This section describes the configuration parameters of a
<TemporaryIdentityAES> clause. This clause provides support for creating
pseudonyms, also called Temporary Mobile Subscriber Identity (TMSI), and
re-authentication identity values, by encrypting the IMSI together with a
random string. See 3GPP TS 33.402 version 13.1.0, or later, Section 14 for
the detailed algorithm. The algorithm was originally published in 3GPP
TS 33.234 up to version 13.0.0, after which it was moved to TS 33.402. When
IMSI-based temporary identity generation is not enabled, random strings are
used. This is the default behaviour.
Note
Currently only TMSI generation is supported. An SQL database is not
needed for storing TMSIs.
Both IMSI encryption, configured with <IMSICrypt>, and encrypted temporary
identities can be enabled at the same time.
Temporary identities are supported by all EAP-SIM, EAP-AKA, EAP-AKA'
and 3GPP AAA Server configuration clauses. To enable temporary identities,
modify the Radiator configuration as follows:
- First define a <TemporaryIdentityAES> clause with an Identifier parameter.
- Then add the TemporaryIdentity configuration parameter to the AuthBy clauses.
For required software versions and modules, see Section 2.1. Prerequisites.
A brief configuration sample is below and a full configuration example is in
file goodies/temporary-identity.cfg
<TemporaryIdentityAES>
    # Identifier is used by AKA and SIM clauses to refer to this
    # clause for identity encryption and decryption.
    Identifier temporary-id-aes
    # Multiple keys can be configured at the same time.
    # CurrentKey defines the key that is actively used for encryption.
    CurrentKey 0
    # Keys are numbered from 0 to 15. CurrentKey sets the key that is used for
    # encryption. All configured keys are used for decryption to allow key rollover.
    Key 0, 30303030303030303030303030303030
    # Key 1, %{GlobalVar:key1}
    Key 15, 00112233445566778899aabbccddeeff
</TemporaryIdentityAES>
<AuthBy AKAWX>
    # Other AKAWX configuration parameters
    TemporaryIdentity temporary-id-aes
</AuthBy>
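
An added example, not part of the Radiator documentation or distribution: a small Python linter for the clause described above. It checks that CurrentKey points to a configured key, that key indexes fall in 0 to 15, that AuthBy references resolve to a defined Identifier, and that the sample keys printed on this page were not deployed. The function name lint_temporary_identity, the 32-hex-digit key length (taken from the sample) and the test configuration are assumptions.

```python
import re

# Key values printed in this page's sample; they are public, so flag any reuse.
PUBLISHED_SAMPLE_KEYS = {"30303030303030303030303030303030", "00112233445566778899aabbccddeeff"}

def lint_temporary_identity(cfg):
    """Return findings for the TemporaryIdentityAES clauses in a config text."""
    findings, identifiers = [], set()
    for body in re.findall(r"<TemporaryIdentityAES>(.*?)</TemporaryIdentityAES>", cfg, re.S):
        ident, current, keys = None, None, {}
        for line in map(str.strip, body.splitlines()):
            if not line or line.startswith("#"):
                continue  # a commented-out Key line is not a configured key
            name, value = (line.split(None, 1) + [""])[:2]
            if name == "Identifier":
                ident = value
            elif name == "CurrentKey":
                current = value
            elif name == "Key":
                index, _, key = (part.strip() for part in value.partition(","))
                keys[index] = key
        identifiers.add(ident)
        for index, key in keys.items():
            if not index.isdigit() or int(index) > 15:
                findings.append(f"{ident}: key index {index} is outside 0..15")
            # Assumed 128-bit keys, as in the page's sample; %{...} is filled in at run time.
            if "%{" not in key and not re.fullmatch(r"[0-9a-fA-F]{32}", key):
                findings.append(f"{ident}: key {index} is not 32 hex digits")
            elif key.lower() in PUBLISHED_SAMPLE_KEYS:
                findings.append(f"{ident}: key {index} is a published sample key")
        if current is not None and current not in keys:
            findings.append(f"{ident}: CurrentKey {current} has no matching Key line")
    refs = re.findall(r"^\s*TemporaryIdentity\s+(\S+)", cfg, re.M)
    findings += [f"AuthBy refers to undefined Identifier {r}" for r in refs if r not in identifiers]
    return findings

# Constructed sample: stale CurrentKey, index 16, documentation key, misspelt reference.
SAMPLE = """
<TemporaryIdentityAES>
    Identifier temporary-id-aes
    CurrentKey 1
    Key 0, 30303030303030303030303030303030
    # Key 1, %{GlobalVar:key1}
    Key 16, 5f1c0a9e77d24b3a8c6e1d0f9b2a4c3d
</TemporaryIdentityAES>
<AuthBy AKAWX>
    TemporaryIdentity temporary-id-eas
</AuthBy>
"""
```

Calling lint_temporary_identity(SAMPLE) returns one finding per defect; a configuration whose keys come from %{GlobalVar:...} substitutions passes the key-format checks because the values are not visible in the file.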