Marck Gorszwick wrote:
We're doing some work with integrating FreeRADIUS using EAP-TLS into a network with HItachi ASN-GW and Cisco HA that only uses Mobile-IP. We successfully pass phase-1 authentication, and generate the appropriate keying material for the HA, but at phase-2 authentication we fail, since the MN-hHA-MIP4-KEY is not stored.
Exactly.
The rlm_wimax module implies that the HA authentication portion needs to retrieve the MN-hHA-MIP4-KEY from a store based on the SPI in the request, a couple questions:
-Does FreeRADIUS have any way of linking the two authentications,
A database. Store the attributes in a database, and retrieve them the second time around. See raddb/sql/mysql/wimax.*
and can the TLS session cache can be used to store the TLVs from phase 1 access accept,
Yes, but they will disappear when the server restarts.
or does it need to be done externally? If it can be cached within FreeRADIUS, how?
They need to be cached in a DB.
-FreeRADIUS complains that this phase-2 authentication has no known Auth-Type. What needs to be done to have FreeRADIUS consider this? Can we just pre-process or HINT the request to accept it with the when we have the appropriate KEY?
Look up the session data in the database, and if it matches, set "Auth-Type := Accept". Alan DeKok.