EAP-AKA set-up failure on 4.0 dev. stream

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Apr 13 07:29:42 CEST 2018



> On Apr 13, 2018, at 8:37 AM, yukou katori <k10lie.gm at gmail.com> wrote:
> 
> I'm setting up EAP-AKA on 4.0 dev. stream, because I have to set up EAP-AKA.
> 
> I got the following error.
> 
> Radiusd -X
> 
> /// snip ///
> 
> Loaded module "rlm_eap_aka"
>      aka {
> /usr/local/etc/raddb/mods-enabled/eap[1190]: Configuration item
> "network_id" must have a value
> /usr/local/etc/raddb/mods-enabled/eap[1190]: Failed evaluating
> configuration for module "rlm_eap_aka"
> /usr/local/etc/raddb/mods-enabled/eap[15]: Failed evaluating configuration
> for module "rlm_eap"

The module code is written in such a way that it prefers AKA' over AKA.
The supplicant can still negotiate EAP-AKA, but the code will include
AT_BIDDING indicating that AKA' is supported and should be used.

network_id (now network_name to match RFC 5448) is a KDF input parameter
which binds EAP-AKA' authentication to a particular access network.

We could add manual KDF toggles like we have for TLS versions, and only
require network_name be set if an AKA' KDF (i.e. > 0) is allowed.

If someone wants to put together a patch for that then i'd be happy to
review it.

Detail of the network name format are in RFC5448 section 3.1

-Arran

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 874 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20180413/9f04ca6a/attachment-0001.sig>


More information about the Freeradius-Users mailing list