[Wimax TTLS with Alcatel - Lucent ASN GW]

Jayanth1 jayanthbr at yahoo.com
Sun Apr 26 00:02:55 CEST 2009


Hi Thomas,
I am trying to use freeradius as AAA server with ASNGW to authenticate WiMAX
device. Would you be kind enough to provide details on how to configure
freeradius for this? I saw that you were successful in getting it working
and did not want to reinvent the wheel.

Thanks a lot in advance..
Jayanth


Thomas Fagart wrote:
> 
> Hello,
> 
> First, thanks again for this new release that adds very interesting
> features for debug, especially raddebug and radmin.
> 
> Using basic setup, Freeradius successfully authenticates requests coming
> from CPE Wimax through ASN Alcatel GW (called WAC) using EAP/TTLS
> 
> Fri Apr  3 01:05:10 2009 : Auth: Login OK: [00210400E0D7 at test.fr/<via Auth-Type = EAP>] (from client wimax port 0 cli 00-21-04-00-E0-D7)
> Fri Apr  3 01:05:19 2009 : Auth: Login OK: [cpe2-lab at test.fr/<via Auth-Type = mschap>] (from client wimax port 0 via TLS tunnel)
> 
> I now have 2 issues with properly filling the Access-Accept with the
> correct attributes. (These needs might be weird, but it is the way this
> ASN GW works.)
> 
> 1. I would like the outer Access-Accept to contain attributes coming
> from the inner Access-Accept.
> 
> So I tried to use update outer.reply in the post-auth section of the
> inner-tunnel virtual server:
> 
>         update outer.reply {
>                 #User-Name = "%{request:User-Name}"
>                 WiMAX-Packet-Data-Flow-Id = "%{request:WiMAX-Packet-Data-Flow-Id}"
>         }
> 
> But as I understand, you can only use "request" from the inner tunnel,
> but not the attributes contained in the reply of the inner tunnel. Is
> that true? Is there a way to do that?
> 
> To be more precise this is the reply in the inner tunnel
> 
> Fri Apr  3 01:13:33 2009
>         Packet-Type = Access-Accept
>         WiMAX-Packet-Data-Flow-Id = 1
>         WiMAX-Service-Data-Flow-Id = 1
>         WiMAX-Service-Profile-Id = 1
>         WiMAX-Direction = Bi-Directional
>         WiMAX-QoS-Id = 1
>         WiMAX-Media-Flow-Type = Robust-Browser
>         WiMAX-Schedule-Type = Best-Effort
>         WiMAX-Traffic-Priority = 0
>         WiMAX-Maximum-Sustained-Traffic-Rate = 512000
>         MS-CHAP2-Success = 0xdf533d37443041423038393133393032414333353841304630414336383132453546434243364130323046
>         MS-MPPE-Recv-Key = 0x1d7c9b57392b589e2849640bad969199
>         MS-MPPE-Send-Key = 0x4aa107e5fa9573846af44d21c5080749
>         MS-MPPE-Encryption-Policy = 0x00000001
>         MS-MPPE-Encryption-Types = 0x00000006
> 
> and the one in the outer tunnel
> 
> Fri Apr  3 01:13:34 2009
>         Packet-Type = Access-Accept
>         MS-MPPE-Recv-Key = 0x6b185c55d7785700e6f52c9ae0160945476aa4ab9e5b699dc6cffb5427c06395
>         MS-MPPE-Send-Key = 0x009d98e233e6911f97346381a77e90d01b7d41b3aa82dbf6ce56f54bb9b2598b
>         EAP-MSK = 0x6b185c55d7785700e6f52c9ae0160945476aa4ab9e5b699dc6cffb5427c06395009d98e233e6911f97346381a77e90d01b7d41b3aa82dbf6ce56f54bb9b2598b
>         EAP-EMSK = 0xc5f48626093f9313c5090254ffc375d4594bf6570025a260801e4b8d0ff852167d0748bd50b27d214b0ee67c1bbe1a4395faf094a8cb56663177fa8f32586f40
>         EAP-Message = 0x03f00004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "00210400E0D7 at test.fr"
> 
> 
> I would like the reply of the outer tunnel to contain all the WiMAX
> attributes I got in the inner one.
> 
> 
> 2. For some weird reason again, the Alcatel ASN needs to receive the same
> attribute two times with different values (actually this is
> WiMAX-QoS-Descriptor, a TLV attribute).
> I guess this is not very compliant with the RFC, but is there a way to
> send the same attribute 2 times in the same reply?
> 
> I've tried that, but without surprise this sends only the first part of
> the attribute:
> 
> cpe2-lab at test.fr Cleartext-Password := "xxx"
>         WiMAX-Packet-Data-Flow-Id=1,
>         WiMAX-Service-Data-Flow-Id=1,
>         WiMAX-Service-Profile-Id=1,
>         WiMAX-Direction=Bi-Directional,
>         WiMAX-QoS-Id=01,
>         WiMAX-Media-Flow-Type=Robust-Browser,
>         WiMAX-Schedule-Type=BEST-EFFORT,
>         WiMAX-Traffic-Priority=0,
>         WiMAX-Maximum-Sustained-Traffic-Rate=512000,
>         WiMAX-QoS-Id=02,
>         WiMAX-Media-Flow-Type=Robust-Browser,
>         WiMAX-Schedule-Type=BEST-EFFORT,
>         WiMAX-Traffic-Priority=0,
>         WiMAX-Maximum-Sustained-Traffic-Rate=512000
> 
> 
> Maybe using the perl module in post-auth?
> 
> 
> Thanks
> 
> Thomas Fagart
> 
> 
> 
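
Added example, not part of the original messages and not FreeRADIUS's shipped configuration: a sketch for FreeRADIUS 2.x of the two stock mechanisms that bear on question 1 in the quoted message. It assumes the `%{reply:...}` expansion and the `use_tunneled_reply` option of the `ttls` section; the file names are the usual defaults and are an assumption.

```conf
# --- sites-available/inner-tunnel, post-auth section (assumed default path) ---
# "%{request:...}" expands from the inner Access-Request. The WiMAX
# attributes in the quoted debug output are in the inner *reply* list,
# so they are expanded from "reply" here and copied to the outer reply.
# An expansion of this form returns one value per attribute name.
post-auth {
        update outer.reply {
                WiMAX-Packet-Data-Flow-Id  = "%{reply:WiMAX-Packet-Data-Flow-Id}"
                WiMAX-Service-Data-Flow-Id = "%{reply:WiMAX-Service-Data-Flow-Id}"
                WiMAX-Service-Profile-Id   = "%{reply:WiMAX-Service-Profile-Id}"
                WiMAX-Direction            = "%{reply:WiMAX-Direction}"
        }
}

# --- eap.conf, inside eap { ... } (assumed default path) ---
# Alternative: have the EAP-TTLS module build the reply to the NAS from
# the reply to the tunneled request instead of copying attributes by hand.
ttls {
        use_tunneled_reply = yes
}
```

Copying named attributes keeps the outer Access-Accept limited to what the ASN GW needs; whichever option is used, compare the outer reply in debug output against the inner one before relying on it.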
