EAP-AKA' authentication fails with invalid AT_MAC from UE/STA

Hello all,

I am working on building a minimal system for 802.1X authentication with a Wi-Fi AP and the free5GC AUSF as self-study.
The system architecture is almost the same concept as NSWO (3GPP Release 17), except that it uses RADIUS instead of SWa (Diameter).

However, EAP-AKA’ authentication fails with an invalid AT_MAC from the UE/STA.
In this case, the UE/STA sends Access-Request/EAP-Response/Client-Error after receiving Access-Challenge/EAP-Request/AKA-Challenge with the EAP payload (actually 5gAuthData).
In detail, the Client-Error has AT_CLIENT_ERROR_CODE: Unable to process packet.

So, I captured the Android device log with the ADB tool when this happened.
It seems that AKA authentication succeeds but the message authentication code check fails.

05-11 15:47:00.266  2585  2585 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
05-11 15:47:00.266  2585  2585 W wpa_supplicant: EAP: buildIdentity: identity configuration was not available
05-11 15:47:00.266  2585  2585 I wpa_supplicant: wlan0: CTRL-REQ-IDENTITY-0:Identity needed for SSID GL-AR750-978-5G
05-11 15:47:00.269  1849  2491 I WifiClientModeImpl[19119:wlan0]: Update current security type to 3
05-11 15:47:00.272  1849  2491 I WifiClientModeImpl[19119:wlan0]: SUP_REQUEST_IDENTITY: identityPair=[6999002****, <NONE>]
05-11 15:47:00.274  2585  2585 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
05-11 15:47:00.287  2585  2585 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=50
05-11 15:47:00.287  2585  2585 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 50 (AKA') selected
05-11 15:47:00.291  1849  2491 D WifiClientModeImpl[19119:wlan0]: Received SUP_REQUEST_SIM_AUTH
05-11 15:47:00.291  1849  2491 D WifiClientModeImpl[19119:wlan0]: id matches targetWifiConfiguration
05-11 15:47:00.293  3058  3530 E PhoneSubInfoController: getIccSimChallengeResponse() found app a0000000871002f999ff9989 specified type -- 2
05-11 15:47:00.296  3058  3530 D RILJ    : [0714]> SIM_AUTHENTICATION [PHONE0]
05-11 15:47:00.358  3058  3275 D RILJ    : [0714]< SIM_AUTHENTICATION IccIoResult sw1:0x90 sw2:0x0 Payload: ******* [PHONE0]
05-11 15:47:00.359  3058  3058 D SIMRecords: [SIMRecords-0] EVENT_AKA_AUTHENTICATE_DONE
05-11 15:47:00.361  1849  2491 V WifiCarrierInfoManager: successful 3G authentication 
05-11 15:47:00.364  2585  2585 W wpa_supplicant: EAP-AKA: Challenge message used invalid AT_MAC

For reference, the node that mediates between the Wi-Fi AP and free5GC does not change the EAP payload and passes it through transparently.
Therefore, AT_RAND/AT_AUTN/AT_KDF/AT_KDF_INPUT/AT_MAC all come from the free5GC AUSF.
My assumption is that success of AKA authentication means AT_RAND/AT_AUTN/AT_KDF/AT_KDF_INPUT are correct, but AT_MAC is wrong.


[Informative]
My lab system is as follows.

[UE/STA]–(802.1X)–[Wi-Fi AP]–(Radius)–[Rad-5GC GW]–(SBI N12 API)–[free5GC]

UE/STA:
Pixel 4a(5G) — Android 14 (UP1A.231105.001.B2)
Wi-Fi AP:
GL-AR750 — OpenWrt 22.03.4
Rad-5GC GW:
Radius-N12 API Mediator like NSWOF
free5GC:
v3.4.1 on VM (ubuntu server 22.04.3 LTS)

Sorry, I solved this issue myself.

In the IK’/CK’ derivation for EAP-AKA’, free5GC uses “5G:mncXXX.mccXXX.3gppnetwork.org” as the network name, but the UE/STA probably uses “WLAN”.
So, wpa_supplicant in the UE/STA reports “invalid AT_MAC” as a result.
I think that both are correct… RFC 5448 on the UE/STA side, and 3GPP TS 33.501 on the free5GC side.

In NSWO (Non-Seamless WLAN Offload) in 3GPP Release 17, it seems that both entities use “5G:NSWO” as the network name.
I hope that free5GC will support NSWO in the future (and also NSWO-compliant UE/STA)…
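
The mismatch described in the post above, as an added example that is not part of the original post and is not free5GC or wpa_supplicant code: it follows the RFC 5448 key hierarchy (CK'/IK' from the network name, MK from PRF', K_aut, then AT_MAC as HMAC-SHA-256-128) to show that two sides holding the same CK/IK but different network names cannot agree on AT_MAC. CK, IK, SQN xor AK, the identity and the stripped-down challenge packet are constructed sample values, the network name with XXX is the placeholder string from the post, and `mac_matches` is a hypothetical helper.

```python
import hashlib
import hmac

def ck_ik_prime(ck, ik, sqn_xor_ak, network_name):
    """CK'/IK' (RFC 5448, TS 33.402 A.2): FC=0x20, P0=network name, P1=SQN xor AK."""
    name = network_name.encode()
    s = b"\x20" + name + len(name).to_bytes(2, "big") + sqn_xor_ak + b"\x00\x06"
    out = hmac.new(ck + ik, s, hashlib.sha256).digest()
    return out[:16], out[16:]

def prf_prime(key, seed, length):
    """PRF' from RFC 5448: T1 = HMAC(K, S|0x01), Tn = HMAC(K, Tn-1|S|n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + seed + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def k_aut(ck, ik, sqn_xor_ak, network_name, identity):
    """MK = PRF'(IK'|CK', "EAP-AKA'"|Identity); K_aut = MK[128..383]."""
    ck_p, ik_p = ck_ik_prime(ck, ik, sqn_xor_ak, network_name)
    mk = prf_prime(ik_p + ck_p, b"EAP-AKA'" + identity.encode(), 208)
    return mk[16:48]

def at_mac(key, packet_with_zeroed_mac):
    """AT_MAC value: HMAC-SHA-256-128 over the EAP packet with the MAC field zeroed."""
    return hmac.new(key, packet_with_zeroed_mac, hashlib.sha256).digest()[:16]

# Constructed sample values (not taken from the post or from any real SIM).
CK = bytes(range(16))
IK = bytes(range(16, 32))
SQN_XOR_AK = bytes.fromhex("0a0b0c0d0e0f")
IDENTITY = "6001010000000001@example.invalid"
# Simplified challenge: EAP header, AKA' type/subtype, then only a zeroed AT_MAC.
PACKET = bytes.fromhex("0101001c32010000" "0b050000") + bytes(16)
NAME_5G = "5G:mncXXX.mccXXX.3gppnetwork.org"  # placeholder string as written in the post

def mac_matches(server_name, peer_name):
    """True if the peer would accept the AT_MAC computed by the server (hypothetical helper)."""
    sent = at_mac(k_aut(CK, IK, SQN_XOR_AK, server_name, IDENTITY), PACKET)
    expected = at_mac(k_aut(CK, IK, SQN_XOR_AK, peer_name, IDENTITY), PACKET)
    return hmac.compare_digest(sent, expected)

if __name__ == "__main__":
    for server, peer in [(NAME_5G, "WLAN"), ("WLAN", "WLAN"), ("5G:NSWO", "5G:NSWO")]:
        print(f"server={server!r} peer={peer!r} AT_MAC valid: {mac_matches(server, peer)}")
```

The AKA run on the SIM only checks AT_RAND and AT_AUTN, which is why the log can show a successful 3G authentication followed by the AT_MAC failure.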