request for a simple set of instructions for EAP-SIM

Alan DeKok aland at deployingradius.com
Wed Feb 3 05:15:59 CET 2016


On Feb 2, 2016, at 9:22 PM, Michael Martinez <mwtzzz at gmail.com> wrote:
> 
> Ok, I'm reading the RFC/memo thingy (from 2006) on EAP-SIM. One of the
> first thing that catches my eye is the following statement:

  You shouldn't have to read all of the RFC... but you should know something about how the SIM calculations are done.  The example file I pointed you to had SIM data for a user.

> The RADIUS server in a productive environment needs for EAP-SIM/AKA
> access to the home location register (HLR) of the MNO where the
> (U)SIMs are registered.
> For testing a file with precreated values for authentication is sufficient.
> 
> HLR of the MNO. Does this mean that freeradius needs access to a mobile
> network operator's database?

  No.

  The SIM module requires the SIM triplets.  These are the SIM credentials used to authenticate the user.

> How easy/likely is this? does anyone actually
> bother to do this in their production environment? It seems there is a hack
> for testing purposes only, I'm assuming this means somehow extracting the
> relevant information from the device itself and then hardcoding this in to
> a config file, which would be impractical if we're managing any more than a
> handful of devices.

  You don't extra the information from the device.  You track the SIMs which you provision.  Then, you use that information to authenticate the user.

  You can't just authenticate random SIMs.  You have to know the credentials which were provisioned for that SIM.

  This is the same as any other authentication method.  e.g. you can't just authenticate random users.  You typically have to know the Cleartext-Password for the user, or the users certificate, or something similar.

  Alan DeKok.




More information about the Freeradius-Users mailing list