Need help with EAP-AKA configuration

Alan DeKok aland at deployingradius.com
Wed Apr 26 18:33:21 UTC 2023 

On Apr 26, 2023, at 2:11 PM, Mrudul Dighe <mdighe at highway9networks.com> wrote:
> I am trying to configure EAP-AKA virtual-server in FreeRADIUS to perform authentication of multiple sim cards we own. We have followed the documentation and configured below in sites-enabled/eap-aka-sim and able to authenticate successful with EAPOL_TEST tool using same Ki and OPc:
> 
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<
> 
> send Challenge-Request {
>                &control.SIM-Ki  := 0x465b5ce8b199b49faa5f0a2ee238a6bc
>                &control.SIM-Opc := 0xcd63cb71954a9f4e48a5994e37a02baf
>                &control.SIM-SQN := 3
> }

  Note those attributes go into the "control" list.

> May I know how to specify the list of imsi/Users and make it work instead of hardcoding like above?

  The server has many, many ways to select user information from a variety of sources.  LDAP, SQL, etc. are all supported.

> We tried adding following line in 'users' file in raddb/ folder and removed above hardcoding in Challenge-Response part of eap-aka-sim virtual-server configuration :
> 
> 315010000000002 at wlan.mnc010.mcc315.3gppnetwork.org      SIM-Ki  := 770db7f9275c47eb3d12b2024caa3548, SIM-Opc := 6245aedadf3ebbb82b0f62df52e0de12, SIM-SQN := 3"

  That's adding the SIM-Ki attributes to the reply.  See the documentation for the "users" file.

> But it's not working.
> 
> I have attached the radiusd Logs with the mail. Where I see following error -

  Read the debug output.  *All* of it.

  The "send Challenge-Request" section you posted above shows you adding the SM information there.

  You put the user information into the "files" module.

  The debug output shows that you're not running the "files" module in the "send Challenge-Request" section.

  So look up the user in the "send Challenge-Request" section, and then add the attributes there.

  if you use the "files" module, it will add attributes to the reply by default.  But that's fine, because you can copy them from the reply to the control list if necessary:

send Challenge-Request {
	files
	if (ok) {
		&control.SIM-Ki := &reply.SIM-Ki
		&control.SIM-OPc := &reply.SIM-Opc
		&control.SIM-SQN := &reply.SIM-SQN
	}
	...
}

  That should work, I think.  But I don't use EAP-AKA myself.

  Alan DeKok.

More information about the Freeradius-Users mailing list