Cisco Community
English
Register
The War in Ukraine - Supporting customers, partners and communities. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel

EAP SIM and EAP - AKA

53632
Views
15
Helpful
2
Comments
Sharath Kattemane Prabhakar
Cisco Employee
‎02-12-2014 05:08 PM
edited on: ‎11-18-2020 ‎03:06 AM

 

Introduction

EAP-SIM is an Extensible Authentication Protocol (EAP) [RFC3748] mechanism for authentication and session key distribution using the Global System for Mobile communications (GSM) Subscriber Identity Module (SIM). [Hence the name !] .

EAP Authentication

As you all know EAP is an authentication framework which supports multiple authentication methods.

EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802 . 

GSM cellular networks use a subscriber identity module (SIM) card to  carry out user authentication..

EAP-SIM uses a SIM authentication algorithm between the client and an Authentication, Authorization and Accounting (AAA) server providing mutual authentication between the client and the network. 

In EAP-SIM the communication between the SIM card and the  Authentication Centre (AuC) replaces the need for a pre-established  password between the client and the AAA server.

Note - GSM is a second generation mobile network standard.

Second  generation mobile networks and third generation mobile networks use different authentication and key agreement mechanisms.                  

EAP-AKA specifies an EAP method that is based on the Authentication and  Key Agreement (AKA) mechanism used in 3rd generation mobile networks  Universal Mobile Telecommunications System (UMTS) and CDMA2000.

Advantages of EAP - AKA

  1. The use of the AKA also as a secure PPP authentication method in devices that already contain an identity module.
  2. The use of the 3rd generation mobile network authentication infrastructure in the context of wireless LANs
  3. Relying on AKA and the existing infrastructure in a seamless way with any other technology that can use EAP.

Requirements  

  • To run an EAP-SIM/AKA authentication, a client as wpa_supplicant, which has access to a (U)SIM, is needed.
  • The WLAN access point on the network has to support EAP (which is often transcribed as WPA(2)-RADIUS or WPA(2)-ENTERPRISE).
  • The WLAN AP/Controller has to have access to a RADIUS server, which handles the authentication and session key generation.
  • The RADIUS server in a productive environment needs for EAP-SIM/AKA access to the home location register (HLR) of the MNO where the (U)SIMs are registered .

Diagram

This is explained in the diagram below  

 

  • EAP SIM is based on the authentication and encryption algorithms stored on the Global System for Mobile Communications (GSM) SIM.
  • Its based on a challenge-response mechanism and employs a shared secret key, Ki, which is stored on the SIM and otherwise known only to the GSM operator's Authentication Center (AuC).
  • When a GSM SIM is given a 128-bit random number (RAND) as a challenge, it calculates a 32-bit response (SRES) and a 64-bit encryption key (Kc)
  • EAP SIM also enhances the basic GSM authentication mechanism by providing for mutual authentication between the client and the AAA server
  • Secure keyed hashing algorithm, HMAC-SHA1 (one way hashing) . 

Sample call flow  - EAP SIM

 

Call flows are exactly same as EAP-SIM with the type AKA. The USIM security algorithms are used in this case. 
 

Abbreviations

  • GSM - Global System for Mobile communications.
  • IMS - International Mobile Subscriber Identifier, used in GSM to identify subscribers.
  • MAC - Message Authentication Code .
  • HLR - Home Location Register .
  • NAI - Network Access Identifier .
  • RAND is a 128-bit random challenge issued from the base station to the mobile.
  • SRES - The authentication result parameter in GSM, corresponds to the RES parameter in 3G AKA, 32 bits.
  • USIM - UMTS Subscriber Identity Module.  USIM is an application that is resident on devices such as smart cards distributed by UMTS operators.

  

Comments
Akram Sheriff
Cisco Employee
Cisco Employee
‎03-12-2014 10:24 PM
‎03-12-2014 10:24 PM

 

Great Doc Sharath :) , I have couple of queries on  this  

1) Would it be Possible to have a Location based attribute to assign the VLAN/IP_Addr dynamically to the EAP-SIM User  similar to the Dynamic VLAN Assignment  from the Radius server in an Enterprise Environment ?

 

2)  In a Mobile roaming scenario, does the Point of attachment of the USIM Client change or  is it taken care by PMIPV6  ?

 

robertjustice
Beginner
Beginner
‎04-05-2018 05:39 PM
‎04-05-2018 05:39 PM

This is great. But can you tell me can the IR829 connect in WGB using EAP-SIM to a root AP/WLC?

 

or how do we get the LTE modem/router in the 829 to be supplicant to the AP for EAP-SIM?

 

thank you!

Latest Contents
WAP371 Wireless-AC/N Dual Radio Access Point with Single Poi...
Created by mdds on 05-23-2022 05:34 PM
0
0
0
0
We have been using this WAP since 2017.  Today I reset it back to its default settings.  The problem is that now I can't access it to configure its settings.  I don't see it on our home office network and don't know its IP address.  It... view more
CleanAir is showing disable on cisco 9130AXI.
Created by sandeepsingh3200 on 05-23-2022 02:33 PM
2
0
2
0
Clean Air is showing disable on Cisco 9130AXI AP when using it in a dual 5GHz on (SLOT ID 2). I was able to manually change it to enable but after sometime it will revert back to disable. I check the WLC and Cleanair is enable. This is only happening to t... view more
C9800 and Firebox
Created by zshowip on 05-23-2022 01:30 PM
0
0
0
0
Hi Chrome can access WLC9800 without any issue, Firefox cannot. Please see the below. It used to access it. Dont know what happen. The below info is different with what we saw before. In the past, when visiting 9800, we got a warning saying accessing woul... view more
WLC9800 Clients disconnect often and get wrong gateway and 1...
Created by mauricio2099 on 05-23-2022 12:48 PM
1
0
1
0
Hello Community. Users are suddenly disconnected from wireless. They stop reaching network services such as Internet and other network services. Windows wireless notification shows laptop is still connected to the SSID but "No Internet, secured". At ... view more
WLC 9800 per WLAN East-West ACLs
Created by lawrence.allhands on 05-23-2022 11:29 AM
2
0
2
0
Is it possible to apply an East-West ACL on clients joining a specific WLAN? If so, what is the best way to go about that? We have a few public WLANs that we would like to implement peer-to-peer ACLs on for protection/inoculation from potentially infected... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad