Access Req from HA rejected

Ivan Kalik tnt at kalik.net
Thu Jun 18 12:19:17 CEST 2009


> I am using the Free Radius to test Proxy Authentication from H-AAA, the
> initial Authentication (proxied through H-AAA) goes through fine. But the
> HA then triggers an Access Request message (we are using PMIP), but this
> fails at the Free radius.

Because this request is not in any authentication protocol known to man.

> I suspect this is because the HA root keys etc
> are not generated by Free radius but by the H-AAA. Can you please let me
> know what configuration needs to be done to get this scenario working.
>
> rad_recv: Access-Request packet from host 10.142.139.65 port 52687,
> id=162, length=201
>
>         User-Name = "user at isp2.wimaxlab.com"
>
>         NAS-IP-Address = 10.142.139.68
>
>         Service-Type = Framed-User
>
>         Framed-IP-Address = 0.0.0.0
>
>         Vendor-Specific = 0x00001fe4180600000003
>
>         Vendor-Specific = 0x00001fe4a9060a8e8b46
>
>         WiMAX-Release = "1.0"
>
>         WiMAX-Accounting-Capabilities = 3
>
>         WiMAX-GMT-Timezone-offset = 3600
>
>         WiMAX-hHA-IP-MIP4 = 10.142.139.70
>
>         WiMAX-MN-hHA-MIP4-SPI = 512
>
>         WiMAX-HA-RK-SPI = 512
>
>         NAS-Identifier = "HA_ISP1"
>
>         Event-Timestamp = "Jun 18 2009 09:36:50 GMT"
>
>         Message-Authenticator = 0x7fc30b3f450c08556a469367efb2d166
>
>         Chargeable-User-Identity = "NUL"
>

There should be a field with password in there (User-Password,
EAP-Message, whatever). Ask H-AAA people how to fix the equipment so it
generates requests that do make sense. Some wimax equipment requires mppe
key to be removed from Access-Accept packet. If that is the case adjust it
in wimax module (raddb/modules/wimax).

Ivan Kalik
Kalik Informatika ISP




More information about the Freeradius-Users mailing list