rlm_eap/types -- contains all the supported EAP-Types
rlm_eap/types/rlm_eap_md5 -- EAP-MD5 authentication.
rlm_eap/types/rlm_eap_tls -- EAP-TLS based authentication.
+ rlm_eap/types/rlm_eap_ttls -- TTLS based authentication.
+ rlm_eap/types/rlm_eap_peap -- Windows PEAP based authentication.
rlm_eap/types/rlm_eap_leap -- Cisco LEAP authentication.
+ rlm_eap/types/rlm_eap_sim -- EAP-SIM (GSM) based authentication
CONFIGURATION
to determine which EAP type to choose for authentication.
NOTE: EAP cannot authorize a user. It can only authenticate.
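Review bot: the new rlm_eap_sim entry is the only one in the list without a trailing period; `+ rlm_eap/types/rlm_eap_sim -- EAP-SIM (GSM) based authentication` should end with "." like its neighbours. On the rlm_eap_peap line, "Windows PEAP based authentication" is misleading, since PEAP is not Windows-specific (it was specified jointly by Microsoft, Cisco and RSA and is used by many supplicants); "PEAP based authentication" would match the style of the other entries.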
- Other Freeradius modules authorize the user and lets EAP to authenticate.
+ Other Freeradius modules authorize the user.
- NOTE: There can only be one instance of the EAP module.
+
+EAP SIM server
+
+ To configure EAP-SIM authentication, the following attributes must be
+ set in the server. This can be done in the users file, but in many cases
+ will be taken from a database server, via one of the SQL interface.
+
+ If one has SIM cards that one controls (i.e. whose share secret you know),
+ one should be able to write a module to generate these attributes
+ (the triplets) in the server.
+
+ If one has access to the SS7 based settlement network, then a module to
+ fetch appropriate triplets could be written. This module would act as
+ an authorization only module.
+
+ The attributes are:
+ EAP-Sim-Rand1 16 bytes
+ EAP-Sim-SRES1 4 bytes
+ EAP-Sim-KC1 8 bytes
+ EAP-Sim-Rand2 16 bytes
+ EAP-Sim-SRES2 4 bytes
+ EAP-Sim-KC2 8 bytes
+ EAP-Sim-Rand3 16 bytes
+ EAP-Sim-SRES3 4 bytes
+ EAP-Sim-KC3 8 bytes
+
+ EAP-SIM will send WEP attributes to the resquestor.
EAP CLIENTS
http://www.denobula.com/EAPTLS.pdf
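Review bot: the line `- NOTE: There can only be one instance of the EAP module.` is removed without a replacement; if the single-instance restriction has been lifted the README should say so, and if it still applies the note should stay, because an administrator who defines two `eap` instances will otherwise only find out at run time. In the new "EAP SIM server" section, the attribute list should also state that EAP-Sim-KC1..3 and EAP-Sim-SRES1..3 are GSM key material (Kc is the ciphering key the client derives from the same RAND), so the users file or SQL table that holds the triplets needs the same protection as stored passwords; this is worth one sentence next to "This can be done in the users file". Smaller points: "one of the SQL interface" should be "one of the SQL interfaces", "whose share secret you know" should be "shared secret", "resquestor" should be "requestor", and "EAP-SIM will send WEP attributes to the requestor" is vague; name the attributes actually sent so the NAS side can be configured against the documentation rather than a packet capture.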
+ 3. Freeradius has an "radeapclient" that can do EAP-MD5 (passwords),
+ as well as EAP-SIM. It is in modules/rlm_eap/radeapclient.
+
+TESTING
+
+ You will find several test cases in src/tests/ for the EAP-SIM code.
+
HOW DO I USE IT (FAQ/Examples)
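Review bot: the path in `+ as well as EAP-SIM. It is in modules/rlm_eap/radeapclient.` is inconsistent with the `src/tests/` form used in the new TESTING section; if the client lives under `src/modules/rlm_eap/radeapclient`, the `src/` prefix should be included so both paths resolve from the same directory. Also, `3. Freeradius has an "radeapclient"` should read `a "radeapclient"`, and it would help to say in one sentence which EAP-SIM test inputs (the triplet attributes above) radeapclient expects, since that is the only client documented for exercising the new code.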
# ldap gets the Configured password.
# eap sets the authenticate type as EAP
authorize {
+ ...
ldap
eap
+ ...
}
# eap authentication takes place.
authenticate {
+ ...
eap
+ ...
}
3. How can I Proxy EAP messages, with/without User-Name attribute
With the above configuration, RADIUS server immediately responds with
EAP-Identity request.
- NOTE: EAP doesnot check for any Identity or maintains any state in case
+ NOTE: EAP does not check for any Identity or maintains any state in case
of EAP-START. It blindly responds with EAP-Identity request.
Proxying is handled only after EAP-Identity response is received.
EAP, EAP-MD5, and Cisco LEAP do not require any additional packages.
Freeradius contains all the required packages.
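Review bot: the corrected line `+ NOTE: EAP does not check for any Identity or maintains any state in case` fixes "doesnot" but leaves the verb agreement broken; "does not check any Identity or maintain any state in the case of EAP-START" reads correctly and keeps the meaning.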
- For EAP-TLS, OPENSSL, <http://www.openssl.org/>, is required to be installed.
+ For EAP-TLS, EAP-TTLS, and PEAP, OPENSSL, <http://www.openssl.org/>,
+ is required to be installed.
Any version from 0.9.7, should fairly work with this module.
+ EAP-SIM should not require any additional packages.
-CAVEATS
- It probably still has bugs. Most notably, there is a small memory
- leak somewhere in the eap_tls code. I suspect it's because of my
- misuse of OPENSSL libraries, but I have no proof yet.
IMPLEMENTATION (For Developers)
ACKNOWLEDGEMENTS
Primary author - Raghu <raghud@mail.com>
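Review bot: the CAVEATS section (`- It probably still has bugs. Most notably, there is a small memory` through the "no proof yet" line) is deleted without any statement that the eap_tls memory leak was found and fixed; if it was, a short "fixed in this release" line belongs here or in the changelog, and if it was not, the caveat should be kept, because removing a known-leak warning from a long-running daemon's documentation hides an availability risk from operators. In the same region, `+ EAP-SIM should not require any additional packages.` hedges where the surrounding text is definite ("do not require any additional packages"); use the same wording unless there is a real dependency to mention.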
+ EAP-SIM - Michael Richardson <mcr@sandelman.ottawa.on.ca>
+ The development of the EAP/SIM support was funded by
+ Internet Foundation Austria (http://www.nic.at/ipa).
+
+
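Review bot: the two trailing `+` lines after the Internet Foundation Austria acknowledgement add blank lines at end of file; drop them so the file keeps a single terminating newline.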