<div dir="ltr">Dear All,<br><br>I am trying to test the IKEv2 daemon from IKEv2
project with EAP authentication methods. This daemon uses a wpa
supplicant compiled as a library, i.e., there is a Makefile that the
developer of ikev2 provides. This makefile must be used to compile
the libsupplicant library from wpasupplicant-0.4.x. Then this library
is used during the configuration and compilation of ikev2. <br>
I attach that Makefile at the end of my email. I know that this is an
old version of wpa supplicant, but their makefile works only with this
version (wpasupplicant-0.4.10)<br><br><br>Their
daemon is said to support EAP methods. And this is true, I tried out
many EAP methods on the top of IKEv2, like EAP-MD5, EAP-TLS,
EAP-TTLS/MD5, EAP-PEAPv0/MSCHAPv2, together with freeradius. In every
case I need to give an eap.conf file on the user side, that is exactly
the same as in the case of using wpasupplicant for 802.11i, just using
fewer fields.<br>
E.g. my eap.conf for eap-md5 looks like the following:<br>network={<br> key_mgmt=IEEE8021X<br> eap=MD5<br> identity="<a href="mailto:initiator@example.org" target="_blank">initiator@example.org</a>"<br>
password="leonardo"<br>
eapol_flags=0<br>}<br><br><br>I
also managed to run EAP-SIM successfully with the test RAND, Kc, and
SRES values, i.e., I saw the hardcoded triplets in eap_sim.c, and
after configuring those on the freeradius side, the authentication ran
successfully. The hardcoded values can be seen in the eap_sim_gsm_auth
function of eap_sim.c:<br>
<br><br>static int eap_sim_gsm_auth(struct eap_sm *sm, struct eap_sim_data *data)<br>{<br> wpa_printf(MSG_DEBUG, "EAP-SIM: GSM authentication algorithm");<br>#ifdef PCSC_FUNCS<br> if (scard_gsm_auth(sm->scard_ctx, data->rand[0],<br>
data->sres[0], data->kc[0]) ||<br> scard_gsm_auth(sm->scard_ctx, data->rand[1],<br> data->sres[1], data->kc[1]) ||<br> (data->num_chal > 2 &&<br>
scard_gsm_auth(sm->scard_ctx, data->rand[2],<br> data->sres[2], data->kc[2]))) {<br> wpa_printf(MSG_DEBUG, "EAP-SIM: GSM SIM authentication could "<br>
"not be completed");<br> return -1;<br> }<br><br><br>#else /* PCSC_FUNCS */<br> /* These hardcoded Kc and SRES values are used for testing. RAND to<br> * KC/SREC mapping is very bogus as far as real authentication is<br>
* concerned, but it is quite useful for cases where the AS is rotating<br> * the order of pre-configured values. */<br> {<br> int i;<br> for (i = 0; i < data->num_chal; i++) {<br>
if (data->rand[i][0] == 0xaa) {<br> <div dir="ltr"> memcpy(data->kc[i],<br> "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7",<br>
KC_LEN);<br>
memcpy(data->sres[i], "\xd1\xd2\xd3\xd4",<br> SRES_LEN);<br> } else if (data->rand[i][0] == 0xbb) {<br> memcpy(data->kc[i],<br>
"\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7",<br> KC_LEN);<br> memcpy(data->sres[i], "\xe1\xe2\xe3\xe4",<br>
SRES_LEN);<br> } else {<br> memcpy(data->kc[i],<br> "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7",<br>
KC_LEN);<br> memcpy(data->sres[i], "\xf1\xf2\xf3\xf4",<br> SRES_LEN);<br> }<br>
}<br> }<br>#endif /* PCSC_FUNCS */<br> return 0;<br>}<br><br><br>My eap.conf file in this case is the following:<br>network={<br> identity="<a href="mailto:1216702011992055@example.org" target="_blank">1216702011992055@example.org</a>" //I have added this user on freeradius side with the hardcoded triplets.<br>
key_mgmt=WPA-EAP<br> eap=SIM<br> pin="1253"<br> pcsc=""<br>}<br><br><br>Now comes the part I don't know:<br><br>I
bought an omnikey cardman 3121 reader that supports PC/SC, and I have
two GSM test sim cards, which support COMP 128 V1, COMP 128 V2 gsm
authentication.<br>
<br>I installed pcsc-lite on my ubuntu, and when I insert a card in the reader, I can see in /var/log/messages<br>Oct 8 16:58:36 anemone-mnn2 pcscd: Card ATR: 3B 3B 94 00 6A 38 20 00 00 17 80 33 33 90 00<br>I concluded, that pcsc sees the card.<br>
<br>Now, if I change the triplet from the hardcoded one to a
non-hardcoded one on the radius side, e.g. I modify the first byte of the RAND
values so that it is not the expected one, then I would like to see that
the supplicant looks into my SIM card, calls the run GSM algorithm,
and gets back different Kc and RES values.<br>
<br>However, this does not happen, and I don't know where the
problem is. How can I easily test that the supplicant library can see my SIM
card, and call the run gsm algorithm?<br><br>I attach a logfile of the supplicant library:<br> I did not set Identity="..." in eap.conf<br><br>1st case: Identity not configured:<br>eap.conf of the supplicant is:<br>
network={<br> #identity="<a href="mailto:1001011111111111@example.org" target="_blank">1001011111111111@example.org</a>"<br> key_mgmt=WPA-EAP<br>
eap=SIM<br> pin="1111"<br> pcsc=""<br>}<br><br>1223377938.860 supplicant INFO - CTRL-EVENT-EAP-METHOD EAP method 18 (SIM) selected<br>1223377938.860 supplicant TRACE - get_bool: 321: called get_bool for variable EAPOL_eapRestart (0)<br>
1223377938.860 supplicant TRACE - get_bool: 346: called get_bool for variable EAPOL_portEnabled (1)<br>1223377938.860 supplicant DEBUG - EAP: EAP entering state METHOD<br>1223377938.860 supplicant DEBUG - Entering get_eapReqData: 497<br>
1223377938.860 supplicant DEBUG - Leaving get_eapReqData: 501<br>1223377938.860 supplicant DEBUG - Entering get_config: 301<br>1223377938.860 supplicant DEBUG - _wpa_hexdump: 92: EAP-SIM: EAP data - hexdump(len=20):<br>
1223377938.860 supplicant DEBUG - Dumping buffer at 0x80bdcc9 size 20<br>
1223377938.860 supplicant DEBUG - 01 12 00 14 12 0A 00 00 0F 02 00 02 00 01 00 00<br>1223377938.860 supplicant DEBUG - 11 01 01 00<br>1223377938.860 supplicant INFO - EAP-SIM: Identity not configured<br>1223377938.860 supplicant INFO - CTRL-REQ-IDENTITY-0:Identity needed for SSID<br>
1223377938.860 supplicant DEBUG - EAP: method process -> ignore=TRUE methodState=INIT decision=FAIL<br>1223377938.860 supplicant TRACE - get_bool: 321: called get_bool for variable EAPOL_eapRestart (0)<br>1223377938.860 supplicant TRACE - get_bool: 346: called get_bool for variable EAPOL_portEnabled (1)<br>
1223377938.860 supplicant DEBUG - EAP: EAP entering state DISCARD<br>1223377938.860 supplicant TRACE - set_bool: 407: called set_bool for variable EAPOL_eapReq (0)<br>1223377938.860 supplicant TRACE - set_bool: 401: called set_bool for variable EAPOL_eapNoResp (1)<br>
1223377938.860 supplicant TRACE - get_bool: 321: called get_bool for variable EAPOL_eapRestart (0)<br>1223377938.860 supplicant TRACE - get_bool: 346: called get_bool for variable EAPOL_portEnabled (1)<br>1223377938.860 supplicant DEBUG - EAP: EAP entering state IDLE<br>
<br><br>I think that it fails because it can not get the IMSI from the sim card. This should possibly answer my problem.<br>1223377938.860 supplicant INFO - EAP-SIM: Identity not configured<br>
1223377938.860 supplicant INFO - CTRL-REQ-IDENTITY-0:Identity needed for SSID<br>
1223377938.860 supplicant DEBUG - EAP: method process -> ignore=TRUE methodState=INIT decision=FAIL<br><br>Could you help me to find the solution to use the SIM card for authentication?<br><br>This is the Makefile used to compile libsupplicant library from wpasupplicant-0.4.10<br>
<br># Name of final library<br>LIBNAME=libsupplicant.so<br><br># Major and minor versions of library<br>MJVER=1<br>MINVER=0<br>
<br># CPP, C and linker flags<br>CPPFLAGS=-I../hostapd<br>CFLAGS=-ggdb -fPIC -c -Wall<br>LDFLAGS=-ggdb -shared -Wl,-soname,$(LIBNAME).$(MJVER)<br><br># Destination directories for installation<br>DSTLIBDIR=/usr/local/lib<br>
DSTINCDIR=/usr/local/include/wpa<br><br># Include files to install<br>INCLUDES=common.h eap.h crypto.h wpa_supplicant.h defs.h eap_defs.h config.h config_ssid.h<br><br># Object files to put into library<br>OBJS=md5.o
eap.o crypto.o eap_tls.o eap_tls_common.o tls_openssl.o config.o
config_file.o base64.o eap_tlv.o sha1.o rc4.o aes_wrap.o<br>
<br># Defines<br><br># If I'm taking generic EAP, why should I define this?<br>CPPFLAGS += -DIEEE8021X_EAPOL<br><br># Also, why would use define<br>CPPFLAGS += -DEAP_TLS_FUNCS<br><br># Also, why would use define<br># This was added here so that macros wpa_msg at al. are properly<br>
# defined!<br>#CPPFLAGS += -DCONFIG_NO_STDOUT_DEBUG<br><br># EAP Methods that should be included in libraries...<br>CPPFLAGS += -DEAP_TLS<br><br>CPPFLAGS += -DEAP_TTLS<br>OBJS += eap_ttls.o ms_funcs.o<br><br>CPPFLAGS += -DEAP_PEAP<br>
OBJS += eap_peap.o<br><br>CPPFLAGS += -DEAP_PSK<br>OBJS += eap_psk.o eap_psk_common.o<br><br>CPPFLAGS += -DEAP_SIM<br>OBJS += eap_sim.o eap_sim_common.o<br><br>CPPFLAGS += -DEAP_MD5<br>OBJS += eap_md5.o<br><br># Targets<br>
<br>all: $(LIBNAME)<br><br>$(LIBNAME): $(OBJS)<br> gcc -o $(LIBNAME).$(MJVER).$(MINVER) $(OBJS) $(LDFLAGS)<br><br>%.o: %.c<br> gcc $(CPPFLAGS) $(CFLAGS) -o $*.o $*.c<br><br>install:<br> mkdir -p $(DSTINCDIR)<br>
cp $(LIBNAME).$(MJVER).$(MINVER) $(DSTLIBDIR)/<br> cp $(INCLUDES) $(DSTINCDIR)<br>
( cd $(DSTLIBDIR) && rm -f $(LIBNAME).$(MJVER) && ln -s
$(LIBNAME).$(MJVER).$(MINVER) $(LIBNAME).$(MJVER) )<br>
( cd $(DSTLIBDIR) && rm -f $(LIBNAME) && ln -s $(LIBNAME).$(MJVER).$(MINVER) $(LIBNAME) )<br><br>clean:<br> rm -f $(OBJS) $(LIBNAME).$(MJVER).$(MINVER)<br><br>BR,<br>Zoltan Faigl<br>Mobile Innovation Center, Hungary<br>
</div></div>
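
Added example, not part of the original message and not code from wpa_supplicant or the ikev2 project: a small decoder for the 20-byte "EAP-SIM: EAP data" hexdump in the log above, showing which EAP-SIM attributes the server sent before the "Identity not configured" line. The struct and function names are made up for this illustration; the attribute numbers and length encoding are those of RFC 4186.

```c
#include <stdio.h>
#include <stdint.h>

/* Attribute numbers from RFC 4186 (EAP-SIM). */
enum { AT_VERSION_LIST = 15, AT_FULLAUTH_ID_REQ = 17 };

struct sim_start {              /* hypothetical name, for illustration */
    uint8_t code, id, subtype;
    int n_versions;             /* entries found in AT_VERSION_LIST */
    uint16_t versions[8];
    int fullauth_id_req;        /* 1 if AT_FULLAUTH_ID_REQ is present */
};

/* Parse one EAP-SIM packet; returns 0 on success, -1 on malformed input. */
int parse_eap_sim(const uint8_t *p, size_t len, struct sim_start *out)
{
    if (len < 8) return -1;
    size_t eap_len = (size_t)p[2] << 8 | p[3];
    if (eap_len != len || p[4] != 18) return -1;    /* EAP type 18 = SIM */
    out->code = p[0]; out->id = p[1]; out->subtype = p[5];
    out->n_versions = 0; out->fullauth_id_req = 0;
    size_t pos = 8;                                 /* skip 2 reserved bytes */
    while (pos < len) {
        if (len - pos < 2) return -1;
        uint8_t at = p[pos];
        size_t alen = (size_t)p[pos + 1] * 4;       /* length is in 4-byte words */
        if (alen < 4 || alen > len - pos) return -1;
        if (at == AT_VERSION_LIST) {
            size_t actual = (size_t)p[pos + 2] << 8 | p[pos + 3];
            if (actual % 2 || actual > alen - 4) return -1;
            for (size_t i = 0; i < actual && out->n_versions < 8; i += 2)
                out->versions[out->n_versions++] =
                    (uint16_t)(p[pos + 4 + i] << 8 | p[pos + 5 + i]);
        } else if (at == AT_FULLAUTH_ID_REQ) {
            out->fullauth_id_req = 1;
        }
        pos += alen;
    }
    return 0;
}

/* The 20 bytes copied from the hexdump in the supplicant log above. */
static const uint8_t LOG_PKT[20] = {
    0x01, 0x12, 0x00, 0x14, 0x12, 0x0A, 0x00, 0x00, 0x0F, 0x02,
    0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x11, 0x01, 0x01, 0x00 };

int main(void)
{
    struct sim_start s;
    if (parse_eap_sim(LOG_PKT, sizeof LOG_PKT, &s) != 0) return 1;
    printf("code=%u id=0x%02x subtype=%u version=%u fullauth_id_req=%d\n",
           s.code, s.id, s.subtype, s.versions[0], s.fullauth_id_req);
    return 0;
}
```

The packet decodes as an EAP-Request, subtype 10 (Start), offering version 1 and carrying AT_FULLAUTH_ID_REQ, i.e. the server is asking the peer for an identity, which is the point where the log reports "Identity not configured". The Makefile quoted in the message defines -DEAP_SIM but never defines PCSC_FUNCS, the macro that selects the scard_gsm_auth branch in the eap_sim_gsm_auth function posted above.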