[strongSwan] eap-aka with hostapd
Manish Minz
manishminz77 at yahoo.com
Thu Feb 23 09:45:00 CET 2012
--- On Wed, 2/22/12, Martin Willi <martin at strongswan.org> wrote:
From: Martin Willi <martin at strongswan.org>
Subject: Re: [strongSwan] eap-aka with hostapd
To: "Manish Minz" <manishminz77 at yahoo.com>
Cc: users at lists.strongswan.org
Date: Wednesday, February 22, 2012, 8:17 AM
Hi,
> I am using strongswan with hostapd as an AAA server
What does your setup look like exactly? Are you using a strongSwan client
with the eap-aka plugin against a strongSwan server with eap-radius and
a hostapd backend?
> but stuck at the point "received mac does not match xmac"
Our eap-aka plugin handles the protocol part of AKA only; it requires
quintuplets from another backend. You could use our eap-aka-3gpp2 plugin
that calculates quintuplets based on secret K according to 3GPP2 specs.
I'm not sure what standard is implemented in hostapd, but probably it is
3GPP, not 3GPP2.
We have another backend, eap-simaka-sql, that reads quintuplets directly
from an SQL database. Of course you can write your own backend (or ask
us to do it) by implementing the interface in libsimaka/simaka_card.h.
> also what will be the configuration of files to specify IMSI and other
> parameters.
The IMSI or NAI is usually exchanged in a preceding EAP-Identity
exchange, you can configure it with eap_identity=... on the client. On
the server, you'll have to request the EAP-Identity by specifying
eap_identity=%identity. And make sure to have the eap-identity plugin
built and loaded.
Regards
Martin
> We have two different machines, moon and carol. moon has hostapd (AAA server) as well as strongswan installed; carol has only strongswan installed. We are trying to do eap-aka-radius with hostapd as the AAA server; on moon we have set rightauth=eap-radius.
> We do not want to use eap-simaka-plugin, so how do we get rid of this "received mac does not match xmac"?
regards,
manish
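
The check behind "received mac does not match xmac", as an added example that is not part of the original thread and is not strongSwan or hostapd code. It models the AUTN layout (SQN xor AK, AMF, MAC) and shows the peer's XMAC comparison failing when peer and backend share K but use different algorithm sets; f1 and f5 are HMAC-SHA256 stand-ins, and K, RAND, SQN and the set labels are constructed values.

```python
import hashlib
import hmac

# Stand-ins for the AKA functions f1 (MAC) and f5 (anonymity key). Real
# deployments use a 3GPP or a 3GPP2 algorithm set; HMAC-SHA256 with a per-set
# label is an assumption used here only to model "same K, different set".
def f1(alg, k, rand, sqn, amf):
    return hmac.new(k, alg + b"f1" + rand + sqn + amf, hashlib.sha256).digest()[:8]

def f5(alg, k, rand):
    return hmac.new(k, alg + b"f5" + rand, hashlib.sha256).digest()[:6]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_autn(alg, k, rand, sqn, amf=b"\x00\x00"):
    """Backend side: AUTN = (SQN xor AK) || AMF || MAC (6 + 2 + 8 bytes)."""
    return xor(sqn, f5(alg, k, rand)) + amf + f1(alg, k, rand, sqn, amf)

def check_autn(alg, k, rand, autn):
    """Peer side: recover SQN, recompute XMAC, compare with the received MAC.
    The SQN freshness check that follows in real AKA is left out."""
    if len(autn) != 16:
        return "malformed AUTN"
    sqn = xor(autn[:6], f5(alg, k, rand))
    amf, mac = autn[6:8], autn[8:]
    xmac = f1(alg, k, rand, sqn, amf)
    if not hmac.compare_digest(mac, xmac):
        return "received MAC does not match XMAC"
    return "ok"

# Constructed sample values
K = bytes.fromhex("00112233445566778899aabbccddeeff")
RAND = bytes(range(16))
SQN = bytes.fromhex("000000000001")

def demo():
    autn = make_autn(b"setA", K, RAND, SQN)
    return {
        "same set, same K": check_autn(b"setA", K, RAND, autn),
        "different set, same K": check_autn(b"setB", K, RAND, autn),
        "same set, wrong K": check_autn(b"setA", bytes(16), RAND, autn),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A wrong K and a mismatched algorithm set produce the same error on the peer, so both have to be compared between client and backend when diagnosing it.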