Access Req from HA rejected

Jay Xiong jayxiong007 at gmail.com
Thu Jul 2 18:08:42 CEST 2009


Kiran,

The WiMAX Forum does not define the user authentication between the HA and
the HAAA. The HAAA relies solely on the shared secret between the HA and the
HAAA to validate that the request from the HA is good. Its security model uses
the MIP keys to authenticate users that have been authenticated into the ASN
gateway at the HA. What you need to do is set Auth-Type := Accept if it is the
HA. You may use hints to indicate it is the HA instead of the ASN gateway.

Thanks,

Jay Xiong

On Fri, Jun 26, 2009 at 6:12 PM, Ben Wiechman<wiechman.lists at gmail.com> wrote:
> If you are not generating the original keying material (i.e. you are the
> V-AAA) I would think you would need to proxy this request to the H-AAA as
> well, as the required keys are going to be available there. You are not
> receiving the WiMAX-vHA-IP-MIP4, which would indicate that the V-AAA is
> capable of assigning the required keys.
>
> From the Steel Belted docs:
> 6. The home agent performs an authentication check by sending the HAAA server
> an Access-Request message requesting its cryptographic keys for the Mobile IP
> session. The Access-Request message contains the home agent's cryptographic
> keys (MN-HA-MIP4-SPI and HA-RK-SPI).
> 7. The HAAA server responds to the Access-Request message by sending the
> home agent an Access-Accept message containing its cryptographic keys:
> MN-HA-MIP4-KEY, MN-HA-MIP4-SPI, HA-RK-KEY, HA-RK-SPI, and
> HA-RK-Lifetime.
>
> Ben
>
> From: freeradius-users-bounces+wiechman.lists=gmail.com at lists.freeradius.org
> [mailto:freeradius-users-bounces+wiechman.lists=gmail.com at lists.freeradius.org] On Behalf Of Kiran Kumar
> Sent: Thursday, June 18, 2009 4:58 AM
> To: freeradius-users at lists.freeradius.org
> Subject: Access Req from HA rejected
>
> Hi All,
>
> I am using FreeRADIUS to test proxy authentication from the H-AAA; the
> initial authentication (proxied through the H-AAA) goes through fine. But the HA
> then triggers an Access-Request message (we are using PMIP), and this fails
> at FreeRADIUS. I suspect this is because the HA root keys etc. are not
> generated by FreeRADIUS but by the H-AAA. Can you please let me know what
> configuration needs to be done to get this scenario working?
>
> Sending Access-Accept of id 161 to 10.142.139.65 port 52687
>         MS-MPPE-Recv-Key = 0x6ef829271559b13ef642c20c60522275590132e27a5b64d744e77799f12508b0
>         MS-MPPE-Send-Key = 0x3b0dfc2d198cebbd3fe32e9b3a8e1fad36f26f1b8595ea5cd1698eb52d29d872
>         EAP-Message = 0x03080004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "user at isp2.wimaxlab.com"
> Finished request 7.
> Going to the next request
> Waking up in 4.3 seconds.
> rad_recv: Access-Request packet from host 10.142.139.65 port 52687, id=162, length=201
>         User-Name = "user at isp2.wimaxlab.com"
>         NAS-IP-Address = 10.142.139.68
>         Service-Type = Framed-User
>         Framed-IP-Address = 0.0.0.0
>         Vendor-Specific = 0x00001fe4180600000003
>         Vendor-Specific = 0x00001fe4a9060a8e8b46
>         WiMAX-Release = "1.0"
>         WiMAX-Accounting-Capabilities = 3
>         WiMAX-GMT-Timezone-offset = 3600
>         WiMAX-hHA-IP-MIP4 = 10.142.139.70
>         WiMAX-MN-hHA-MIP4-SPI = 512
>         WiMAX-HA-RK-SPI = 512
>         NAS-Identifier = "HA_ISP1"
>         Event-Timestamp = "Jun 18 2009 09:36:50 GMT"
>         Message-Authenticator = 0x7fc30b3f450c08556a469367efb2d166
>         Chargeable-User-Identity = "NUL"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] Looking up realm "isp2.wimaxlab.com" for User-Name = "user at isp2.wimaxlab.com"
> [suffix] No such realm "isp2.wimaxlab.com"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry user at isp2.wimaxlab.com at line 205
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] No clear-text password in the request.  Not performing PAP.
> ++[pap] returns noop
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.
> No User-Password or CHAP-Password attribute in the request.
> Cannot perform authentication.
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> user at isp2.wimaxlab.com
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 8 for 1 seconds
> Going to the next request
> Waking up in 0.1 seconds.
>
> Thanks and Regards,
> Kiran Kumar.B
> WiMAX Test Engineer
> Fujitsu Telecommunications Europe
> Solihull Parkway, Birmingham B37 7YU
> Work Phone: +44 (0) 121 717 6299
> Mobile: +44 (0) 7549 203 655
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
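An added configuration example (not posted by anyone in this thread) showing one way to implement what Jay describes, as FreeRADIUS 2.x unlang in the authorize section: the HA's key request carries no User-Password or EAP-Message, so instead of letting PAP reject it the policy accepts it when, and only when, the request arrives from the HA's own RADIUS client entry and carries the WiMAX HA-RK SPI. The client shortname `ha_isp1`, the HA address placeholder, and the use of the `%{client:shortname}` expansion are assumptions; NAS-Identifier "HA_ISP1" and WiMAX-HA-RK-SPI come from Kiran's debug output.

```unlang
# clients.conf: give the HA its own client entry and shared secret, so the
# accept-without-password rule is tied to that secret rather than to an
# attribute the sender picks. Address and secret are placeholders.
client ha_isp1 {
        ipaddr    = HA_ADDRESS_HERE
        secret    = CHANGE_ME
        shortname = ha_isp1
        nastype   = other
}

# sites-enabled/default, authorize section (FreeRADIUS 2.x unlang).
authorize {
        preprocess
        suffix
        eap
        files

        # PMIP/WiMAX key request from the Home Agent: there is nothing for
        # PAP/CHAP/EAP to check, and the HA authenticated itself with the
        # shared secret (Message-Authenticator). Match on the client entry,
        # not on NAS-Identifier alone, and require the HA-RK SPI so that
        # unrelated requests from the same client still go through the
        # normal authentication path.
        if ("%{client:shortname}" == "ha_isp1" && WiMAX-HA-RK-SPI) {
                update control {
                        Auth-Type := Accept
                }
        }

        # Unchanged for all other requests; pap is a noop for the HA
        # request because it has no User-Password.
        expiration
        logintime
        pap
}
```

Because the MN-HA and HA-RK keys were derived by the H-AAA, this V-AAA can only accept the request; it cannot supply the keys Ben's quoted steps 6 and 7 describe, so the request still has to be proxied to the H-AAA if the HA needs them.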