[strongSwan] Milenage implementation and EAP-AKA reauthentication in strongswan 4.3.6
Martin Willi
martin at strongswan.org
Wed Aug 18 14:49:02 CEST 2010
Hi Dennis,
> It seems that the milenage implementations in hostapd and in charon
> are different
The eap-aka plugin for charon supports different backends. The software
implementation plugin (eap-aka-3gpp2) we ship with strongSwan implements
the algorithm specified by 3GPP2, S.S0055. I think this algorithm is
different from what the 3GPP defines with Milenage.
> The question is that there's no OP or OPc value in charon
In S.S0055, there are no OP/OPc values. The 3GPP2 standard knows the
Authentication Management Field (AMF), and the Family Key (FMK). They
probably serve a similar purpose, but the algorithm is different.
> I see the eap-simaka-reauth plugin, and it seems this plugin could do
> the work of eap-aka reauthentication.
Yes. The eap-simaka-reauth/pseudonym plugins provide storage of
pseudonym/reauthentication identities and keying material. But they
provide in-memory storage only.
> But each time the permanent identity is sent to the RADIUS server, even
> after a first full authentication and the reauth identity is stored on
> the peer (according to the log messages on the peer).
The EAP peer stores a reauth identity only if your RADIUS server sends a
reauth identity. Further, the server must request a reauth identity with
the AT_ANY_ID_REQ.
Are you sure hostapd supports AKA reauthentication?
Best regards
Martin
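Added worked example (not from this thread, not strongSwan code): a Milenage implementation in Go, following 3GPP TS 35.206 with the standard r1..r5 and c1..c5 constants, run against Test Set 1 of TS 35.208. It shows where OP and OPc enter (OPc = OP xor E_K(OP)) and how the f1..f5 outputs are assembled into the AUTN an EAP-AKA server sends in AT_AUTN. As Martin notes above, the eap-aka-3gpp2 plugin implements the 3GPP2 S.S0055 functions instead, so its outputs will not match these; a 3GPP Milenage backend such as the one Dennis mentions in hostapd computes exactly these values for the same K, OP and RAND. The hex inputs are the published test set, not operator secrets.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// Milenage (3GPP TS 35.205/35.206) with the standard constants r1..r5 = 64, 0,
// 32, 64, 96 bits and c1..c5 = 0, 1, 2, 4, 8 (last byte). Added example code,
// not strongSwan's eap-aka-3gpp2 plugin, which implements S.S0055 and has no OPc.

// encryptBlock is E_K: one AES-128 encryption under the subscriber key K.
func encryptBlock(k, in []byte) []byte {
	c, err := aes.NewCipher(k)
	if err != nil {
		panic(err) // Milenage requires a 128-bit K
	}
	out := make([]byte, 16)
	c.Encrypt(out, in)
	return out
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// rot rotates the 128-bit block x by r bits (a multiple of 8) in the byte-index
// convention of the TS 35.206 reference code: out[j] = x[(j + r/8) mod 16].
func rot(x []byte, r int) []byte {
	out := make([]byte, 16)
	for j := range out {
		out[j] = x[(j+r/8)%16]
	}
	return out
}

// DeriveOPc computes OPc = OP xor E_K(OP). Operators provision OPc per
// subscriber so the operator-wide OP never has to leave the AuC.
func DeriveOPc(k, op []byte) []byte {
	return xor(op, encryptBlock(k, op))
}

// AuthVector: f1 (MAC-A), f1* (MAC-S), f2 (RES), f3 (CK), f4 (IK), f5 (AK),
// f5* (resync AK) and AUTN = (SQN xor AK) || AMF || MAC-A, as sent in AT_AUTN.
type AuthVector struct {
	MacA, MacS, Res, CK, IK, AK, AKResync, AUTN []byte
}

// Milenage evaluates all seven functions for one RAND/SQN/AMF under K and OPc.
func Milenage(k, opc, rand, sqn, amf []byte) AuthVector {
	temp := encryptBlock(k, xor(rand, opc)) // TEMP = E_K(RAND xor OPc)
	in1 := make([]byte, 16)                 // IN1 = SQN || AMF || SQN || AMF
	copy(in1[0:6], sqn)
	copy(in1[6:8], amf)
	copy(in1[8:16], in1[0:8])
	// OUT1 = E_K(TEMP xor rot(IN1 xor OPc, r1) xor c1) xor OPc, with c1 = 0
	out1 := xor(encryptBlock(k, xor(temp, rot(xor(in1, opc), 64))), opc)
	// OUTn = E_K(rot(TEMP xor OPc, rn) xor cn) xor OPc for n = 2..5
	outN := func(r int, c byte) []byte {
		in := rot(xor(temp, opc), r)
		in[15] ^= c
		return xor(encryptBlock(k, in), opc)
	}
	out2, out3, out4, out5 := outN(0, 1), outN(32, 2), outN(64, 4), outN(96, 8)
	v := AuthVector{MacA: out1[:8], MacS: out1[8:], Res: out2[8:], AK: out2[:6],
		CK: out3, IK: out4, AKResync: out5[:6]}
	v.AUTN = append(append(xor(sqn, v.AK), amf...), v.MacA...)
	return v
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// Set1 runs Test Set 1 from 3GPP TS 35.208 and returns every output as hex so
// it can be compared with the published values.
func Set1() map[string]string {
	k := mustHex("465b5ce8b199b49faa5f0a2ee238a6bc")
	opc := DeriveOPc(k, mustHex("cdc202d5123e20f62b6d676ac72cb318"))
	v := Milenage(k, opc, mustHex("23553cbe9637a89d218ae64dae47bf35"),
		mustHex("ff9bb4d0b607"), mustHex("b9b9"))
	h := hex.EncodeToString
	return map[string]string{"OPc": h(opc), "f1": h(v.MacA), "f1*": h(v.MacS),
		"f2": h(v.Res), "f3": h(v.CK), "f4": h(v.IK), "f5": h(v.AK),
		"f5*": h(v.AKResync), "AUTN": h(v.AUTN)}
}

func main() {
	for name, val := range Set1() {
		fmt.Printf("%-4s %s\n", name, val)
	}
}
```

The rotation direction is the easiest place to go wrong when reimplementing Milenage: r1 and r4 are 64 bits, where direction does not matter, so a mistake only shows up in f3 and f5*. Checking against the published test set catches that, which is why the example returns every output rather than just f1.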