[strongSwan] strongSwan EAP-AKA support with FreeRADIUS
Nan Luo
harvana2000 at yahoo.com
Thu Apr 28 22:29:52 CEST 2011
Hi,
I am testing EAP-AKA with strongSwan as the client and FreeRADIUS as the authentication server against a Security Gateway. The SeGW here runs in the pass-through (relaying) mode for all EAP signaling. The EAP-AKA failed because strongSwan sends AKA_AUTHENTICATION_REJECT. I know I have to somehow supply strongSwan with the quintuplets hard-coded in FreeRADIUS, but don't know how. Can someone shed some light? What am I missing here? Thanks very much in advance.
[etc]# ipsec up eap_aka
initiating IKE_SA eap_aka[1] to 192.168.18.102
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.18.202[500] to 192.168.18.102[500]
received packet: from 192.168.18.102[500] to 192.168.18.202[500]
parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
initiating IKE_SA eap_aka[1] to 192.168.18.102
generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.18.202[500] to 192.168.18.102[500]
received packet: from 192.168.18.102[500] to 192.168.18.202[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
establishing CHILD_SA eap_aka
generating IKE_AUTH request 1 [ IDi CERTREQ IDr CP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.18.202[4500] to 192.168.18.102[4500]
received packet: from 192.168.18.102[4500] to 192.168.18.202[4500]
parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
authentication of '192.168.18.102' with pre-shared key successful
server requested EAP_IDENTITY, sending '1234567'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.18.202[4500] to 192.168.18.102[4500]
received packet: from 192.168.18.102[4500] to 192.168.18.202[4500]
parsed IKE_AUTH response 2 [ EAP/REQ/AKA ]
server requested EAP_AKA authentication
received MAC does not match XMAC
tried 2 SIM cards, but none has quintuplets for '1234567'
no USIM found with quintuplets for '1234567', sending AKA_AUTHENTICATION_REJECT
generating IKE_AUTH request 3 [ EAP/RES/AKA ]
sending packet: from 192.168.18.202[4500] to 192.168.18.102[4500]
received packet: from 192.168.18.102[4500] to 192.168.18.202[4500]
parsed IKE_AUTH response 3 [ EAP/FAIL ]
received EAP_FAILURE, EAP authentication failed
------------------------------------------------------------
I am running strongSwan 4.5.0 with the following configuration:
strongswan.conf:
# strongswan.conf - strongSwan configuration file
multiple_authentication = yes
charon {
    load = curl aes des sha1 sha2 md5 md4 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw fips-prf eap-identity eap-aka eap-aka-3gpp2
}
ipsec.conf:
conn eap_aka
    left=192.168.18.202
    leftsourceip=%config
    leftfirewall=no
    leftauth=eap
    eap_identity=1234567
    leftsubnet=192.168.0.0/16
    right=192.168.18.102
    rightid=192.168.18.102
    rightsubnet=172.16.0.0/16
    rightauth=psk
    auto=add
    esp=3des-aes-sha1-md5-modp1024
    ike=3des-aes-sha1-md5-modp1024
    pfs=yes
ipsec.secrets:
# PSK
: PSK ipsecsecrets
# CERT
: RSA n.key
# EAP
: EAP ipsecsecrets
My FreeRADIUS has the quintuplet as follows:
"1234567" Cleartext-Password := ipsecsecrets
    EAP-Sim-AUTN = 0x30000000000000000000000000000000,
    EAP-Aka-IK = 0x33333333333333333333333333333333,
    EAP-Aka-CK = 0x34343434343434343434343434343434,
    EAP-Sim-RES = 0x35353535353535353535353535353535,
    EAP-Sim-RAND = 0x30000000000000000000000000000000
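
The log line "received MAC does not match XMAC" is the peer-side AUTN check of AKA, where AUTN = (SQN xor AK) || AMF || MAC as laid out in 3GPP TS 33.102. The sketch below is an added example, not part of the original post and not strongSwan or FreeRADIUS code; it runs that check over the RAND and AUTN values listed above. Assumptions: `f1` and `f5` are HMAC-SHA-256 stand-ins rather than the functions the eap-aka-3gpp2 plugin uses, and the key `K` is constructed from the secret string in the post.

```python
import hashlib
import hmac

# Constructed stand-ins for the AKA functions f1 (MAC) and f5 (anonymity key).
# Assumption: HMAC-SHA-256 truncations, NOT the algorithms a real USIM or
# strongSwan's eap-aka-3gpp2 plugin uses.
def f1(k: bytes, sqn: bytes, rand: bytes, amf: bytes) -> bytes:
    return hmac.new(k, b"f1" + sqn + rand + amf, hashlib.sha256).digest()[:8]

def f5(k: bytes, rand: bytes) -> bytes:
    return hmac.new(k, b"f5" + rand, hashlib.sha256).digest()[:6]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def build_autn(k: bytes, rand: bytes, sqn: bytes, amf: bytes = b"\x00\x00") -> bytes:
    """Server side: AUTN = (SQN xor AK) || AMF || MAC, 6 + 2 + 8 bytes."""
    return xor(sqn, f5(k, rand)) + amf + f1(k, sqn, rand, amf)

def peer_check(k: bytes, rand: bytes, autn: bytes) -> str:
    """Peer side: recover SQN, recompute XMAC, compare with the received MAC."""
    if len(rand) != 16 or len(autn) != 16:
        return "reject: malformed RAND/AUTN"
    sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
    sqn = xor(sqn_xor_ak, f5(k, rand))
    xmac = f1(k, sqn, rand, amf)
    if not hmac.compare_digest(mac, xmac):
        return "reject: MAC does not match XMAC"
    return "accept"  # a real peer would also check SQN freshness here

# Constructed key: the EAP secret string from the post, zero-padded to 16 bytes.
K = b"ipsecsecrets".ljust(16, b"\x00")
# RAND and AUTN exactly as listed in the FreeRADIUS entry in the post.
RAND = bytes.fromhex("30000000000000000000000000000000")
STATIC_AUTN = bytes.fromhex("30000000000000000000000000000000")

if __name__ == "__main__":
    # A fixed AUTN whose MAC field was never computed from K fails the check.
    print(peer_check(K, RAND, STATIC_AUTN))
    # An AUTN built from the same K and RAND passes it.
    print(peer_check(K, RAND, build_autn(K, RAND, sqn=bytes(5) + b"\x01")))
```
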