[Wimax TTLS with Alcatel - Lucent ASN GW]
Thomas Fagart
tfagart at brozs.net
Mon Apr 6 17:50:43 CEST 2009
Thanks for your answer. FreeRADIUS is now able to do local authentication
for this WiMAX solution, which is great.
Now I'm trying to do the following:
ASN <---- EAP/TTLS --> Radius A (Proxy) <---- Inner CHAP Request ----> Radius A
The idea would be that Radius B only does simple authentication (i.e. sends
Access-Accept without WiMAX attributes), and Radius A would add static WiMAX
attributes in the outer tunnel reply, using the post-proxy filter attrs.
1. I've tried to apply the post-proxy filter in the inner-tunnel virtual
server, but it doesn't seem to have an effect.
2. When I use it in the main virtual server (default for me), it works, but
not as I expected.
Extract of attrs
###################################
test.fr
Service-Type := Framed-User,
Framed-IP-Address := 172.16.3.33,
EAP-Message =* ANY,
Message-Authenticator =* ANY,
# MS-CHAP2-Success =* ANY,
# MS-MPPE-Recv-Key =* ANY,
# MS-MPPE-Send-Key =* ANY,
# MS-CHAP-MPPE-Keys =* ANY,
# MS-MPPE-Encryption-Policy =* ANY,
# MS-MPPE-Encryption-Types =* ANY,
#3GPP2 Attribute
3GPP2-Service-Option-Profile := 0x000000010104B001,
# WiMAX Attribute
#WiMAX-Packet-Flow-Descriptor
WiMAX-Packet-Data-Flow-Id := 1,
WiMAX-Service-Data-Flow-Id := 1,
WiMAX-Direction := 3,
WiMAX-Activation-Trigger := 4,
WiMAX-Transport-Type := 1,
WiMAX-Uplink-QOS-Id := 1,
WiMAX-Downlink-QOS-Id := 2,
#WiMAX-QoS-Descriptor 1
# WiMAX-QoS-Descriptor:= 000103010C030204030205030006060001F400
WiMAX-QoS-Id := 1,
WiMAX-Schedule-Type := 2,
WiMAX-Traffic-Priority := 0,
WiMAX-Maximum-Sustained-Traffic-Rate := 128000,
WiMAX-Media-Flow-Type := 2,
#WiMAX-QoS-Descriptor 2
# WiMAX-QoS-Descriptor:= 000103020C030204030205030006060001F400
WiMAX-QoS-Id := 2,
WiMAX-Schedule-Type := 2,
WiMAX-Traffic-Priority := 0,
WiMAX-Maximum-Sustained-Traffic-Rate := 1024000,
WiMAX-Media-Flow-Type := 2
########################################
With that configured, I get the following reply:
Mon Apr 6 17:39:35 2009
Packet-Type = Access-Accept
Service-Type := Framed-User
Framed-IP-Address := 172.16.3.33
3GPP2-Service-Option-Profile := 0x000000010104b001
WiMAX-Packet-Data-Flow-Id := 1
WiMAX-Service-Data-Flow-Id := 1
WiMAX-Direction := Bi-Directional
WiMAX-Activation-Trigger := 4
WiMAX-Transport-Type := IPv4-CS
WiMAX-Uplink-QOS-Id := 1
WiMAX-Downlink-QOS-Id := 2
WiMAX-QoS-Id := 1
WiMAX-Schedule-Type := Best-Effort
WiMAX-Traffic-Priority := 0
WiMAX-Maximum-Sustained-Traffic-Rate := 128000
WiMAX-Media-Flow-Type := Robust-Browser
WiMAX-QoS-Id := 2
WiMAX-Schedule-Type := Best-Effort
WiMAX-Traffic-Priority := 0
WiMAX-Maximum-Sustained-Traffic-Rate := 1024000
WiMAX-Media-Flow-Type := Robust-Browser
MS-MPPE-Recv-Key = 0x71ed589b8e837324d47495472db7da4dd6b0de3ec00989e1302fe293c667619c
MS-MPPE-Send-Key = 0x8d810a02c7ba85a7a6f43a8ade921b5828306c1f8a5ae3b07a4ca087edb8add6
EAP-MSK = 0x71ed589b8e837324d47495472db7da4dd6b0de3ec00989e1302fe293c667619c8d810a02c7ba85a7a6f43a8ade921b5828306c1f8a5ae3b07a4ca087edb8add6
EAP-EMSK = 0xa79a1c166e077a2e02f60d07980c6b46c334c78f24fb084cc31050d558f0d25f469961d048daf09dbdbbd0e6acbf1219926b1c39453f583c51e4b622e9a688c6
EAP-Message = 0x03720004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "00210400E0D7 at test.fr"
This is what I want, but in that case the CHAP challenge won't be sent to the
ASN (because MS-CHAP2-Success is commented out).
If I enable the MS-CHAP2-Success attribute, then the CHAP challenge is
sent, but the reply becomes:
Mon Apr 6 17:44:06 2009
Packet-Type = Access-Accept
Service-Type := Framed-User
Framed-IP-Address := 172.16.3.33
3GPP2-Service-Option-Profile := 0x000000010104b001
WiMAX-Packet-Data-Flow-Id := 1
WiMAX-Service-Data-Flow-Id := 1
WiMAX-Direction := Bi-Directional
WiMAX-Activation-Trigger := 4
WiMAX-Transport-Type := IPv4-CS
WiMAX-Uplink-QOS-Id := 1
WiMAX-Downlink-QOS-Id := 2
WiMAX-QoS-Id := 2
WiMAX-Schedule-Type := Best-Effort
WiMAX-Traffic-Priority := 0
WiMAX-Maximum-Sustained-Traffic-Rate := 1024000
WiMAX-Media-Flow-Type := Robust-Browser
MS-MPPE-Recv-Key = 0x8975a67313e522170555477b8af1736aa7d82bafcad34af2ea4a01b3284bf453
MS-MPPE-Send-Key = 0xcf575423d99ebcb96651472e306a1ef2d8740705dbe83343a97bdef699fc4f08
EAP-MSK = 0x8975a67313e522170555477b8af1736aa7d82bafcad34af2ea4a01b3284bf453cf575423d99ebcb96651472e306a1ef2d8740705dbe83343a97bdef699fc4f08
EAP-EMSK = 0xf1b5140862d8944cb3c4548b65faf80209f9d7a6432060534f63128d2554bb69abf81d0544068ce2c0c549ef620d5d217dd4857ba563709e014a4f14ad90dbbc
EAP-Message = 0x03fa0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "00210400E0D7 at test.fr"
-> In that case some of the WiMAX attributes are missing (actually these are
the attributes I've got twice with different values).
Do you have an idea how to explain that?
I agree that the post-proxy filter might not be the right tool for that (it
should be used to filter, and I use it to add new attributes); maybe I
should use policies instead?
Thanks
Thomas