moving ahead with eap-sim under 3.0.11

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Mar 4 20:56:36 CET 2016


> On Mar 4, 2016, at 2:45 PM, Michael Martinez <mwtzzz at gmail.com> wrote:
> 
> On Fri, Mar 4, 2016 at 10:48 AM, Alan DeKok <aland at deployingradius.com> wrote:
>>  Trying to authenticate third-party SIM cards is a hack.  It will always be a hack.  You MUST have the SIM keys in order to do proper, secure, authentication.
> 
> I understand and agree. Do you have any practical advice on how to get
> the SIM key? People who are implementing EAP-SIM/Freeradius in
> production environments, what are they doing to get them?

You don't necessarily have to own the SIM cards, but you do need to have a communication path with the entity that does, which means you probably need to be a Telco.

I'd imagine in most environments there'd be a gateway device that bridges RADIUS to SS7, or at least exposes an API which allows the RADIUS server to retrieve GSM triplets from the user's HLR (Home Location Register).

If you're doing this for a private organisation like a University, my advice would be don't. You should look at using EAP-TLS and certificates instead. EAP-SIM wasn't designed to be used in this way; using static GSM triplets is a hack that should only be used for testing.

-Arran