Switch between EAP AKA and SIM on EAP-Failure

Jouni Malinen j at w1.fi
Sat Mar 19 08:05:06 EDT 2011


On Fri, Mar 18, 2011 at 10:55:17PM +0530, Praveen Sunagar wrote:
> My requirement is to initially start with EAP-AKA. If it is supported
> by the RADIUS server then the authentication will go through.
> But if RADIUS server only supports EAP-SIM then I send NAK(AKA) for
> which RADIUS server will reply with EAP-Failure as the method is not
> available at its end.

EAP-AKA and EAP-SIM have a known (and unique among eachother) prefix in
the identity, and as such, I would assume this would be done using
completely separate authentication attempts.

> So I want to know what is the best way to switch to EAP-SIM from
> EAP-Failure after trying a peer AKA method selection.
> Is there an easy way to do so without needing user to try again
> changing  "eap=SIM" ?
> Or do we need to move from FAILURE state machine to INITIALIZE state
> machine ? If so, whats the change that is needed.

How frequently do you expect to do this? I would assume this is not very
frequent operation and as such, I would learn this on the first
connection with a new SSID and then use the learned information on any
future connection. I don't see much need in optimizing this in this type
of use and as such, the safest option would be to try a completely
separate connection (disassociate and re-associate in case of 802.11)
with the new configuration.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list