Access Req from HA rejected

Ben Wiechman wiechman.lists at
Sat Jun 27 00:12:04 CEST 2009

If you are not generating the original keying material (i.e. you are the
V-AAA) I would think you would need to proxy this request to the H-AAA as
well as the required keys are going to be available there. You are not
receiving the WiMAX-vHA-IP-MIP4 which would indicate that the V-AAA is
capable of assigning the required keys.

>From the Steel Belted docs:
6. The home agent performs an authentication check by sending the HAAA
an Access-Request message requesting its cryptographic keys for the Mobile
session. The Access-Request message contains the home agent’s cryptographic
keys (MN-HA-MIP4-SPI and HA-RK-SPI).
7. The HAAA server responds to the Access-Request message by sending the
home agent an Access-Accept message containing its cryptographic keys:


From: at
[ at lists.freeradius.o
rg] On Behalf Of Kiran Kumar
Sent: Thursday, June 18, 2009 4:58 AM
To: freeradius-users at
Subject: Access Req from HA rejected

Hi All,

I am using the Free Radius to test Proxy Authentication from H-AAA, the
initial Authentication (proxied through H-AAA) goes through fine. But the HA
then triggers an Access Request message (we are using PMIP), but this fails
at the Free radius. I suspect this is because the HA root keys etc are not
generated by Free radius but by the H-AAA. Can you please let me know what
configuration needs to be done to get this scenario working

Sending Access-Accept of id 161 to port 52687
        MS-MPPE-Recv-Key =
        MS-MPPE-Send-Key =
        EAP-Message = 0x03080004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "user at"
Finished request 7.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Access-Request packet from host port 52687, id=162,
        User-Name = "user at"
        NAS-IP-Address =
        Service-Type = Framed-User
        Framed-IP-Address =
        Vendor-Specific = 0x00001fe4180600000003
        Vendor-Specific = 0x00001fe4a9060a8e8b46
        WiMAX-Release = "1.0"
        WiMAX-Accounting-Capabilities = 3
        WiMAX-GMT-Timezone-offset = 3600
        WiMAX-hHA-IP-MIP4 =
        WiMAX-MN-hHA-MIP4-SPI = 512
        WiMAX-HA-RK-SPI = 512
        NAS-Identifier = "HA_ISP1"
        Event-Timestamp = "Jun 18 2009 09:36:50 GMT"
        Message-Authenticator = 0x7fc30b3f450c08556a469367efb2d166
        Chargeable-User-Identity = "NUL"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "" for User-Name =
"user at"
[suffix] No such realm ""
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry user at at line 205
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No User-Password or CHAP-Password attribute in the request.
Cannot perform authentication.
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} ->
user at
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.1 seconds.

Thanks and Regards,
Kiran Kumar.B
WiMAX Test Engineer
Fujitsu Telecommunications Europe
Solihull Parkway, Birmingham B37 7YU
Work Phone: +44 (0) 121 717 6299
Mobile: +44 (0) 7549 203 655

More information about the Freeradius-Users mailing list