Hi Dennis,

> It seems that the milenage implementations in hostapd and in charon
> are different

The eap-aka plugin for charon supports different backends. The software implementation plugin (eap-aka-3gpp2) we ship with strongSwan implements the algorithm specified by 3GPP2, S.S0055. I think this algorithm is different from what the 3GPP defines with Milenage.

> The question is that there's no OP or OPc value in charon

In S.S0055, there are no OP/OPc values. The 3GPP2 standard knows the Authentication Management Field (AMF), and the Family Key (FMK). They probably serve a similar purpose, but the algorithm is different.

> I see the eap-simaka-reauth plugin, and it seems this plugin could do
> the work of eap-aka reauthentication.

Yes. The eap-simaka-reauth/pseudonym plugins provide storage of pseudonym/reauthentication identities and keying material. But they provide in-memory storage only.

> But at each time the permanent identity is sent to radius server, even
> after a first full authentication and the reauth identity is stored on
> peer (according to the log messages on peer).

The EAP peer stores a reauth identity only if your RADIUS server sends a reauth identity. Further, the server must request a reauth identity with the AT_ANY_ID_REQ. Are you sure hostapd supports AKA reauthentication?

Best regards
Martin
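Added example, not part of the message above and not strongSwan or hostapd code: a small parser for EAP-AKA packets that reports which identity-request attribute the server sent and which identity the peer returned in AT_IDENTITY. Type, subtype and attribute numbers follow RFC 4187; the sample packets, the identity string and the helper names are constructed for illustration.

```python
import struct

EAP_TYPE_AKA = 23  # EAP method type for EAP-AKA (RFC 4187)
SUBTYPES = {1: "AKA-Challenge", 5: "AKA-Identity", 13: "AKA-Reauthentication"}
ATTRS = {10: "AT_PERMANENT_ID_REQ", 13: "AT_ANY_ID_REQ", 14: "AT_IDENTITY",
         17: "AT_FULLAUTH_ID_REQ", 130: "AT_ENCR_DATA"}

def parse_eap_aka(packet: bytes) -> dict:
    """Split one EAP-AKA packet into header fields and (name, value) attributes."""
    if len(packet) < 8:
        raise ValueError("too short for an EAP-AKA header")
    code, ident, length, eap_type, subtype = struct.unpack("!BBHBB", packet[:6])
    if eap_type != EAP_TYPE_AKA:
        raise ValueError("not EAP-AKA (EAP type %d)" % eap_type)
    if length < 8 or length > len(packet):
        raise ValueError("EAP length field does not match the captured bytes")
    attrs, off = [], 8  # two reserved bytes follow the subtype
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[off], packet[off + 1] * 4  # length is in 4-byte units
        if a_len == 0 or off + a_len > length:
            raise ValueError("bad attribute length at offset %d" % off)
        attrs.append((ATTRS.get(a_type, "AT_%d" % a_type), packet[off + 2:off + a_len]))
        off += a_len
    return {"code": code, "id": ident,
            "subtype": SUBTYPES.get(subtype, str(subtype)), "attrs": attrs}

def id_requests(parsed: dict) -> list:
    """Names of the identity-request attributes the server put in this packet."""
    return [name for name, _ in parsed["attrs"] if name.endswith("_ID_REQ")]

def identity_of(parsed: dict):
    """AT_IDENTITY as text; its 2-byte actual-length field strips the padding."""
    for name, value in parsed["attrs"]:
        if name == "AT_IDENTITY":
            (n,) = struct.unpack("!H", value[:2])
            if n > len(value) - 2:
                raise ValueError("AT_IDENTITY actual length exceeds attribute")
            return value[2:2 + n].decode("utf-8", "replace")
    return None

# Constructed sample: EAP-Request/AKA-Identity carrying only AT_ANY_ID_REQ.
SAMPLE_REQUEST = bytes.fromhex("0101000c170500000d010000")
_ident = b"0001010000000001@example.test"  # constructed identity, not from the thread
_pad = b"\x00" * (-len(_ident) % 4)
_at_id = bytes([14, (4 + len(_ident) + len(_pad)) // 4]) + struct.pack("!H", len(_ident)) + _ident + _pad
# Constructed sample: the peer's EAP-Response/AKA-Identity answering that request.
SAMPLE_RESPONSE = struct.pack("!BBHBBH", 2, 1, 8 + len(_at_id), EAP_TYPE_AKA, 5, 0) + _at_id
```

Run over the EAP payloads taken from a capture of the exchange, `id_requests()` shows whether the server asked with AT_ANY_ID_REQ and `identity_of()` shows which identity the peer answered with.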
