Radiator SIM Support revision history 

Revision 2.9 (2024-01-08)

Add support for MAP updateLocation, cancelLocation, Diameter Cx and 3GPP TS 33.402 TMSI generation

  • Fix incorrect error level names in log messages.
  • Add support for Diameter Cx interface for AuthBy AKAWX and AuthBy SIMWX. Cx is now supported as a value for Interface configuration parameter. New configuration parameters CxRealm and CxServerName set the values for User-Name, Public-Identity and Server-Name attributes in requests sent over Cx interface. See configuration samples eap_aka_wx.cfg and eap_sim_wx.cfg in goodies.
  • Update configuration samples in goodies. Add Protocol configuration parameter to choose between TCP and SCTP for Diameter. Include license information by default for easier evaluation. Enhance SQL query parameter handling for 3GPP AAA Server.
  • Implement MAP cancelLocation operation. The message is acknowledged and the IMSI in question is logged. No other action is currently taken.
  • Implement MAP UpdateLocation operation. New MAP configuration parameter UpdateLocationOperation sets the operation to use with the MAP instance. Defaults to UpdateGprsLocation.
  • Correct UpdateGprsLocation related parameters to match the documented names.
  • Support temporary identity generation based on 3GPP TS 33.402 Section 14. TMSI (pseudonym) and fast re-authentication identities can now be generated from the IMSI. See goodies file temporary-identity.cfg for a configuration sample.

Revision 2.8 (2023-02-28)

Add support for MAP location update, other significant updates

  • Trigger immediate EAP-Failure when an insufficient number of SIM triplets is received from an authentication server (HLR/AuC, etc.) instead of forcing the client to fail first. This should never happen with correctly configured authentication servers.
  • Clarify SIGTRAN configuration samples that OrigPointCode and DestPointCode must be in decimal format, instead of other formats, such as 3-8-3 bit ITU format.
  • Ensure that authorisation after a plain EAP-SIM/AKA/AKA’ authentication triggers a state change. Otherwise duplicate messages may trigger unneeded authorisation requests when authorisation, for example gprsLocationUpdate, takes a long time. This only affects configurations where authorisation with an external source is enabled and duplicate and timeout timers are not correctly configured.
  • Add PLMNDatabaseSQL for mapping IMSIs to Global Title values and other PLMN specific parameters. PLMN SQL database is configured with a PLMNDatabaseSQL clause. New MAP and PeerSP level configuration parameter PLMNDatabase sets the Identifier that is used to find the correct PLMN database clause. Database lookup is done before calling PeerGlobalTitleHook. This hook now receives the GT, if any is found, as its second argument. This allows the hook to log, override, or take other action, based on the DB mapped global title. Add configuration sample plmndb.cfg in goodies with SQL schemas and sample data.
  • Ensure that IMSI is always available when SCCP layer needs to figure out peer’s Global Title based on IMSI in multihoming scenarios. Add sgsn-Capability to UpdateGprsLocationArg so that the response from HLR/AuC contains more detailed profile information.
  • 3GPP AAA Server now supports configuration with multiple parallel workers that use the same Diameter identity. This configuration works in conjunction with Radiator Service Provider Module (formerly named Carrier Module) hashbalance support. Requires Service Provider Module release 1.8. Configuration sample is in goodies file 3gpp-aaa-server-hashbalance.cfg.
  • Add support for IMSI Privacy Protection certificate revocation and expiration notifications. Update imsicrypt.cfg configuration sample in goodies.
  • Improve handling of multiple MAP insertUserData invocations. Add a new configuration flag parameter UpdateLocation for all AuthBy SIM and AuthBy AKA modules to enable MAP or Diameter location update. Subscriber data returned with location update is made available for AuthorisedHook. Update MAP configuration samples for EAP-SIM and EAP-AKA in goodies to show how to access subscriber data from AuthorisedHook and how to update authentication result and reason.
  • Add support for MAP updateGprsLocation and insertSubscriberData operations.
  • Re-arrange SIGTRAN stack upper layers to better support additional MAP dialogues.

Revision 2.7 (2021-11-18)

  • Enhance handling and logging of unexpected SIGTRAN SCCP message types.
  • Enhance and correct SIGTRAN SCCP Unitdata service (UDTS) message handling and logging.
  • ServerWXMAP 3GPPCardDatabaseFilename now supports special formatting characters.
  • AuthBy SIMWX and other EAP-SIM AuthBys no longer require a SQL DB configuration to store TMSI and fast re-authentication information. This is mainly useful for test configurations.
  • Removed obsolete SIM triplet caching from EAP-SIM. The related configuration parameters no longer have any effect.
  • Emergency services enabled configuration did not work with Redis based 3GPP AAA Session database.
  • Successfully tested IMSI encryption with an Android device that implements the Wireless Broadband Alliance technical specification named ‘IMSI Privacy Protection for Wi-Fi’. No changes were needed to the Radiator implementation.
  • Updated 3GPP AAA Server to allow anonymous identity as User-Name when IMSI privacy is enabled and ePDG does not understand permanent user identity as User-Name. This requires an update to 3GPP AAA Server SQL session database schema. Added an option to control which identity value is used with User-Name.
  • Redis based 3GPP AAA Server session database no longer uses IMSI as part of key. Only Session-Id is used similar to SQL and internal session database.
  • Affected Point Code M3UA TLV is now correctly parsed and logged.
  • When M3UA SSNM Destination State Audit (DAUD) message is received, it’s no longer ignored but a response Destination Available (DAVA) message is sent.
  • Updated configuration samples in goodies to work better with systemd based installations.
  • Fixed S6b authorisation check for emergency services. This was broken by the recently added APN match check.
  • Enhanced stream connection error handling in SIGTRANConnection module. Carrier Module 1.7 and Radiator 4.26 or later are now strongly recommended.

Revision 2.6 (2021-02-02)

  • Invalid APN formats are now rejected early.
  • Included APN match in S6b authorisation checks.
  • Fixed a crash in 3GPP AAA Server triggered by retransmitted messages.
  • Updated identity handling with IMSI encryption based on observed client behaviour.
  • RAT-Type for SWx requests is now set to the value received over SWm defaulting to VIRTUAL. Previously WLAN was always used by 3GPP AAA Server.
  • 3GPP-Charging-Characteristics is now copied to SWm answers when available. Subscription-Id was not added to SWm AAA messages after the user profile was updated by HSS with Push-Profile Request.
  • AAA-Failure-Indication is now sent over SWx to HSS. Previously the VSA was ignored when received from an ePDG.
  • Terminal-Information is now added to SWx requests as required by 29.273 version 13 and later.
  • Enhanced 3GPP AAA Server support to cover 29.273 version 15.4.0. The main behaviour change is S6b triggered PGW registration which is no longer done as often. This was clarified in 29.273 13.4.0 correction CP-160220 CR 0457.
  • Emergency services for authenticated users are now supported by 3GPP AAA Server. Support for emergency services needs to be enabled with a new configuration flag parameter EmergencyServices. When EmergencyServices parameter is set and SQL is used for a session database, one new column and SQL query modifications are needed.
  • Updated 3GPP AAA Server SWm, SWx and S6b dictionaries for 29.273 version 15.4.0.
  • Crypt::Rijndael is no longer required when Radius::UtilXS release 2.2 or later and Radiator 4.25 or later is installed.
  • 3GPP AAA Server SQL and Redis based session backends no longer trigger unnecessary lookups and SWx deregistration updates when session termination requests are received over SWm or S6b. This can reduce Diameter traffic significantly with certain configurations where lots of clients are not allowed to connect and gateway devices send STRs for these attempts.
  • Removed warnings logged to STDERR by 3GPP AAA Server when processing certain request types. These warnings were harmless but caused unnecessary log entries.
  • 3GPP AAA Server now supports stripping MAC address from NAI format usernames. A new optional configuration parameter StripMACFromUserName controls how this is done.
  • A number of code clean up and maintenance changes were done based on Perl::Critic and other tools.
  • Requires Radiator 4.24 or later and Carrier Module 1.6 or later with 3GPP AAA Server. Radiator 4.24 and later are recommended with plain EAP-SIM, EAP-AKA and EAP-AKA’.

 

Revision 2.5 (2020-02-19)

  • SIM and AKA both now use Digest::SHA to implement hmac_sha1. Digest::HMAC is no longer a prerequisite module.
  • SIM, AKA, AKA’ and 3GPP AAA Server authentication now supports functionality specified in 3GPP document S3-170116. This is known as: ‘Permanent Identity encryption’, or ‘IMSI encryption’ or ‘Privacy Protection for EAP-AKA’. See configuration sample imsicrypt.cfg in goodies directory. Requires Radius::UtilXS 2.0 or later and Radiator 4.24 or later.
  • SWm RAR from 3GPP AAA Server was using wrong Auth-Application-Id.
  • 3GPP AAA Server now supports Diameter RealmTable instance added in Radiator 4.24. This allows dynamic Diameter request routing and forwarding instead of requiring static routing to reach ePDG, PGW and HSS. See 3gpp-aaa-server.cfg in goodies for an updated configuration sample. Also requires Radiator Carrier Module 1.6.
  • Radiator Radius::UtilXS now implements SHA1 transformation that was previously only available in Digest::SHA1. Digest::SHA1 is no longer needed when Radius::UtilXS is installed. Radius::UtilXS is available from Radiator downloads.
  • 3GPP AAA Server now implements TS 29.273 version 13.4.0 behaviour where HSS result DIAMETER_ERROR_RAT_TYPE_NOT_ALLOWED for a SWm originated request is passed through instead of mapped to DIAMETER_UNABLE_TO_COMPLY. Older specification default behaviour was found to cause too frequent reauthentication attempts.
  • Updated AuthAKA.pm and AuthSIM.pm to better support asynchronous authentication.
  • Added two new AuthBys. AuthBy AKAREST and AuthBy SIMREST support asynchronous authentication of EAP-AKA, EAP-AKA’ and EAP-SIM by fetching authentication vectors over a REST API. Sample configurations are in goodies directory. Requires HTTPClient module added in Radiator 4.24.

Revision 2.4 (2019-01-22) 

  • 3GPPAuthHSS now supports Peer-Auth-Application-Id as DiaPeerDef selector. Requires Carrier module 1.5 or later and Radiator 4.20 or later.
  • Added configuration parameter HSSRealm to 3GPPAuthHSS. The value for this parameter is typically the realm where HSS resides. If not set, the messages’ realm is set from the DestinationRealm parameter of the DiaPeerDef used for forwarding messages to the HSS. Defaults to not set.
  • Subscription-Id AVP is now added to SWm DEA messages to relay MSISDN to ePDG.
  • Updated EAP-SIM, EAP-AKA and EAP-AKA’ permanent, pseudonym (TMSI) and fast re-authentication identity leading characters to match RFC 4186, 4187 and 5448, and 3GPP TS 23.003 suggestions and requirements. Because of historical reasons, EAP-SIM fast re-authentication and EAP-AKA TMSI leading characters were swapped. EAP-AKA’ non-permanent identifiers are now fully separate from the respective EAP-AKA identifiers.
  • Removed obsolete configuration parameters TestNoMAP and GetReauthQueryEAP. Support for TestClient and TestVectorFile were removed from AuthAKA.pm and related files because they are obsolete. Use AuthAKATEST or ServerWXMAP based configurations for testing.
  • A number of code clean up and maintenance changes were done based on Perl::Critic and other tools.
  • SCTP multihoming is now supported. Requires Radiator 4.22 and Radiator Radius::UtilXS package.   
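
The leading-character scheme referred to in the identity item above, as an added example (not Radiator code): a classifier that maps an EAP-SIM/AKA/AKA’ identity to its method and identity type, plus a log-masking helper for permanent identities. The character table is taken from the NAI definitions in 3GPP TS 23.003; the function names, the masking policy and the sample identities are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Leading characters as defined for the root, pseudonym and fast
# re-authentication NAIs in 3GPP TS 23.003.
LEADING = {
    "0": ("EAP-AKA", "permanent"),
    "1": ("EAP-SIM", "permanent"),
    "6": ("EAP-AKA'", "permanent"),
    "2": ("EAP-AKA", "pseudonym"),
    "3": ("EAP-SIM", "pseudonym"),
    "7": ("EAP-AKA'", "pseudonym"),
    "4": ("EAP-AKA", "fast-reauth"),
    "5": ("EAP-SIM", "fast-reauth"),
    "8": ("EAP-AKA'", "fast-reauth"),
}


@dataclass(frozen=True)
class Identity:
    method: str            # EAP-SIM, EAP-AKA or EAP-AKA'
    kind: str              # permanent, pseudonym or fast-reauth
    value: str             # username without the leading character
    realm: Optional[str]   # None when no realm decoration is present


def classify(nai: str) -> Optional[Identity]:
    """Return the parsed identity, or None when it is not recognised.

    An unrecognised identity is the case where a server would ask the
    peer for its identity again instead of guessing.
    """
    username, _, realm = nai.partition("@")
    if not username or username[0] not in LEADING:
        return None
    method, kind = LEADING[username[0]]
    value = username[1:]
    if kind == "permanent":
        # A permanent identity carries the IMSI: ASCII digits only,
        # at most 15 of them. The lower bound of 6 is this example's choice.
        if not (value.isascii() and value.isdigit() and 6 <= len(value) <= 15):
            return None
    elif not value:
        return None
    return Identity(method, kind, value, realm or None)


def log_safe(nai: str) -> str:
    """Mask the subscriber part of a permanent identity before logging.

    Keeps the leading character and the first five IMSI digits (enough to
    identify the home network) and masks the rest. Pseudonym and fast
    re-authentication identities are returned unchanged because they do
    not reveal the IMSI.
    """
    ident = classify(nai)
    if ident is None or ident.kind != "permanent":
        return nai
    masked = ident.value[:5] + "*" * (len(ident.value) - 5)
    suffix = "@" + ident.realm if ident.realm else ""
    return nai[0] + masked + suffix


# Constructed sample identities (test PLMN 001/01, not real subscribers).
SAMPLES = [
    "0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org",
    "1001010123456789",
    "7Zk3pQ9xLm2@wlan.mnc001.mcc001.3gppnetwork.org",
    "5r8TtY1uE4",
    "anonymous@wlan.mnc001.mcc001.3gppnetwork.org",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(log_safe(sample), "->", classify(sample))
```
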

 

Revision 2.3 (2018-01-29) 

  • MAP and PeerSP clauses now support a new configuration flag parameter TriggerFailure. When set, timed out requests, TCAP Abort primitive, MAP errors and broken messages trigger a failure indication to upper layers, such as EAP-AKA, when the received message can be mapped to a sent message. TriggerFailure defaults to not set, allowing upper layers to time out. Errors are always logged.
  • TCAP Abort messages are now logged with warning level and with more information about the abort cause.
  • TCAP ABRT-apdu had incorrect tag value in ASN definition.
  • Fixed a memory leak with MAP timeouts and enhanced timeout logging.
  • MAP and PeerSP clauses now support a new configuration flag parameter SPGroup. MAP replies are accepted from SPs that are part of the same group. By default SPGroup is not set and reply must come from the SP that the request was originally sent to.
  • Updated diapwtst-3gpp to set P (proxiable) flag to a number of requests that were missing it.
  • diapwtst-3gpp now uses its own configuration file for options and attributes.
  • Updated SIGTRAN peer communication state handling to be more clearly configurable for SGP-ASP and IPSP-IPSP types of communication. Updated SEModeWaitNotify flag parameter behaviour to control how communication works. When enabled, selects SGP-ASP communication type.
  • Implemented T(Ack) for SIGTRAN. This timer controls how long replies to ASP Up and ASP Active are waited for. If the timer expires, peering starts with ASP Up. If an error is received while the peering is not up, this timer also controls the wait until peering is retried with ASP Up. Configurable with parameter AckTimer.
  • Fixed SIGTRAN socket binding failure when local IP address and port were bound and Radiator was reloaded.
  • Updated log levels and added tracing identifier to multiple log calls in 3GPP AAA Server related modules.
  • T(Ack) was not always cancelled during peering, causing a spurious warning in the log.
  • See Revision 2.2 below for Radiator version and other prerequisites. Version 1.4 of Radiator Carrier module is recommended.
Revision 2.2 (2017-06-21)
  • Added support in 3GPP AAA Server SWm interface for EIR checks as defined by Release 14. SWm EIR support is optional and requires Terminal-Information AVP from ePDG.
  • When HSS indicates to S6b based authorisation that the user is already served by a different 3GPP AAA Server, a correct redirect is returned to S6b instead of an error. Unknown user and other errors received over SWx are now correctly handled and returned over S6b.
  • Updated diapwtst-3gpp with a command line option to not include MIP6-Agent-Info in S6b requests.
  • Session start time is now part of 3GPP AAA Session description. Updated 3GPP AAA Server example configuration to use a special for start time when adding a new session to SQL based session database.
  • Gossip based 3GPP AAA Session database does not set expiry time for profiles or sessions anymore. The entries need to be removed by 3GPP AAA Server or a separate process that cleans up sessions that are too old to be valid.
  • Gossip based 3GPP AAA Session database now supports closing sessions by setting a stop timestamp without removing them. This allows for separate processing of closed sessions.
  • Improved 3GPP AAA Gossip session database behaviour when sessions are unexpectedly not found.
  • Fixed SIGTRAN SCCP interoperability problem where SCCP parameter ordering was treated as fixed.
  • See Revision 2.1 below for Radiator version and other prerequisites.
Revision 2.1 (2017-05-02)
  • Fixed a crash in 3GPP AAA Server caused by a missing grouped value for Failed-AVP
  • If 3GPP AAA Server receives an RTR from HSS for an IMSI for which it has no registered profile, Experimental-Result-Code with value DIAMETER_ERROR_USER_UNKNOWN is returned. Previously DIAMETER_SUCCESS was returned in this case.
  • Rejected EAP authentication attempts more often include EAP Failure with RADIUS or Diameter reject.
  • Badly formatted user identities are now rejected earlier and logged with improved detail by 3GPP AAA Server.
  • When EAP fails over SWm, the rejects now have EAP Failure set for more cases even when received EAP message was badly broken
  • Improved logging and handling of SIM, AKA and AKA’ EAP messages. Corrupt messages are now rejected earlier and logged more clearly.
  • Version dependency: LocalAddress and LocalPort were removed from SIM module. These parameters are now part of Radiator Stream class. No configuration changes are needed but these parameters now require Radiator 4.17 or later.
  • Convert::ASN1 0.26 or later is required for SIGTRAN. The version requirement is now forced when trying to load MAP and TCAP ASN1 definitions.
  • Improved handling of SIGTRAN M3UA SSNM messages. Received DUNA and DAVA messages are now logged at info level.
  • Added support for M3UA Heartbeat ASPSM messages. Radiator will always respond to Heartbeat messages and can optionally send Heartbeat messages.
  • Fixed a potential crash with SIGTRAN when peer is unexpectedly disconnected
  • Fixed a crash in 3GPP AAA Server, removed warnings and improved debug logging
  • Compatibility fixes for Perl 5.8
  • Improvements to 3GPP AAA Server and stand alone authenticators. EAP Failure is now returned more often with rejected messages. Improved logging for unexpected messages and other errors.
  • Fixed a memory leak in 3GPP AAA Server EAP context handling
  • Added checks for short EAP identity similar to checks other Radiator EAP methods have
  • Added createOPC.pl in goodies for creating OPc from Ki and OP. The output value can be inserted in simcards.dat file
  • Fixed a slowly growing memory leak in 3GPP AAA Server
  • Log tracing ids are supported for Diameter messages
  • Requires Radiator 4.16 or later and Radiator Carrier module. 3GPP AAA Server functionality requires Radiator 4.17 and Radiator Carrier module. See the notes above for any exceptions.
Revision 2.0 (2016-06-16)
  • Added Radiator SIM module reference manual in doc directory
  • Added Radiator 3GPP AAA Server module files in Radiator SIM Support distribution
  • See 3gpp-aaa-server.cfg in goodies directory for a configuration sample
  • Added Radiator 3GPP AAA Server reference manual in doc directory
  • Requires Radiator 4.14 or later and Radiator Carrier module for 3GPP AAA Server functionality
Revision 1.47 (2016-05-16)
  • Removed unneeded column TMSI from SIMUSER table in eap-sim-mysql.sql. Clarified some of the comments in eap-sim-mysql.sql
    Updated all configuration samples to use radius_sim database.
  • AuthAKA now deletes the re-authentication context only when MaxReauthentications limit is reached. The call is now done correctly with re-authentication id instead of IMSI.
    Updated the DeleteReauthQuery in AKA sample configuration files to use SQL delete instead of update.
  • Removed obsolete files from goodies. Removed obsolete AuthSIMOPERATOR.pm
  • Updated the sample configuration files in goodies to work without SQL database by default. UseTMSI and UseReauthentication are now disabled in the configuration samples. SQL is still needed when UseTMSI or UseReauthentication is enabled.
  • Unified and improved error checks, error handling and logging in AuthBy SIM and AuthBy AKA. Error messages are now more clear about failure reasons.
  • Auth SIMSQL and AKASQL now call finish for the SQL handle only when there were results
  • Requires Radiator 4.14 or later
Revision 1.46 (2016-03-16)
  • EAP-Request/AKA-Identity can now be skipped if the application that uses AKA, for example Diameter SWm, wishes to do so.
  • Logging enhancements. The current request object is now passed to more log() calls.
  • Corrected Visited-Network-Identifier flags to M in the SWx dictionary
  • Requires Radiator 4.14 or later
Revision 1.45 (2016-02-24)
  • LocalAddress and LocalPort are now available for configuring SIGTRAN PeerSP clauses. These allow binding the SIGTRAN connections to explicit source IP address and port.
  • Significant updates to the SWx dictionary. Added SIP-Number-Auth-Items in the Wx dictionary
  • Added new configuration parameters SCTPPeer and PeerGlobalTitleHook for SIGTRAN support.
    PeerGlobalTitleHook can be used to derive peer’s GT, for example, from IMSI. SCTPPeer allows defining multiple SCTP peer addresses the PeerSP should try when initiating a connection to the peer.
    Added goodies/sigtran-peer-gt-hook.pl for PeerGlobalTitleHook example.
  • Added examples of SCTPPeer, LocalAddress and LocalPort in eap_aka_map.cfg and eap_sim_map.cfg in goodies.
  • Some errors in authentication that possibly caused the client to time out are now more clearly rejected.
  • Updated the README file to include SIGTRAN and the current prerequisites
  • Requires Radiator 4.14 or later
Revision 1.44 (2015-04-10)
  • Added support for EAP-SIM and EAP-AKA authentication with MAP M3UA/SIGTRAN
  • Warnings about EAP SIM and AKA Success notification are now suppressed. Notifications with code “Success” are normal and expected when Radiator has been configured with UseResultInd flag parameter
  • Updated the MySQL schema eap-sim-mysql.sql in goodies. Changes make the SQL tables easier to use with other SQL servers. The char() types were changed to varchar(). Updated the configuration examples to use radius_sim as the database name
  • Updated AuthAKATEST to support the current 3GPPAuthcentre API
  • Requires Radiator 4.14
Revision 1.43 (2014-08-15)
  • Added support in AuthBy SIMWX for converting AKA quintets to GSM triplets. Radiator can now support EAP-SIM when the HSS supports only Diameter SWx. AKA quintets received over Diameter Wx can also be converted. The conversion function is the 3GPP TS 55.205 SRES Derivation Function #1 and its use is enabled with ConvertAKAVectors configuration parameter flag.
  • Added configuration parameters LocalAddress and LocalPort for setting the local IP address and port for TCP and SCTP. These parameters are available for AuthBy SIMWX and AuthBy AKAWX.
  • Tested EAP-SIM with Nokia Windows Phone 8.1 update developer preview
  • Requires Radiator 4.13
Revision 1.42 (2014-04-16)
  • Added dictionaries for Wx and SWx. The Wx and SWx attribute names now match the names 3GPP specifications use
  • ServerWXMAP now advertises Vendor-Auth-Application-Ids Wx and SWx
  • Tested EAP-SIM with Nokia Windows Phone 8.1 developer preview
  • Requires Radiator 4.13
Revision 1.41 (2014-03-24)
  • EAP-SIM, EAP-AKA and EAP-AKA’ no longer use EAP-Response/Identity for establishing the peer identity. Identity is always requested with AT_IDENTITY when EAP authentication starts.
  • Improved how EAP-SIM, EAP-AKA and EAP-AKA’ request the peer identity when the identity provided by the peer was not recognised by Radiator.
  • Fast Re-Authentication MaxReauthentications parameter now correctly works with EAP-AKA and EAP-AKA’.
  • ReauthenticationRealm parameter now supports %0 which is replaced with the SIM or AKA identity realm part. Special % formats based on the current request $p are also supported.
  • 3GPPAuthCentre now supports variable IND length for the AKA authentication vectors. Configurable via ServerWXMAP parameter IndLength which defaults to 5. SQN is incremented using 3GPP TS 33.102 Annex C.3.2 profile 2.
  • 3GPPAuthCentre now sets the AMF separation bit only when quints are requested over Diameter SWx. The AMF bit is never cleared. This partly reverts the change in 1.40.
  • 3GPPAuthCentre now increments SQN only once for each request
  • ServerWXMAP does not send any Auth- or Acct-Application-Id attributes by default. Supported-Vendor-Id 10415 (3GPP) is advertised by default.
  • Improved logging in 3GPPAuthCentre
  • Corrected some log messages in AuthAKAWX.pm
  • Clarified the configuration examples eap_sim_wx.cfg, eap_aka_wx.cfg, eap_aka_prime_wx.cfg and wxmap.cfg in goodies.
  • Tested EAP-AKA with Android 4.1 and 4.2, IOS 7.1, Nokia Symbian S60 v3.0 and v3.1.
  • Tested EAP-SIM with the above and Nokia Windows Phone 8 and Nokia Symbian S80 v2.0.
  • Requires Radiator 4.12 or 4.12.1
Revision 1.40 (2014-03-07)
  • Fixed a bug in AKA and AKA’ attribute parsing exposed by Apple IOS.
  • EAP-SIM now logs a warning if the number of returned triplets does not match the requested number. This can happen if HLR/AuC or HSS configuration is incorrect.
  • Auth AKAWX now transforms CK and IK to CK’ and IK’ when quints were fetched over Diameter Wx. No transformation is done or required when Diameter SWx is used.
  • ServerWXMAP now mandates the presence of ANID attribute when Diameter SWx is used.
  • 3GPP Authentication Centre now sets the AMF separation bit and returns CK’ and IK’ when quints are requested for AKA’. The AMF separation bit is otherwise cleared when quints are returned.
  • ServerWXMAP requests CK’ and IK’ from the 3GPP Authentication Centre when MAR was received over Diameter SWx.
  • Added ReauthenticationRealm example in eap_aka_wx.cfg and eap_aka_prime_wx.cfg in goodies directory.
  • Added MaxReauthentications example in eap_sim_wx.cfg.
Revision 1.39 (2013-12-17)
  • Improved Destination-Host and Destination-Realm handling.
  • OriginHost, OriginRealm, DestinationHost and DestinationRealm configuration options now support special characters.
Revision 1.38 (2013-12-11)
  • WxClient and AuthAKAWX were updated to work with Diameter SWx specification 3GPP TS 29.273. WxClient should now comply with all SWx versions and Wx versions 6.4.0 and later, 7, 8, 9, 10 and 11.
  • AuthAKAWX supports new configuration parameter Interface for choosing Wx or SWx.
  • AKAPrimeNetworkName configuration parameter now defaults to ‘WLAN’.
  • ServerWXMAP was updated to work with both Wx and SWx.
  • Requires Radiator 4.12 or later.
  • Updated white paper for SWx interface.
Revision 1.37 (2013-09-30)
  • WxClient was tested and updated to work with HSS supporting 3GPP specification 29.234 version 7.7.0 Release 7. WxClient should now comply with versions 6.4.0 and later, 7, 8, 9, 10 and 11.
  • Requires Radiator 4.12 or later.
  • Updated white paper to cover different scenarios for communicating with 4G/LTE HSS services, 3G/2G HLR/AuC services and MAP gateways.
  • Updated white paper to cover accounting and billing over Diameter.
Revision 1.36 (2013-04-26)
  • AuthBy AKA and AKA-PRIME ReauthenticationRealm was missing from the list of configurable parameters.
  • AuthBy AKA and AKA-PRIME now support AuthorisedHook configuration parameter.
  • Updated example SIM config files to reflect the fact that some smartphones require NumTriplets to be 3.
  • Added some notes to README about acquiring and configuring eapol_test.
Revision 1.35 (2012-10-23)
  • Added support for Ulticom DSC Diameter-MAP gateway (http://www.ulticom.com/products-dsc/), and support for using it with EAP-SIM, EAP-AKA and EAP-AKA-PRIME. Can now authenticate both SIM and AKA to any operator’s HLR and AuC via SS7 or Sigtran. See Ulticom for product details and pricing.
  • Requires Radiator 4.10 plus latest patches or later.
  • Updated white paper.
  • Added Wx Diameter MAP gateway simulator and sample configuration file, which can be used for testing SIM and AKA. Can also be used to authenticate privately issued SIM and uSIM cards for SIM and AKA.
  • Added example WPA Supplicant eapol_test configuration files that can be used to test WPA Supplicant against Radiator and the Wx Diameter MAP gateway simulator.
  • Reinstated use of Digest::SHA1 in FIPS.pm. Now need both Digest::SHA and Digest::SHA1 installed.
  • Updated AKA and AKA-PRIME support in AuthBy AKATEST so that the test card database has just the IMSI and not the 0 or 6 prefix.
  • Some minor changes to the internal API for AuthBy AKA.
  • Added support for 2G GSM triplets to 3GPPAuthCentre. Can now generate both SIM triplets and AKA quints from Milenage card details in the card database file.
  • Changed the name of the sample aka_db card data file to simcards.dat.
  • Deleted support for Cisco and SGSA MAP gateways, which have been discontinued by their vendors.
Revision 1.34 (2012-06-15)
  • Removed use of Digest::SHA1, replaced with Digest::SHA, which is now included with all perls. Digest::SHA is now an absolute prerequisite.
  • Updated sgsasim.pl and sgsatest.pl to use Getopt::Long
  • Fixed a problem in sgsatest.pl that could cause a crash with “Can’t call method “format_ctime” on unblessed reference…”
Revision 1.33 (2012-06-01)
  • Updated gettriplets to use Getopt::Long.
  • Added support for UseReauthentication to enable fast reauthentication in EAP-AKA and EAP-AKA-PRIME.
  • Added support for UseTMSI to enable fast pseudonyms in EAP-AKA and EAP-AKA-PRIME.
Revision 1.32 (2011-09-12)
  • Added support for AKA-PRIME as per RFC 5448. Requires Radiator 4.8 and latest patches or later. Added new sample eap_aka_prime_test.cfg
Revision 1.31 (2011-06-08)
  • Added missing finish() calls to AuthBy SIMSQL.
  • TestClient option in AuthBy SIM now delivers 3 triplets as required by newer eapol_test.
  • Fixed potential memory leaks in AuthBy SIM when UseReauthentication was not in use.
  • Fixed a problem where EAP-AKA authentication could fail if an EAP Response/Identity is not received as the first request in a conversation.
Revision 1.30 (2009-10-27)
  • AuthBy SIM AuthorisedHook now passes $result and $reason, allowing the hook to change the result of the authentication. Requested by Sam Lin.
Revision 1.29 (2009-08-25)
  • AuthBy SIMSQL and subclasses now support bind parameters for the SQL queries SaveTripletsQuery, SaveTMSIQuery, SaveReauthQuery, UpdateReauthQuery and DeleteReauthQuery using SaveTripletsQueryParam, SaveTMSIQueryParam, SaveReauthQueryParam, UpdateReauthQueryParam and DeleteReauthQueryParam respectively.
Revision 1.28 (2009-08-21)
  • AuthBy SIMSQL and subclasses now support bind parameters for the SQL queries GetTripletsQuery, GetTMSIQuery and GetReauthQuery, using GetTripletsQueryParam, GetTMSIQueryParam and GetReauthQueryParam respectively.
Revision 1.27 (2009-08-20)
  • Fixed a crash in goodies/sgsasim.pl.
  • AuthBy SIMSGSA now supports ConnectOnDemand. Caution: this flag will cause connect() to block until it either succeeds or fails. This can have an impact on performance if there are network problems between Radiator and the SGSA server. Caution: Requires Radiator 4.4 and patch set 1.1086 or later.
  • AuthBy SIM and subclasses now support special characters in NumTriplets and ReauthenticationRealm. Requested by Sam Lin.
  • AuthBy SIMSGSA now support special characters in SGSN and SGSNAddress. Requested by Sam Lin.
Revision 1.26 (2009-08-07)
  • Fixed a problem with EAP-SIM where some SIM clients that append a realm to a pseudonym would not be authenticated correctly when attempting to authenticate with the pseudonym. Reported by CHIROSSEL, Olivier.
Revision 1.25 (2009-07-27)
  • Fixed a problem with compatibility with some EAP-SIM and EAP-AKA clients when protected success indications are used.
Revision 1.24 (2009-06-29)
  • AuthBy SIM and subclasses are now compliant with RFC4186. Support for optional protected success indications as per RFC4186 added for both authentication and reauthentication.
  • AuthBy AKA and subclasses are now compliant with RFC4187 (reauthentication is not yet supported). Support for optional protected success indications as per RFC4187 added for authentication.
  • Improved and extended AT_MAC checking for AuthBy SIM as per RFC4186.
  • Improved and extended AT_MAC checking for AuthBy AKA as per RFC4187.
  • Testing against wpa_supplicant 0.6.9 (Caution: there is a bug in protected AKA in wpa_supplicant 0.6.9 that prevents protected results working correctly. A patch to fix this has been submitted to the author of wpa_supplicant.).
Revision 1.23 (2008-11-26)
  • Improvements to AuthBy AKATEST. The USIM card database now contains the OPc and AMF fields for each card, rather than them being configured for all cards in the AuthBy AKATEST clause. This permits easier testing against multiple cards with different Operator Codes. The format of the aka_db file is now the same as that used in hlr_auc_gw.milenage_db in hostapd.
Revision 1.22 (2008-11-11)
  • In AuthBy AKATEST, you can now specify the USIM Operator Code in its encrypted form (this is sometimes the case with some USIM test cards) by setting the 3GPPOperatorCodeEncrypted flag.
Revision 1.21 (2008-11-07)
  • Fixed a problem with AKA when the AKA identity had a trailing @xxxx decoration, resulting in incorrect master key. Reported by Jouni Malinen.
Revision 1.20 (2008-10-22)
  • AuthBy AKATEST now implements internal authentication of 3G USIM cards which use the Milenage algorithm, and for which you know the secret code.
  • Fixed a problem with encryption of Cisco ITP MAP data.
Revision 1.19 (2008-06-16)
  • Improvements to behaviour of mapUpdateLocation to be compatible with Cisco ITP support modules (available as separate download for qualified Cisco ITP customers).
Revision 1.18 (2008-01-15)
  • Updated to be compatible with Radiator 4.0. Requires Radiator 4.0 or later. Added documentation to ConfigKeywords, added activate() functions.
  • Fixed an error in computing the length of AT_RES when ResLengthInBytes is not set. Reported by Klaus Warnke.
Revision 1.17 (2006-12-04)
  • AuthBy AKA is now compliant with RFC 4187, but with an optional flag to comply with earlier draft RFC.
  • AuthBy AKA now implements Synchronisation-Failure correctly. Fixed problems with encoding of AT_AUTS, AT_RES. Sample implementation of operator-specific AuthBy AKATEST, which talks to a simple 3GPP Authentication Centre. Tested against Juniper Odyssey 4.52.0.2843 and wpa_supplicant 0.4.9.
Revision 1.16 (2006-05-15)
  • Fixed a problem in sgsasim.pl that could cause a crash with an undefined init_sock when used with recent versions of Radiator (due to changes in the Radius::Stream API). Reported by Manuel Kasper.
Revision 1.15 (2005-10-03)
  • Improved operation in the case where both UseReauthentication and UseTMSI are enabled and an unrecognised TMSI is offered by the client. Reported by Jan Zorz.
Revision 1.14 (2005-09-08)
  • Compatibility with Radiator 3.13 patch set of 2005-09-01.
Revision 1.13 (2005-08-12)
  • Testing with Funk Odyssey 4.01 client and EAP-SIM. OK.
  • Testing with Funk Odyssey 4.01 client and EAP-AKA. Not fully working.
  • Further work on EAP-AKA, against draft-arkko-pppext-eap-aka-15.txt, Funk Odyssey 4.01 client and EAP-AKA
  • AuthSIMSGSA.pm was accidentally left out of the distribution.
Revision 1.12 (2005-03-22)

Improved compatibility with AEGIS EAP-SIM client

  • Fixed a problem where an AT_IDENTITY in the Start might not be correctly interpreted if the EAP Identity did not match it. Reported by Dmitry Teleganov.
  • Cleaned up sim_get_reauth_context, removed sim_get_reauth_context_reauth_response. sim_get_reauth_context now returns the same args list as sim_get_reauth_context_reauth_response so the subclass can choose what to do. GetReauthQuery must now return REAUTH_ID fetched from the database as the second field and GetReauthQueryEAP is no longer required (goodies/eap_simoperator.cfg and goodies/eap_simsgsa.cfg updated to reflect this). This gives the subclass the opportunity to do weird things with reauth_ids in the database.
  • All functions in AuthSIMSQL now get $p passed, so subclasses and customisations can use attributes from the current request.
  • Improved compatibility with Meetinghouse Haverinen 16 EAP-SIM client.
Revision 1.11 (2005-03-17)

Support for PT SGSA MAP Gateway

  • Testing on Windows. Made prebuilt Windows PPM binaries for Chipcard-PCSC and Crypt-Rijndael, available at http://www.open.com.au/radiator/free-downloads.
  • Fixed a problem in SimCard.pm that could cause a crash during card disconnection in gettriplets etc when running on Windows.
  • Initial versions of SGSA interface code, SGSA simulator and SGSA test client, for interoperation with Performance Technologies SGSA MAP gateway (www.pt.com)
  • Fixed a number of issues with Meetinghouse AEGIS EAP-SIM client. Reported by Dmitry Teleganov.
Revision 1.10 (2004-10-05)

Haverinen 13 compatibility

  • Extensive testing with XSupplicant and hostap, courtesy Jouni Malinen.
  • Fixed a problem introduced in 1.9 to do with decoding AT_SELECTED_VERSION. Reported by Jouni Malinen.
  • Fixed errors in documentation of the order of fields in the triplets file. Reported by Jouni Malinen.
  • Fixed some interop problems with AKA and xsupplicant. Patch provided by Jouni Malinen.
  • Added support for Client-Error as required by Haverinen 13.
  • Added support for Notification as required by Haverinen 13. SIM Notification is now sent for all error conditions when using SIM version 1. SIM Version 0 either REJECTs or IGNOREs, depending on the setting of NoSilentDeny.
  • Improved support for fast re-authentication after COUNTER_TOO_SMALL.
  • Added missing example GetReauthQueryEAP to sample eap_simoperator.cfg. Reported by Jouni Malinen.
  • Caution: Due to changes in the behaviour of MySQL 4, the suggested table structure for the example SIMOPERATOR has changed. MySQL 4 has changed the behaviour of the ‘replace’ query in a way that is incompatible with earlier versions. Previously ‘replace’ would not alter columns that were not explicitly mentioned in the query. This has resulted in the previous sample TMSI and Reauthentication ‘replace’ queries not working as required. The example table structure for SIMOPERATOR is now one table for pseudonyms and one for reauthentication data. See new example MySQL tables in goodies/eap-sim-mysql.sql
Revision 1.9 (2004-09-01)
  • Fixed a problem where EAP requests were not correctly ignored.
  • Fixed a problem in SIM and AKA attribute decoding where an empty variable length attribute could be unpacked incorrectly.
  • Fixes for compatibility with the xsupplicant AKA client, with much assistance from Chris Hessing. Partial Arkko version 12 compatibility.
Revision 1.8 (2004-03-27)
  • Fixed incorrect documentation of the order of KC, SRES, RAND in triplet usage. Reported by Neil Schonwald.
  • New Config parameter implemented NoSilentDeny – if set the Server sends REJECT instead of IGNORE. Contributed by Martin Noha.
  • MaxReauthentication implemented (config parameter works). Contributed by Martin Noha.
  • Error in request GPRS Update corrected. It was called during re-Authentication but not during full Authentication. Contributed by Martin Noha.
  • Improvements to AuthSIMOPERATOR: if the MAP gateway returns anything other than an Access-Accept, the client's request is rejected. Contributed by Martin Noha.
Revision 1.7 (2003-10-21)

Improved reauthentication support, Minor fixes

  • New attributes in dictionary.sim.
  • Removed debugging in reauthentication code.
  • Fixed some typos in AuthAKA.pm after initial testing by Chris Hessing.
  • Testing of reauthentication with several different clients by Noha.
Revision 1.6 (2003-10-03)

Improved reauthentication support, Minor fixes

  • EAP Request/SIM/Challenge contained incorrect attributes if reauthentication was enabled. AT_COUNTER and AT_NONCE were incorrectly included.
  • Fixed an error in the calculation of the length of AT_PADDING.
  • Fixed an error in README about how to test the MAP simulator with the example saved triplets. IMSI was wrong.
  • Fixed a problem where a client with no version number was accepted, even if the SupportVersions list did not include version 0.
  • Added ReauthenticationRealm to AuthBy SIM. ReauthenticationRealm will be appended to the reauthentication ID. It may be used to ensure Radius routing gets the reauthentication request back to this server. Defaults to empty string.
  • Improvements to Haverinen 11 reauthentication, including changes to API for sim_get_reauth_context, sim_save_reauth_context and sim_update_reauth_context, plus new columns in example SQL table for SIMOPERATOR.
  • TMSI and reauthentication IDs reduced to 16 hex characters due to problems in clients caused by ids with 32 hex characters.
  • AuthSIMOPERATOR and example mysql tables adjusted to store master key to enable calculation of new MPPE keys during reauthentication.
  • Fixed problem with MPPE keys during reauthentications.
  • Added DeleteReauthQuery and reauth context deletion code, to support incorrect counters etc.
  • Added some more attributes for GSM to dictionary.sim.
Revision 1.5 (2003-08-28)

Improvements to MAP gateway simulator

  • Fixed a problem where AT_ANY_ID_REQ was not correctly defined.
  • SIM card access routines moved to Radius/SimCard.pm for easy access and reuse
  • AuthBy SIM $context->{imsi} now has the leading 1 stripped from it, which is the real IMSI, as defined by the GSM operators.
  • AuthBy MAP gateway can now read saved triplets from a data file. New script goodies/getttriplets can read triplets from a SIM card and save them in such a triplets data file. This means that you can now test the EAP-SIM module without needing duplicate cards. You only need to save some triplets from any GSM SIM card to a data file, then the same card can be used in an EAP-SIM client. AuthBy MAP can still read from a locally connected SIM card if triplets are not found in the data file.
  • Added goodies/README file
Revision 1.4 (2003-08-21)

Minor fixes.

  • Added support for SupportVersions parameter, which allows you to control which client versions to support. Defaults to all the versions the software can support.
  • Fixed an error in the Actual Version List Length part of the AT_VERSION_LIST parameter.
  • Fix so that an identity that does not look like either an IMSI or TMSI will result in an AT_ANY_ID_REQ. By default, IMSIs are expected to be 16 digits, starting with a 1 with an optional realm.
Revision 1.3 (2003-08-08)

Beta testing, Haverinen 11 compliance, new features, performance improvements etc

  • Added GSM-TMSI to dictionary.sim
  • SIM and AKA both now use Digest::HMAC_SHA1 to implement hmac_sha1_128. New prerequisite is Digest-HMAC-1.01 (in order to get access to Digest::HMAC_SHA1). Results in performance improvement.
  • A number of subclassable functions in AuthSIM and AuthSIMOPERATOR had their names changed to add the prefix ‘sim_’, in order to allow future coexistence and compatibility with AKA.
  • The majority of the SIM identity response code was moved from EAP_18.pm to AuthSIM.pm for easier understanding and subclassing.
  • AT_VERSION of 1 is now taken to be Haverinen draft 11. Compatibility with latest Secartis client.
  • Multiple changes to AuthSIMOPERATOR and the names of the functions required to be overridden.
  • Added support for AT_CHECKCODE to EAP-SIM per Haverinen 11. Requires patches of 2003-08-06 or later for Radiator 3.6.
  • Added support for Reauthentication to EAP-SIM per Haverinen 11 (beta testing).
  • Added support for Pseudonyms to EAP-SIM per Haverinen 11 (beta testing).
  • Added new table SIMUSER to sample SQL file
Revision 1.2 (2003-06-06)

External alpha testing

  • FIPS algorithm moved to separate file FIPS.pm for sharing
  • Added early version of EAP-AKA support for client development purposes, including goodies/eap_aka.cfg Radius/EAP_23.pm Radius/AuthAKA.pm
  • Added support for AuthorisedHook to AuthBy SIM. Useful for adding interesting things to the final Access-Accept, and other operator specific final cleanup things.
Revision 1.1 (2003-06-06)

External alpha testing

  • Top level operator specific module example renamed to AuthSIMOPERATOR.pm. Similar changes for eap_simoperator.cfg etc.
  • Added eap-sim-whitepaper.pdf, history.html etc.
  • Testing with Cisco ACU version 1.1 EAP-SIM on XP (requires Cisco patch from ftp://ftpeng.cisco.com/ftp/pwlan/eapsim/CiscoEapSimV5.zip), including end-to-end testing with the MAP simulator and 2 identical GSM SIM cards.
  • AuthMAP.pm now uses latest version of pcsc-lite (1.1.1) and pcsc-perl (1.2.2). Caution: AuthMAP.pm is now incompatible with earlier versions of pcsc-perl.
Revision 1.0 (2003-01-23)
Initial version external evaluation