<p>Hello All,</p>
<p>Let me just say I'm a big fan of the work being done by Freeradius. We've been thinking of ditching our Cisco Access Registrar (AAA) for some time now, as we've been facing many issues with it, massive memory leakage being one of them. For this purpose we did some testing with Freeradius and one of our NAS gear, a Samsung General ATM Switching Network (GAN) deployed in a 3GPP2 EV-DO environment, for the purpose of hardware authentication only. Things didn't go too well, however; the following is the output of radiusd -X.</p>
<p>Listening on authentication address * port 1812<br>
Listening on accounting address * port 1813<br>
Listening on command file /var/run/radiusd/radiusd.sock<br>
Listening on proxy address * port 1814<br>
Ready to process requests.<br>
rad_recv: Access-Request packet from host 172.16.1.24 port 1812, id=252, length=88<br>
User-Name = "92421013626"<br>
CHAP-Password = 0x01ef28b52424c1b5f35683fb12ffb371f8<br>
NAS-IP-Address = 172.16.1.24<br>
CHAP-Challenge = 0xfd2f308b721c8fbbd198087e43ed71f0<br>
3GPP2-Attr-60 = 0x00000001<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
Setting 'Auth-Type := CHAP'<br>
++[chap] returns ok<br>
++[mschap] returns noop<br>
No '@' in User-Name = "92421013626", looking up realm NULL<br>
No such realm "NULL"<br>
++[suffix] returns noop<br>
No EAP-Message, not doing EAP<br>
++[eap] returns noop<br>
++[unix] returns notfound<br>
users: Matched entry 92421013626 at line 85<br>
++[files] returns ok<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
Found existing Auth-Type, not changing it.<br>
++[pap] returns noop<br>
Found Auth-Type = CHAP<br>
+- entering group CHAP {...}<br>
login attempt by "92421013626" with CHAP password<br>
Using clear text password "0D2379B0" for user 92421013626 authentication.<br>
chap user 92421013626 authenticated succesfully<br>
++[chap] returns ok<br>
+- entering group post-auth {...}<br>
++[exec] returns noop<br>
Sending Access-Accept of id 252 to 172.16.1.24 port 1812<br>
Callback-Id = "410530421013626"<br>
Finished request 0.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
Cleaning up request 0 ID 252 with timestamp +5<br>
Ready to process requests.<br>
rad_recv: Access-Request packet from host 172.16.1.24 port 1812, id=253, length=88<br>
User-Name = "92421013626"<br>
CHAP-Password = 0x01ff3da64a9d26f7eddeb6043deafcdc5b<br>
NAS-IP-Address = 172.16.1.24<br>
CHAP-Challenge = 0x79bc887e81bdff4ebacb6bacd26945f9<br>
3GPP2-Attr-60 = 0x00000001<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
Setting 'Auth-Type := CHAP'<br>
++[chap] returns ok<br>
++[mschap] returns noop<br>
No '@' in User-Name = "92421013626", looking up realm NULL<br>
No such realm "NULL"<br>
++[suffix] returns noop<br>
No EAP-Message, not doing EAP<br>
++[eap] returns noop<br>
++[unix] returns notfound<br>
users: Matched entry 92421013626 at line 85<br>
++[files] returns ok<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
Found existing Auth-Type, not changing it.<br>
++[pap] returns noop<br>
Found Auth-Type = CHAP<br>
+- entering group CHAP {...}<br>
login attempt by "92421013626" with CHAP password<br>
Using clear text password "0D2379B0" for user 92421013626 authentication.<br>
chap user 92421013626 authenticated succesfully<br>
++[chap] returns ok<br>
+- entering group post-auth {...}<br>
++[exec] returns noop<br>
Sending Access-Accept of id 253 to 172.16.1.24 port 1812<br>
Callback-Id = "410530421013626"<br>
Finished request 1.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
Cleaning up request 1 ID 253 with timestamp +39<br>
Ready to process requests.<br>
rad_recv: Access-Request packet from host 172.16.1.24 port 1812, id=254, length=88<br>
User-Name = "92421013626"<br>
CHAP-Password = 0x0122be6028d9a8501e7df9d2da160d5366<br>
NAS-IP-Address = 172.16.1.24<br>
CHAP-Challenge = 0x7db1dfd61694cc5d964c6ceb1f15dd67<br>
3GPP2-Attr-60 = 0x00000001<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
Setting 'Auth-Type := CHAP'<br>
++[chap] returns ok<br>
++[mschap] returns noop<br>
No '@' in User-Name = "92421013626", looking up realm NULL<br>
No such realm "NULL"<br>
++[suffix] returns noop<br>
No EAP-Message, not doing EAP<br>
++[eap] returns noop<br>
++[unix] returns notfound<br>
users: Matched entry 92421013626 at line 85<br>
++[files] returns ok<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
Found existing Auth-Type, not changing it.<br>
++[pap] returns noop<br>
Found Auth-Type = CHAP<br>
+- entering group CHAP {...}<br>
login attempt by "92421013626" with CHAP password<br>
Using clear text password "0D2379B0" for user 92421013626 authentication.<br>
chap user 92421013626 authenticated succesfully<br>
++[chap] returns ok<br>
+- entering group post-auth {...}<br>
++[exec] returns noop<br>
Sending Access-Accept of id 254 to 172.16.1.24 port 1812<br>
Callback-Id = "410530421013626"<br>
Finished request 2.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
Cleaning up request 2 ID 254 with timestamp +62<br>
Ready to process requests.</p>
<p>As you can see, freeradius is sending an Access-Accept with the Callback-Id to the client, but nothing happens afterwards and the user is unable to connect. From what I've been able to understand, the NAS is sending 3GPP2-Attr-60 = 0x00000001, which is the 3GPP2-HRPD-Access-Authentication attribute that is not defined in the 3GPP2 dictionary. Would patching the 3GPP2 dictionary do the trick, or is there something else I am missing? As this VSA is I would've tested this already, however this kind of testing requires approval from other departments as well, which is gonna take a couple of days.</p>
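<p>The check that rlm_chap performed in the debug output above, as an added example (not code from the original post or from FreeRADIUS): it parses the attribute lines of the first request, recomputes the RFC 1994 CHAP response MD5(id || password || challenge) from the clear-text password the server holds for the user, and compares it with the CHAP-Password the NAS sent. The function names and the embedded log excerpt are mine.</p>

```python
import hashlib
import hmac
import re

# Constructed excerpt: the attribute lines of the first Access-Request in the
# radiusd -X output above (values copied from the post).
DEBUG_LOG = """\
User-Name = "92421013626"
CHAP-Password = 0x01ef28b52424c1b5f35683fb12ffb371f8
NAS-IP-Address = 172.16.1.24
CHAP-Challenge = 0xfd2f308b721c8fbbd198087e43ed71f0
3GPP2-Attr-60 = 0x00000001
"""


def parse_attrs(log: str) -> dict:
    """Pull 'Name = value' pairs out of radiusd -X request output.
    0x... values are decoded to bytes; quoted strings lose their quotes."""
    attrs = {}
    for m in re.finditer(r'^\s*([\w-]+)\s*=\s*(.+?)\s*$', log, re.MULTILINE):
        name, value = m.group(1), m.group(2)
        attrs[name] = bytes.fromhex(value[2:]) if value.startswith('0x') else value.strip('"')
    return attrs


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """CHAP/MD5 response as carried in the RADIUS CHAP-Password attribute:
    the one-byte CHAP identifier followed by MD5(ident || password || challenge)."""
    digest = hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()
    return bytes([ident]) + digest


def chap_verify(chap_password: bytes, challenge: bytes, cleartext: str) -> bool:
    """Server-side check: CHAP can only be verified against a clear-text
    password, so the server recomputes the response and compares it."""
    if len(chap_password) != 17:          # ident byte + 16-byte MD5 digest
        return False
    expected = chap_response(chap_password[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password)


if __name__ == "__main__":
    a = parse_attrs(DEBUG_LOG)
    # "0D2379B0" is the clear-text password the debug output printed for this user.
    ok = chap_verify(a["CHAP-Password"], a["CHAP-Challenge"], "0D2379B0")
    print(f'{a["User-Name"]}: CHAP check {"passed" if ok else "FAILED"}')
```

<p>Because CHAP needs the clear-text password on the server, radiusd -X prints it in the "Using clear text password" line, so debug captures like the one above should be handled as secrets when they are shared.</p>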