hostap EAP-SIM problem with cisco1240AG

jan terje tønnessen jt_toenn
Tue Oct 2 01:00:41 PDT 2007


Hi!

I am trying to replace freeradius with hostapd for an EAP-SIM session (and later EAP-AKA). The authentication is OK when using freeradius, but I can't get it to work with hostapd.

client: wpa_supplicant v0.4.9 and a SIM-card reader (pcscd).
AP: cisco 1240AG
auth server: hostapd-0.5.8 as eap/radius-server on a Fedora Core 6 machine

With hostapd I see that the first Access-Challenge message is dropped by the AP. I see that there are some differences when I compare with the Access-Challenge which was sent when I used freeradius.

1) hostapd doesn't send a Reply-Message within the Access-Challenge even if I have "eap_message=hello" in hostapd.conf

2) freeradius uses "AT_FULLAUTH_ID_REQ" while hostapd uses "AT_PERMANENT_ID_REQ" (which should be OK I guess).

3) Message-Authenticator: can I verify that it is correct in any way?


## Log and configuration

[root@longrow hostapd-0.5.8]# /usr/local/src/hostapd-0.5.8/hostapd -ddt /usr/local/src/hostapd-0.5.8/hostapd.conf
Configuration file: /usr/local/src/hostapd-0.5.8/hostapd.conf
BSS count 1, BSSID mask ff:ff:ff:ff:ff:ff (0 bits)
RATE[0] rate=10 flags=0x152
Could not set passive scanning: Unknown error 4294967295
1191309066.866152: Flushing old station entries
1191309066.866175: Deauthenticate all stations
1191309066.866186: test_driver_set_privacy(ifname= enabled=0)
1191309066.866199: test_driver_set_encryption(iface= alg=none idx=0 txkey=1)
1191309066.866213: test_driver_set_encryption(iface= alg=none idx=1 txkey=0)
1191309066.866225: test_driver_set_encryption(iface= alg=none idx=2 txkey=0)
1191309066.866237: test_driver_set_encryption(iface= alg=none idx=3 txkey=0)
Using interface  with hwaddr 02:13:85:56:01:90 and ssid 'test'
1191309066.866279: test_driver_set_ssid(ifname=)
1191309066.866290: test_driver_set_ssid: SSID - hexdump_ascii(len=4):
     74 65 73 74                                       test
1191309066.866355: : Setup of interface done.
1191309102.867683: RADIUS SRV: Received 146 bytes from 192.168.100.21:1645
1191309102.867727: RADIUS SRV: Received data - hexdump(len=146): 01 b7 00 92 0f
eb 79 90 8e ac f7 d0 69 be 7d 5b 5d cf e3 04 01 11 32 34 30 39 38 31 31 31 30 30
 31 35 32 32 30 0c 06 00 00 05 78 1e 10 30 30 31 39 2e 61 39 66 64 2e 34 39 64 3
0 1f 10 30 30 31 37 2e 39 61 62 61 2e 36 32 33 34 06 06 00 00 00 01 50 12 c5 21
af cb ae 53 b5 ff eb d6 27 1a ed 28 ca 1f 4f 16 02 02 00 14 01 32 34 30 39 38 31
 31 31 30 30 31 35 32 32 30 3d 06 00 00 00 13 05 06 00 00 2e a4 57 07 31 31 39 3
4 30 04 06 c0 a8 64 15
RADIUS message: code=1 (Access-Request) identifier=183 length=146
   Attribute 1 (User-Name) length=17
      Value: '240981110015220'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 30 (Called-Station-Id) length=16
      Value: '0019.a9fd.49d0'
   Attribute 31 (Calling-Station-Id) length=16
      Value: '0017.9aba.6234'
   Attribute 6 (?Unknown?) length=6
   Attribute 80 (Message-Authenticator) length=18
      Value: c5 21 af cb ae 53 b5 ff eb d6 27 1a ed 28 ca 1f
   Attribute 79 (EAP-Message) length=22
      Value: 02 02 00 14 01 32 34 30 39 38 31 31 31 30 30 31 35 32 32 30
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 5 (NAS-Port) length=6
      Value: 11940
   Attribute 87 (?Unknown?) length=7
   Attribute 4 (NAS-IP-Address) length=6
      Value: 192.168.100.21
1191309102.868080: RADIUS SRV: Creating a new session
1191309102.868099: RADIUS SRV: User-Name - hexdump_ascii(len=15):
     32 34 30 39 38 31 31 31 30 30 31 35 32 32 30      240981110015220
1191309102.868136: RADIUS SRV: Matching user entry found
1191309102.868156: EAP: State machine created
1191309102.868169: RADIUS SRV: New session 0x0 initialized
1191309102.868184: RADIUS SRV: Received EAP data - hexdump(len=20): 02 02 00 14
01 32 34 30 39 38 31 31 31 30 30 31 35 32 32 30
1191309102.868211: EAP: EAP-Response received - hexdump(len=20): 02 02 00 14 01
32 34 30 39 38 31 31 31 30 30 31 35 32 32 30
1191309102.868241: EAP: EAP entering state INITIALIZE
1191309102.868255: EAP: parseEapResp: rxResp=1 respId=2 respMethod=1 respVendor=
0 respVendorMethod=0
1191309102.868270: EAP: EAP entering state PICK_UP_METHOD
1191309102.868284: EAP: EAP entering state METHOD_RESPONSE
1191309102.868298: EAP-Identity: Peer identity - hexdump_ascii(len=15):
     32 34 30 39 38 31 31 31 30 30 31 35 32 32 30      240981110015220
1191309102.868330: EAP: EAP entering state SELECT_ACTION
1191309102.868344: EAP: getDecision: another method available -> CONTINUE
1191309102.868358: EAP: EAP entering state PROPOSE_METHOD
1191309102.868370: EAP: getNextMethod: vendor 0 type 18
1191309102.868385: EAP: EAP entering state METHOD_REQUEST
1191309102.868396: EAP: building EAP-Request: Identifier 3
1191309102.868409: EAP-SIM: Generating Start
1191309102.868427:    AT_PERMANENT_ID_REQ
1191309102.868440:    AT_VERSION_LIST
1191309102.868458: EAP: EAP entering state SEND_REQUEST
1191309102.868470: EAP: eapReqData -> EAPOL - hexdump(len=20): 01 03 00 14 12 0a
 00 00 0a 01 00 00 0f 02 00 02 00 01 00 00
1191309102.868497: EAP: EAP entering state IDLE
1191309102.868509: RADIUS SRV: EAP data from the state machine - hexdump(len=20)
: 01 03 00 14 12 0a 00 00 0a 01 00 00 0f 02 00 02 00 01 00 00
1191309102.868553: RADIUS SRV: Reply to 192.168.100.21:1645
RADIUS message: code=11 (Access-Challenge) identifier=183 length=66
   Attribute 24 (State) length=6
      Value: 00 00 00 00
   Attribute 79 (EAP-Message) length=22
      Value: 01 03 00 14 12 0a 00 00 0a 01 00 00 0f 02 00 02 00 01 00 00
   Attribute 80 (Message-Authenticator) length=18
      Value: d9 b2 4b 55 13 14 79 e0 6a 13 b8 f7 07 c3 24 f8
1191309108.338010: RADIUS SRV: Received 146 bytes from 192.168.100.21:1645
1191309108.338355: RADIUS SRV: Received data - hexdump(len=146): 01 b7 00 92 0f
eb 79 90 8e ac f7 d0 69 be 7d 5b 5d cf e3 04 01 11 32 34 30 39 38 31 31 31 30 30
 31 35 32 32 30 0c 06 00 00 05 78 1e 10 30 30 31 39 2e 61 39 66 64 2e 34 39 64 3
0 1f 10 30 30 31 37 2e 39 61 62 61 2e 36 32 33 34 06 06 00 00 00 01 50 12 c5 21
af cb ae 53 b5 ff eb d6 27 1a ed 28 ca 1f 4f 16 02 02 00 14 01 32 34 30 39 38 31
 31 31 30 30 31 35 32 32 30 3d 06 00 00 00 13 05 06 00 00 2e a4 57 07 31 31 39 3
4 30 04 06 c0 a8 64 15
RADIUS message: code=1 (Access-Request) identifier=183 length=146
   Attribute 1 (User-Name) length=17
      Value: '240981110015220'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 30 (Called-Station-Id) length=16
      Value: '0019.a9fd.49d0'
   Attribute 31 (Calling-Station-Id) length=16
      Value: '0017.9aba.6234'
   Attribute 6 (?Unknown?) length=6
   Attribute 80 (Message-Authenticator) length=18
      Value: c5 21 af cb ae 53 b5 ff eb d6 27 1a ed 28 ca 1f
   Attribute 79 (EAP-Message) length=22
      Value: 02 02 00 14 01 32 34 30 39 38 31 31 31 30 30 31 35 32 32 30
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 5 (NAS-Port) length=6
      Value: 11940
   Attribute 87 (?Unknown?) length=7
   Attribute 4 (NAS-IP-Address) length=6
      Value: 192.168.100.21
1191309108.339027: RADIUS SRV: Creating a new session
1191309108.339038: RADIUS SRV: User-Name - hexdump_ascii(len=15):
     32 34 30 39 38 31 31 31 30 30 31 35 32 32 30      240981110015220
1191309108.339067: RADIUS SRV: Matching user entry found
1191309108.339082: EAP: State machine created
1191309108.339092: RADIUS SRV: New session 0x1 initialized
1191309108.339104: RADIUS SRV: Received EAP data - hexdump(len=20): 02 02 00 14
01 32 34 30 39 38 31 31 31 30 30 31 35 32 32 30
1191309108.339127: EAP: EAP-Response received - hexdump(len=20): 02 02 00 14 01
32 34 30 39 38 31 31 31 30 30 31 35 32 32 30
1191309108.339150: EAP: EAP entering state INITIALIZE
1191309108.339161: EAP: parseEapResp: rxResp=1 respId=2 respMethod=1 respVendor=
0 respVendorMethod=0
1191309108.339174: EAP: EAP entering state PICK_UP_METHOD
1191309108.339187: EAP: EAP entering state METHOD_RESPONSE
1191309108.339199: EAP-Identity: Peer identity - hexdump_ascii(len=15):
     32 34 30 39 38 31 31 31 30 30 31 35 32 32 30      240981110015220
1191309108.339227: EAP: EAP entering state SELECT_ACTION
1191309108.339239: EAP: getDecision: another method available -> CONTINUE
1191309108.339251: EAP: EAP entering state PROPOSE_METHOD
1191309108.339261: EAP: getNextMethod: vendor 0 type 18
1191309108.339273: EAP: EAP entering state METHOD_REQUEST
1191309108.339283: EAP: building EAP-Request: Identifier 3
1191309108.339293: EAP-SIM: Generating Start
1191309108.339306:    AT_PERMANENT_ID_REQ
1191309108.339317:    AT_VERSION_LIST
1191309108.339328: EAP: EAP entering state SEND_REQUEST
1191309108.339337: EAP: eapReqData -> EAPOL - hexdump(len=20): 01 03 00 14 12 0a
 00 00 0a 01 00 00 0f 02 00 02 00 01 00 00
1191309108.339365: EAP: EAP entering state IDLE
1191309108.339375: RADIUS SRV: EAP data from the state machine - hexdump(len=20)
: 01 03 00 14 12 0a 00 00 0a 01 00 00 0f 02 00 02 00 01 00 00
1191309108.339407: RADIUS SRV: Reply to 192.168.100.21:1645
RADIUS message: code=11 (Access-Challenge) identifier=183 length=66
   Attribute 24 (State) length=6
      Value: 00 00 00 01
   Attribute 79 (EAP-Message) length=22
      Value: 01 03 00 14 12 0a 00 00 0a 01 00 00 0f 02 00 02 00 01 00 00
   Attribute 80 (Message-Authenticator) length=18
      Value: 70 a2 dd ca e0 93 24 e4 3a e6 5a 54 e5 7a 4a cf
1191309113.576982: RADIUS SRV: Received 146 bytes from 192.168.100.21:1645
1191309113.577016: RADIUS SRV: Received data - hexdump(len=146): 01 b7 00 92 0f
eb 79 90 8e ac f7 d0 69 be 7d 5b 5d cf e3 04 01 11 32 34 30 39 38 31 31 31 30 30
 31 35 32 32 30 0c 06 00 00 05 78 1e 10 30 30 31 39 2e 61 39 66 64 2e 34 39 64 3
0 1f 10 30 30 31 37 2e 39 61 62 61 2e 36 32 33 34 06 06 00 00 00 01 50 12 c5 21
af cb ae 53 b5 ff eb d6 27 1a ed 28 ca 1f 4f 16 02 02 00 14 01 32 34 30 39 38 31
 31 31 30 30 31 35 32 32 30 3d 06 00 00 00 13 05 06 00 00 2e a4 57 07 31 31 39 3
4 30 04 06 c0 a8 64 15


[root@longrow hostapd-0.5.8]# cat .config | grep -v "^#" | uniq
CONFIG_DRIVER_TEST=y
CONFIG_IAPP=y
CONFIG_RSN_PREAUTH=y
CONFIG_PEERKEY=y
CONFIG_EAP=y
CONFIG_EAP_MD5=y
CONFIG_EAP_TLS=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_GTC=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_SIM=y
CONFIG_EAP_AKA=y
CONFIG_PKCS12=y
CONFIG_RADIUS_SERVER=y
CONFIG_IPV6=y


[root@longrow hostapd-0.5.8]# cat hostapd.conf | grep -v "^#" | uniq
driver=test
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=4
dump_file=/tmp/hostapd.dump
ssid=test
auth_algs=1
ignore_broadcast_ssid=0
ieee8021x=1
eap_message=hello
eapol_key_index_workaround=0
eap_reauth_period=3600
eap_server=1
eap_user_file=/usr/local/src/hostapd-0.5.8/hostapd.eap_user
eap_sim_db=/usr/local/src/hostapd-0.5.8/hostapd.sim_db
own_ip_addr=127.0.0.1
radius_server_clients=/usr/local/src/hostapd-0.5.8/hostapd.radius_clients
radius_server_auth_port=1812


[root@longrow hostapd-0.5.8]# cat hostapd.sim_db | grep -v "^#" | uniq
240993000003063:1D4DD94A14441487:0EC3CAC3:34000003287584378734296795826790
240993000003063:FFFB3415E0539600:30253A92:34000000723497894276897234672469
240993000003063:8BE76C91E94598A5:A591F351:34000000000000009809826509987134


[root@longrow hostapd-0.5.8]# cat hostapd.radius_clients | grep -v "^#" | uniq
0.0.0.0/0       SysVer
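
An added example (not part of the original post and not hostapd code) for question 3: the Message-Authenticator of a RADIUS reply is HMAC-MD5 (RFC 3579, section 3.2), keyed with the shared secret, over the whole packet with the attribute value zeroed and the Request Authenticator of the matching Access-Request in the authenticator field. The script rebuilds the first logged Access-Challenge from the values above; it assumes the attributes were sent in the order the log prints them and that the AP is configured with the same secret as hostapd.radius_clients.

```python
import hashlib
import hmac
import struct

# Values copied from the post; attribute order is assumed to match the log.
SECRET = b"SysVer"  # shared secret from hostapd.radius_clients
REQ_AUTH = bytes.fromhex("0f eb 79 90 8e ac f7 d0 69 be 7d 5b 5d cf e3 04")
EAP = bytes.fromhex("01 03 00 14 12 0a 00 00 0a 01 00 00 0f 02 00 02 00 01 00 00")
LOGGED_MA = bytes.fromhex("d9 b2 4b 55 13 14 79 e0 6a 13 b8 f7 07 c3 24 f8")

def find_msg_auth(packet):
    """Return the offset of the 16-byte Message-Authenticator (type 80) value."""
    pos = 20  # attributes follow the 20-byte RADIUS header
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        if atype == 80 and alen == 18:
            return pos + 2
        pos += alen
    raise ValueError("no Message-Authenticator attribute")

def compute_msg_auth(packet, secret, request_auth=None):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed.
    For a reply, request_auth replaces the authenticator field (bytes 4..19)."""
    off = find_msg_auth(packet)
    buf = bytearray(packet)
    buf[off:off + 16] = bytes(16)
    if request_auth is not None:
        buf[4:20] = request_auth
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def verify_msg_auth(packet, secret, request_auth=None):
    off = find_msg_auth(packet)
    return hmac.compare_digest(compute_msg_auth(packet, secret, request_auth),
                               packet[off:off + 16])

def build_challenge():
    """Access-Challenge id=183 as logged; the Response Authenticator is not in
    the log, so zeros stand in (the field is overwritten before hashing)."""
    attrs = (bytes([24, 6]) + bytes(4) + bytes([79, 22]) + EAP
             + bytes([80, 18]) + LOGGED_MA)
    return struct.pack("!BBH", 11, 183, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    pkt = build_challenge()
    print("computed:", compute_msg_auth(pkt, SECRET, REQ_AUTH).hex())
    print("matches log:", verify_msg_auth(pkt, SECRET, REQ_AUTH))
```

For an Access-Request the same functions apply with `request_auth=None`, since the packet already carries its own Request Authenticator.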




       