Hi, Martin, Hi, Andreas, Hi, all

I am testing EAP-SIM with strongSwan as the client against a Security Gateway. 
I wonder if strongSwan supports the EAP-SIM authentication mechanism defined in 
3GPP TS43.318V7.5.0. The difference between this EAP-SIM scheme and a standard 
one defined in RFC4186 is that this scheme omits the EAP-Identity 
Request/Response exchange at the beginning of the authentication procedure. The 
EAP-Identity is included in the IDi sent from the client to the SeGW in the 
first IKE-AUTH message. So the first EAP payload the client receives is an 
EAP-Request/SIM/Start (instead of EAP-Request/Identity in the standard case). 

Can you please tell me if the above EAP-SIM scheme is supported by strongSwan? 
If it is, is there any special configuration involved? If it's not supported, 
how complicated do you think the changes would be to support it? Can you kindly 
point me to the files that would be involved if I want to implement this 
support? Thanks very much.
  

RFC 4186 EAP-SIM:

strongSwan (client)                        SeGW (Authenticator)
|                                     EAP-Request/Identity |
|<---------------------------------------------------------|
|                                                          |
| EAP-Response/Identity                                    |
|--------------------------------------------------------->|
|                                                          |
|                  EAP-Request/SIM/Start (AT_VERSION_LIST) |
|<---------------------------------------------------------|
|                                                          |
| EAP-Response/SIM/Start (AT_NONCE_MT, AT_SELECTED_VERSION)|
|--------------------------------------------------------->|
|                                                          |
|           EAP-Request/SIM/Challenge (AT_RAND, AT_MAC)    |
|<---------------------------------------------------------|
| +-------------------------------------+                  |
| | Peer runs GSM algorithms, verifies  |                  |
| | AT_MAC and derives session keys     |                  |
| +-------------------------------------+                  |
| EAP-Response/SIM/Challenge (AT_MAC)                      |
|--------------------------------------------------------->|
|                                                          |
|                                             EAP-Success  |
|<---------------------------------------------------------|

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
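
Added example, not part of the original post and not strongSwan code: a bounds-checked classifier for the first EAP payload a client receives in IKE_AUTH, telling the RFC 4186 flow (EAP-Request/Identity first) apart from the flow described above (EAP-Request/SIM/Start first, identity taken from IDi). Function, enum and sample names are hypothetical; the numeric constants are from RFC 3748 and RFC 4186, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Constants from RFC 3748 (EAP) and RFC 4186 (EAP-SIM); names are hypothetical. */
enum { EAP_REQUEST = 1, EAP_TYPE_IDENTITY = 1, EAP_TYPE_SIM = 18,
       SIM_START = 10, AT_VERSION_LIST = 15 };
enum first_eap { FIRST_MALFORMED, FIRST_IDENTITY, FIRST_SIM_START, FIRST_OTHER };

/* Constructed samples: EAP-Request/Identity, and EAP-Request/SIM/Start
 * carrying AT_VERSION_LIST = {1}. */
const uint8_t SAMPLE_IDENTITY[] = { 0x01, 0x01, 0x00, 0x05, 0x01 };
const uint8_t SAMPLE_SIM_START[] = { 0x01, 0x01, 0x00, 0x10, 0x12, 0x0a, 0x00, 0x00,
                                     0x0f, 0x02, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00 };

/* Walk the EAP-SIM attributes; return 1 if AT_VERSION_LIST offers version 1. */
static int offers_version_1(const uint8_t *a, size_t len)
{
    while (len >= 4) {
        size_t alen = (size_t)a[1] * 4;      /* attribute length is in 4-byte units */
        if (alen == 0 || alen > len) return 0;   /* attribute overruns the packet */
        if (a[0] == AT_VERSION_LIST) {
            size_t list = ((size_t)a[2] << 8) | a[3];  /* actual list length, bytes */
            if (list % 2 || list > alen - 4) return 0;
            for (size_t i = 0; i < list; i += 2)
                if (a[4 + i] == 0x00 && a[5 + i] == 0x01) return 1;
            return 0;
        }
        a += alen; len -= alen;
    }
    return 0;
}

/* Classify the first EAP payload received from the gateway. */
enum first_eap classify_first_eap(const uint8_t *p, size_t n)
{
    if (n < 5) return FIRST_MALFORMED;
    size_t len = ((size_t)p[2] << 8) | p[3];
    if (len < 5 || len > n || p[0] != EAP_REQUEST) return FIRST_MALFORMED;
    if (p[4] == EAP_TYPE_IDENTITY) return FIRST_IDENTITY;  /* RFC 4186 flow */
    if (p[4] != EAP_TYPE_SIM) return FIRST_OTHER;
    if (len < 8) return FIRST_MALFORMED;     /* no room for subtype + reserved */
    if (p[5] != SIM_START) return FIRST_OTHER;
    return offers_version_1(p + 8, len - 8) ? FIRST_SIM_START : FIRST_MALFORMED;
}

int main(void)
{
    return classify_first_eap(SAMPLE_SIM_START, sizeof SAMPLE_SIM_START) != FIRST_SIM_START;
}
```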
