request for a simple set of instructions for EAP-SIM
I've looked around online, but a lot of documentation is outdated and other docs don't do a good job, so would someone provide a simple set of instructions for getting EAP-SIM to work, including: which flags (if any) freeradius-3.0.11 should be compiled with; what config files need to be edited, why and how; what need to be done on the wireless device, if anything; and how to test and basic gotchas that might be encountered. Would be greatly appreciated and would eliminate a lot of the confusion that arises when trying to find this information in scattered places online. Thanks! Michael Martinez http://www.michael--martinez.com/computers/ -- ---
On Jan 29, 2016, at 8:23 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
I've looked around online, but a lot of documentation is outdated and other docs don't do a good job, so would someone provide a simple set of instructions for getting EAP-SIM to work, including: which flags (if any) freeradius-3.0.11 should be compiled with; what config files need to be edited, why and how; what need to be done on the wireless device, if anything; and how to test and basic gotchas that might be encountered.
The server should automatically build EAP-SIM. List "sim { }" in the radb/mods-available/eap configuration file. Then... there's EAP-SIM specific magic to set. :( For an example, see: https://github.com/FreeRADIUS/freeradius-server/blob/v3.1.x/src/tests/vector... Alan DeKok.
Where can I find an explanation of this users-example.txt file? I don't know what I'm looking at. What are these fields, where do they come from, which configuration file is this information supposed to reside in? On Sun, Jan 31, 2016 at 6:39 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 29, 2016, at 8:23 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
I've looked around online, but a lot of documentation is outdated and
other
docs don't do a good job, so would someone provide a simple set of instructions for getting EAP-SIM to work, including: which flags (if any) freeradius-3.0.11 should be compiled with; what config files need to be edited, why and how; what need to be done on the wireless device, if anything; and how to test and basic gotchas that might be encountered.
The server should automatically build EAP-SIM. List "sim { }" in the radb/mods-available/eap configuration file.
Then... there's EAP-SIM specific magic to set. :( For an example, see:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.1.x/src/tests/vector...
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ---
On Feb 2, 2016, at 2:16 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
Where can I find an explanation of this users-example.txt file? I don't know what I'm looking at. What are these fields, where do they come from, which configuration file is this information supposed to reside in?
It's an example of the "users" file. In v3, that's raddb/mods-config/files/authorize The contents are just attributes. The attributes are magic attributes needed by EAP-SIM. i.e. the SIM triplets. i.e. you'll need to understand the EAP-SIM protocol before being able to use the "sim" module. You can't just set a password, and have the server figure it out. Alan DeKok.
Ok, I'm reading the RFC/memo thingy (from 2006) on EAP-SIM. One of the first thing that catches my eye is the following statement: The RADIUS server in a productive environment needs for EAP-SIM/AKA access to the home location register (HLR) of the MNO where the (U)SIMs are registered. For testing a file with precreated values for authentication is sufficient. HLR of the MNO. Does this mean that freeradius needs access to a mobile network operator's database? How easy/likely is this? does anyone actually bother to do this in their production environment? It seems there is a hack for testing purposes only, I'm assuming this means somehow extracting the relevant information from the device itself and then hardcoding this in to a config file, which would be impractical if we're managing any more than a handful of devices. On Tue, Feb 2, 2016 at 11:59 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 2, 2016, at 2:16 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
Where can I find an explanation of this users-example.txt file? I don't know what I'm looking at. What are these fields, where do they come from, which configuration file is this information supposed to reside in?
It's an example of the "users" file. In v3, that's raddb/mods-config/files/authorize
The contents are just attributes. The attributes are magic attributes needed by EAP-SIM. i.e. the SIM triplets.
i.e. you'll need to understand the EAP-SIM protocol before being able to use the "sim" module. You can't just set a password, and have the server figure it out.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ---
On Feb 2, 2016, at 9:22 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
Ok, I'm reading the RFC/memo thingy (from 2006) on EAP-SIM. One of the first thing that catches my eye is the following statement:
You shouldn't have to read all of the RFC... but you should know something about how the SIM calculations are done. The example file I pointed you to had SIM data for a user.
The RADIUS server in a productive environment needs for EAP-SIM/AKA access to the home location register (HLR) of the MNO where the (U)SIMs are registered. For testing a file with precreated values for authentication is sufficient.
HLR of the MNO. Does this mean that freeradius needs access to a mobile network operator's database?
No. The SIM module requires the SIM triplets. These are the SIM credentials used to authenticate the user.
How easy/likely is this? does anyone actually bother to do this in their production environment? It seems there is a hack for testing purposes only, I'm assuming this means somehow extracting the relevant information from the device itself and then hardcoding this in to a config file, which would be impractical if we're managing any more than a handful of devices.
You don't extra the information from the device. You track the SIMs which you provision. Then, you use that information to authenticate the user. You can't just authenticate random SIMs. You have to know the credentials which were provisioned for that SIM. This is the same as any other authentication method. e.g. you can't just authenticate random users. You typically have to know the Cleartext-Password for the user, or the users certificate, or something similar. Alan DeKok.
On Tue, Feb 2, 2016 at 8:15 PM, Alan DeKok <aland@deployingradius.com> wrote:
You don't extra the information from the device. You track the SIMs which you provision. Then, you use that information to authenticate the user.
You can't just authenticate random SIMs. You have to know the credentials which were provisioned for that SIM.
What is the procedure for getting these credentials? how do I go about doing that? -- ---
On 3 Feb 2016, at 20:02, Michael Martinez <mwtzzz@gmail.com> wrote:
On Tue, Feb 2, 2016 at 8:15 PM, Alan DeKok <aland@deployingradius.com> wrote:
You don't extra the information from the device. You track the SIMs which you provision. Then, you use that information to authenticate the user.
You can't just authenticate random SIMs. You have to know the credentials which were provisioned for that SIM.
What is the procedure for getting these credentials? how do I go about doing that?
You invent one. There is no standard RADIUS interface for the AuC (Authentication Centre) AFAIK. You can also generate your own triplets locally if the sim card uses Comp128 v1/v2/v3 algorithms for A3 and A8 and you have the Ki (the master key for the SIM card). If you're working for a telco and can get access to the specification for Comp128 v4 we could implement that too. That'd cover the most common SIM algorithms. SRAND is a random challenge sent to the SIM card, SRES and KC (the other components of the triplet) are the expected responses. The EAP-SIM RFC isn't that opaque, I read through it pretty recently along with the EAP-AKA and EAP-AKA' standards. The weirdest bit for me was all the identity privacy stuff. I actually disagree with Alan, you do need to read the entire EAP-SIM RFC to be able to use EAP-SIM. You should also read up on GSM authentication in general to give you some background. There's no standard way of hooking EAP-SIM up for wifi offload, so you really need to understand the moving parts to be able to integrate it successfully. Understand that no other project provides a free EAP-SIM implementation. Radiator even charges extra for the license. That's because it's only useful to a) telcos, b) students. If you're working for a) then consider buying support, or sponsoring development of the documentation around EAP-SIM. If you're b) RTFS/RTFC :). -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
I do appreciate the responses, but I still feel like I'm only getting bits and pieces of an understanding, rather than a full explanation. I still don't understand what information from the SIM card is needed and how to get it into radius for example. I'd like a ground-up explanation of what it is, how it works, what's expected, but not a dry theoretical one, rather a practical one from the perspective of someone who's actually gotten it to work. A little context: I'm doing some contracting for a university and have been asked to see if I can get EAP-SIM working with iPad clients. I don't know anything whatsoever about EAP-SIM. Some sort of basic, practical overview would be great, and a set of steps of what needs to be done to get it to work would be awesome. On Wed, Feb 3, 2016 at 6:58 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 3 Feb 2016, at 20:02, Michael Martinez <mwtzzz@gmail.com> wrote:
On Tue, Feb 2, 2016 at 8:15 PM, Alan DeKok <aland@deployingradius.com> wrote:
You don't extra the information from the device. You track the SIMs which you provision. Then, you use that information to authenticate the user.
You can't just authenticate random SIMs. You have to know the credentials which were provisioned for that SIM.
What is the procedure for getting these credentials? how do I go about doing that?
You invent one.
There is no standard RADIUS interface for the AuC (Authentication Centre) AFAIK.
You can also generate your own triplets locally if the sim card uses Comp128 v1/v2/v3 algorithms for A3 and A8 and you have the Ki (the master key for the SIM card). If you're working for a telco and can get access to the specification for Comp128 v4 we could implement that too. That'd cover the most common SIM algorithms.
SRAND is a random challenge sent to the SIM card, SRES and KC (the other components of the triplet) are the expected responses.
The EAP-SIM RFC isn't that opaque, I read through it pretty recently along with the EAP-AKA and EAP-AKA' standards. The weirdest bit for me was all the identity privacy stuff.
I actually disagree with Alan, you do need to read the entire EAP-SIM RFC to be able to use EAP-SIM. You should also read up on GSM authentication in general to give you some background.
There's no standard way of hooking EAP-SIM up for wifi offload, so you really need to understand the moving parts to be able to integrate it successfully.
Understand that no other project provides a free EAP-SIM implementation. Radiator even charges extra for the license. That's because it's only useful to a) telcos, b) students. If you're working for a) then consider buying support, or sponsoring development of the documentation around EAP-SIM. If you're b) RTFS/RTFC :).
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ---
On Feb 3, 2016, at 11:06 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
I do appreciate the responses, but I still feel like I'm only getting bits and pieces of an understanding, rather than a full explanation. I still don't understand what information from the SIM card is needed and how to get it into radius for example.
The example users file I pointed you to shows whats needed. What do the attributes *mean*? That's a question for EAP-SIM.
I'd like a ground-up explanation of what it is, how it works, what's expected, but not a dry theoretical one, rather a practical one from the perspective of someone who's actually gotten it to work.
Get the EAP-SIM credentials... and provision them as per the example users file.
A little context: I'm doing some contracting for a university and have been asked to see if I can get EAP-SIM working with iPad clients. I don't know anything whatsoever about EAP-SIM. Some sort of basic, practical overview would be great, and a set of steps of what needs to be done to get it to work would be awesome.
Perhaps our responses aren't clear. We've told you everything that needs to be configured on FreeRADIUS. We've told you that we don't know more information than that. We've told you that you need to get the SIM credentials from the same people who gave you the SIM cards. If you don't have the SIM credentials, you won't be able to authenticate users with EAP-SIM. Once you have the SIM credentials in some format, we can help you get it into FreeRADIUS. But... we've already told you how to do that. The disconnect here is that you keep asking the same questions over and over, hoping that the answers will change. They won't. We really don't know what the credentials are for EAP-SIM. You should know that. We don't set passwords for users. We don't create TLS client certificates for users. We don't create SIM credentials for a user. If you *have* credentials, we can help you configure FreeRADIUS to use those credentials. But as I've tried to make excruciatingly clear, YOU NEED TO KNOW THE CREDENTIALS FOR THE USER. Again, to repeat myself in the hope I'm getting across. You're telling us (effectively) that you have a Windows PC configured for EAP-TLS, with a client certificate, and you want to authenticate it via FreeRADIUS. But you don't know what the client certificate is. You don't know which CA issued the certificate. You don't have a copy of the CA certificate. You just want it to "work". Somehow. Via magic. And you keep asking, and asking, and asking, and asking us to tell you how to authenticate that user. We can't. It's impossible. YOU NEED TO KNOW THE CREDENTIALS FOR THE USER. Alan DeKok.
On Thu, Feb 4, 2016 at 4:58 AM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
Understand that no other project provides a free EAP-SIM implementation. Radiator even charges extra for the license. That's because it's only useful to a) telcos, b) students. If you're working for a) then consider buying support, or sponsoring development of the documentation around EAP-SIM. If you're b) RTFS/RTFC :).
hostapd includes a free EAP-SIM, EAP-AKA, and EAP-AKA' server implementation and an example program for implementing the HLR/AuC gateway with the example case using standard GSM-Milenage and Milenage algorithms that can be used for authentication with SIM and USIM cards (as long as the secret key is known).. That said, no such implementation is going to help with the use case that was described in this email thread. Being able to use EAP-SIM to authenticate some random mobile devices with their SIM/USIM cards from random operators is going to work without significant co-operation with all such operators.. So the practical answer to the question of how to get EAP-SIM working with iPad devices that have SIM/USIM from external providers is: That's not going to work. - Jouni
On Feb 3, 2016, at 8:02 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
On Tue, Feb 2, 2016 at 8:15 PM, Alan DeKok <aland@deployingradius.com> wrote:
You can't just authenticate random SIMs. You have to know the credentials which were provisioned for that SIM.
What is the procedure for getting these credentials? how do I go about doing that?
To simplify what Arran said... you get the credentials via some method which doesn't involve FreeRADIUS. Where do you buy the SIM cards? You get the credentials from the same place. How else are you going to authenticate the SIM cards? We don't supply the passwords for your users. Similarly, we don't supply the SIM credentials. Alan DeKok.
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Jouni Malinen -
Michael Martinez