On Mar 4, 2016, at 2:45 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
On Fri, Mar 4, 2016 at 10:48 AM, Alan DeKok <aland@deployingradius.com> wrote:
Trying to authenticate third-party SIM cards is a hack. It will always be a hack. You MUST have the SIM keys in order to do proper, secure, authentication.
I understand and agree. Do you have any practical advice on how to get the SIM key? People who are implementing EAP-SIM/Freeradius in production environments, what are they doing to get them?
You don't necessarily have to own the SIM cards, but you do need to have a communication path with the entity that does, which means you probably need to be a Telco. I'd imagine in most environments there'd be a gateway device that bridges RADIUS to SS7, or at least exposes an API which allows the RADIUS server to retrieve GSM triplets from the user's HLR (Home Location Register). If you're doing this for a private organisation like a University, my advice would be don't. You should look at using EAP-TLS and certificates instead. EAP-SIM wasn't designed to be used in this way, using static GSM triplets is a hack that should only be used for testing. -Arran