wpa_supplicant: problems with EAP-SIM

Jouni Malinen jkmaline at cc.hut.fi
Fri Feb 3 21:29:10 EST 2006


On Wed, Feb 01, 2006 at 05:25:50PM +0000, Pete Young wrote:

> ... USIM APDUs, which confused the SIM somewhat. This is a test SIM
> with the PIN disabled, I'm not sure if there is anything else
> unusual about it. It does still authenticate to the same radius
> server using xsupplicant.

wpa_supplicant tries first to use the card as a USIM and then falls back
to SIM. I haven't seen SIM cards that get too confused about this, but
then again, I haven't tested with very large set. It should be
relatively simple change to modify scard_init() call in events.c to use
SCARD_GSM_SIM_ONLY instead of SCARD_TRY_BOTH when the used network is
configured to accept EAP-SIM, but not EAP-AKA.

Which SIM card is this? Do you know whether they would be easily
available from somewhere to allow me to test it?

> I've  modified the source of pcsc_funcs.c to ensure that
> GSM APDUs (with 'A0' prefix) are sent to the card, I'm now getting
> authentication failures due to

Changing scard_init() call would be better way of doing this since
pcsc_funcs.c should already support GSM SIM only mode.

> EAP-SIM: Challenge message used invalid AT_MAC

Hmm.. Do you know which RADIUS server is used here?

If this is a test SIM and you don't mind sending its PIN code in debug
log, it would be a bit easier for me to go through a debug log generated
with -K on the command line (i.e., include key material and other
possibly private data from the configuration). In addition, it would be
very helpful, if you could send similar debug log from xsupplicant
showing a successful authentication. If you can capture the EAPOL
packets (e.g., with tcpdump or Ethereal) for these test runs, that would
also be of great help in understanding what is happening here.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the HostAP mailing list