Cisco Cisco 3G Wireless WAN High-Speed WAN Interface Card
© 2014 Cisco and/or its affiliates All rights reserved. This document is Cisco Public Information. Page 5 of 23
SIM Security Guide for ISR and CGR with Verizon Wireless 4G LTE
Basic Guidelines and Configuration for LTE SIM Lock
The EHWIC-4G-LTE-V needs an active SIM (Subscriber Identity Module) provided by Verizon Wireless, who provides
the SIM. The SIM cards are given out as either unlocked (can be used without a PIN) or locked (will require PIN
configuration). Cisco IOS provides a feature to lock and unlock a SIM, along with setting or changing the PIN code.
This will ensure that the SIM is only used in an authorized device (in this case, a Cisco ISR G2). The SIM lock and
unlock procedure is carried out using the Cisco Command Line Interface (CLI) via console or telnet to the ISR. This
feature is explained below.
The SIM can be in two states- locked or unlocked. If the SIM card is unlocked, the SIM can be inserted into the EHWIC
and used without an authorization code.
The SIM lock command can be used to lock the SIM using a PIN code defined by the ISR administrator. The SIM can
be initially locked (with a 4 to 8 digit code defined by the ISR administrator). Once the SIM is locked, it cannot initiate a
data call unless authentication is done by IOS using the same PIN. This authentication is done automatically by IOS.
The required configuration for this is done via Cisco IOS CLI as part of the router start-up configuration.
the SIM. The SIM cards are given out as either unlocked (can be used without a PIN) or locked (will require PIN
configuration). Cisco IOS provides a feature to lock and unlock a SIM, along with setting or changing the PIN code.
This will ensure that the SIM is only used in an authorized device (in this case, a Cisco ISR G2). The SIM lock and
unlock procedure is carried out using the Cisco Command Line Interface (CLI) via console or telnet to the ISR. This
feature is explained below.
The SIM can be in two states- locked or unlocked. If the SIM card is unlocked, the SIM can be inserted into the EHWIC
and used without an authorization code.
The SIM lock command can be used to lock the SIM using a PIN code defined by the ISR administrator. The SIM can
be initially locked (with a 4 to 8 digit code defined by the ISR administrator). Once the SIM is locked, it cannot initiate a
data call unless authentication is done by IOS using the same PIN. This authentication is done automatically by IOS.
The required configuration for this is done via Cisco IOS CLI as part of the router start-up configuration.
Once the IOS configuration is in place, the ISR can initiate an LTE connection and the ISR will use the configured PIN
to authenticate prior to connecting. If the IOS PIN configuration is missing or is wrong, the authentication will fail and
the LTE connection will not succeed.
If the locked SIM is moved to a different ISR or another device, or if the EHWIC in which the locked SIM resides is
moved to a different eHWIC slot in the same ISR, the configuration of the new or changed ISR needs to be changed.
The configuration is associated with the cellular controller that is specific an ISR EHWIC slot number. This will ensure
the SIM card will be not be used in any unauthorized device. An authentication command (with the same PIN used to
lock the SIM) must be defined on the new device or on the new cellular controller slot in order to successfully make the
LTE connection.
to authenticate prior to connecting. If the IOS PIN configuration is missing or is wrong, the authentication will fail and
the LTE connection will not succeed.
If the locked SIM is moved to a different ISR or another device, or if the EHWIC in which the locked SIM resides is
moved to a different eHWIC slot in the same ISR, the configuration of the new or changed ISR needs to be changed.
The configuration is associated with the cellular controller that is specific an ISR EHWIC slot number. This will ensure
the SIM card will be not be used in any unauthorized device. An authentication command (with the same PIN used to
lock the SIM) must be defined on the new device or on the new cellular controller slot in order to successfully make the
LTE connection.
Locking the SIM card with a PIN
cellular lte sim lock
To lock or unlock the SIM card provided by your service provider, use the cellular lte sim lock command in privileged
EXEC mode. Note that a Verizon LTE SIM ships unlocked, and the default PIN is 1111. Note that SIM lock must be
first enabled with the default PIN first, then a new PIN can be defined and configured. To
EXEC mode. Note that a Verizon LTE SIM ships unlocked, and the default PIN is 1111. Note that SIM lock must be
first enabled with the default PIN first, then a new PIN can be defined and configured. To
cellular
slot/wic_slot/port lte sim lock <pin>
Command Default
None.
Command Modes
Privileged EXEC
Usage Guidelines
To verify the SIM lock, use the show cellular <slot/wic_slot/port|0> security command.
To change the PIN, use the cellular <slot/wic_slot/port|0> lte sim change-pin <current PIN> command.
To change the PIN, use the cellular <slot/wic_slot/port|0> lte sim change-pin <current PIN> command.
Examples
See section: Console log examples of basic configuration