[EXTERNAL] Help in Configuring EAP-SIM

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Feb 16 16:14:01 UTC 2022 

Hi Shane,

> Thanks for your response. For the purposes of testing, we have a sim client that will be using Comp128 versions 1 through 3, and we will want to test EAP-SIM with each of those algorithms. Regarding my original question, is there a misunderstanding on my part for how to set the SIM-Algo-Version on Freeradius?

No you're doing it correctly.

> It appears that explicitly setting it vs not makes a difference.

Well you're contradicting yourself here.  Previously you said setting it would cause authentication to fail...  Which it would.

Looking at your eapol test logs, eapol_test is using its internal milenage implementation not an external SIM card:

EAP-SIM: GSM authentication algorithm
EAP-SIM: Use internal GSM-Milenage implementation for authentication
EAP-SIM: RAND - hexdump(len=16): c6 fe 5b 5c 48 28 da 45 ef 30 9d 49 ad f4 94 4f
EAP-SIM: SRES - hexdump(len=4): ca 4f dd 0e
EAP-SIM: Kc - hexdump(len=8): 53 16 4c cf c9 a6 a3 4f
EAP-SIM: RAND - hexdump(len=16): fc d3 32 aa a9 0a 11 73 e7 6d 61 d1 d7 00 50 61
EAP-SIM: SRES - hexdump(len=4): 58 71 33 e8
EAP-SIM: Kc - hexdump(len=8): 37 ea fd eb 69 75 bc dc
EAP-SIM: RAND - hexdump(len=16): 19 a1 2a 54 b3 6c 79 ec b3 4b 2f 79 88 14 67 6f
EAP-SIM: SRES - hexdump(len=4): b4 8c e1 f7
EAP-SIM: Kc - hexdump(len=8): c8 74 d2 4c db 55 de 2f

So yes, setting FreeRADIUS to use Comp128v1 when eapol_test is using milenage would cause authentication to fail.  As I said previously, there's no negotiation of SIM algorithm, it's just stored against the IMSI in the HLR/AuC.  That's not what the version negotiation at the start of EAP-SIM is doing.  You need both sides to have been configured with the same algorithm.

If you want to use eapol_test with an external SIM you need to compile eapol_test with smartcard reader support.  There's examples on the internet of how to use a smartcard reader and SIM adaptor to do what you want.  If you don't have the hardware the guys over at osmocom used to (and likely still do) sell adaptor cards.

You could also submit patches for comp128v1/v2/v3 support  to hostapd if they've not added it yet.  The comp128v2/v3 algorithms were secret for a good number of years until someone decompiled a test utility and posted Python code online.  I took the Python and rewrote it in C, and that's what's currently in the FreeRADIUS repo.  Many projects do not have comp128v2/v3 support because the comp128v2/v3 algorithms were not available until relatively recently.  Those that do likely did their own conversion of the original Python script, or lifted it from our repo.

-Arran


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20220216/406a15bc/attachment.sig>

More information about the Freeradius-Users mailing list