HP-UX AAA Server A.08.02 Administrator's Guide
Benefits
EAP-SIM offers the following benefits:
• Offers more reliable security than the GSM mechanisms.
• Supports protection of the subscriber identity based on pseudonyms or temporary identifiers.
• Supports a fast re-authentication procedure.
Configuring EAP SIM
The configuration files must be edited manually because EAP-SIM cannot be configured using the
HP-UX AAA Server Manager.
This section addresses the following topics:
• “EAP-SIM Client Configuration” (page 163)
• “EAP-SIM User Credential Lookup Configuration” (page 163)
• “EAP-SIM Realm-Based Configurations” (page 164)
• “Global EAP-SIM Configuration in aaa.config” (page 168)
NOTE: After editing the configuration files, you must restart the RADIUS Server for the changes to take effect.
EAP-SIM Client Configuration
You can use the HP-UX AAA Server Manager to configure the access point or access device that the
HP-UX AAA Server serves to use EAP-SIM. For more information on how to configure it, see Chapter 7
(page 69).
EAP-SIM User Credential Lookup Configuration
On receiving an EAP-SIM request, the HP-UX AAA Server looks up the credentials of the unique identifier
(the real username). The credentials can be either the pre-shared subscriber key or GSM triplets from an
external store (such as an AuC). One of the following must be provided for the EAP-SIM module
to continue processing the user request:
• The subscriber's key, Ki. For more information on these Attribute Value Pairs (AVPs), see
“Generating Authentication Vectors Using A3, A8, and AKA Algorithms” (page 193). The
server uses the following AVPs as input to generate authentication vectors:
◦ Subscriber's key is a string attribute that contains the binary encoded 128-bit user secret
key, Ki. The encoding must be in the network byte order (big-endian).
◦ A3 algorithm is a string attribute that indicates the name of the A3 algorithm to be applied
in GSM triplet generation. The value is case-sensitive.
◦ A8 algorithm is a string attribute that indicates the name of the A8 algorithm to be applied
in GSM triplet generation. The value is case-sensitive. Note that most lines in the
configuration files are limited to 1023 characters.
• GSM triplets. A GSM triplet is a fixed-length binary string (octets) attribute that holds an
EAP-SIM authentication vector. The attribute value is a 224-bit (28-byte) binary string,
partitioned as follows:
◦ RAND: the first 128 bits (16 bytes) of the value.
◦ Kc: the next 64 bits (8 bytes) of the value.
◦ SRES: the last 32 bits (4 bytes) of the value.
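The following is an added example, not code from the HP-UX AAA Server, that parses and builds the 28-octet GSM triplet attribute described above (RAND || Kc || SRES) and validates the 128-bit Ki. It goes slightly beyond the text by also splitting a buffer that holds several consecutive triplets; the sample values are constructed for illustration.

```python
from typing import List, NamedTuple

# Layout of the EAP-SIM GSM triplet attribute: 28 octets (224 bits) laid out as
# RAND (16 octets) || Kc (8 octets) || SRES (4 octets), in that order.
RAND_LEN, KC_LEN, SRES_LEN = 16, 8, 4
TRIPLET_LEN = RAND_LEN + KC_LEN + SRES_LEN   # 28
KI_LEN = 16                                  # Ki is a 128-bit key, big-endian


class GsmTriplet(NamedTuple):
    rand: bytes
    kc: bytes
    sres: bytes


def parse_triplet(value: bytes) -> GsmTriplet:
    """Split one triplet attribute value into RAND, Kc and SRES.
    Anything that is not exactly 28 octets (a truncated value, or a hex
    string stored where binary was expected) is rejected before use."""
    if not isinstance(value, (bytes, bytearray)):
        raise TypeError("triplet attribute must be binary, not text")
    if len(value) != TRIPLET_LEN:
        raise ValueError(f"triplet must be {TRIPLET_LEN} octets, got {len(value)}")
    value = bytes(value)
    return GsmTriplet(rand=value[:RAND_LEN],
                      kc=value[RAND_LEN:RAND_LEN + KC_LEN],
                      sres=value[RAND_LEN + KC_LEN:])


def build_triplet(rand: bytes, kc: bytes, sres: bytes) -> bytes:
    """Inverse of parse_triplet: assemble an attribute value from its parts."""
    for name, part, want in (("RAND", rand, RAND_LEN), ("Kc", kc, KC_LEN), ("SRES", sres, SRES_LEN)):
        if len(part) != want:
            raise ValueError(f"{name} must be {want} octets, got {len(part)}")
    return bytes(rand) + bytes(kc) + bytes(sres)


def split_triplets(buf: bytes) -> List[GsmTriplet]:
    """Split a buffer holding several consecutive 28-octet triplets."""
    if len(buf) % TRIPLET_LEN != 0:
        raise ValueError("buffer is not a whole number of triplets")
    return [parse_triplet(buf[i:i + TRIPLET_LEN]) for i in range(0, len(buf), TRIPLET_LEN)]


def check_ki(ki: bytes) -> bytes:
    """Validate a subscriber key: exactly 128 bits of binary (network byte order)."""
    if not isinstance(ki, (bytes, bytearray)) or len(ki) != KI_LEN:
        raise ValueError(f"Ki must be exactly {KI_LEN} octets of binary data")
    return bytes(ki)


# Constructed sample triplet: RAND = 0x00..0x0f, Kc = eight 0xaa octets, SRES = 01 02 03 04.
SAMPLE_TRIPLET = bytes(range(16)) + b"\xaa" * 8 + b"\x01\x02\x03\x04"
```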
EAP-SIM 163