Hi Alex,

I've not used eap-sim, but I would think that you don't really need the Ki value (if 
my understanding of the documentation is right).

The reason that I say this is that you need to specify the RAND value for the SIM and 
store the RAND and responses in the users file/database (interrogate the SIM with the 
RAND to determine the Kc and SRES). Seeing as you specify fixed RAND values, the Kc 
and SRES responses will be fixed too.

rlm_eap doc file says ...

The attributes are:
        EAP-Sim-Rand1           16 bytes
        EAP-Sim-SRES1            4 bytes
        EAP-Sim-KC1              8 bytes
        EAP-Sim-Rand2           16 bytes
        EAP-Sim-SRES2            4 bytes
        EAP-Sim-KC2              8 bytes
        EAP-Sim-Rand3           16 bytes
        EAP-Sim-SRES3            4 bytes
        EAP-Sim-KC3              8 bytes

So, every time we send Rand1 to the SIM, we know that we will always get SRES1 back 
and the SIM will always cipher with KC1 ... does this make sense?

Now, if eap really used a random RAND value, then you would need the Ki and the code 
to run the RAND against the Ki to produce the Kc and SRES for the Radius server to 
use. In this instance, you'd be better off trying to write a module to interface to an 
HLR and let that do the work for you.

Hope this helps,
Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alex Wang
Sent: 26 April 2004 11:00
To: freeradius mailling-list
Subject: how to set the ki in eap-sim server?


Hi guys, I have tried the snapshot to support eap-sim, and roughly understood what I 
should configure.
But I have a question about how the eap-sim (radius) server authenticates the user.
In the "tests", I can set the values of Kc, SRES, and RAND. 
But in the real environment, the key (Kc) and SRES are derived from RAND and Ki, 
and I can't find where the Ki should be configured in the radius server.

Can the radius be an eap-sim authenticator? Or does it have to be collocated with another 
server (DB or HLR)?
Does anyone have experience with this? Please give me some advice.
Thanks a lot!

alex

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
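
The fixed triplets discussed in this thread can be sanity-checked before they are stored in the users file or database. The following is an added example, not part of the original messages and not FreeRADIUS code: it checks the byte lengths given in the quoted rlm_eap attribute list. The `Name = 0xHEX` input syntax, the sample values (constructed) and the repeated-RAND check are assumptions of this example.

```python
import re

# Sizes in bytes, taken from the rlm_eap attribute list quoted in the thread.
SIZES = {"Rand": 16, "SRES": 4, "KC": 8}
LINE = re.compile(r"^\s*EAP-Sim-(Rand|SRES|KC)([123])\s*:?=\s*0x([0-9A-Fa-f]*)\s*,?\s*$")

# Constructed sample values; the "Name = 0xHEX" layout is an assumption.
SAMPLE = """
EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f
EAP-Sim-SRES1 = 0xd1d2d3d4
EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7
EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d2e2f
EAP-Sim-SRES2 = 0xe1e2e3e4
EAP-Sim-KC2 = 0xb0b1b2b3b4b5b6b7
EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d3e3f
EAP-Sim-SRES3 = 0xf1f2f3f4
EAP-Sim-KC3 = 0xc0c1c2c3c4c5c6c7
"""

def check_triplets(text):
    """Parse triplet attributes; return ({name: bytes}, [problem strings])."""
    seen, bad, problems = {}, set(), []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE.match(raw)
        if not m:
            problems.append(f"unparsed line: {raw.strip()}")
            continue
        kind, idx, hexval = m.groups()
        name = f"EAP-Sim-{kind}{idx}"
        if len(hexval) != 2 * SIZES[kind]:
            problems.append(f"{name}: expected {SIZES[kind]} bytes, got {len(hexval) / 2:g}")
            bad.add(name)
            continue
        seen[name] = bytes.fromhex(hexval)
    # All three triplets must be complete.
    for idx in (1, 2, 3):
        for kind in SIZES:
            name = f"EAP-Sim-{kind}{idx}"
            if name not in seen and name not in bad:
                problems.append(f"{name}: missing")
    # Added check (assumption of this example): the three RANDs should differ.
    rands = [seen[n] for n in seen if "Rand" in n]
    if len(set(rands)) != len(rands):
        problems.append("RAND values repeat across triplets")
    return seen, problems
```
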
