Discussion:
EAP-sim using freeradius
Alan DeKok
2015-08-12 07:19:52 UTC
On Aug 11, 2015, at 11:38 PM, Siddharth Katragadda via Freeradius-Users <freeradius-***@lists.freeradius.org> wrote:
> I had a question about EAP-SIM. We previously got EAP-SIM to work on the
> Free-radius version 2. But once we upgraded to 3.0, we saw the
> rlm_sim_files has been deprecated and now we need to use rlm_passwd.

Or anything else. The passwd module can read simple files, which is pretty much what sim_files did.

> 2. Changed passwd file under mods-enabled:
> passwd passwd {
> filename = /usr/local/etc/raddb/simtriplets.dat
> format = "*User-Name:User-Password"

That won't work. You need to make sure that the data file is formatted in a way the "passwd" module likes. Then, ensure that the "format" string for the passwd module reads the SIM triplets from the correct field.

Here, you've told it to "look up User-Name, and get the User-Password" from the file. That clearly isn't what you want.

So... read the passwd documentation, and fix the "format" line to have the names of the SIM triplet attributes.

Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.h
Alan DeKok
2015-08-14 09:08:53 UTC
On Aug 12, 2015, at 9:25 PM, Siddharth Katragadda <***@google.com> wrote:
> format = "*IMSI:RAND:SRES:KC"

Those aren't RADIUS attribute names. Go read dictionary.freeradius.internal, and look for "EAP-SIM". There are a bunch of SIM related attributes.

Alan DeKok.


Alan DeKok
2015-08-16 14:14:33 UTC
On Aug 14, 2015, at 7:16 PM, Siddharth Katragadda <***@google.com> wrote:

> Hi Alan,
> After looking up the dictionary file for EAP-SIM attributes, I used the following settings:
>
> passwd file in mods-enabled:
> passwd passwd {
> filename = /usr/local/etc/raddb/simtriplets.dat
> format = "*EAP-Sim-IMSI:EAP-Sim-RAND1:EAP-Sim-SRES1:EAP-Sim-KC1:EAP-Sim-RAND2:EAP-Sim-SRES2:EAP-Sim-KC2:EAP-Sim-RAND2:EAP-Sim-SRES2:EAP-Sim-KC2"

That looks like it should work.

> I get this error when I run the test. I'm using a phone with a test SIM in it (IMSI: 1001010123456789):
> eap: Expiring EAP session with state 0x4e4609474d431cf0
> (37) eap: Finished EAP session with state 0x50b3a7b250b1a3eb

The debug output doesn't show it using the passwd module. Perhaps that's the problem.

Alan DeKok.


Alan DeKok
2015-08-17 20:40:17 UTC
On Aug 17, 2015, at 10:38 PM, Siddharth Katragadda <***@google.com> wrote:
> Any idea why the passwd module is not getting invoked? I did add "passwd" prior to the eap section in ..sites-enabled/default under authorize. Do I need to configure anything else for the passwd module to get triggered?

Read the debug log. See what it does. It shouldn't be magic...

Alan DeKok.



Alan DeKok
2015-08-17 21:22:23 UTC
On Aug 17, 2015, at 11:06 PM, Siddharth Katragadda <***@google.com> wrote:
> In the debug log, under authorize, I see:
> [passwd] = not found

So.... the passwd module *is* being used, but it doesn't find any entry matching the key.

That's simple enough.

Alan DeKok.


Matthew Newton
2015-08-21 10:29:03 UTC
On Thu, Aug 20, 2015 at 05:12:00PM -0700, Siddharth Katragadda via Freeradius-Users wrote:
> So far, most of the vendors we work with seem to be using
> rlm_sim_files on Freeradius 2.x

I don't do EAP-SIM, so these are only observations on things that
don't look quite right to me.

You've got

passwd passwd {
...
format = "*EAP-Sim-IMSI:EAP-Sim-RAND1:EAP-Sim-SRES1:EAP-Sim-KC1:EAP-Sim-RAND2:EAP-Sim-SRES2:EAP-Sim-KC2:EAP-Sim-RAND2:EAP-Sim-SRES2:EAP-Sim-KC2"
...
}

which has 10 fields, but your simtriplets file only has 4 fields.

The incoming request has

User-Name = "***@wlan.mnc001.mcc001.3gppnetwork.org"

but does not have an EAP-Sim-IMSI attribute (I'm not sure if this
should be encoded within the EAP-Message), which is why you're
getting [passwd] = notfound.

Does, for example,

format = "*User-Name:EAP-Sim-RAND1:EAP-Sim-SRES1:EAP-Sim-KC1"

work?

But, as I said - only things that look wrong to me, and I have no
knowledge of EAP-SIM at all. This might be the wrong thing to do.

Matthew



--
Matthew Newton, Ph.D. <***@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <***@le.ac.uk>
Matthew Newton
2015-08-21 21:37:30 UTC
On Fri, Aug 21, 2015 at 10:15:16AM -0700, Siddharth Katragadda wrote:
> but I still get the eap_sim: ERROR: EAP-SIM-RAND1 not found
> Although the passwd file now says: [passwd] = ok
>
> So it looks like passwd file was able to find the User-Name in
> simtriplets.dat, so it should have extracted the EAP-SIM-RAND1 etc from it
> right?

No idea: when I drop your simtriplets file and passwd config into
a clean 3.0.x HEAD build here, then use radtest (so no eap) I get:

...
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "wlan.mnc001.mcc001.3gppnetwork.org" for User-Name = "***@wlan.mnc001.mcc001.3gppnetwork.org"
(0) suffix: No such realm "wlan.mnc001.mcc001.3gppnetwork.org"
(0) [suffix] = noop
(0) passwd: Added EAP-SIM-RAND1: '2ADE1426F93045258CCD7B9CF739CD51' to config
(0) passwd: Added EAP-SIM-SRES1: 'CA1a6a73' to config
(0) passwd: Added EAP-SIM-KC1: '44163dcd3063ee06' to config
(0) passwd: Added EAP-SIM-RAND2: 'A7DB577E986F41e999981FE01E8E9351' to config
(0) passwd: Added EAP-SIM-SRES2: '9E0ec181' to config
(0) passwd: Added EAP-SIM-KC2: '2B3182377B3d2e05' to config
(0) passwd: Added EAP-SIM-RAND3: '92F13B6BB93641b0914DD3D6DAAFB78C' to config
(0) passwd: Added EAP-SIM-SRES3: '9Ca5541a' to config
(0) passwd: Added EAP-SIM-KC3: '767e395d867fa4b0' to config
(0) [passwd] = ok
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
...

That looks good enough to me - and checking the code, eap_sim just looks for
eap-sim-rand1 in the control attributes.

You've trimmed the debug output, so I've no idea what version you are using to
test against.

You could try adding something like this after your call to passwd
to force a debug expansion and see what the value has actually
been set to


if ("%{escape:%{control:EAP-Sim-Rand1}}" == "h") {
noop
}

e.g.

(0) if ("%{escape:%{control:EAP-Sim-Rand1}}" == "h") {
(0) EXPAND %{escape:%{control:EAP-Sim-Rand1}}
(0) --> 0x3241444531343236463933303435323538434344374239434637333943443531
(0) if ("%{escape:%{control:EAP-Sim-Rand1}}" == "h") -> FALSE

If you get

-->

instead, then EAP-Sim-Rand1 wasn't set properly for some reason.

> Btw, I did have 10 fields in the simtriplets.dat (delimited by colon). Why
> did you find only 4??

Failing eyesight, dementia, or the fact that in your first e-mail there were
only four fields in that file.

Matthew


--
Matthew Newton, Ph.D. <***@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <***@le.ac.uk>
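To make the two points in Matthew's replies concrete (the 10-field format string against a file with only 4 fields, and the lookup key named with `*` having to be present in the request before rlm_passwd can find anything, which is what the later "Added EAP-SIM-RAND1 ... to config" lines show succeeding), here is a small Python re-implementation of the rlm_passwd lookup. This is an added example, not FreeRADIUS code and not from anyone in the thread. It assumes rlm_passwd's documented format conventions (`*` marks the key field, `~` an ignored field, `=` a reply attribute, anything else a control attribute, `:` as the delimiter); the identity in the sample file is constructed from the IMSI and realm the thread mentions, the triplet values are the ones printed in Matthew's debug output, and the third triplet is named RAND3/SRES3/KC3 as in that output (the posted format string repeats the "2" suffix). The function names are mine.

```python
"""Toy re-implementation of the rlm_passwd lookup discussed in the thread.

Added illustration, not FreeRADIUS code. Assumed format rules: fields are
separated by `delimiter`, a leading '*' marks the lookup key, a leading '~'
marks a field to ignore, a leading '=' makes the field a reply attribute,
and every other field becomes a control ("config") attribute.
"""

# The 10-field format from the thread and the 4-field variant keyed on User-Name.
FORMAT_10 = ("*EAP-Sim-IMSI:EAP-Sim-RAND1:EAP-Sim-SRES1:EAP-Sim-KC1:"
             "EAP-Sim-RAND2:EAP-Sim-SRES2:EAP-Sim-KC2:"
             "EAP-Sim-RAND3:EAP-Sim-SRES3:EAP-Sim-KC3")
FORMAT_4 = "*User-Name:EAP-Sim-RAND1:EAP-Sim-SRES1:EAP-Sim-KC1"

# Constructed simtriplets.dat content: identity made up from the IMSI and realm
# in the thread, triplet values from Matthew's debug output, only 4 fields.
SIMTRIPLETS = (
    "# constructed sample, not a real subscriber record\n"
    "1001010123456789@wlan.mnc001.mcc001.3gppnetwork.org:"
    "2ADE1426F93045258CCD7B9CF739CD51:CA1a6a73:44163dcd3063ee06\n"
)


def parse_format(fmt, delimiter=":"):
    """Return (key_index, [(attribute_name, kind), ...]) for a format string."""
    fields, key_index = [], None
    for i, raw in enumerate(fmt.split(delimiter)):
        kind, name = "control", raw
        if raw.startswith("*"):
            # '*,' is the documented "several comma-separated keys" variant.
            kind, name, key_index = "key", raw[1:].lstrip(","), i
        elif raw.startswith("~"):
            kind, name = "ignore", raw[1:]
        elif raw.startswith("="):
            kind, name = "reply", raw[1:]
        fields.append((name, kind))
    if key_index is None:
        raise ValueError("format string has no '*' key field")
    return key_index, fields


def check_field_counts(text, fields, delimiter=":"):
    """List (lineno, fields_in_line, fields_in_format) for every mismatched data line."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        n = len(line.split(delimiter))
        if n != len(fields):
            problems.append((lineno, n, len(fields)))
    return problems


def load_table(text, key_index, delimiter=":"):
    """Index data lines by the value in the key column (first match wins; assumption)."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split(delimiter)
        if len(cols) > key_index:
            table.setdefault(cols[key_index], cols)
    return table


def lookup(request, fmt, text, delimiter=":"):
    """Mimic one rlm_passwd call: returns (rcode, control_attrs, reply_attrs)."""
    key_index, fields = parse_format(fmt, delimiter)
    key_attr = fields[key_index][0]
    if key_attr not in request:
        # No key attribute in the request, so nothing can be looked up: this is
        # the "[passwd] = notfound" seen with *EAP-Sim-IMSI and only User-Name sent.
        return "notfound", {}, {}
    row = load_table(text, key_index, delimiter).get(request[key_attr])
    if row is None:
        return "notfound", {}, {}
    control, reply = {}, {}
    # zip() stops at the shorter sequence, so a short line yields fewer attributes.
    for (name, kind), value in zip(fields, row):
        if kind == "control":
            control[name] = value
        elif kind == "reply":
            reply[name] = value
    return "ok", control, reply


if __name__ == "__main__":
    REQUEST = {"User-Name": "1001010123456789@wlan.mnc001.mcc001.3gppnetwork.org"}
    for fmt in (FORMAT_10, FORMAT_4):
        _, fields = parse_format(fmt)
        for lineno, got, want in check_field_counts(SIMTRIPLETS, fields):
            print(f"line {lineno}: {got} fields in file, {want} in format")
        rc, control, _ = lookup(REQUEST, fmt, SIMTRIPLETS)
        print(f"[passwd] = {rc}")
        for name, value in control.items():
            print(f"  passwd: Added {name}: '{value}' to config")
```

Run as a script, the 10-field format reports the field-count mismatch and returns notfound (the request carries User-Name, not EAP-Sim-IMSI), while the 4-field format returns ok and lists the three control attributes, mirroring the "Added ... to config" lines above.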
Matthew Newton
2015-08-25 22:57:10 UTC
On Tue, Aug 25, 2015 at 03:14:01PM -0700, Siddharth Katragadda wrote:
> I tried adding this line as you suggested:
>
> if ("%{escape:%{control:EAP-Sim-Rand1}}" == "h") {
> EXPAND %{escape:%{control:EAP-Sim-Rand1}}
> }
>
> I get this error:
> /usr/local/etc/raddb/sites-enabled/default[351]: Parse error after
> "control:EAP-Sim-Rand1": unexpected token "}"
>
> Not sure if I messed up the syntax somewhere.

That's not what I suggested you added - that should be noop in
there.

> Also this is the version of FreeRADIUS we're using:
> radiusd: FreeRADIUS Version 3.0.9, for host x86_64-unknown-linux-gnu, built
> on Aug 7 2015 at 16:25:45

> Could you please let me know if it's an issue with the version of radius
> we have.

I tested with 3.0.x HEAD. You could always try that, but it's
pretty close to 3.0.9.

Matthew



--
Matthew Newton, Ph.D. <***@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <***@le.ac.uk>
Matthew Newton
2015-08-25 23:41:40 UTC
On Tue, Aug 25, 2015 at 04:26:38PM -0700, Siddharth Katragadda wrote:
> With the noop change, I get:
>
> 145) [passwd] = ok
> (145) if ("%{escape:%{control:EAP-Sim-Rand1}}"=="h"){
> (145) EXPAND %{escape:%{control:EAP-Sim-Rand1}}
> (145) -->

So it expanded to nothing.

> (145) if ("%{escape:%{control:EAP-Sim-Rand1}}"=="h") -> FALSE
> (145) eap: Peer sent EAP Response (code 2) ID 2 length 6
>
> Does this mean passwd is not saving the values properly after reading them
> from simtriplets.dat?

Or you're reading the wrong file, or something else simple like
that. There's been no significant code changes in rlm_passwd
between 3.0.9 and HEAD, so if it works here then you must have
something wrong in your config. And I used the config you posted
verbatim, so it's probably something very obscure, or more likely
blindingly simple.

Start with a completely clean install. Just set up rlm_passwd to
read the file, no need for eap or anything else like that. Send in
a request, and see if it gets EAP-Sim-Rand1 as expected with the
above expansion. That's what I had here. If so then you've got
something wrong in your config, so start diffing to work out what.

If the simple config doesn't work as expected, post the *whole*
debug output to the list, rather than small bits of it, which
leaves everyone guessing and is incredibly annoying.

Matthew


--
Matthew Newton, Ph.D. <***@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <***@le.ac.uk>
Zubair Ayub
2018-11-19 12:20:46 UTC
What the hell is wrong with you guys?

Regards
ZUBAIR AYUB
Thanks

________________________________
From: Freeradius-Users <freeradius-users-bounces+zubairayub=***@lists.freeradius.org> on behalf of Song Zou via Freeradius-Users <freeradius-***@lists.freeradius.org>
Sent: Monday, November 19, 2018 5:18:31 PM
To: Song Zou via Freeradius-Users
Cc: Song Zou
Subject: Re: Re: Re: EAP-sim using freeradius

please don’t send email

On Nov 19, 2018, at 20:16, Song Zou via Freeradius-Users <freeradius-***@lists.freeradius.org> wrote:

> please don’t send email
>
Alan DeKok
2015-08-21 11:00:16 UTC
On Aug 20, 2015, at 8:12 PM, Siddharth Katragadda <***@google.com> wrote:
> Could you please confirm if anyone has gotten EAP-SIM to work with rlm_passwd??

rlm_passwd doesn't care about EAP-SIM, PAP, CHAP, or EAP-TTLS. It works on attributes. If it doesn't work, you probably have a configuration error. See Matthew's post.

> So far, most of the vendors we work with seem to be using rlm_sim_files on Freeradius 2.x

That's fine for them.

Alan DeKok.


Alan Buxey
2018-11-19 18:50:55 UTC
Hi

please don’t send email
>

There's got to be some new internet meme coming from this one ;)

alan

>