Thanks, Mark~ I understand what you say, and I will give it a try. But I still wonder whether what you say is the only way to apply eap-sim. Can't the radius server be the eap-sim authentication server? I mean, in a real case, freeradius can authenticate users via pap, chap, eap-md5, etc. on its own; can it also provide the eap-sim authentication service by itself?
Thanks for any suggestions~

alex

----- Original Message -----
From: "Pate Mark-marpate1" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: 26 April 2004, 09:43 PM
Subject: RE: how to set the ki in eap-sim server?

Hi Alex,

I've not used eap-sim, but I would think that you don't really need the Ki value (if my understanding of the documentation is right). The reason that I say this is that you need to specify the RAND value for the SIM and store the RAND and responses in the users file/database (interrogate the SIM with the RAND to determine the Kc and SRES). Since you specify fixed RAND values, the Kc and SRES responses will be fixed too.

rlm_eap doc file says ...

The attributes are:

    EAP-Sim-Rand1   16 bytes
    EAP-Sim-SRES1    4 bytes
    EAP-Sim-KC1      8 bytes
    EAP-Sim-Rand2   16 bytes
    EAP-Sim-SRES2    4 bytes
    EAP-Sim-KC2      8 bytes
    EAP-Sim-Rand3   16 bytes
    EAP-Sim-SRES3    4 bytes
    EAP-Sim-KC3      8 bytes

So, every time we send Rand1 to the SIM, we know that we will always get SRES1 back and the SIM will always cipher with KC1 ... does this make sense?

Now, if eap really used a random RAND value, then you would need the Ki and the code to run the RAND against the Ki to produce the Kc and SRES for the Radius server to use. In this instance, you'd be better off trying to write a module to interface to an HLR and let that do the work for you.

Hope this helps,

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Wang
Sent: 26 April 2004 11:00
To: freeradius mailling-list
Subject: how to set the ki in eap-sim server?

Hi guys,

I have tried the snapshot to support eap-sim, and roughly understood what I should configure. But I have a question about how the eap-sim (radius) server authenticates the user. In the "tests", I can set the values of Kc, SRES, and RAND. But in the real environment, the key (Kc) and SRES are derived from RAND and Ki, and I can't find where the Ki should be configured in the radius server. Can the radius server be an eap-sim authenticator, or does it have to be co-located with another server (DB or HLR)? Does anyone have experience with this? Please give me some advice~

Thanks a lot!

alex

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
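The fixed-triplet setup described in the thread only works if every stored value has the length the rlm_eap doc lists (RAND 16, SRES 4, Kc 8 bytes). The following Python check is an added example, not code from the thread or from FreeRADIUS; the entry layout, the user name and all hex values are constructed for illustration.

```python
import re

# Lengths quoted from the rlm_eap doc in the thread.
EXPECTED = {"Rand": 16, "SRES": 4, "KC": 8}
ATTR_RE = re.compile(r"EAP-Sim-(Rand|SRES|KC)([1-3])\s*=\s*0x([0-9a-fA-F]*)")

def parse_triplets(entry):
    """Return {index: {kind: bytes}} for the EAP-Sim-* attributes in entry."""
    triplets = {}
    for kind, idx, hexval in ATTR_RE.findall(entry):
        if len(hexval) % 2:
            raise ValueError(f"EAP-Sim-{kind}{idx}: odd number of hex digits")
        triplets.setdefault(int(idx), {})[kind] = bytes.fromhex(hexval)
    return triplets

def check_triplets(entry):
    """Return a list of problems; an empty list means all three triplets are well formed."""
    triplets = parse_triplets(entry)
    problems = []
    for idx in (1, 2, 3):
        for kind, size in EXPECTED.items():
            value = triplets.get(idx, {}).get(kind)
            if value is None:
                problems.append(f"EAP-Sim-{kind}{idx} missing")
            elif len(value) != size:
                problems.append(
                    f"EAP-Sim-{kind}{idx} is {len(value)} bytes, expected {size}")
    # A repeated RAND yields the same Kc again, so it adds no key material.
    rands = [t["Rand"] for t in triplets.values() if "Rand" in t]
    if len(set(rands)) != len(rands):
        problems.append("RAND values are not distinct")
    return problems

# Constructed sample entry: made-up values, not taken from a real SIM.
SAMPLE = """
alex  EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f,
      EAP-Sim-SRES1 = 0xd1d2d3d4,
      EAP-Sim-KC1   = 0xa0a1a2a3a4a5a6a7,
      EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d2e2f,
      EAP-Sim-SRES2 = 0xe1e2e3e4,
      EAP-Sim-KC2   = 0xb0b1b2b3b4b5b6b7,
      EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d3e3f,
      EAP-Sim-SRES3 = 0xf1f2f3f4,
      EAP-Sim-KC3   = 0xc0c1c2c3c4c5c6c7
"""

if __name__ == "__main__":
    print(check_triplets(SAMPLE) or "triplets OK")
```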

