[strongSwan] strongSwan EAP-AKA support with FreeRADIUS

Nan Luo harvana2000 at yahoo.com
Thu Apr 28 22:29:52 CEST 2011


Hi,

I am testing EAP-AKA with strongSwan as the client and FreeRADIUS as the authentication server against a Security Gateway. The SeGW here runs in the pass-through (relaying) mode for all EAP signaling. The EAP-AKA failed because strongSwan sends AKA_AUTHENTICATION_REJECT. I know I have to somehow supply strongSwan with the quintuplets hard-coded in FreeRADIUS, but don't know how. Can someone shed some light? What am I missing here? Thanks very much in advance.

[etc]# ipsec up eap_aka
initiating IKE_SA eap_aka[1] to 192.168.18.102
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.18.202[500] to 192.168.18.102[500]
received packet: from 192.168.18.102[500] to 192.168.18.202[500]
parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
initiating IKE_SA eap_aka[1] to 192.168.18.102
generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.18.202[500] to 192.168.18.102[500]
received packet: from 192.168.18.102[500] to 192.168.18.202[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
establishing CHILD_SA eap_aka
generating IKE_AUTH request 1 [ IDi CERTREQ IDr CP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.18.202[4500] to 192.168.18.102[4500]
received packet: from 192.168.18.102[4500] to 192.168.18.202[4500]
parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
authentication of '192.168.18.102' with pre-shared key successful
server requested EAP_IDENTITY, sending '1234567'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.18.202[4500] to 192.168.18.102[4500]
received packet: from 192.168.18.102[4500] to 192.168.18.202[4500]
parsed IKE_AUTH response 2 [ EAP/REQ/AKA ]
server requested EAP_AKA authentication
received MAC does not match XMAC
tried 2 SIM cards, but none has quintuplets for '1234567'
no USIM found with quintuplets for '1234567', sending AKA_AUTHENTICATION_REJECT
generating IKE_AUTH request 3 [ EAP/RES/AKA ]
sending packet: from 192.168.18.202[4500] to 192.168.18.102[4500]
received packet: from 192.168.18.102[4500] to 192.168.18.202[4500]
parsed IKE_AUTH response 3 [ EAP/FAIL ]
received EAP_FAILURE, EAP authentication failed
------------------------------------------------------------

I am running strongSwan 4.5.0 with the following configuration:

strongswan.conf:
# strongswan.conf - strongSwan configuration file

multiple_authentication = yes

charon {
        load = curl aes des sha1 sha2 md5 md4 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw fips-prf eap-identity eap-aka eap-aka-3gpp2
}

ipsec.conf:

conn eap_aka
    left=192.168.18.202
    leftsourceip=%config
    leftfirewall=no
    leftauth=eap
    eap_identity=1234567
    leftsubnet=192.168.0.0/16
    right=192.168.18.102
    rightid=192.168.18.102
    rightsubnet=172.16.0.0/16
    rightauth=psk
    auto=add
    esp=3des-aes-sha1-md5-modp1024
    ike=3des-aes-sha1-md5-modp1024
    pfs=yes

ipsec.secrets:
# PSK
: PSK ipsecsecrets

# CERT
: RSA n.key

# EAP
: EAP ipsecsecrets

My FreeRADIUS has the quintuplet as follows:

"1234567"    Cleartext-Password := ipsecsecrets
        EAP-Sim-AUTN  = 0x30000000000000000000000000000000,
        EAP-Aka-IK    = 0x33333333333333333333333333333333,
        EAP-Aka-CK    = 0x34343434343434343434343434343434,
        EAP-Sim-RES   = 0x35353535353535353535353535353535,
        EAP-Sim-RAND  = 0x30000000000000000000000000000000
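As an added example (not from the poster, strongSwan or FreeRADIUS), the RFC 4187 key derivation and AT_MAC check behind charon's "received MAC does not match XMAC" line: each side derives K_aut from the EAP identity and the IK/CK it holds, so a peer whose USIM quintuplets differ from the server's static ones computes a different XMAC and has to reject. Identity, IK, CK, RAND and AUTN are taken from the post's FreeRADIUS entry; the EAP-Request/AKA-Challenge packet is constructed for the demo, not captured from the exchange.

```python
import hashlib, hmac, struct
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
M32 = 0xFFFFFFFF

def sha1_compress(state, block):
    """SHA-1 compression of one 64-byte block (FIPS 180); returns the new 5-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        x = w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16]
        w.append(((x << 1) | (x >> 31)) & M32)
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:   f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40: f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60: f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:        f, k = b ^ c ^ d, 0xCA62C1D6
        t = (((a << 5) | (a >> 27)) + (f & M32) + e + k + w[i]) & M32
        a, b, c, d, e = t, a, ((b << 30) | (b >> 2)) & M32, c, d
    return tuple((s + v) & M32 for s, v in zip(state, (a, b, c, d, e)))

def fips186_2_prf(xkey, nbytes):
    """FIPS 186-2 PRF as RFC 4187 uses it: G() is sha1_compress over the 160-bit XKEY
    zero-padded to 512 bits (no length padding); XKEY = (1 + XKEY + w) mod 2^160 per 20-byte w."""
    out, x = b"", int.from_bytes(xkey, "big")
    while len(out) < nbytes:
        w = struct.pack(">5I", *sha1_compress(SHA1_IV, x.to_bytes(20, "big") + bytes(44)))
        out, x = out + w, (1 + x + int.from_bytes(w, "big")) % (1 << 160)
    return out[:nbytes]

def eap_aka_keys(identity, ik, ck):
    """RFC 4187 section 7: MK = SHA1(Identity|IK|CK); PRF(MK) yields K_encr|K_aut|MSK|EMSK."""
    km = fips186_2_prf(hashlib.sha1(identity + ik + ck).digest(), 160)
    return {"K_encr": km[:16], "K_aut": km[16:32], "MSK": km[32:96], "EMSK": km[96:]}

def aka_mac(k_aut, packet_zero_mac):
    """AT_MAC: first 16 bytes of HMAC-SHA1(K_aut) over the EAP packet with its MAC field zeroed."""
    return hmac.new(k_aut, packet_zero_mac, hashlib.sha1).digest()[:16]

def xmac_matches(k_aut, packet_zero_mac, received_mac):
    """The peer-side comparison behind charon's "received MAC does not match XMAC"."""
    return hmac.compare_digest(aka_mac(k_aut, packet_zero_mac), received_mac)
# Identity, IK, CK, RAND, AUTN come from the post's FreeRADIUS entry. The AKA-Challenge is constructed
# (not a capture): EAP code 1, id 2, type 23, subtype 1, AT_RAND(1), AT_AUTN(2), AT_MAC(11) with MAC zeroed.
IDENTITY, IK, CK = b"1234567", bytes([0x33]) * 16, bytes([0x34]) * 16
RAND = AUTN = bytes.fromhex("30000000000000000000000000000000")
BODY = b"\x01\x00\x00\x01\x05\x00\x00" + RAND + b"\x02\x05\x00\x00" + AUTN + b"\x0b\x05\x00\x00" + bytes(16)
CHALLENGE_ZERO_MAC = struct.pack(">BBHB", 1, 2, 5 + len(BODY), 23) + BODY
if __name__ == "__main__":
    mac = aka_mac(eap_aka_keys(IDENTITY, IK, CK)["K_aut"], CHALLENGE_ZERO_MAC)  # server side
    print(mac.hex(), xmac_matches(eap_aka_keys(IDENTITY, bytes(16), CK)["K_aut"], CHALLENGE_ZERO_MAC, mac))
```

The second value printed is False: a USIM holding a different IK derives a different K_aut, which is exactly the situation charon reports before sending AKA_AUTHENTICATION_REJECT.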