Hi All, I am using the Free Radius to test Proxy Authentication from H-AAA, the initial Authentication (proxied through H-AAA) goes through fine. But the HA then triggers an Access Request message (we are using PMIP), but this fails at the Free radius. I suspect this is because the HA root keys etc are not generated by Free radius but by the H-AAA. Can you please let me know what configuration needs to be done to get this scenario working. Sending Access-Accept of id 161 to 10.142.139.65 port 52687 MS-MPPE-Recv-Key = 0x6ef829271559b13ef642c20c60522275590132e27a5b64d744e77799f12508b0 MS-MPPE-Send-Key = 0x3b0dfc2d198cebbd3fe32e9b3a8e1fad36f26f1b8595ea5cd1698eb52d29d872 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "user@isp2.wimaxlab.com" Finished request 7. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 10.142.139.65 port 52687, id=162, length=201 User-Name = "user@isp2.wimaxlab.com" NAS-IP-Address = 10.142.139.68 Service-Type = Framed-User Framed-IP-Address = 0.0.0.0 Vendor-Specific = 0x00001fe4180600000003 Vendor-Specific = 0x00001fe4a9060a8e8b46 WiMAX-Release = "1.0" WiMAX-Accounting-Capabilities = 3 WiMAX-GMT-Timezone-offset = 3600 WiMAX-hHA-IP-MIP4 = 10.142.139.70 WiMAX-MN-hHA-MIP4-SPI = 512 WiMAX-HA-RK-SPI = 512 NAS-Identifier = "HA_ISP1" Event-Timestamp = "Jun 18 2009 09:36:50 GMT" Message-Authenticator = 0x7fc30b3f450c08556a469367efb2d166 Chargeable-User-Identity = "NUL" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "isp2.wimaxlab.com" for User-Name = "user@isp2.wimaxlab.com" [suffix] No such realm "isp2.wimaxlab.com" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry user@isp2.wimaxlab.com at line 205 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] No clear-text password in the request. Not performing PAP. ++[pap] returns noop WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No User-Password or CHAP-Password attribute in the request. Cannot perform authentication. Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user@isp2.wimaxlab.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.1 seconds. Thanks and Regards, Kiran Kumar.B WiMAX Test Engineer Fujitsu Telecommunications Europe Solihull Parkway, Birmingham B37 7YU Work Phone: +44 (0) 121 717 6299 Mobile: +44 (0) 7549 203 655
I am using the Free Radius to test Proxy Authentication from H-AAA, the initial Authentication (proxied through H-AAA) goes through fine. But the HA then triggers an Access Request message (we are using PMIP), but this fails at the Free radius.
Because this request is not in any authentication protocol known to man.
I suspect this is because the HA root keys etc are not generated by Free radius but by the H-AAA. Can you please let me know what configuration needs to be done to get this scenario working.
rad_recv: Access-Request packet from host 10.142.139.65 port 52687, id=162, length=201
User-Name = "user@isp2.wimaxlab.com"
NAS-IP-Address = 10.142.139.68
Service-Type = Framed-User
Framed-IP-Address = 0.0.0.0
Vendor-Specific = 0x00001fe4180600000003
Vendor-Specific = 0x00001fe4a9060a8e8b46
WiMAX-Release = "1.0"
WiMAX-Accounting-Capabilities = 3
WiMAX-GMT-Timezone-offset = 3600
WiMAX-hHA-IP-MIP4 = 10.142.139.70
WiMAX-MN-hHA-MIP4-SPI = 512
WiMAX-HA-RK-SPI = 512
NAS-Identifier = "HA_ISP1"
Event-Timestamp = "Jun 18 2009 09:36:50 GMT"
Message-Authenticator = 0x7fc30b3f450c08556a469367efb2d166
Chargeable-User-Identity = "NUL"
There should be a field with password in there (User-Password, EAP-Message, whatever). Ask H-AAA people how to fix the equipment so it generates requests that do make sense. Some wimax equipment requires mppe key to be removed from Access-Accept packet. If that is the case adjust it in wimax module (raddb/modules/wimax). Ivan Kalik Kalik Informatika ISP
From the Steel Belted docs:
If you are not generating the original keying material (i.e. you are the V-AAA) I would think you would need to proxy this request to the H-AAA as well as the required keys are going to be available there. You are not receiving the WiMAX-vHA-IP-MIP4 which would indicate that the V-AAA is capable of assigning the required keys. 6. The home agent performs an authentication check by sending the HAAA server an Access-Request message requesting its cryptographic keys for the Mobile IP session. The Access-Request message contains the home agents cryptographic keys (MN-HA-MIP4-SPI and HA-RK-SPI). 7. The HAAA server responds to the Access-Request message by sending the home agent an Access-Accept message containing its cryptographic keys: MN-HA-MIP4-KEY, MN-HA-MIP4-SPI, HA-RK-KEY, HA-RK-SPI, and HA-RK-Lifetime. Ben From: freeradius-users-bounces+wiechman.lists=gmail.com@lists.freeradius.org [mailto:freeradius-users-bounces+wiechman.lists=gmail.com@lists.freeradius.o rg] On Behalf Of Kiran Kumar Sent: Thursday, June 18, 2009 4:58 AM To: freeradius-users@lists.freeradius.org Subject: Access Req from HA rejected Hi All, I am using the Free Radius to test Proxy Authentication from H-AAA, the initial Authentication (proxied through H-AAA) goes through fine. But the HA then triggers an Access Request message (we are using PMIP), but this fails at the Free radius. I suspect this is because the HA root keys etc are not generated by Free radius but by the H-AAA. Can you please let me know what configuration needs to be done to get this scenario working Sending Access-Accept of id 161 to 10.142.139.65 port 52687 MS-MPPE-Recv-Key = 0x6ef829271559b13ef642c20c60522275590132e27a5b64d744e77799f12508b0 MS-MPPE-Send-Key = 0x3b0dfc2d198cebbd3fe32e9b3a8e1fad36f26f1b8595ea5cd1698eb52d29d872 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "user@isp2.wimaxlab.com" Finished request 7. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 10.142.139.65 port 52687, id=162, length=201 User-Name = "user@isp2.wimaxlab.com" NAS-IP-Address = 10.142.139.68 Service-Type = Framed-User Framed-IP-Address = 0.0.0.0 Vendor-Specific = 0x00001fe4180600000003 Vendor-Specific = 0x00001fe4a9060a8e8b46 WiMAX-Release = "1.0" WiMAX-Accounting-Capabilities = 3 WiMAX-GMT-Timezone-offset = 3600 WiMAX-hHA-IP-MIP4 = 10.142.139.70 WiMAX-MN-hHA-MIP4-SPI = 512 WiMAX-HA-RK-SPI = 512 NAS-Identifier = "HA_ISP1" Event-Timestamp = "Jun 18 2009 09:36:50 GMT" Message-Authenticator = 0x7fc30b3f450c08556a469367efb2d166 Chargeable-User-Identity = "NUL" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "isp2.wimaxlab.com" for User-Name = "user@isp2.wimaxlab.com" [suffix] No such realm "isp2.wimaxlab.com" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry user@isp2.wimaxlab.com at line 205 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] No clear-text password in the request. Not performing PAP. ++[pap] returns noop WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No User-Password or CHAP-Password attribute in the request. Cannot perform authentication. Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user@isp2.wimaxlab.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.1 seconds. Thanks and Regards, Kiran Kumar.B WiMAX Test Engineer Fujitsu Telecommunications Europe Solihull Parkway, Birmingham B37 7YU Work Phone: +44 (0) 121 717 6299 Mobile: +44 (0) 7549 203 655
Kiran,
The WiMAX forum does not define the user authentication between HA and
HAAA. HAAA solely depends on the shared secret between HA and HAAA to
validate the request from HA is good. Its security models uses the MIP
keys to authenticate users has been authenticated into ASN gateway at
HA. What you need to do is to set AUTH-TYPE := Accept if it is HA. You
may uses hints to indicate it is HA instead of ASN gateway.
Thanks,
Jay Xiong
On Fri, Jun 26, 2009 at 6:12 PM, Ben Wiechman<wiechman.lists@gmail.com> wrote:
> If you are not generating the original keying material (i.e. you are the
> V-AAA) I would think you would need to proxy this request to the H-AAA as
> well as the required keys are going to be available there. You are not
> receiving the WiMAX-vHA-IP-MIP4 which would indicate that the V-AAA is
> capable of assigning the required keys.
>
> >From the Steel Belted docs:
> 6. The home agent performs an authentication check by sending the HAAA
> server
> an Access-Request message requesting its cryptographic keys for the Mobile
> IP
> session. The Access-Request message contains the home agent’s cryptographic
> keys (MN-HA-MIP4-SPI and HA-RK-SPI).
> 7. The HAAA server responds to the Access-Request message by sending the
> home agent an Access-Accept message containing its cryptographic keys:
> MN-HA-MIP4-KEY, MN-HA-MIP4-SPI, HA-RK-KEY, HA-RK-SPI, and
> HA-RK-Lifetime.
>
> Ben
>
> From: freeradius-users-bounces+wiechman.lists=gmail.com@lists.freeradius.org
> [mailto:freeradius-users-bounces+wiechman.lists=gmail.com@lists.freeradius.o
> rg] On Behalf Of Kiran Kumar
> Sent: Thursday, June 18, 2009 4:58 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Access Req from HA rejected
>
> Hi All,
>
> I am using the Free Radius to test Proxy Authentication from H-AAA, the
> initial Authentication (proxied through H-AAA) goes through fine. But the HA
> then triggers an Access Request message (we are using PMIP), but this fails
> at the Free radius. I suspect this is because the HA root keys etc are not
> generated by Free radius but by the H-AAA. Can you please let me know what
> configuration needs to be done to get this scenario working…
>
> Sending Access-Accept of id 161 to 10.142.139.65 port 52687
> MS-MPPE-Recv-Key =
> 0x6ef829271559b13ef642c20c60522275590132e27a5b64d744e77799f12508b0
> MS-MPPE-Send-Key =
> 0x3b0dfc2d198cebbd3fe32e9b3a8e1fad36f26f1b8595ea5cd1698eb52d29d872
> EAP-Message = 0x03080004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "user@isp2.wimaxlab.com"
> Finished request 7.
> Going to the next request
> Waking up in 4.3 seconds.
> rad_recv: Access-Request packet from host 10.142.139.65 port 52687, id=162,
> length=201
> User-Name = "user@isp2.wimaxlab.com"
> NAS-IP-Address = 10.142.139.68
> Service-Type = Framed-User
> Framed-IP-Address = 0.0.0.0
> Vendor-Specific = 0x00001fe4180600000003
> Vendor-Specific = 0x00001fe4a9060a8e8b46
> WiMAX-Release = "1.0"
> WiMAX-Accounting-Capabilities = 3
> WiMAX-GMT-Timezone-offset = 3600
> WiMAX-hHA-IP-MIP4 = 10.142.139.70
> WiMAX-MN-hHA-MIP4-SPI = 512
> WiMAX-HA-RK-SPI = 512
> NAS-Identifier = "HA_ISP1"
> Event-Timestamp = "Jun 18 2009 09:36:50 GMT"
> Message-Authenticator = 0x7fc30b3f450c08556a469367efb2d166
> Chargeable-User-Identity = "NUL"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] Looking up realm "isp2.wimaxlab.com" for User-Name =
> "user@isp2.wimaxlab.com"
> [suffix] No such realm "isp2.wimaxlab.com"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry user@isp2.wimaxlab.com at line 205
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] No clear-text password in the request. Not performing PAP.
> ++[pap] returns noop
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.
> No User-Password or CHAP-Password attribute in the request.
> Cannot perform authentication.
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} ->
> user@isp2.wimaxlab.com
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 8 for 1 seconds
> Going to the next request
> Waking up in 0.1 seconds.
>
>
>
>
> Thanks and Regards,
> Kiran Kumar.B
> WiMAX Test Engineer
> Fujitsu Telecommunications Europe
> Solihull Parkway, Birmingham B37 7YU
> Work Phone: +44 (0) 121 717 6299
> Mobile: +44 (0) 7549 203 655
>
>
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
participants (4)
-
Ben Wiechman -
Ivan Kalik -
Jay Xiong -
Kiran Kumar