Hi All- We're doing some work with integrating FreeRADIUS using EAP-TLS into a network with HItachi ASN-GW and Cisco HA that only uses Mobile-IP. We successfully pass phase-1 authentication, and generate the appropriate keying material for the HA, but at phase-2 authentication we fail, since the MN-hHA-MIP4-KEY is not stored. The rlm_wimax module implies that the HA authentication portion needs to retrieve the MN-hHA-MIP4-KEY from a store based on the SPI in the request, a couple questions: -Does FreeRADIUS have any way of linking the two authentications, and can the TLS session cache can be used to store the TLVs from phase 1 access accept, or does it need to be done externally? If it can be cached within FreeRADIUS, how? -FreeRADIUS complains that this phase-2 authentication has no known Auth-Type. What needs to be done to have FreeRADIUS consider this? Can we just pre-process or HINT the request to accept it with the when we have the appropriate KEY? Phase 1 Access-Accept: Sending Access-Accept of id 227 to 172.17.10.10 port 1814 EAP-Message = 0x030d0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "anonymous@grid-net.com" WiMAX-IP-Technology = PMIP4 WiMAX-FA-RK-Key = 0x4cf2d4149289d9a0ce8cbeb264cdb41206fc679a Chargeable-User-Identity = "gridnet" WiMAX-NSP-Id = 0x000021 WiMAX-hHA-IP-MIP4 = 172.29.163.6 Service-Type = Framed-User WiMAX-Accounting-Capabilities = IP-Session-Based WiMAX-Idle-Mode-Notification-Cap = Not-Supported WiMAX-AAA-Session-Id = 0x12346789012345678901 WiMAX-DNS-Server = 1.2.3.4 WiMAX-MSK = 0x4b0b12e1ea34fea4ae762a3d63eda2ed3bbb446bcc46f25af546f35b47a26bc287017df6af42587c4b46cacf960812c00d212635324bca42bd96172b346e56e6 WiMAX-MN-hHA-MIP4-Key = 0x468d6588a03a1096acfd145a946b9dec0b8c44d2 WiMAX-MN-hHA-MIP4-SPI = 754533938 WiMAX-FA-RK-SPI = 754533937 Proxy-State = 0x313630 Wed Dec 8 16:33:45 2010 : Info: Finished request 491. Wed Dec 8 16:33:45 2010 : Debug: Going to the next request Wed Dec 8 16:33:45 2010 : Debug: Waking up in 0.2 seconds. Wed Dec 8 16:33:45 2010 : Info: Cleaning up request 484 ID 191 with timestamp +1844 Wed Dec 8 16:33:45 2010 : Debug: Waking up in 0.2 seconds. Wed Dec 8 16:33:45 2010 : Info: Cleaning up request 485 ID 217 with timestamp +1844 Wed Dec 8 16:33:45 2010 : Debug: Waking up in 0.3 seconds. Wed Dec 8 16:33:46 2010 : Info: Cleaning up request 486 ID 188 with timestamp +1845 Wed Dec 8 16:33:46 2010 : Debug: Waking up in 0.3 seconds. Wed Dec 8 16:33:46 2010 : Info: Cleaning up request 487 ID 111 with timestamp +1845 Wed Dec 8 16:33:46 2010 : Debug: Waking up in 0.4 seconds. Wed Dec 8 16:33:46 2010 : Info: Cleaning up request 488 ID 30 with timestamp +1845 Wed Dec 8 16:33:46 2010 : Debug: Waking up in 2.7 seconds. Wed Dec 8 16:33:49 2010 : Info: Cleaning up request 489 ID 67 with timestamp +1848 Wed Dec 8 16:33:49 2010 : Debug: Waking up in 0.3 seconds. Wed Dec 8 16:33:49 2010 : Info: Cleaning up request 490 ID 35 with timestamp +1848 Wed Dec 8 16:33:49 2010 : Debug: Waking up in 0.3 seconds. Wed Dec 8 16:33:50 2010 : Info: Cleaning up request 491 ID 227 with timestamp +1849 Wed Dec 8 16:33:50 2010 : Info: Ready to process requests. And Phase-2 Access-Request: rad_recv: Access-Request packet from host 172.17.10.10 port 1814, id=168, length=153 WiMAX-HA-IP-MIP4 = 172.29.163.6 WiMAX-NSP-Id = 0x000021 NAS-Identifier = "xxxxx" User-Name = "anonymous@grid-net.com" WiMAX-Release = "01.0" WiMAX-Accounting-Capabilities = IP-Session-Based WiMAX-Hotlining-Capabilities = Not-Supported WiMAX-MN-hHA-MIP4-SPI = 754533938 Chargeable-User-Identity = "" Framed-IP-Address = 10.24.0.100 Message-Authenticator = 0xee2061e520a73223364859f2c0822248 NAS-IP-Address = 172.29.176.37 Proxy-State = 0x313631 Wed Dec 8 16:33:58 2010 : Info: # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/default Wed Dec 8 16:33:58 2010 : Info: +- entering group authorize {...} Wed Dec 8 16:33:58 2010 : Info: ++[preprocess] returns ok Wed Dec 8 16:33:58 2010 : Info: ++[chap] returns noop Wed Dec 8 16:33:58 2010 : Info: ++[mschap] returns noop Wed Dec 8 16:33:58 2010 : Info: ++[wimax] returns ok Wed Dec 8 16:33:58 2010 : Info: [suffix] Looking up realm "grid-net.com" for User-Name = "anonymous@grid-net.com" Wed Dec 8 16:33:58 2010 : Info: [suffix] No such realm "grid-net.com" Wed Dec 8 16:33:58 2010 : Info: ++[suffix] returns noop Wed Dec 8 16:33:58 2010 : Info: [eap] No EAP-Message, not doing EAP Wed Dec 8 16:33:58 2010 : Info: ++[eap] returns noop Wed Dec 8 16:33:58 2010 : Info: ++[unix] returns notfound Wed Dec 8 16:33:58 2010 : Info: [files] users: Matched entry DEFAULT at line 34 Wed Dec 8 16:33:58 2010 : Info: ++[files] returns ok Wed Dec 8 16:33:58 2010 : Info: ++[expiration] returns noop Wed Dec 8 16:33:58 2010 : Info: ++[logintime] returns noop Wed Dec 8 16:33:58 2010 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Wed Dec 8 16:33:58 2010 : Info: ++[pap] returns noop Wed Dec 8 16:33:58 2010 : Info: expand: %{request:User-Name} -> anonymous@grid-net.com Wed Dec 8 16:33:58 2010 : Info: ++[reply] returns noop Wed Dec 8 16:33:58 2010 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Wed Dec 8 16:33:58 2010 : Info: Failed to authenticate the user. Wed Dec 8 16:33:58 2010 : Auth: Login incorrect: [anonymous@grid-net.com/<no User-Password attribute>] (from client winghead port 0) Wed Dec 8 16:33:58 2010 : Info: Using Post-Auth-Type Reject Wed Dec 8 16:33:58 2010 : Info: # Executing group from file /opt/local/etc/raddb/sites-enabled/default Wed Dec 8 16:33:58 2010 : Info: +- entering group REJECT {...} Wed Dec 8 16:33:58 2010 : Info: [attr_filter.access_reject] expand: %{User-Name} -> anonymous@grid-net.com Wed Dec 8 16:33:58 2010 : Debug: attr_filter: Matched entry DEFAULT at line 11 Wed Dec 8 16:33:58 2010 : Info: ++[attr_filter.access_reject] returns updated Wed Dec 8 16:33:58 2010 : Info: Delaying reject of request 492 for 1 seconds Wed Dec 8 16:33:58 2010 : Debug: Going to the next request Wed Dec 8 16:33:58 2010 : Debug: Waking up in 0.9 seconds. Wed Dec 8 16:33:59 2010 : Info: Sending delayed reject for request 492 Sending Access-Reject of id 168 to 172.17.10.10 port 1814 Proxy-State = 0x313631 Wed Dec 8 16:33:59 2010 : Debug: Waking up in 4.9 seconds. Wed Dec 8 16:34:04 2010 : Info: Cleaning up request 492 ID 168 with timestamp +1862 Wed Dec 8 16:34:04 2010 : Info: Ready to process requests.
Marck Gorszwick wrote:
We're doing some work with integrating FreeRADIUS using EAP-TLS into a network with HItachi ASN-GW and Cisco HA that only uses Mobile-IP. We successfully pass phase-1 authentication, and generate the appropriate keying material for the HA, but at phase-2 authentication we fail, since the MN-hHA-MIP4-KEY is not stored.
Exactly.
The rlm_wimax module implies that the HA authentication portion needs to retrieve the MN-hHA-MIP4-KEY from a store based on the SPI in the request, a couple questions:
-Does FreeRADIUS have any way of linking the two authentications,
A database. Store the attributes in a database, and retrieve them the second time around. See raddb/sql/mysql/wimax.*
and can the TLS session cache can be used to store the TLVs from phase 1 access accept,
Yes, but they will disappear when the server restarts.
or does it need to be done externally? If it can be cached within FreeRADIUS, how?
They need to be cached in a DB.
-FreeRADIUS complains that this phase-2 authentication has no known Auth-Type. What needs to be done to have FreeRADIUS consider this? Can we just pre-process or HINT the request to accept it with the when we have the appropriate KEY?
Look up the session data in the database, and if it matches, set "Auth-Type := Accept". Alan DeKok.
participants (2)
-
Alan DeKok -
Marck Gorszwick