Access Req from HA rejected

Ben Wiechman wiechman.lists at gmail.com
Sat Jun 27 00:12:04 CEST 2009


If you are not generating the original keying material (i.e. you are the
V-AAA) I would think you would need to proxy this request to the H-AAA as
well, as the required keys are going to be available there. You are not
receiving the WiMAX-vHA-IP-MIP4 which would indicate that the V-AAA is
capable of assigning the required keys.

From the Steel Belted docs:
6. The home agent performs an authentication check by sending the HAAA
server an Access-Request message requesting its cryptographic keys for the
Mobile IP session. The Access-Request message contains the home agent’s
cryptographic keys (MN-HA-MIP4-SPI and HA-RK-SPI).
7. The HAAA server responds to the Access-Request message by sending the
home agent an Access-Accept message containing its cryptographic keys:
MN-HA-MIP4-KEY, MN-HA-MIP4-SPI, HA-RK-KEY, HA-RK-SPI, and
HA-RK-Lifetime.

Ben

From: freeradius-users-bounces+wiechman.lists=gmail.com at lists.freeradius.org
[mailto:freeradius-users-bounces+wiechman.lists=gmail.com at lists.freeradius.org] On Behalf Of Kiran Kumar
Sent: Thursday, June 18, 2009 4:58 AM
To: freeradius-users at lists.freeradius.org
Subject: Access Req from HA rejected

Hi All,

I am using FreeRADIUS to test Proxy Authentication from H-AAA; the
initial Authentication (proxied through H-AAA) goes through fine. But the HA
then triggers an Access Request message (we are using PMIP), but this fails
at FreeRADIUS. I suspect this is because the HA root keys etc. are not
generated by FreeRADIUS but by the H-AAA. Can you please let me know what
configuration needs to be done to get this scenario working?


Sending Access-Accept of id 161 to 10.142.139.65 port 52687
        MS-MPPE-Recv-Key = 0x6ef829271559b13ef642c20c60522275590132e27a5b64d744e77799f12508b0
        MS-MPPE-Send-Key = 0x3b0dfc2d198cebbd3fe32e9b3a8e1fad36f26f1b8595ea5cd1698eb52d29d872
        EAP-Message = 0x03080004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "user at isp2.wimaxlab.com"
Finished request 7.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Access-Request packet from host 10.142.139.65 port 52687, id=162, length=201
        User-Name = "user at isp2.wimaxlab.com"
        NAS-IP-Address = 10.142.139.68
        Service-Type = Framed-User
        Framed-IP-Address = 0.0.0.0
        Vendor-Specific = 0x00001fe4180600000003
        Vendor-Specific = 0x00001fe4a9060a8e8b46
        WiMAX-Release = "1.0"
        WiMAX-Accounting-Capabilities = 3
        WiMAX-GMT-Timezone-offset = 3600
        WiMAX-hHA-IP-MIP4 = 10.142.139.70
        WiMAX-MN-hHA-MIP4-SPI = 512
        WiMAX-HA-RK-SPI = 512
        NAS-Identifier = "HA_ISP1"
        Event-Timestamp = "Jun 18 2009 09:36:50 GMT"
        Message-Authenticator = 0x7fc30b3f450c08556a469367efb2d166
        Chargeable-User-Identity = "NUL"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "isp2.wimaxlab.com" for User-Name = "user at isp2.wimaxlab.com"
[suffix] No such realm "isp2.wimaxlab.com"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry user at isp2.wimaxlab.com at line 205
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No User-Password or CHAP-Password attribute in the request.
Cannot perform authentication.
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> user at isp2.wimaxlab.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.1 seconds.




Thanks and Regards,
Kiran Kumar.B
WiMAX Test Engineer
Fujitsu Telecommunications Europe
Solihull Parkway, Birmingham B37 7YU
Work Phone: +44 (0) 121 717 6299
Mobile: +44 (0) 7549 203 655
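
A triage helper for debug output like the log in this thread, added here as an example (not code from the thread or from FreeRADIUS): it flags received requests that carry the WiMAX SPI attributes but no credentials, and reports whether a realm matched and whether local authentication failed. The sample log, its addresses and the names `split_requests` and `triage` are constructed for illustration.

```python
import re

# Constructed sample modelled on the debug output quoted above; not a real capture.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 52687, id=162, length=201
        User-Name = "user@example.test"
        WiMAX-MN-hHA-MIP4-SPI = 512
        WiMAX-HA-RK-SPI = 512
+- entering group authorize {...}
[suffix] No such realm "example.test"
Failed to authenticate the user.
rad_recv: Access-Request packet from host 192.0.2.10 port 52687, id=163, length=120
        EAP-Message = 0x0201000501
+- entering group authorize {...}
"""

RECV = re.compile(r"^rad_recv: \S+ packet from host \S+ port \d+, id=(\d+)")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = (.*)$")
CREDENTIALS = {"User-Password", "CHAP-Password", "EAP-Message"}
KEY_REQUEST = {"WiMAX-MN-hHA-MIP4-SPI", "WiMAX-HA-RK-SPI"}

def split_requests(text):
    """Return [(packet id, request attributes, server log lines)] per received packet."""
    requests = []
    for line in text.splitlines():
        start = RECV.match(line)
        if start:
            requests.append((int(start.group(1)), {}, []))
        elif requests:
            _, attrs, log = requests[-1]
            attr = ATTR.match(line)
            if attr and not log:      # attribute lines come before module output
                attrs[attr.group(1)] = attr.group(2)
            else:
                log.append(line)
    return requests

def triage(text):
    """Map packet id -> reasons an HA key request was answered locally and rejected."""
    findings = {}
    for pkt_id, attrs, log in split_requests(text):
        notes = []
        if KEY_REQUEST & attrs.keys() and not CREDENTIALS & attrs.keys():
            notes.append("HA key request: SPIs present, no credentials")
            if any("No such realm" in entry for entry in log):
                notes.append("no realm matched: not proxied")
            if any("Failed to authenticate" in entry for entry in log):
                notes.append("local authentication failed")
        findings[pkt_id] = notes
    return findings
```

Call `triage()` on saved debug output; an empty list for a packet id means that request was not classified as an HA key request.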
 
    





