[Wimax TTLS with Alcatel - Lucent ASN GW]

Thomas Fagart tfagart at brozs.net
Fri Apr 3 13:37:26 CEST 2009


Thanks for the hint, it works well now.

I've got another question for my setup to work.

I've noticed using Wireshark that Freeradius will "break" the TLV Attribute
into two attribute parts.

For example, when I configure this in the users file

#ATTRIBUTE       WiMAX-Packet-Flow-Descriptor            28
        WiMAX-Packet-Data-Flow-Id=1,
        WiMAX-Service-Data-Flow-Id=1,
        WiMAX-Direction=3,
        WiMAX-Transport-Type=1,
        WiMAX-Activation-Trigger=4,
        WiMAX-Uplink-QOS-Id=1,
        WiMAX-Downlink-QOS-Id=2,

And I have a look at the capture

The capture will display the attribute
WiMAX-Packet-Flow-Descriptor (28) two times; the first part will contain the first 6
sub attributes, and the second part the last 4 sub attributes.

I would like all the sub attributes to be in one part.

I've read the documentation contained at the beginning of dictionary.wimax.
I've the feeling that this might be related, but I don't understand it
properly. (There's a part where it talks about size limitation?)

So here are my questions

1. Is there a way to have it in one part ?

2. Is there a way to specify the main attribute directly (instead of
specifying each sub attribute)?

Something like this

WiMAX-Packet-Flow-Descriptor=0x000104000102040001040303060301050304070301080302

Regards

Thomas


On Fri, 03 Apr 2009 01:28:32 +0100, <tnt at kalik.net> wrote:
>>Using basic setup, Freeradius successfully authenticates requests coming
>>from CPE Wimax through ASN Alcatel GW (called WAC) using EAP/TTLS
>>
>>Fri Apr  3 01:05:10 2009 : Auth: Login OK: [00210400E0D7 at test.fr/<via
>>Auth-Type = EAP>] (from client wimax port 0 cli 00-21-04-00-E0-D7)
>>Fri Apr  3 01:05:19 2009 : Auth: Login OK: [cpe2-lab at test.fr/<via
>>Auth-Type = mschap>] (from client wimax port 0 via TLS tunnel)
>>
>>I now have 2 issues to fill properly the access accept with correct
>>attribute. (This needs might be weird, but it is the way this ASN GW
>>works)
>>
>>1. I would like that the outer access accept contains  attributes coming
>>from  the inner access accept
>>
>>So I tried to use the update outer.reply on post-auth section of the
>>inner-tunnel virtual server
>>
>>        update outer.reply {
>>                #User-Name = "%{request:User-Name}"
>>                WiMAX-Packet-Data-Flow-Id =
>>"%{request:WiMAX-Packet-Data-Flow-Id}"
>>        }
>>
>>But as I understand, you can only use "request" from the inner tunnel,
>>but not the attribute contained in the reply of the inner tunnel. Is
>>that true ? Is there a way to do that.
>>
>>To be more precise this is the reply in the inner tunnel
>>
>>Fri Apr  3 01:13:33 2009
>>        Packet-Type = Access-Accept
>>        WiMAX-Packet-Data-Flow-Id = 1
>>        WiMAX-Service-Data-Flow-Id = 1
>>        WiMAX-Service-Profile-Id = 1
>>        WiMAX-Direction = Bi-Directional
>>        WiMAX-QoS-Id = 1
>>        WiMAX-Media-Flow-Type = Robust-Browser
>>        WiMAX-Schedule-Type = Best-Effort
>>        WiMAX-Traffic-Priority = 0
>>        WiMAX-Maximum-Sustained-Traffic-Rate = 512000
>>        MS-CHAP2-Success =
>>0xdf533d37443041423038393133393032414333353841304630414336383132453546434243364130323046
>>        MS-MPPE-Recv-Key = 0x1d7c9b57392b589e2849640bad969199
>>        MS-MPPE-Send-Key = 0x4aa107e5fa9573846af44d21c5080749
>>        MS-MPPE-Encryption-Policy = 0x00000001
>>        MS-MPPE-Encryption-Types = 0x00000006
>>
>>and the one in the outer tunnel
>>
>>Fri Apr  3 01:13:34 2009
>>        Packet-Type = Access-Accept
>>        MS-MPPE-Recv-Key =
>>0x6b185c55d7785700e6f52c9ae0160945476aa4ab9e5b699dc6cffb5427c06395
>>        MS-MPPE-Send-Key =
>>0x009d98e233e6911f97346381a77e90d01b7d41b3aa82dbf6ce56f54bb9b2598b
>>        EAP-MSK =
>>0x6b185c55d7785700e6f52c9ae0160945476aa4ab9e5b699dc6cffb5427c06395009d98e233e6911f97346381a77e90d01b7d41b3aa82dbf6ce56f54bb9b2598b
>>        EAP-EMSK =
>>0xc5f48626093f9313c5090254ffc375d4594bf6570025a260801e4b8d0ff852167d0748bd50b27d214b0ee67c1bbe1a4395faf094a8cb56663177fa8f32586f40
>>        EAP-Message = 0x03f00004
>>        Message-Authenticator = 0x00000000000000000000000000000000
>>        User-Name = "00210400E0D7 at test.fr"
>>
>>
>>I would like the reply of the outer tunnel to contain all the Wimax
>>Attribute I got in the inner.
>>
> 
> Set use_tunneled_reply in ttls section of eap.conf.
> 
>>2. For some weird reason again, Alcatel ASN needs to receive two times
>>the same attribute with different value (Actually this
>>WiMAX-QoS-Descriptor (TLV Attribute))
>>I guess this is not very compliant with RFC, but is there a way to send
>>2 times the same attribute in the same reply.
>>
>>I've tried that but without surprise this send only the first part of
>>the attribute
>>
>>cpe2-lab at test.fr Cleartext-Password := "xxx"
>>        WiMAX-Packet-Data-Flow-Id=1,
>>        WiMAX-Service-Data-Flow-Id=1,
>>        WiMAX-Service-Profile-Id=1,
>>        WiMAX-Direction=Bi-Directional,
>>        WiMAX-QoS-Id=01,
>>        WiMAX-Media-Flow-Type=Robust-Browser,
>>        WiMAX-Schedule-Type=BEST-EFFORT,
>>        WiMAX-Traffic-Priority=0,
>>        WiMAX-Maximum-Sustained-Traffic-Rate=512000,
>>        WiMAX-QoS-Id=02,
>>        WiMAX-Media-Flow-Type=Robust-Browser,
>>        WiMAX-Schedule-Type=BEST-EFFORT,
>>        WiMAX-Traffic-Priority=0,
>>        WiMAX-Maximum-Sustained-Traffic-Rate=512000
>>
>>
>>Maybe using perl module in the post-auth ?
>>
> 
> Use += operator and add them twice. In whatever module you added them
> first time.
> 
> Ivan Kalik
> Kalik Informatika ISP
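
For checking a capture against the question above, a small decoder written for this page as an added example (not code from the thread or from FreeRADIUS). It reads the posted hex value as a WiMAX continuation byte followed by sub-TLVs and counts how many WiMAX-Packet-Flow-Descriptor attributes a reply carries. The sub-attribute names are inferred by matching the hex against the users-file values in the post, and the SPLIT and FRAGMENTED samples are constructed.

```python
WIMAX_VENDOR_ID = 24757       # WiMAX Forum enterprise number
PACKET_FLOW_DESCRIPTOR = 28   # from the "#ATTRIBUTE ... 28" line in the post

# Assumption: names inferred by lining the posted hex up with the users entry.
SUB_NAMES = {1: "Packet-Data-Flow-Id", 2: "Service-Data-Flow-Id", 4: "Direction",
             5: "Activation-Trigger", 6: "Transport-Type",
             7: "Uplink-QOS-Id", 8: "Downlink-QOS-Id"}

def parse_tlvs(data):
    """Decode sub-TLVs: 1-byte type, 1-byte length (header included), value."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError(f"malformed sub-TLV at offset {i}")
        t, l = data[i], data[i + 1]
        out.append((SUB_NAMES.get(t, f"sub-{t}"),
                    int.from_bytes(data[i + 2:i + l], "big")))
        i += l
    return out

def wimax_vsa(wtype, tlv_bytes, more=False):
    """Build one Vendor-Specific (26) attribute in the WiMAX layout."""
    body = bytes([wtype, len(tlv_bytes) + 3, 0x80 if more else 0x00]) + tlv_bytes
    return bytes([26, len(body) + 6]) + WIMAX_VENDOR_ID.to_bytes(4, "big") + body

def flow_descriptors(attrs):
    """Sub-TLV list per descriptor; fragments with the C bit set are joined."""
    found, pending, i = [], b"", 0
    while i + 2 <= len(attrs):
        t, l = attrs[i], attrs[i + 1]
        if l < 2 or i + l > len(attrs):
            raise ValueError(f"malformed attribute at offset {i}")
        v = attrs[i + 2:i + l]  # vendor-id(4) type(1) length(1) continuation(1) value
        if (t == 26 and len(v) >= 7 and v[4] == PACKET_FLOW_DESCRIPTOR
                and int.from_bytes(v[:4], "big") == WIMAX_VENDOR_ID):
            pending += v[7:4 + v[5]]
            if not v[6] & 0x80:  # continuation bit clear: value is complete
                found.append(parse_tlvs(pending))
                pending = b""
        i += l
    return found

# Value from the post: continuation byte 0x00, then seven sub-TLVs.
POSTED = bytes.fromhex("000104000102040001040303060301050304070301080302")
ONE = wimax_vsa(28, POSTED[1:])
# Constructed: the same sub-TLVs sent as two independent attributes ...
SPLIT = wimax_vsa(28, POSTED[1:15]) + wimax_vsa(28, POSTED[15:])
# ... and as one value fragmented with the continuation bit.
FRAGMENTED = wimax_vsa(28, POSTED[1:15], more=True) + wimax_vsa(28, POSTED[15:])
```

Two entries from flow_descriptors() mean the receiver sees two separate descriptors; one entry means a single descriptor, whether it arrived whole or as continuation fragments.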