Hello, the EAP Identity exchange is optional with strongSwan.
These EAP-SIM scenarios don't use EAP Identity:

http://www.strongswan.org/uml/testresults45/ikev2/rw-eap-sim-rsa
http://www.strongswan.org/uml/testresults45/ikev2/rw-eap-sim-radius/

whereas this scenario does:

http://www.strongswan.org/uml/testresults45/ikev2/rw-eap-sim-id-radius/

If a RADIUS server or a strongSwan gateway with

  eap_identity=%any

requests EAP Identity, then the client must define

  eap_identity=<my EAP identity>

otherwise EAP Identity is just omitted.

Regards

Andreas

On 05/24/2011 09:38 PM, Nan Luo wrote:
> Hi, Martin, Hi, Andreas, Hi, all
>
> I am testing EAP-SIM with strongSwan as the client against a Security
> Gateway. I wonder if strongSwan supports the EAP-SIM authentication
> mechanism defined in 3GPP TS43.318V7.5.0. The difference between this
> EAP-SIM scheme and a standard one defined in RFC4186 is that this scheme
> omits the EAP-Identity Request/Response exchange at the beginning of the
> authentication procedure. The EAP-Identity is included in the IDi sent
> from the client to the SeGW in the first IKE-AUTH message. So the first
> EAP payload the client receives is an EAP-Request/SIM/Start (instead of
> EAP-Request/Identity in the standard case).
>
> Can you please tell me if the above EAP-SIM scheme is supported by
> strongSwan? If it is, is there any special configuration involved? If
> it's not supported, how complicated do you think the changes would be to
> support it? Can you kindly point me to the files that would
> be involved if I want to implement this support?
>
> Thanks very much
>
>
> RFC 4186 EAP-SIM:
>
> strongSwan (client)                       SeGW (Authenticator)
>
>  |                   EAP-Request/Identity                   |
>  |<---------------------------------------------------------|
>  |                                                          |
>  |                  EAP-Response/Identity                   |
>  |--------------------------------------------------------->|
>  |                                                          |
>  |         EAP-Request/SIM/Start (AT_VERSION_LIST)          |
>  |<---------------------------------------------------------|
>  |                                                          |
>  | EAP-Response/SIM/Start (AT_NONCE_MT, AT_SELECTED_VERSION)|
>  |--------------------------------------------------------->|
>  |                                                          |
>  |       EAP-Request/SIM/Challenge (AT_RAND, AT_MAC)        |
>  |<---------------------------------------------------------|
>  |Peer runs GSM algorithms, verifies                        |
>  |AT_MAC and derives session keys                           |
>  |+-------------------------------------------------------+ |
>  |           EAP-Response/SIM/Challenge (AT_MAC)            |
>  |--------------------------------------------------------->|
>  |                                                          |
>  |                       EAP-Success                        |
>  |<---------------------------------------------------------|

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
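
The two flows discussed in this message differ in the first EAP payload the client receives: EAP-Request/Identity, or EAP-Request/SIM/Start when the identity exchange is omitted. The following is an added example, not code from strongSwan or from either poster, that classifies that first payload and extracts AT_VERSION_LIST. The function names and sample packets are hypothetical and constructed; the numeric constants are the ones assigned in RFC 3748 and RFC 4186.

```python
import struct

EAP_REQUEST, EAP_TYPE_IDENTITY, EAP_TYPE_SIM = 1, 1, 18   # RFC 3748 / RFC 4186
SIM_START, AT_VERSION_LIST = 10, 15                       # RFC 4186


def parse_sim_attributes(data):
    """Return [(type, value)]; the attribute length byte counts 4-byte words."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[off], data[off + 1] * 4
        if a_len == 0 or off + a_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((a_type, data[off + 2:off + a_len]))
        off += a_len
    return attrs


def classify_first_eap(payload):
    """Classify the first EAP payload a client receives in IKE_AUTH."""
    if len(payload) < 5:
        raise ValueError("too short for a typed EAP packet")
    code, _ident, length, eap_type = struct.unpack("!BBHB", payload[:5])
    if length < 5 or length > len(payload):
        raise ValueError("EAP length field does not match the payload")
    if code != EAP_REQUEST:
        raise ValueError("first EAP payload from the gateway must be a Request")
    body = payload[5:length]
    if eap_type == EAP_TYPE_IDENTITY:
        return ("identity-exchange", [])          # gateway asks for EAP Identity
    if eap_type != EAP_TYPE_SIM or len(body) < 3 or body[0] != SIM_START:
        return ("other", [])
    versions = []
    for a_type, value in parse_sim_attributes(body[3:]):  # skip subtype + reserved
        if a_type == AT_VERSION_LIST:
            n = int.from_bytes(value[:2], "big")          # actual list length in bytes
            if len(value) < 2 or n % 2 or n > len(value) - 2:
                raise ValueError("bad AT_VERSION_LIST")
            versions = list(struct.unpack("!%dH" % (n // 2), value[2:2 + n]))
    return ("sim-start-first", versions)          # identity exchange was omitted


# Constructed sample packets (not captured traffic).
REQ_IDENTITY = bytes([1, 1, 0, 5, 1])
REQ_SIM_START = bytes([1, 1, 0, 16, 18, 10, 0, 0,    # EAP header, SIM, Start, reserved
                       15, 2, 0, 2, 0, 1, 0, 0])      # AT_VERSION_LIST: version 1
```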
