On 27.08.2013 10:57, ken.farrington wrote:
Many thanks indeed. Are you saying I can just take out sim_files from the authorise in the default file and it should work anyway? If so, fantastic :)
My raddb/sites-enabled/default: authorize { preprocess auth_log chap mschap suffix eap { ok = return } files pap } My raddb/users: 1250016490216808@wlan.mnc001.mcc250.3gppnetwork.org EAP-Sim-RAND1 = 0x09844aff4ccf66cdb95e59dba8ec291c, EAP-Sim-RAND2 = 0x100446e9e8f553a9d87d0444a44b6cf5, EAP-Sim-RAND3 = 0x753fdfc2d7e834002557a069462a1fa5, EAP-Sim-SRES1 = 0x5dc9a406, EAP-Sim-SRES2 = 0x3b3f8ea3, EAP-Sim-SRES3 = 0x85bb8aeb, EAP-Sim-KC1 = 0x75e85aff085e917b, EAP-Sim-KC2 = 0x3055d76de12f1772, EAP-Sim-KC3 = 0x81806503efeebec1 1250016490216808@wlan.mnc001.mcc250.3gppnetwork.org is a decorated permanent identity for IMSI 250016490216808. (EA-Sim-RAND1, EAP-Sim-SRES1, EAP-Sim-KC1) is an authentication vector (aka GSM triplet). rlm_eap_sim requires three GSM triplets to be available. You can extract IMSI and GSM triplets from the SIM card using smart card reader and agsm2 program (http://agsm.sourceforge.net). Note this will always use same GSM triplets for authentication and consequently same master session key (MSK) for encryption. You need to integrate with HLR to retrieve truly random GSM triplets. Usually this is done by some sort of RADIUS-to-MAP gateway, like Cisco ITP.