Hi guys,
> no idea, can you provide an example program (e.g.
pySIM based) that illustrates
> the issue?
I happen to notice all your "bad" RAND
values contains lowercase HEX
characters while your "good" ones only contains uppercase HEX
characters. I dont know if that matters in your application.
But only accepting weak keyes is not logical.
Here the logging information from the Freeradius Server. The Client tries to authenticate
using eap-sim.
In the first case, i used strong RAND values. You can see that the client didn't reply
to the last eap-request
(containing the three RANDs) from Server and the authentication process broke up.
In the second case i used weak RAND and the authentication succeeded.
In both cases i used a Nokia E52 and a Laptop with a sysmocom sim card.
All RAND values included in the eap request/sim/challenge message contain lowercase HEX
characters.
1st case )
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 38803, id=29, length=238
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "1901700000000654"
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "8220000e"
Acct-Multi-Session-Id =
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 0x020100150131393031373030303030303030363534
Message-Authenticator = 0xcf4e5f6429686cc260b16bd23d82489f
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
rlm_sim_files: authorized user/imsi 1901700000000654
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "1901700000000654", looking up realm
NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 108
++[eap] returns handled
Sending Access-Challenge of id 29 to 192.168.10.212 port 38803
EAP-Message = 0x016c0014120a00000f0200020001000011010100
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x870e2a6987623891aa6e49c2b1bcc9b6
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 50478, id=30, length=287
EAP-Message =
0x026c0034120a000007050000c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363534
Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
rlm_sim_files: authorized user/imsi 1901700000000654
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "1901700000000654", looking up realm
NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 108 length 52
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 109
++[eap] returns handled
Sending Access-Challenge of id 30 to 192.168.10.212 port 50478
EAP-Message =
0x016d0050120b0000010d00000123456789abcdef0123456789abcdef0123456789abcdef0123456789abcde00123456789abcdef0123456789abcd180b0500000bffb0f7777b066616d98519e625a531
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x870e2a6986633891aa6e49c2b1bcc9b6
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 29 with timestamp +17
Cleaning up request 1 ID 30 with timestamp +17
Ready to process requests.
2nd case )
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 38045, id=42, length=238
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "1901700000000654"
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "82e0000a"
Acct-Multi-Session-Id =
"00-0C-42-64-41-9D-00-24-D7-0A-B1-2C-82-E0-00-00-00-00-00-0A"
Calling-Station-Id = "00-24-D7-0A-B1-2C"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 0x020100150131393031373030303030303030363534
Message-Authenticator = 0x6c5f2905cc845f4adc2990825cc65dc8
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) group authorize {
(0) - entering group authorize {...}
(0) [preprocess] = ok
(0) [chap] = noop
(0) [auth_log] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : No '@' in User-Name = "1901700000000654", looking up realm
NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
rlm_sim_files: authorized user/imsi 1901700000000654
rlm_sim_files: Adding EAP-Type: eap-sim
(0) [sim_files] = ok
(0) eap : EAP packet type response id 1 length 21
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of
authorize
(0) [eap] = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) group authenticate {
(0) - entering group authenticate {...}
(0) eap : EAP Identity
(0) eap : processing type sim
(0) eap : Underlying EAP-Type set EAP ID to 206
(0) [eap] = handled
Sending Access-Challenge of id 42 to 192.168.10.212 port 38045
EAP-Message = 0x01ce0014120a00000f0200020001000011010100
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x27d04fcb271e5dceaedc556ddb0c5d7f
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 32878, id=43, length=287
EAP-Message =
0x02ce0034120a000007050000d28837f3ec25745202083c21313d8d29100100010e05001031393031373030303030303030363534
Message-Authenticator = 0x5dbd2219a029f2421a86fca4c24974b5
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) group authorize {
(1) - entering group authorize {...}
(1) [preprocess] = ok
(1) [chap] = noop
(1) [auth_log] = ok
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : No '@' in User-Name = "1901700000000654", looking up realm
NULL
(1) suffix : No such realm "NULL"
(1) [suffix] = noop
rlm_sim_files: authorized user/imsi 1901700000000654
rlm_sim_files: Adding EAP-Type: eap-sim
(1) [sim_files] = ok
(1) eap : EAP packet type response id 206 length 52
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap : WARNING! No "known good" password found for the user. Authentication
may fail because of this.
(1) [pap] = noop
(1) Found Auth-Type = EAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) group authenticate {
(1) - entering group authenticate {...}
(1) eap : Request found, released from the list
(1) eap : EAP/sim
(1) eap : processing type sim
eap: EAP-Sim length = 20
eap: ID_Len = 4
eap: EAP-SIm length chosen = 32
eap: EAP-Sim length = 4
eap: ID_Len = 4
eap: EAP-SIm length chosen = 32
eap: EAP-Sim length = 20
eap: ID_Len = 16
eap: EAP-SIm length chosen = 32
(1) eap : Underlying EAP-Type set EAP ID to 207
(1) [eap] = handled
Sending Access-Challenge of id 43 to 192.168.10.212 port 32878
EAP-Message =
0x01cf0050120b0000010d0000000000000000000000000000000000000f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0ff0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f00b050000c13e9c1dcc448cf3e4028e30d28e43c4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x27d04fcb261f5dceaedc556ddb0c5d7f
(1) Finished request 1.
Waking up in 0.2 seconds.
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 37021, id=44, length=263
EAP-Message = 0x02cf001c120b00000b050000eeaec0aaf45ca982cb310428eb838a8e
Message-Authenticator = 0x3ca71ae6141b80753b4ccb402cc71e5f
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(2) group authorize {
(2) - entering group authorize {...}
(2) [preprocess] = ok
(2) [chap] = noop
(2) [auth_log] = ok
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : No '@' in User-Name = "1901700000000654", looking up realm
NULL
(2) suffix : No such realm "NULL"
(2) [suffix] = noop
rlm_sim_files: authorized user/imsi 1901700000000654
rlm_sim_files: Adding EAP-Type: eap-sim
(2) [sim_files] = ok
(2) eap : EAP packet type response id 207 length 28
(2) eap : No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) [files] = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) pap : WARNING! No "known good" password found for the user. Authentication
may fail because of this.
(2) [pap] = noop
(2) Found Auth-Type = EAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) group authenticate {
(2) - entering group authenticate {...}
(2) eap : Request found, released from the list
(2) eap : EAP/sim
(2) eap : processing type sim
eap: EAP-Sim length = 20
eap: ID_Len = -1219474647
eap: EAP-SIm length chosen = 32
MAC check succeed
(2) eap : Underlying EAP-Type set EAP ID to 208
(2) eap : Freeing handler
(2) [eap] = ok
(2) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(2) group post-auth {
(2) - entering group post-auth {...}
(2) [exec] = noop
Sending Access-Accept of id 44 to 192.168.10.212 port 37021
MS-MPPE-Recv-Key = 0x9aca37a3e1743dc8c4326d6ed4e3f7e5f4178abc80cb953e6686ef57ba470624
MS-MPPE-Send-Key = 0x1b94a8624cea0d23c245b15cc227428d05202328550aa5413296d9de1039337c
EAP-Message = 0x03d00004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "1901700000000654"