WiMAX HA access-request problem

Ivan Kalik tnt at kalik.net
Sun Oct 4 17:51:21 CEST 2009 

> Sending Access-Accept of id 23 to 192.168.10.10 port 6001
>         MS-MPPE-Recv-Key =
> 0xdd32bb1bf83d56f4493782d3244f5d501011ffce043c3f5d70fb2f8ec22675c7
>         MS-MPPE-Send-Key =
> 0xd131eacf354482cec6a997bd7b25e7660f96c85f0290572af781fbe6f79e31fa
>         EAP-Message = 0x03080004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         Service-Type = Framed-User
>         Framed-MTU = 1400
>         WiMAX-HA-RK-Lifetime = 172788
>         WiMAX-hHA-IP-MIP4 = 172.16.10.10
>         WiMAX-HA-RK-Key = 0xe3004e23455fd2e998b8def4dfe9ddaa34528742
>         WiMAX-HA-RK-SPI = 283734
>         WiMAX-FA-RK-Key = 0x85dd1a75f40398fe0168602b3a200a235db058fd
>         WiMAX-MSK =
> 0xdd32bb1bf83d56f4493782d3244f5d501011ffce043c3f5d70fb2f8ec22675c7d131eacf354482cec6a997bd7b25e7660f96c85f0290572af781fbe6f79e31fa
>         WiMAX-AAA-Session-Id = 0xc4e88757e4a7773cb7868674d19199e4
>         WiMAX-Capability = 0x020301
>         WiMAX-Packet-Flow-Descriptor =
> 0x01040001030600000002040303050307060301
>         WiMAX-DNS-Server = 172.16.1.1
>         Session-Timeout = 43200
>         Termination-Action = RADIUS-Request
>         Chargeable-User-Identity = "test at testwimax.com"
>         WiMAX-MN-hHA-MIP4-Key = 0x58c32ecc237cdc44474cc0a32b4203e511c6d569
>         WiMAX-MN-hHA-MIP4-SPI = 571665657
>         WiMAX-FA-RK-SPI = 571665656
>
> In phase 2, ASN-GW send the MobileIP registration request to Home Agent.
> The Home Agent will check this MIP RRQ is valid or not by sending a radius
> request to AAA.
>
> FreeRADIUS received the request as below:
>
> rad_recv: Access-Request packet from host 172.16.10.10 port 52511, id=10,
> length=213
>         Packet-Type = Access-Request
>         User-Name = "test at testwimax.com"
>         NAS-IP-Address = 172.16.10.10
>         NAS-Identifier = "HA_1"
>         WiMAX-HA-RK-SPI = 283734
>         Framed-IP-Address = 0.0.0.0
>         WiMAX-MN-HA-MIP4-SPI = 571665657
>         WiMAX-hHA-IP-MIP4 = 172.16.10.10
>         Vendor-Specific = 0x00001fe4180600000003
>         Vendor-Specific = 0x00001fe4a906d34f3f31
>         WiMAX-Release = "1.0"
>         WiMAX-Accounting-Capabilities = 3
>         WiMAX-GMT-Timezone-offset = 28800
>         Service-Type = Framed-User
>         Event-Timestamp = "Sep 30 2009 15:21:22 CST"
>         Message-Authenticator = 0x30f398da4df2f3673568f56b36063a2b
>         Chargeable-User-Identity = "NUL"
>
> I set the FreeRADIUS to send the Home Agent the Access-accept packet with
> some attribute(WiMAX-HA-RK-SPI,WiMAX-HA-RK-Key) with fixed value.
> But the FreeRADIUS can not generate the WiMAX-MN-hHA-MIP4-Key and
> WiMAX-MN-hHA-MIP4-SPI for that request.
> so Home Agent fail to validate the MIP RRQ because short of the
> attribute(WiMAX-MN-hHA-MIP4-Key and WiMAX-MN-hHA-MIP4-SPI).
> Is that any configurations for FreeRADIUS to generate the original
> WiMAX-MN-hHA-MIP4-Key and WiMAX-MN-hHA-MIP4-SPI for Home Agent
> Authentication request,
> or can the FreeRADIUS cache the keys been generated in phase 1 and for use
> in phase 2 authentication?

It seems that gateway included original WiMAX-MN-hHA-MIP4-SPI as
WiMAX-MN-HA-MIP4-SPI in the request for Home Agent. It should also include
WiMAX-MN-hHA-MIP4-Key from the Access-Accept. Freeradius can't link
authentication and Home Agent requests (so not much point in cacheing).
Link should be made by the gateway.

Ivan Kalik
Kalik Informatika ISP

More information about the Freeradius-Users mailing list