[strongSwan] Milenage implementation and EAP-AKA reauthentication in strongswan 4.3.6

Martin Willi martin at strongswan.org
Wed Aug 18 14:49:02 CEST 2010

Hi Dennis,

> It seems that the milenage implementations in hostapd and in charon
> are different

The eap-aka plugin for charon supports different backends. The software
implementation plugin (eap-aka-3gpp2) we ship with strongSwan implements
the algorithm specified by 3GPP2, S.S0055. I think this algorithm is
different from what the 3GPP defines with Milenage.

> The question is that there's no OP or OPc value in charon

In S.S0055, there are no OP/OPc values. The 3GPP2 standard knows the
Authentication Management Field (AMF), and the Family Key (FMK). They
probably serve a similar purpose, but the algorithm is different.

> I see the eap-simaka-reauth plugin, and it seems this plugin could do
> the work of eap-aka reauthentication.

Yes. The eap-simaka-reauth/pseudonym plugins provide storage of
pseudonym/reauthentication identities and keying material. But they
provide in-memory storage only.

> But at each time the permenant identity is sent to radius server, even
> after a first full authentication and the reauth identity is stored on
> peer (according to the log messages on peer).

The EAP peer stores a reauth identity only if your RADIUS server sends a
reauth identity. Further, the server must request a reauth identity with

Are you sure hostapd supports AKA reauthentication?

Best regards

More information about the Users mailing list