RE: EAP SIM and AKA identities.
From: henry.haverinen (henry.haverinennokia.com)
Date: Mon, 11 Apr 2005 05:20:58 -0400 (EDT)
 
Hi Suresh,
 
Please see inline.
 
 -----Original Message-----
From: eap-admin [at] frascone.com [mailto:eap-admin [at] frascone.com]On Behalf Of ext Suresh
 
Hello Henry,

Thanks for the mail. Just to consolidate my understanding, Identity exchanged in the EAP-Identity/Response, can be obfuscated, truncated, or decorated. This information can be used to select the method for authentication, and some routing information. So, if the Identity exchanged in the EAP-Identity/Response, has user name, which is prepended with "0", then the authentication method to be selected can be AKA. If prepended with "1", then the authentication method can be SIM. This is how, permanent user names if sent, the server has the clue to select the authentication methods.
 
Right. The drafts recommend the server not to rely on the identity string sent in EAP-Identity/Response.
The leading digit may be used as an EAP method selection hint during method negotiation, but there may
be other ways to select the EAP method, too.
 
Of course this has to be done, only during EAP-Identity/response phase, not during AT_IDENTITY, as in the latter case, method is already known.
Is my understanding correct?
 
 
Yes, you are right that the contents of the identity in AT_IDENTITY must not be used as any kind of
hint to select the EAP method anymore. But if you compose the permanent user name from the IMSI
as specified in the drafts, then you must prepend the leading digit in all cases, even for AT_IDENTITY.
For simplicity, the drafts only specify one format for the permanent identity, and that format
is used always.
 
Best regards,
Henry
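
The identity handling discussed in this thread, as an added Python example that is not part of the original message or of the drafts: the leading digit is always part of the permanent user name, is treated only as a hint when it arrives in EAP-Response/Identity, and never selects the method once AT_IDENTITY is being processed. The function names, the 6 to 15 digit IMSI check, the sample IMSI and the realm `example.org` are assumptions made for illustration.

```python
import re

# Leading digit -> method, as stated in the thread ("0" = AKA, "1" = SIM).
METHOD_BY_DIGIT = {"0": "AKA", "1": "SIM"}
DIGIT_BY_METHOD = {m: d for d, m in METHOD_BY_DIGIT.items()}
# Assumption for this example: an IMSI is 6 to 15 decimal digits.
IMSI_RE = re.compile(r"[0-9]{6,15}")


def permanent_identity(method, imsi, realm=None):
    """Compose the permanent identity. The same format, leading digit
    included, is used in EAP-Response/Identity and in AT_IDENTITY."""
    if not IMSI_RE.fullmatch(imsi):
        raise ValueError("IMSI must be 6-15 decimal digits")
    user = DIGIT_BY_METHOD[method] + imsi
    return f"{user}@{realm}" if realm else user


def method_hint(eap_identity):
    """Hint derived from EAP-Response/Identity only. None means the string
    gives no usable hint (obfuscated, truncated, decorated, or not a
    permanent identity) and the method must be selected some other way."""
    user = eap_identity.split("@", 1)[0]
    if user[:1] in METHOD_BY_DIGIT and IMSI_RE.fullmatch(user[1:]):
        return METHOD_BY_DIGIT[user[0]]
    return None


def imsi_from_at_identity(running_method, at_identity):
    """Inside a running method the digit is format, not a selector: the
    method stays as negotiated, and a string that does not match the
    permanent format for that method yields None."""
    user = at_identity.split("@", 1)[0]
    expected = DIGIT_BY_METHOD[running_method]
    if not user.startswith(expected) or not IMSI_RE.fullmatch(user[1:]):
        return None
    return user[1:]


if __name__ == "__main__":
    imsi = "001010123456789"  # constructed sample IMSI
    ident = permanent_identity("AKA", imsi, "example.org")
    print(ident, method_hint(ident), imsi_from_at_identity("AKA", ident))
```
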
 
 
 
 
