[strongSwan] EAP-SIM Identity Request/Response
Andreas Steffen
andreas.steffen at strongswan.org
Tue May 24 21:59:21 CEST 2011
Hello,
the EAP Identity exchange is optional with strongSwan.
These EAP-SIM scenarios don't use EAP Identity:
http://www.strongswan.org/uml/testresults45/ikev2/rw-eap-sim-rsa
http://www.strongswan.org/uml/testresults45/ikev2/rw-eap-sim-radius/
whereas this scenario does:
http://www.strongswan.org/uml/testresults45/ikev2/rw-eap-sim-id-radius/
If a RADIUS server or a strongSwan gateway with eap_identity=%any
requests EAP Identity, then the client must define
  eap_identity=<my EAP identity>
otherwise the EAP identity is just omitted.
Regards
Andreas
On 05/24/2011 09:38 PM, Nan Luo wrote:
> Hi, Martin, Hi, Andreas, Hi, all
>
> I am testing EAP-SIM with strongSwan as the client against a Security
> Gateway. I wonder if strongSwan supports the EAP-SIM authentication
> mechanism defined in 3GPP TS43.318V7.5.0. The difference between this
> EAP-SIM scheme and a standard one defined in RFC4186 is that this scheme
> omits the EAP-Identity Request/Response exchange at the beginning of the
> authentication procedure. The EAP-Identity is included in the IDi sent
> from the client to the SeGW in the first IKE-AUTH message. So the first
> EAP payload the client receives is an EAP-Request/SIM/Start (instead of
> EAP-Request/Identity in the standard case).
>
> Can you please tell me if the above EAP-SIM scheme is supported by
> strongSwan? If it is, is there any special configuration involved? If
> it's not supported, how complicated do you think the changes would be to
> support it? Can you kindly point me to the files that would
> be involved if I want to implement this support? Thanks very much.
>
>
> RFC 4186 EAP-SIM:
>
> strongSwan (client) SeGW (Authenticator)
>
> | EAP-Request/Identity |
> |<---------------------------------------------------------|
> | |
> | EAP-Response/Identity |
> |--------------------------------------------------------->|
> | |
> | EAP-Request/SIM/Start (AT_VERSION_LIST) |
> |<---------------------------------------------------------|
> | |
> | EAP-Response/SIM/Start (AT_NONCE_MT, AT_SELECTED_VERSION)|
> |--------------------------------------------------------->|
> | |
> | EAP-Request/SIM/Challenge (AT_RAND, AT_MAC) |
> |<---------------------------------------------------------|
> |+-------------------------------------------------------+ |
> ||Peer runs GSM algorithms, verifies                     | |
> ||AT_MAC and derives session keys                        | |
> |+-------------------------------------------------------+ |
> | EAP-Response/SIM/Challenge (AT_MAC) |
> |--------------------------------------------------------->|
> | |
> | EAP-Success |
> |<---------------------------------------------------------|
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
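
Added example, not part of the original thread and not strongSwan code: a small Python parser that tells the two flows discussed above apart by looking at the first EAP payload the client receives (EAP-Request/Identity versus EAP-Request/SIM/Start). The sample packets are constructed by hand from the RFC 4186 layout, and the function names are hypothetical.

```python
import struct

EAP_REQUEST = 1
EAP_TYPE_IDENTITY, EAP_TYPE_SIM = 1, 18          # EAP method types
SIM_SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification",
                13: "Re-authentication", 14: "Client-Error"}
SIM_ATTRS = {1: "AT_RAND", 7: "AT_NONCE_MT", 11: "AT_MAC",
             15: "AT_VERSION_LIST", 16: "AT_SELECTED_VERSION"}

# Constructed sample packets (not captured traffic).
REQ_IDENTITY = bytes.fromhex("0100000501")
REQ_SIM_START = bytes.fromhex("01010010120a00000f02000200010000")


def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP packet; for EAP-SIM also list subtype and attributes."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field does not match packet")
    out = {"code": code, "id": ident, "type": None}
    body = pkt[4:length]
    if code not in (1, 2) or not body:      # Success/Failure carry no type
        return out
    out["type"] = body[0]
    if body[0] == EAP_TYPE_IDENTITY:
        out["identity"] = body[1:].decode("utf-8", "replace")
    elif body[0] == EAP_TYPE_SIM:
        if len(body) < 4:                   # type, subtype, 2 reserved bytes
            raise ValueError("truncated EAP-SIM header")
        out["subtype"] = SIM_SUBTYPES.get(body[1], body[1])
        out["attrs"], pos = [], 4
        while pos < len(body):
            if pos + 2 > len(body):
                raise ValueError("truncated attribute header")
            alen = body[pos + 1] * 4        # length counts 4-byte words
            if alen == 0 or pos + alen > len(body):
                raise ValueError("bad attribute length")
            out["attrs"].append(SIM_ATTRS.get(body[pos], body[pos]))
            pos += alen
    return out


def first_request_kind(pkt: bytes) -> str:
    """Classify the first EAP payload sent by the authenticator."""
    p = parse_eap(pkt)
    if p["code"] != EAP_REQUEST:
        raise ValueError("first EAP payload is not a Request")
    if p["type"] == EAP_TYPE_IDENTITY:
        return "identity-first"             # RFC 4186 flow with EAP Identity
    if p["type"] == EAP_TYPE_SIM and p["subtype"] == "Start":
        return "sim-start-first"            # Identity exchange omitted
    return "other"
```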