EAP-SIM is an Extensible Authentication Protocol (EAP) [RFC3748] mechanism for authentication and session key distribution using the Global System for Mobile communications (GSM) Subscriber Identity Module (SIM), hence the name.
As you all know, EAP is an authentication framework which supports multiple authentication methods.
EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802.
GSM cellular networks use a subscriber identity module (SIM) card to carry out user authentication.
EAP-SIM uses a SIM authentication algorithm between the client and an Authentication, Authorization and Accounting (AAA) server, providing mutual authentication between the client and the network.
In EAP-SIM the communication between the SIM card and the Authentication Centre (AuC) replaces the need for a pre-established password between the client and the AAA server.
Note - GSM is a second generation mobile network standard.
Second generation mobile networks and third generation mobile networks use different authentication and key agreement mechanisms.
EAP-AKA specifies an EAP method that is based on the Authentication and Key Agreement (AKA) mechanism used in the 3rd generation mobile networks Universal Mobile Telecommunications System (UMTS) and CDMA2000.
Advantages of EAP-AKA
The use of AKA also as a secure PPP authentication method in devices that already contain an identity module.
The use of the 3rd generation mobile network authentication infrastructure in the context of wireless LANs.
Relying on AKA and the existing infrastructure in a seamless way with any other technology that can use EAP.
To run an EAP-SIM/AKA authentication, a client such as wpa_supplicant, which has access to a (U)SIM, is needed.
The WLAN access point on the network has to support EAP (often labelled WPA(2)-RADIUS or WPA(2)-ENTERPRISE).
The WLAN AP/Controller has to have access to a RADIUS server, which handles the authentication and session key generation.
In a production environment the RADIUS server needs, for EAP-SIM/AKA, access to the Home Location Register (HLR) of the mobile network operator (MNO) with which the (U)SIMs are registered.
This is explained in the diagram below.
EAP-SIM is based on the authentication and encryption algorithms stored on the Global System for Mobile Communications (GSM) SIM.
It is based on a challenge-response mechanism and employs a shared secret key, Ki, which is stored on the SIM and otherwise known only to the GSM operator's Authentication Center (AuC).
When a GSM SIM is given a 128-bit random number (RAND) as a challenge, it calculates a 32-bit response (SRES) and a 64-bit encryption key (Kc).
EAP-SIM also enhances the basic GSM authentication mechanism by providing mutual authentication between the client and the AAA server.
Message integrity is protected with a secure keyed hashing algorithm, HMAC-SHA1 (one-way hashing).
Sample call flow - EAP-SIM
The EAP-AKA call flow is exactly the same as for EAP-SIM, with the EAP type AKA; the USIM security algorithms are used in this case.
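The challenge-response exchange and the mutual-authentication step described above, as an added example that is not part of the original post. The SIM's A3/A8 algorithm and the K_aut derivation are constructed stand-ins (the real ones are operator specific and RFC 4186's PRF respectively); the shape of the two AT_MAC computations (challenge MAC over the packet and NONCE_MT, response MAC over the packet and n*SRES) follows RFC 4186.

```python
import hmac
import hashlib
import secrets

# Constructed stand-in for the SIM's A3/A8 algorithms: (Ki, RAND) -> (SRES 32 bits, Kc 64 bits).
def sim_run_gsm(ki, rand):
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]

# Simplified stand-in for the EAP-SIM master-key/K_aut derivation (assumption: the
# real derivation is RFC 4186's PRF; only its inputs matter for this demonstration).
def derive_k_aut(identity, kcs, nonce_mt):
    return hashlib.sha1(identity + b"".join(kcs) + nonce_mt).digest()

def at_mac(k_aut, packet, extra):
    # AT_MAC: HMAC-SHA1 over the EAP packet plus the extra data, truncated to 16 bytes.
    return hmac.new(k_aut, packet + extra, hashlib.sha1).digest()[:16]

def eap_sim_exchange(identity, ki_client, ki_auc, n=2):
    """Returns (network authenticated by client, client authenticated by server)."""
    nonce_mt = secrets.token_bytes(16)          # client nonce sent in EAP-Response/SIM/Start
    # AAA server: obtain n GSM triplets (RAND, SRES, Kc) from the HLR/AuC.
    rands = [secrets.token_bytes(16) for _ in range(n)]
    triplets = [(r, *sim_run_gsm(ki_auc, r)) for r in rands]
    k_aut_srv = derive_k_aut(identity, [kc for _, _, kc in triplets], nonce_mt)
    challenge = b"".join(rands)                  # payload of EAP-Request/SIM/Challenge
    mac_srv = at_mac(k_aut_srv, challenge, nonce_mt)

    # Client: run the SIM on each RAND, derive K_aut, and verify the network's MAC first.
    results = [sim_run_gsm(ki_client, r) for r in rands]
    k_aut_cli = derive_k_aut(identity, [kc for _, kc in results], nonce_mt)
    network_ok = hmac.compare_digest(mac_srv, at_mac(k_aut_cli, challenge, nonce_mt))
    if not network_ok:
        return False, False                      # abort: the network could not prove it knows Kc
    sres_cli = b"".join(s for s, _ in results)
    mac_cli = at_mac(k_aut_cli, b"response", sres_cli)

    # Server: verify the client's MAC with the SRES values from the HLR triplets.
    sres_srv = b"".join(s for _, s, _ in triplets)
    client_ok = hmac.compare_digest(mac_cli, at_mac(k_aut_srv, b"response", sres_srv))
    return network_ok, client_ok
```

A RADIUS server without HLR access (wrong Ki, so wrong Kc) fails the client's check, so the client never sends its SRES-bound response.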
GSM - Global System for Mobile communications.
IMSI - International Mobile Subscriber Identity, used in GSM to identify subscribers.
MAC - Message Authentication Code.
HLR - Home Location Register.
NAI - Network Access Identifier.
RAND - A 128-bit random challenge issued from the base station to the mobile.
SRES - The authentication result parameter in GSM, 32 bits; corresponds to the RES parameter in 3G AKA.
USIM - UMTS Subscriber Identity Module. USIM is an application that is resident on devices such as smart cards distributed by UMTS operators.