[strongSwan] Milenage implementation and EAP-AKA reauthentication in strongswan 4.3.6

dennis dang dennis.dang1130 at gmail.com
Thu Aug 19 11:24:45 CEST 2010


Hi Martin,

Thanks for the message.


On Wed, Aug 18, 2010 at 8:49 PM, Martin Willi <martin at strongswan.org> wrote:

> Hi Dennis,
>
> > It seems that the milenage implementations in hostapd and in charon
> > are different
>
> The eap-aka plugin for charon supports different backends. The software
> implementation plugin (eap-aka-3gpp2) we ship with strongSwan implements
> the algorithm specified by 3GPP2, S.S0055. I think this algorithm is
> different from what the 3GPP defines with Milenage.
>
> > The question is that there's no OP or OPc value in charon
>
> In S.S0055, there are no OP/OPc values. The 3GPP2 standard knows the
> Authentication Management Field (AMF), and the Family Key (FMK). They
> probably serve a similar purpose, but the algorithm is different.
>
OK, so I have to change at least one of the implementations, say the one of
hostapd, to make the authentication work.


> > I see the eap-simaka-reauth plugin, and it seems this plugin could do
> > the work of eap-aka reauthentication.
>
> Yes. The eap-simaka-reauth/pseudonym plugins provide storage of
> pseudonym/reauthentication identities and keying material. But they
> provide in-memory storage only.
>
> > But at each time the permanent identity is sent to radius server, even
> > after a first full authentication and the reauth identity is stored on
> > peer (according to the log messages on peer).
>
> The EAP peer stores a reauth identity only if your RADIUS server sends a
> reauth identity. Further, the server must request a reauth identity with
> the AT_ANY_ID_REQ.
>

Ok, I see.
It seems that at each authentication (after the first one), when hostapd
receives an EAP message, it always parses the permanent identity and then
uses full authentication. I guess I should look into the code to see what
happens.


>
> Are you sure hostapd supports AKA reauthentication?
>

I looked at some code in hostapd and it seems hostapd could process EAP-AKA
reauthentication; however, I'm not sure about this.


Thanks & Regards,
Dennis


> Best regards
> Martin
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
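The behaviour Martin describes (the peer only stores a reauthentication identity if the server hands one out, and only uses it when the server asks with AT_ANY_ID_REQ) is the peer-side identity selection of RFC 4187, section 4.1. The following is an added example, not code from this thread, from strongSwan or from hostapd: it models that selection over the EAP-AKA attribute TLV format so the symptom in the thread (the permanent identity being sent every time) can be reproduced offline. The attribute type numbers and the TLV layout are from RFC 4187; the identities, the helper names (`parse_attributes`, `PeerIdentityState`, `simulate`) and the decision to treat AT_NEXT_REAUTH_ID as already decrypted (in the real exchange it arrives inside AT_ENCR_DATA) are assumptions of the example.

```python
"""EAP-AKA peer-side identity selection (RFC 4187 section 4.1), simplified.

Constructed example: no network, no RADIUS, no MAC/encryption; the server's
AKA-Identity and AKA-Challenge messages are built inline as attribute lists.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Attribute type codes, RFC 4187 section 11
AT_PERMANENT_ID_REQ = 10
AT_ANY_ID_REQ = 13
AT_FULLAUTH_ID_REQ = 17
AT_NEXT_PSEUDONYM = 132
AT_NEXT_REAUTH_ID = 133


def parse_attributes(payload: bytes) -> Dict[int, bytes]:
    """Parse the attribute list that follows the EAP-AKA subtype header.

    Each attribute is: type (1 byte), length in 4-byte units (1 byte), value.
    Returns a dict type -> raw value (header bytes stripped, padding kept).
    """
    attrs: Dict[int, bytes] = {}
    off = 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype = payload[off]
        alen = payload[off + 1] * 4
        if alen < 4 or off + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        attrs[atype] = payload[off + 2:off + alen]
        off += alen
    return attrs


def encode_attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute, zero-padding the value to a 4-byte boundary."""
    pad = (-(len(value) + 2)) % 4
    body = value + b"\x00" * pad
    return bytes([atype, (len(body) + 2) // 4]) + body


def encode_identity_attr(atype: int, identity: str) -> bytes:
    """AT_NEXT_PSEUDONYM / AT_NEXT_REAUTH_ID: 2-byte actual length + identity."""
    ident = identity.encode("ascii")
    return encode_attr(atype, len(ident).to_bytes(2, "big") + ident)


def decode_identity(value: bytes) -> str:
    n = int.from_bytes(value[:2], "big")
    return value[2:2 + n].decode("ascii")


@dataclass
class PeerIdentityState:
    permanent: str
    pseudonym: Optional[str] = None
    reauth_id: Optional[str] = None

    def learn_from_challenge(self, attrs: Dict[int, bytes]) -> None:
        """Store identities the server handed out in AKA-Challenge.

        Assumption of this example: the attributes are already decrypted;
        in the real protocol they are carried inside AT_ENCR_DATA.
        """
        if AT_NEXT_PSEUDONYM in attrs:
            self.pseudonym = decode_identity(attrs[AT_NEXT_PSEUDONYM])
        if AT_NEXT_REAUTH_ID in attrs:
            self.reauth_id = decode_identity(attrs[AT_NEXT_REAUTH_ID])

    def choose_identity(self, attrs: Dict[int, bytes]) -> str:
        """Pick the identity to put in AT_IDENTITY, per RFC 4187 section 4.1.1."""
        if AT_PERMANENT_ID_REQ in attrs:
            return self.permanent
        if AT_FULLAUTH_ID_REQ in attrs:
            return self.pseudonym or self.permanent
        if AT_ANY_ID_REQ in attrs:
            if self.reauth_id:
                # Fast re-authentication identities are one-time use.
                ident, self.reauth_id = self.reauth_id, None
                return ident
            return self.pseudonym or self.permanent
        raise ValueError("AKA-Identity request carries no *_ID_REQ attribute")


def simulate(server_sends_reauth_id: bool) -> List[str]:
    """Two authentication rounds; return the identity the peer sent each time."""
    # Constructed permanent identity ("0" + IMSI style NAI), not a real subscriber.
    peer = PeerIdentityState(permanent="0123456789012345@example.org")
    any_id_req = encode_attr(AT_ANY_ID_REQ, b"\x00\x00")  # 2 reserved bytes
    used = [peer.choose_identity(parse_attributes(any_id_req))]
    challenge = b""
    if server_sends_reauth_id:
        challenge += encode_identity_attr(AT_NEXT_REAUTH_ID, "4reauth@example.org")
    peer.learn_from_challenge(parse_attributes(challenge))
    used.append(peer.choose_identity(parse_attributes(any_id_req)))
    return used


if __name__ == "__main__":
    print("server never sends AT_NEXT_REAUTH_ID:", simulate(False))
    print("server sends AT_NEXT_REAUTH_ID:     ", simulate(True))
```

Running `simulate(False)` yields the permanent identity in both rounds, which is the log pattern reported in the thread; `simulate(True)` yields the permanent identity first and the reauthentication identity second. The same state object also shows why an AT_FULLAUTH_ID_REQ (rather than AT_ANY_ID_REQ) in the second identity request would skip the stored reauth identity even when the server did hand one out.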