[strongSwan] eap-aka with hostapd

Martin Willi martin at strongswan.org
Wed Feb 22 09:17:18 CET 2012


Hi,

> I am using strongSwan with hostapd as an AAA server

What does your setup look like exactly? Are you using a strongSwan client
with the eap-aka plugin against a strongSwan server with eap-radius and
a hostapd backend?

> but stuck at the point "received mac does not match xmac"

Our eap-aka plugin handles the protocol part of AKA only; it requires
quintuplets from another backend. You could use our eap-aka-3gpp2 plugin
that calculates quintuplets based on secret K according to 3GPP2 specs.
I'm not sure what standard is implemented in hostapd, but probably it is
3GPP, not 3GPP2.

We have another backend, eap-simaka-sql, that reads quintuplets directly
from an SQL database. Of course you can write your own backend (or ask
us to do it) by implementing the interface in libsimaka/simaka_card.h.

> also what will be the configuration of files to specify IMSI and other
> parameters.

The IMSI or NAI is usually exchanged in a preceding EAP-Identity
exchange; you can configure it with eap_identity=... on the client. On
the server, you'll have to request the EAP-Identity by specifying
eap_identity=%identity. And make sure to have the eap-identity plugin
built and loaded.

Regards
Martin
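
An added illustration (not part of the original message, and not strongSwan or hostapd code) of the check behind "received mac does not match xmac": the backend places a MAC in AUTN, the peer recomputes XMAC from its own K, and the two agree only if both sides use the same K and the same algorithm set. The f1/f5 functions here are HMAC-SHA-256 stand-ins assumed for illustration, and the names `set-A`/`set-B` and all key material are constructed.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread): shared secret K and one challenge.
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
RAND = bytes.fromhex("101112131415161718191a1b1c1d1e1f")
SQN = bytes.fromhex("000000000021")   # 48-bit sequence number
AMF = bytes.fromhex("8000")           # 16-bit authentication management field

def _prf(alg, label, k, data, n):
    # Stand-in keyed function: HMAC-SHA-256, domain-separated by algorithm-set name.
    # This is NOT Milenage and NOT the 3GPP2 functions.
    return hmac.new(k, alg.encode() + b"|" + label + b"|" + data, hashlib.sha256).digest()[:n]

def f1(alg, k, sqn, rand, amf):
    return _prf(alg, b"f1", k, sqn + rand + amf, 8)   # MAC / XMAC, 64 bits

def f5(alg, k, rand):
    return _prf(alg, b"f5", k, rand, 6)               # anonymity key AK, 48 bits

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_autn(alg, k, rand, sqn, amf):
    """Backend side: AUTN = (SQN xor AK) || AMF || MAC, 16 bytes in total."""
    return xor(sqn, f5(alg, k, rand)) + amf + f1(alg, k, sqn, rand, amf)

def check_autn(alg, k, rand, autn):
    """Peer side: recover SQN, recompute XMAC from K, compare with the received MAC."""
    if len(autn) != 16:
        raise ValueError("AUTN must be 16 bytes")
    sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
    sqn = xor(sqn_ak, f5(alg, k, rand))
    xmac = f1(alg, k, sqn, rand, amf)
    # Constant-time comparison; a real peer also checks SQN freshness afterwards.
    return hmac.compare_digest(mac, xmac)

if __name__ == "__main__":
    autn = make_autn("set-A", K, RAND, SQN, AMF)
    print("same K, same algorithm set:     ", check_autn("set-A", K, RAND, autn))
    print("same K, different algorithm set:", check_autn("set-B", K, RAND, autn))
    print("different K, same algorithm set:", check_autn("set-A", bytes(16), RAND, autn))
```

The second case is the one discussed in the reply: the secret is correct on both ends, yet the check fails because the quintuplet was generated with a different algorithm set than the peer uses.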




