Add some documentation relating to EAP-AKA.

Message ID 1388794216-20665-1-git-send-email-greearb@candelatech.com
State Changes Requested

Commit Message

Ben Greear Jan. 4, 2014, 12:10 a.m. UTC
From: Ben Greear <greearb@candelatech.com>

Signed-hostapd: Ben Greear <greearb@candelatech.com>
---
 wpa_supplicant/defconfig           |    2 +-
 wpa_supplicant/wpa_supplicant.conf |    4 ++++
 2 files changed, 5 insertions(+), 1 deletions(-)

Comments

Jouni Malinen Jan. 7, 2014, 1:28 p.m. UTC | #1
On Fri, Jan 03, 2014 at 04:10:16PM -0800, greearb@candelatech.com wrote:
> diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
> -# gnutls = GnuTLS
> +# gnutls = GnuTLS (Missing some features needed by EAP-AKA with USIM, at least)

This is not exactly complete and I would much rather make this work with
EAP-SIM and EAP-AKA or make the build fail than expect people to notice
and understand this note in defconfig.

> diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
> @@ -658,6 +658,8 @@ fast_reauth=1
>  # identity: Identity string for EAP
>  #	This field is also used to configure user NAI for
>  #	EAP-PSK/PAX/SAKE/GPSK.
> +#       For EAP-AKA, it is  1 | IMSI
> +#       For EAP-SIM, it is  0 | IMSI

That is not correct. EAP-SIM does normally (but not always!) use 1 as
the prefix and EAP-AKA uses 0 (again, not always). Anyway, these would
not normally be configured by users since the identity is generated
automatically based on IMSI read from SIM/USIM. In other words, these
prefixes are reversed and only used in some test scenarios with
simulated SIM/USIM and as such, I don't think it is appropriate to
document these in this style. Furthermore, this is not really even
complete since the realm part is not included. I would be fine listing
the examples for software simulated version if they are marked as such
(and well, obviously, if they are correct).

>  # anonymous_identity: Anonymous identity string for EAP (to be used as the
>  #	unencrypted identity with EAP types that support different tunnelled
>  #	identity, e.g., EAP-TTLS). This field can also be used with
> @@ -671,6 +673,8 @@ fast_reauth=1
>  #	PSK) is also configured using this field. For EAP-GPSK, this is a
>  #	variable length PSK. ext:<name of external password field> format can
>  #	be used to indicate that the password is stored in external storage.
> +#       For EAP-AKA, the syntax is K:OPc:SQN
> +#       For EAP-SIM, the syntax is K:OPc

Again, this is very much for special corner cases. This would never be
used in normal EAP-SIM/AKA cases.

Ben Greear Jan. 7, 2014, 6:23 p.m. UTC | #2
On 01/07/2014 05:28 AM, Jouni Malinen wrote:
> On Fri, Jan 03, 2014 at 04:10:16PM -0800, greearb@candelatech.com wrote:
>> diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
>> -# gnutls = GnuTLS
>> +# gnutls = GnuTLS (Missing some features needed by EAP-AKA with USIM, at least)
> 
> This is not exactly complete and I would much rather make this work with
> EAP-SIM and EAP-AKA or make the build fail than expect people to notice
> and understand this note in defconfig.
> 
>> diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
>> @@ -658,6 +658,8 @@ fast_reauth=1
>>  # identity: Identity string for EAP
>>  #	This field is also used to configure user NAI for
>>  #	EAP-PSK/PAX/SAKE/GPSK.
>> +#       For EAP-AKA, it is  1 | IMSI
>> +#       For EAP-SIM, it is  0 | IMSI
> 
> That is not correct. EAP-SIM does normally (but not always!) use 1 as
> the prefix and EAP-AKA uses 0 (again, not always). Anyway, these would
> not normally be configured by users since the identity is generated
> automatically based on IMSI read from SIM/USIM. In other words, these
> prefixes are reversed and only used in some test scenarios with
> simulated SIM/USIM and as such, I don't think it is appropriate to
> document these in this style. Furthermore, this is not really even
> complete since the realm part is not included. I would be fine listing
> the examples for software simulated version if they are marked as such
> (and well, obviously, if they are correct).
> 
>>  # anonymous_identity: Anonymous identity string for EAP (to be used as the
>>  #	unencrypted identity with EAP types that support different tunnelled
>>  #	identity, e.g., EAP-TTLS). This field can also be used with
>> @@ -671,6 +673,8 @@ fast_reauth=1
>>  #	PSK) is also configured using this field. For EAP-GPSK, this is a
>>  #	variable length PSK. ext:<name of external password field> format can
>>  #	be used to indicate that the password is stored in external storage.
>> +#       For EAP-AKA, the syntax is K:OPc:SQN
>> +#       For EAP-SIM, the syntax is K:OPc
> 
> Again, this is very much for special corner cases. This would never be
> used in normal EAP-SIM/AKA cases.

I did screw up the 1 vs 0 for AKA and SIM.  I'll clean this up and
repost for consideration, even if just to help the next person who
searches the web.

The best info I could find previously was this link, and it
is missing some details as well:

http://comments.gmane.org/gmane.linux.drivers.hostap/24684

Thanks,
Ben

Patch

diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
index 8c79eb6..0d2556d 100644
--- a/wpa_supplicant/defconfig
+++ b/wpa_supplicant/defconfig
@@ -331,7 +331,7 @@  CONFIG_PEERKEY=y
 
 # Select TLS implementation
 # openssl = OpenSSL (default)
-# gnutls = GnuTLS
+# gnutls = GnuTLS (Missing some features needed by EAP-AKA with USIM, at least)
 # internal = Internal TLSv1 implementation (experimental)
 # none = Empty template
 #CONFIG_TLS=openssl
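Review bot: the parenthetical added to the `# gnutls = GnuTLS` line is a comment only, so a build that selects CONFIG_TLS=gnutls together with EAP-AKA on a USIM still succeeds and the user discovers the gap only at runtime; a build-time check (refusing the combination in the Makefile or failing the build) would be more reliable than expecting readers to notice defconfig text. The wording "Missing some features ... at least" should also name the specific missing feature so a reader can tell whether it affects their deployment.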
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index c555ca6..0ea8fd0 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -658,6 +658,8 @@  fast_reauth=1
 # identity: Identity string for EAP
 #	This field is also used to configure user NAI for
 #	EAP-PSK/PAX/SAKE/GPSK.
+#       For EAP-AKA, it is  1 | IMSI
+#       For EAP-SIM, it is  0 | IMSI
 # anonymous_identity: Anonymous identity string for EAP (to be used as the
 #	unencrypted identity with EAP types that support different tunnelled
 #	identity, e.g., EAP-TTLS). This field can also be used with
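Review bot: the prefix mapping in the two added lines is reversed: per the review in this thread, EAP-SIM normally uses the `1` prefix and EAP-AKA uses `0`, and neither is universal. The `1 | IMSI` notation is also ambiguous (a literal `|` versus concatenation) and omits the realm part of the NAI, and since the identity is normally derived automatically from the IMSI read from the SIM/USIM, the comment should say that a manually configured identity applies only to software-simulated SIM/USIM test setups. Minor style point: the new lines are indented with spaces while the surrounding comment lines use a tab.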
@@ -671,6 +673,8 @@  fast_reauth=1
 #	PSK) is also configured using this field. For EAP-GPSK, this is a
 #	variable length PSK. ext:<name of external password field> format can
 #	be used to indicate that the password is stored in external storage.
+#       For EAP-AKA, the syntax is K:OPc:SQN
+#       For EAP-SIM, the syntax is K:OPc
 # ca_cert: File path to CA certificate file (PEM/DER). This file can have one
 #	or more trusted CA certificates. If ca_cert and ca_path are not
 #	included, server certificate will not be verified. This is insecure and
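Review bot: the two added lines present the `K:OPc:SQN` / `K:OPc` password syntax as if it were the general EAP-SIM/AKA case, but it is only meaningful with a software-simulated SIM/USIM where the permanent key K is available to the supplicant; in normal EAP-SIM/AKA use the card holds the key and `password` is not used. Label the lines as applying to the simulated-card test configuration only, and note that this places the subscriber key in the configuration file in cleartext. Style: the new lines are indented with spaces where the neighbouring lines use a tab.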