Hello all,
I am working to build a minimal system for 802.1X authentication with a Wi-Fi AP and the free5GC AUSF as self-study.
The system architecture is almost the same concept as NSWO (3GPP Release 17), except that it uses RADIUS instead of SWa (Diameter).
However, EAP-AKA' authentication fails with an invalid AT_MAC from the UE/STA.
In this case, the UE/STA sends Access-Request/EAP-Response/Client-Error after receiving Access-Challenge/EAP-Request/AKA-Challenge with the EAP payload (actually 5gAuthData).
In detail, the Client-Error has AT_CLIENT_ERROR_CODE: Unable to process packet.
So, I got the Android device log with the ADB tool when this case happened.
It seems that AKA authentication succeeds but the message authentication code check fails.
05-11 15:47:00.266 2585 2585 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
05-11 15:47:00.266 2585 2585 W wpa_supplicant: EAP: buildIdentity: identity configuration was not available
05-11 15:47:00.266 2585 2585 I wpa_supplicant: wlan0: CTRL-REQ-IDENTITY-0:Identity needed for SSID GL-AR750-978-5G
05-11 15:47:00.269 1849 2491 I WifiClientModeImpl[19119:wlan0]: Update current security type to 3
05-11 15:47:00.272 1849 2491 I WifiClientModeImpl[19119:wlan0]: SUP_REQUEST_IDENTITY: identityPair=[6999002****, <NONE>]
05-11 15:47:00.274 2585 2585 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
05-11 15:47:00.287 2585 2585 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=50
05-11 15:47:00.287 2585 2585 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 50 (AKA') selected
05-11 15:47:00.291 1849 2491 D WifiClientModeImpl[19119:wlan0]: Received SUP_REQUEST_SIM_AUTH
05-11 15:47:00.291 1849 2491 D WifiClientModeImpl[19119:wlan0]: id matches targetWifiConfiguration
05-11 15:47:00.293 3058 3530 E PhoneSubInfoController: getIccSimChallengeResponse() found app a0000000871002f999ff9989 specified type -- 2
05-11 15:47:00.296 3058 3530 D RILJ : [0714]> SIM_AUTHENTICATION [PHONE0]
05-11 15:47:00.358 3058 3275 D RILJ : [0714]< SIM_AUTHENTICATION IccIoResult sw1:0x90 sw2:0x0 Payload: ******* [PHONE0]
05-11 15:47:00.359 3058 3058 D SIMRecords: [SIMRecords-0] EVENT_AKA_AUTHENTICATE_DONE
05-11 15:47:00.361 1849 2491 V WifiCarrierInfoManager: successful 3G authentication
05-11 15:47:00.364 2585 2585 W wpa_supplicant: EAP-AKA: Challenge message used invalid AT_MAC
As a reference, the node that mediates between the Wi-Fi AP and free5GC does not change the EAP payload and treats it transparently.
Therefore, AT_RAND/AT_AUTN/AT_KDF/AT_KDF_INPUT/AT_MAC are all from the free5GC AUSF.
My assumption is that successful AKA authentication means AT_RAND/AT_AUTN/AT_KDF/AT_KDF_INPUT are correct, but AT_MAC is wrong.
[Informative]
My lab system is below.
[UE/STA]–(802.1X)–[Wi-Fi AP]–(Radius)–[Rad-5GC GW]–(SBI N12 API)–[free5GC]
UE/STA:
Pixel 4a(5G) — Android 14 (UP1A.231105.001.B2)
Wi-Fi AP:
GL-AR750 — OpenWrt 22.03.4
Rad-5GC GW:
Radius-N12 API Mediator like NSWOF
free5GC:
v3.4.1 on VM (ubuntu server 22.04.3 LTS)
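
Added example (not part of the original post, and not free5GC or wpa_supplicant code): RFC 5448 derives K_aut from IK', CK' and the identity string, and AT_MAC is HMAC-SHA-256-128 over the entire EAP packet including its header, so the USIM can accept AUTN while the AT_MAC check still fails. This sketch recomputes AT_MAC for an EAP-Request/AKA-Challenge; the keys, the identity strings and the `sample_challenge` packet are constructed for illustration.

```python
import hashlib, hmac, struct

def prf_prime(key, seed, out_len):
    """RFC 5448 PRF': T1 = HMAC(K, S|0x01), Tn = HMAC(K, T(n-1)|S|n)."""
    out, t, i = b"", b"", 1
    while len(out) < out_len:
        t = hmac.new(key, t + seed + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:out_len]

def derive_k_aut(ik_prime, ck_prime, identity):
    """MK = PRF'(IK'|CK', "EAP-AKA'"|Identity); K_aut = MK bits 128..383."""
    return prf_prime(ik_prime + ck_prime, b"EAP-AKA'" + identity, 208)[16:48]

def mac_offset(eap):
    """Offset of the 16-byte MAC value of AT_MAC (attribute type 11)."""
    _code, _id, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if eap_type != 50 or length != len(eap):
        raise ValueError("not a well-formed EAP-AKA' packet")
    off = 8  # EAP header (4) + type + subtype + 2 reserved bytes
    while off + 2 <= length:
        a_type, a_len = eap[off], eap[off + 1] * 4
        if a_len == 0 or off + a_len > length:
            raise ValueError("bad attribute length")
        if a_type == 11 and a_len == 20:
            return off + 4  # skip type, length and 2 reserved bytes
        off += a_len
    raise ValueError("AT_MAC not present")

def compute_at_mac(eap, k_aut):
    """HMAC-SHA-256-128 over the whole EAP packet, MAC field zeroed."""
    pos = mac_offset(eap)
    zeroed = eap[:pos] + bytes(16) + eap[pos + 16:]
    return hmac.new(k_aut, zeroed, hashlib.sha256).digest()[:16]

def verify_at_mac(eap, k_aut):
    pos = mac_offset(eap)
    return hmac.compare_digest(eap[pos:pos + 16], compute_at_mac(eap, k_aut))

def sample_challenge(k_aut, eap_id=1):
    """Constructed AKA-Challenge: AT_RAND + AT_MAC only (not a real capture)."""
    attrs = bytes([1, 5, 0, 0]) + bytes(range(16)) + bytes([11, 5, 0, 0]) + bytes(16)
    pkt = struct.pack("!BBHBBH", 1, eap_id, 8 + len(attrs), 50, 1, 0) + attrs
    pos = mac_offset(pkt)
    return pkt[:pos] + compute_at_mac(pkt, k_aut) + pkt[pos + 16:]

if __name__ == "__main__":
    ik, ck = bytes(16), bytes(range(16))  # constructed IK'/CK', not real keys
    pkt = sample_challenge(derive_k_aut(ik, ck, b"identity-A"))
    print(verify_at_mac(pkt, derive_k_aut(ik, ck, b"identity-B")))  # other identity
```

To use it on a real exchange, pass the raw EAP bytes from the RADIUS EAP-Message attribute together with a K_aut derived from the identity each side actually used, and compare the two results.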