A SIM that is installed on the node can be secured using a personal identification number (PIN). The PIN is a 4- to 8-digit code that is used to control access to information stored on the SIM. The PIN is stored on the SIM and is used to lock the SIM, unlock the SIM, or change the PIN value.
To secure a node, the PIN needs to be set and the SIM must be locked using the PIN. When locked, the SIM cannot be used to access the cellular network unless the PIN is present in the configuration file of the node operating the SIM. If the locked SIM is inserted into another node that does not have the correct PIN configured for the SIM, the SIM will not allow access to the cellular network. If the number of attempts made to access the cellular network using an incorrect PIN exceeds the number of attempts allowed by the SIM, then the SIM will become blocked and will not allow any further attempts to gain access the cellular network.
When a SIM is procured from a carrier, the PIN is either not set or sometimes set to a default value such as 0000 or 1111. When a locked SIM is first installed in the node, the operator must enter the default PIN in the node system configuration twice. When stored in the system configuration, the PIN provides access to the locked SIM, both to read information from the SIM and to grant access to the cellular network.
The PIN can be stored in the system configuration in encrypted form to keep the PIN value secret.
Avoid entering an invalid PIN in the system configuration. If an invalid PIN is saved to the system configuration file, the system will attempt to enter that PIN on the SIM each time the system reboots. This will eventually exhaust the number of available PIN retries for the SIM and make the SIM inoperative until it is unblocked with the personal unblocking key (PUK).
In addition, if multiple attempts are made to either lock or unlock the SIM using an incorrect PIN, the SIM becomes blocked. In both cases, the SIM must be unblocked using the PUK.
The number of allowed attempts to access a SIM depends on the SIM. The ‟PIN retries left” field under the SIM Card heading in the show>port CLI output indicates the number of attempts left before the SIM is blocked and must be unblocked to establish cellular connections.
If the SIM becomes blocked, the operator must enter the personal unblocking key (PUK) in the CLI to unblock the SIM and reset the PIN. The PUK is stored on the SIM and must be acquired from the service provider or administrator.
Many carriers provide unlocked SIMs. If an unlocked SIM is installed in a node, the operator does not need to know the PIN or configure the PIN in order for a cellular port to become operational. For example, during the ADP-Hm process, setting the PIN before attempting to connect to the network is not required.
The default PIN can be changed on the SIM using the tools>perform>mda>cellular>sim>change-pin command. If the default PIN is changed on the SIM, the system configuration must be updated with the new PIN value using the config>card>mda>cellular>sim>pin command.
The commands described below are available for SIM security. All of the SIM security commands are in the tools>perform>mda>cellular>sim context.
The SIM specified in the tools>perform>mda>cellular>sim commands must be the currently active SIM. If the SIM is not the currently active SIM, the commands fail.
lock-sim—this command locks the SIM and enables the PIN verification function on the SIM. A locked SIM verifies the PIN stored in the system configuration for operation. To lock the SIM, the operator must enter the current PIN.
unlock-sim—this command unlocks the SIM and disables the PIN verification function on the SIM. To unlock the SIM, the operator must enter the current PIN.
unblock-sim—this command unblocks a SIM that is currently blocked because too many attempts were made to access the SIM with an incorrect PIN. To unblock the SIM, the operator must enter the PUK for the SIM and then enter a new PIN twice. The lock/unlock state of the SIM does not change when it becomes unblocked.
change-pin—this command allows the operator to change the PIN value on the SIM. The operator must enter the existing PIN and then enter the new PIN twice correctly to change the PIN. The command is shown in the output below.
A:Dut-A# tools perform mda 1/1 cellular sim 1 change-pin
Enter current PIN:
Enter new PIN:
Re-enter new PIN:
When an operator successfully locks a SIM, unblocks a SIM, or changes a SIM PIN, the system updates the PIN value in the system configuration. However, the system does not automatically save the system configuration containing the new PIN. The operator must perform an admin>save command immediately after changing the PIN in order to save the new PIN in the system configuration file and avoid potential service interruptions such as the node becoming unreachable.
If the SIM becomes blocked when setting the PIN remotely using in-band management over a cellular port, the node will be unreachable. Physical access to the node will be required to unblock the SIM.
Changes can only be made to the currently active SIM. If changes to the backup SIM in a dual SIM deployment are required, then a SIM switchover must be performed in order to modify the backup. Before switching over to the backup SIM, the operator must ensure that it is operational and not locked. The operator should configure the down-recovery-interval command and ensure that one of the SIMs is operational in order to reduce the risk of the node becoming unreachable.