Access-Reject - User not found during EAP-AKA
Jouni Malinen
Thu Jun 18 01:30:27 PDT 2015
On Wed, Jun 17, 2015 at 06:09:36PM -0700, Premraj Sundaram wrote:
> I am trying to perform EAP-AKA for the IMSI mentioned as an example along
> with hostapd install.
> Run ./hostapd hostapd.conf
> From Radius client, I try to send the IMSI 232010000000000 for
> Access-Request.
> However, the response is always ACCESS-REJECT as hostapd is not able to
> find the user in its database.
Do you have the EAP-AKA prefixes configured in the EAP user file like
they are in the hostapd/hostapd.eap_user example?
# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
"0"* AKA,TTLS,TLS,PEAP,SIM
"1"* SIM,TTLS,TLS,PEAP,AKA
"2"* AKA,TTLS,TLS,PEAP,SIM
"3"* SIM,TTLS,TLS,PEAP,AKA
"4"* AKA,TTLS,TLS,PEAP,SIM
"5"* SIM,TTLS,TLS,PEAP,AKA
"6"* AKA'
"7"* AKA'
"8"* AKA'
> Attribute 31 (Calling-Station-Id) length=17
> Value: '232010000000000'
That looks a bit suspicious..
> EAP-Identity: Peer identity - hexdump_ascii(len=16):
> 30 32 33 32 30 31 30 30 30 30 30 30 30 30 30 30 0232010000000000
> RADIUS SRV: [0x2 127.0.0.1] EAP: EAP-Response/Identity '0232010000000000'
Why does the NAS (AP?) use a different value in the User-Name attribute (i.e.,
the first '0' is missing there)?
--
Jouni Malinen PGP id EFC895FA
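
Added example, not part of the original message and not hostapd's own code: a simplified Python model of the prefix lookup against the eap_user entries quoted above, used to compare the RADIUS attribute value from the log with the EAP-Response/Identity. It assumes the first matching entry in file order wins and parses only the plain `"prefix"* METHODS` line form; the function names are hypothetical.

```python
import re

# Constructed sample: the prefix entries quoted in the reply above.
EAP_USER_SAMPLE = '''\
# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
"0"* AKA,TTLS,TLS,PEAP,SIM
"1"* SIM,TTLS,TLS,PEAP,AKA
"2"* AKA,TTLS,TLS,PEAP,SIM
"3"* SIM,TTLS,TLS,PEAP,AKA
"4"* AKA,TTLS,TLS,PEAP,SIM
"5"* SIM,TTLS,TLS,PEAP,AKA
"6"* AKA'
"7"* AKA'
"8"* AKA'
'''

ENTRY = re.compile(r'^"([^"]*)"(\*?)\s+(\S+)')

def parse_eap_user(text):
    """Return [(identity, is_prefix, [methods])] in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2) == "*", m.group(3).split(",")))
    return entries

def lookup(entries, identity):
    """Methods of the first matching entry (assumed rule), or None if not found."""
    for ident, is_prefix, methods in entries:
        if identity.startswith(ident) if is_prefix else identity == ident:
            return methods
    return None

def compare_identities(entries, radius_value, eap_identity):
    """Report whether the two identities are equal and what each one selects."""
    return {
        "same": radius_value == eap_identity,
        "radius_methods": lookup(entries, radius_value),
        "eap_methods": lookup(entries, eap_identity),
    }

if __name__ == "__main__":
    db = parse_eap_user(EAP_USER_SAMPLE)
    print(compare_identities(db, "232010000000000", "0232010000000000"))
    print(lookup(db, "9232010000000000"))  # no entry covers prefix 9
```

An identity that matches none of the entries, or any identity when the prefix lines are absent from the file, returns no methods, which corresponds to the "user not found" case in the original question.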