Hi Martin,

Thanks for the message.

On Wed, Aug 18, 2010 at 8:49 PM, Martin Willi <[email protected]> wrote:
> Hi Dennis,
>
> > It seems that the milenage implementations in hostapd and in charon
> > are different
>
> The eap-aka plugin for charon supports different backends. The software
> implementation plugin (eap-aka-3gpp2) we ship with strongSwan implements
> the algorithm specified by 3GPP2, S.S0055. I think this algorithm is
> different from what the 3GPP defines with Milenage.
>
> > The question is that there's no OP or OPc value in charon
>
> In S.S0055, there are no OP/OPc values. The 3GPP2 standard knows the
> Authentication Management Field (AMF), and the Family Key (FMK). They
> probably serve a similar purpose, but the algorithm is different.
>

OK, so I have to change at least one of the implementations, say the one of hostapd, to make the authentication work.

> > I see the eap-simaka-reauth plugin, and it seems this plugin could do
> > the work of eap-aka reauthentication.
>
> Yes. The eap-simaka-reauth/pseudonym plugins provide storage of
> pseudonym/reauthentication identities and keying material. But they
> provide in-memory storage only.
>
> > But at each time the permanent identity is sent to radius server, even
> > after a first full authentication and the reauth identity is stored on
> > peer (according to the log messages on peer).
>
> The EAP peer stores a reauth identity only if your RADIUS server sends a
> reauth identity. Further, the server must request a reauth identity with
> the AT_ANY_ID_REQ.
>

Ok, I see. It seems at each authentication (after the first one) when hostapd receives an EAP message, it can always parse the permanent identity, then it uses full authentication. I guess I should look into the code to see what happens.

>
> Are you sure hostapd supports AKA reauthentication?
>

I looked at some code in hostapd and it seems hostapd could process eap-aka reauthentication, however I'm not sure about this.

Thanks & Regards,
Dennis

> Best regards
> Martin
>
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
>
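Added example, not part of the original thread and not code from strongSwan or hostapd: a small parser for checking, in a captured EAP-AKA request, which identity the server asked for and whether a challenge has room for a reauth identity, the two conditions named in the quoted reply. Attribute and subtype numbers are taken from RFC 4187; the sample packets and the function names are constructed for illustration.

```python
import struct

EAP_TYPE_AKA = 23                       # EAP method type for EAP-AKA (RFC 4187)
SUBTYPES = {1: "AKA-Challenge", 5: "AKA-Identity", 13: "AKA-Reauthentication"}
ID_REQS = {10: "AT_PERMANENT_ID_REQ", 13: "AT_ANY_ID_REQ", 17: "AT_FULLAUTH_ID_REQ"}
AT_ENCR_DATA = 130                      # carries the encrypted AT_NEXT_REAUTH_ID

# Constructed sample EAP-Request/AKA-Identity packets (not real captures).
SAMPLE_ANY = bytes.fromhex("0101000c170500000d010000")   # asks AT_ANY_ID_REQ
SAMPLE_PERM = bytes.fromhex("0102000c170500000a010000")  # asks AT_PERMANENT_ID_REQ


def parse_eap_aka(pkt):
    """Return (subtype, [(attr_type, value_bytes), ...]) for an EAP-AKA packet."""
    if len(pkt) < 8:
        raise ValueError("shorter than the EAP-AKA header")
    _code, _ident, length, eap_type, subtype = struct.unpack("!BBHBB", pkt[:6])
    if eap_type != EAP_TYPE_AKA or length < 8 or length > len(pkt):
        raise ValueError("not a well-formed EAP-AKA packet")
    attrs, off = [], 8                  # two reserved bytes follow the subtype
    while off < length:
        # Attribute length is counted in 4-byte words and includes the header.
        a_len = pkt[off + 1] * 4 if off + 2 <= length else 0
        if a_len == 0 or off + a_len > length:
            raise ValueError(f"bad attribute length at offset {off}")
        attrs.append((pkt[off], pkt[off + 2:off + a_len]))
        off += a_len
    return subtype, attrs


def diagnose(pkt):
    """Summarise what a server request lets the peer do about reauthentication."""
    subtype, attrs = parse_eap_aka(pkt)
    types = [t for t, _ in attrs]
    return {
        "subtype": SUBTYPES.get(subtype, f"subtype {subtype}"),
        "id_requests": [ID_REQS[t] for t in types if t in ID_REQS],
        # Only AT_ANY_ID_REQ permits the peer to answer with a reauth identity.
        "any_id_requested": 13 in types,
        # A challenge without AT_ENCR_DATA cannot deliver AT_NEXT_REAUTH_ID.
        "has_encr_data": AT_ENCR_DATA in types,
    }


if __name__ == "__main__":
    for name, pkt in (("any", SAMPLE_ANY), ("permanent", SAMPLE_PERM)):
        print(name, diagnose(pkt))
```

Feed it the EAP payload extracted from the RADIUS EAP-Message attribute or from an IKEv2 debug log; decrypting AT_ENCR_DATA to see the reauth identity itself needs the session keys and is outside this sketch.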
