa6e49c2b1bcc9b6<br>Finished request 0.<br>Going to the next request<br>Waking up in 4.9 seconds.<br><br><font style="" color="#FF0000">rad_recv: Access-Request packet from host 192.168.10.212 port 50478, id=30, length=287</font><br> EAP-Message = 0x026c0034120a000007050000c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363534<br> Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f<br> NAS-Identifier = "MT_Yann"<br> NAS-IP-Address = 192.168.10.212<br># Executing section authorize from file /etc/freeradius/sites-enabled/default<br>+- entering group authorize {...}<br>rlm_sim_files: authorized user/imsi 1901700000000654 <br>rlm_sim_files: Adding EAP-Type: eap-sim<br>++[sim_files] returns ok<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>++[digest] returns noop<br>[suffix] No '@' in User-Name = "1901700000000654", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 108 length 52<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[files] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>++[pap] returns noop<br>Found Auth-Type = EAP<br># Executing group from file /etc/freeradius/sites-enabled/default<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/sim<br>[eap] processing type sim<br><br>[eap] Underlying EAP-Type set EAP ID to 109<br>++[eap] returns handled<br><font style="" color="#FF0000">Sending Access-Challenge of id 30 to 192.168.10.212 port 50478</font><br> EAP-Message = 0x016d0050120b0000010d00000<font style="" color="#C00000">123456789abcdef0123456789abcdef</font><font style="" color="#00B050">0123456789abcdef0123456789abcde0</font><font style="" color="#F79646">0123456789abcdef0123456789abcd18</font>0b0500000bffb0f7777b066616d98519e625a531<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x870e2a6986633891aa6e49c2b1bcc9b6<br>Finished request 1.<br><font style="" color="#FF0000">Going to the next request</font><font style="" color="#FF0000"><br></font><font style="" color="#FF0000">Waking up in 4.9 seconds.</font><font style="" color="#FF0000"><br></font><font style="" color="#FF0000">Cleaning up request 0 ID 29 with timestamp +17</font><font style="" color="#FF0000"><br></font><font style="" color="#FF0000">Cleaning up request 1 ID 30 with timestamp +17</font><br>Ready to process requests.<br><br><br><u>2nd case</u> )<br><br>Ready to process requests.<br>rad_recv: Access-Request packet from host 192.168.10.212 port 38045, id=42, length=238<br> Service-Type = Framed-User<br> Framed-MTU = 1400<br> User-Name = "1901700000000654"<br> NAS-Port-Id = "ap_hotspot"<br> NAS-Port-Type = Wireless-802.11<br> Acct-Session-Id = "82e0000a"<br> Acct-Multi-Session-Id = "00-0C-42-64-41-9D-00-24-D7-0A-B1-2C-82-E0-00-00-00-00-00-0A"<br> Calling-Station-Id = "00-24-D7-0A-B1-2C"<br> Called-Station-Id = "00-0C-42-64-41-9D:YANN"<br> EAP-Message = 0x020100150131393031373030303030303030363534<br> Message-Authenticator = 0x6c5f2905cc845f4adc2990825cc65dc8<br> NAS-Identifier = "MT_Yann"<br> NAS-IP-Address = 192.168.10.212<br>(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<br>(0) group authorize {<br>(0) - entering group authorize {...}<br>(0) [preprocess] = ok<br>(0) [chap] = noop<br>(0) [auth_log] = ok<br>(0) [mschap] = noop<br>(0) [digest] = noop<br>(0) suffix : No '@' in User-Name = "1901700000000654", looking up realm NULL<br>(0) suffix : No such realm "NULL"<br>(0) [suffix] = noop<br>rlm_sim_files: authorized user/imsi 1901700000000654 <br>rlm_sim_files: Adding EAP-Type: eap-sim<br>(0) [sim_files] = ok<br>(0) eap : EAP packet type response id 1 length 21<br>(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize<br>(0) [eap] = ok<br>(0) Found Auth-Type = EAP<br>(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default<br>(0) group authenticate {<br>(0) - entering group authenticate {...}<br>(0) eap : EAP Identity<br>(0) eap : processing type sim<br>(0) eap : Underlying EAP-Type set EAP ID to 206<br>(0) [eap] = handled<br>Sending Access-Challenge of id 42 to 192.168.10.212 port 38045<br> EAP-Message = 0x01ce0014120a00000f0200020001000011010100<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x27d04fcb271e5dceaedc556ddb0c5d7f<br>(0) Finished request 0.<br>Waking up in 0.3 seconds.<br>rad_recv: Access-Request packet from host 192.168.10.212 port 32878, id=43, length=287<br><br> EAP-Message = 0x02ce0034120a000007050000d28837f3ec25745202083c21313d8d29100100010e05001031393031373030303030303030363534<br> Message-Authenticator = 0x5dbd2219a029f2421a86fca4c24974b5<br> NAS-Identifier = "MT_Yann"<br> NAS-IP-Address = 192.168.10.212<br>(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<br>(1) group authorize {<br>(1) - entering group authorize {...}<br>(1) [preprocess] = ok<br>(1) [chap] = noop<br>(1) [auth_log] = ok<br>(1) [mschap] = noop<br>(1) [digest] = noop<br>(1) suffix : No '@' in User-Name = "1901700000000654", looking up realm NULL<br>(1) suffix : No such realm "NULL"<br>(1) [suffix] = noop<br>rlm_sim_files: authorized user/imsi 1901700000000654 <br>rlm_sim_files: Adding EAP-Type: eap-sim<br>(1) [sim_files] = ok<br>(1) eap : EAP packet type response id 206 length 52<br>(1) eap : No EAP Start, assuming it's an on-going EAP conversation<br>(1) [eap] = updated<br>(1) [files] = noop<br>(1) [expiration] = noop<br>(1) [logintime] = noop<br>(1) pap : WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>(1) [pap] = noop<br>(1) Found Auth-Type = EAP<br>(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default<br>(1) group authenticate {<br>(1) - entering group authenticate {...}<br>(1) eap : Request found, released from the list<br>(1) eap : EAP/sim<br>(1) eap : processing type sim<br>eap: EAP-Sim length = 20<br>eap: ID_Len = 4<br>eap: EAP-SIm length chosen = 32 <br>eap: EAP-Sim length = 4<br>eap: ID_Len = 4<br>eap: EAP-SIm length chosen = 32 <br>eap: EAP-Sim length = 20<br>eap: ID_Len = 16<br>eap: EAP-SIm length chosen = 32 <br>(1) eap : Underlying EAP-Type set EAP ID to 207<br>(1) [eap] = handled<br>Sending Access-Challenge of id 43 to 192.168.10.212 port 32878<br> EAP-Message = 0x01cf0050120b0000010d<font style="" color="#C00000"><font style="" color="#000000">0000</font>00000000000000000000000000000000<font style="" color="#00B050">0</font></font><font style="" color="#00B050">f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f</font><font style="" color="#F79646">f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0</font>0b050000c13e9c1dcc448cf3e4028e30d28e43c4<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x27d04fcb261f5dceaedc556ddb0c5d7f<br>(1) Finished request 1.<br>Waking up in 0.2 seconds.<br>Waking up in 4.5 seconds.<br><br>rad_recv: Access-Request packet from host 192.168.10.212 port 37021, id=44, length=263<br> EAP-Message = 0x02cf001c120b00000b050000eeaec0aaf45ca982cb310428eb838a8e<br> Message-Authenticator = 0x3ca71ae6141b80753b4ccb402cc71e5f<br> NAS-Identifier = "MT_Yann"<br> NAS-IP-Address = 192.168.10.212<br>(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<br>(2) group authorize {<br>(2) - entering group authorize {...}<br>(2) [preprocess] = ok<br>(2) [chap] = noop<br>(2) [auth_log] = ok<br>(2) [mschap] = noop<br>(2) [digest] = noop<br>(2) suffix : No '@' in User-Name = "1901700000000654", looking up realm NULL<br>(2) suffix : No such realm "NULL"<br>(2) [suffix] = noop<br>rlm_sim_files: authorized user/imsi 1901700000000654 <br>rlm_sim_files: Adding EAP-Type: eap-sim<br>(2) [sim_files] = ok<br>(2) eap : EAP packet type response id 207 length 28<br>(2) eap : No EAP Start, assuming it's an on-going EAP conversation<br>(2) [eap] = updated<br>(2) [files] = noop<br>(2) [expiration] = noop<br>(2) [logintime] = noop<br>(2) pap : WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>(2) [pap] = noop<br>(2) Found Auth-Type = EAP<br>(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default<br>(2) group authenticate {<br>(2) - entering group authenticate {...}<br>(2) eap : Request found, released from the list<br>(2) eap : EAP/sim<br>(2) eap : processing type sim<br>eap: EAP-Sim length = 20<br>eap: ID_Len = -1219474647<br>eap: EAP-SIm length chosen = 32 <br>MAC check succeed <br>(2) eap : Underlying EAP-Type set EAP ID to 208<br>(2) eap : Freeing handler<br>(2) [eap] = ok<br>(2) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default<br>(2) group post-auth {<br>(2) - entering group post-auth {...}<br>(2) [exec] = noop<br><font style="" color="#FF0000">Sending Access-Accept of id 44 to 192.168.10.212 port 37021</font><br> MS-MPPE-Recv-Key = 0x9aca37a3e1743dc8c4326d6ed4e3f7e5f4178abc80cb953e6686ef57ba470624<br> MS-MPPE-Send-Key = 0x1b94a8624cea0d23c245b15cc227428d05202328550aa5413296d9de1039337c<br> EAP-Message = 0x03d00004<br> Message-Authenticator = 0x00000000000000000000000000000000<br> User-Name = "1901700000000654"<br><br></div> </div></body>
</html>