request for a simple set of instructions for EAP-SIM

Alan DeKok aland at
Thu Feb 4 05:33:51 CET 2016

On Feb 3, 2016, at 11:06 PM, Michael Martinez <mwtzzz at> wrote:
> I do appreciate the responses, but I still feel like I'm only getting bits
> and pieces of an understanding, rather than a full explanation. I still
> don't understand what information from the SIM card is needed and how to
> get it into radius for example.

  The example users file I pointed you to shows what's needed.

  What do the attributes *mean*?  That's a question for EAP-SIM.

> I'd like a ground-up explanation of what it
> is, how it works, what's expected, but not a dry theoretical one, rather a
> practical one from the perspective of someone who's actually gotten it to
> work.

  Get the EAP-SIM credentials... and provision them as per the example users file.

> A little context: I'm doing some contracting for a university and
> have been asked to see if I can get EAP-SIM working with iPad clients. I
> don't know anything whatsoever about EAP-SIM. Some sort of basic, practical
> overview would be great, and a set of steps of what needs to be done to get
> it to work would be awesome.

  Perhaps our responses aren't clear.  We've told you everything that needs to be configured on FreeRADIUS.  We've told you that we don't know more information than that.  We've told you that you need to get the SIM credentials from the same people who gave you the SIM cards.

  If you don't have the SIM credentials, you won't be able to authenticate users with EAP-SIM.

  Once you have the SIM credentials in some format, we can help you get it into FreeRADIUS.  But... we've already told you how to do that.

  The disconnect here is that you keep asking the same questions over and over, hoping that the answers will change.  They won't.  We really don't know what the credentials are for EAP-SIM.  You should know that.

  We don't set passwords for users.  We don't create TLS client certificates for users.  We don't create SIM credentials for a user.  If you *have* credentials, we can help you configure FreeRADIUS to use those credentials.

  But as I've tried to make excruciatingly clear, YOU NEED TO KNOW THE CREDENTIALS FOR THE USER.

  Again, to repeat myself in the hope I'm getting across. You're telling us (effectively) that you have a Windows PC configured for EAP-TLS, with a client certificate, and you want to authenticate it via FreeRADIUS.  But you don't know what the client certificate is.  You don't know which CA issued the certificate.  You don't have a copy of the CA certificate.  You just want it to "work".  Somehow.  Via magic.

  And you keep asking, and asking, and asking, and asking us to tell you how to authenticate that user.


  Alan DeKok.
