I do appreciate the responses, but I still feel like I'm only getting bits and pieces of an understanding, rather than a full explanation. I still don't understand what information from the SIM card is needed and how to get it into radius for example. I'd like a ground-up explanation of what it is, how it works, what's expected, but not a dry theoretical one, rather a practical one from the perspective of someone who's actually gotten it to work. A little context: I'm doing some contracting for a university and have been asked to see if I can get EAP-SIM working with iPad clients. I don't know anything whatsoever about EAP-SIM. Some sort of basic, practical overview would be great, and a set of steps of what needs to be done to get it to work would be awesome. On Wed, Feb 3, 2016 at 6:58 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 3 Feb 2016, at 20:02, Michael Martinez <mwtzzz@gmail.com> wrote:
On Tue, Feb 2, 2016 at 8:15 PM, Alan DeKok <aland@deployingradius.com> wrote:
You don't extra the information from the device. You track the SIMs which you provision. Then, you use that information to authenticate the user.
You can't just authenticate random SIMs. You have to know the credentials which were provisioned for that SIM.
What is the procedure for getting these credentials? how do I go about doing that?
You invent one.
There is no standard RADIUS interface for the AuC (Authentication Centre) AFAIK.
You can also generate your own triplets locally if the sim card uses Comp128 v1/v2/v3 algorithms for A3 and A8 and you have the Ki (the master key for the SIM card). If you're working for a telco and can get access to the specification for Comp128 v4 we could implement that too. That'd cover the most common SIM algorithms.
SRAND is a random challenge sent to the SIM card, SRES and KC (the other components of the triplet) are the expected responses.
The EAP-SIM RFC isn't that opaque, I read through it pretty recently along with the EAP-AKA and EAP-AKA' standards. The weirdest bit for me was all the identity privacy stuff.
I actually disagree with Alan, you do need to read the entire EAP-SIM RFC to be able to use EAP-SIM. You should also read up on GSM authentication in general to give you some background.
There's no standard way of hooking EAP-SIM up for wifi offload, so you really need to understand the moving parts to be able to integrate it successfully.
Understand that no other project provides a free EAP-SIM implementation. Radiator even charges extra for the license. That's because it's only useful to a) telcos, b) students. If you're working for a) then consider buying support, or sponsoring development of the documentation around EAP-SIM. If you're b) RTFS/RTFC :).
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ---