WiMAX Home Agent Authentication

Marck Gorszwick marck at grid-net.com
Fri Dec 10 04:39:10 CET 2010


Hi All-
We're doing some work with integrating FreeRADIUS using EAP-TLS into a network with Hitachi ASN-GW and Cisco HA that only uses Mobile-IP.  We successfully pass phase-1 authentication, and generate the appropriate keying material for the HA, but at phase-2 authentication we fail, since the MN-hHA-MIP4-KEY is not stored.

The rlm_wimax module implies that the HA authentication portion needs to retrieve the MN-hHA-MIP4-KEY from a store based on the SPI in the request. A couple of questions:

-Does FreeRADIUS have any way of linking the two authentications, and can the TLS session cache be used to store the TLVs from the phase-1 Access-Accept, or does it need to be done externally?  If it can be cached within FreeRADIUS, how?

-FreeRADIUS complains that this phase-2 authentication has no known Auth-Type.  What needs to be done to have FreeRADIUS consider this?  Can we just pre-process or HINT the request to accept it when we have the appropriate KEY?



Phase 1 Access-Accept:

Sending Access-Accept of id 227 to 172.17.10.10 port 1814
	EAP-Message = 0x030d0004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "anonymous at grid-net.com"
	WiMAX-IP-Technology = PMIP4
	WiMAX-FA-RK-Key = 0x4cf2d4149289d9a0ce8cbeb264cdb41206fc679a
	Chargeable-User-Identity = "gridnet"
	WiMAX-NSP-Id = 0x000021
	WiMAX-hHA-IP-MIP4 = 172.29.163.6
	Service-Type = Framed-User
	WiMAX-Accounting-Capabilities = IP-Session-Based
	WiMAX-Idle-Mode-Notification-Cap = Not-Supported
	WiMAX-AAA-Session-Id = 0x12346789012345678901
	WiMAX-DNS-Server = 1.2.3.4
	WiMAX-MSK = 0x4b0b12e1ea34fea4ae762a3d63eda2ed3bbb446bcc46f25af546f35b47a26bc287017df6af42587c4b46cacf960812c00d212635324bca42bd96172b346e56e6
	WiMAX-MN-hHA-MIP4-Key = 0x468d6588a03a1096acfd145a946b9dec0b8c44d2
	WiMAX-MN-hHA-MIP4-SPI = 754533938
	WiMAX-FA-RK-SPI = 754533937
	Proxy-State = 0x313630
Wed Dec  8 16:33:45 2010 : Info: Finished request 491.
Wed Dec  8 16:33:45 2010 : Debug: Going to the next request
Wed Dec  8 16:33:45 2010 : Debug: Waking up in 0.2 seconds.
Wed Dec  8 16:33:45 2010 : Info: Cleaning up request 484 ID 191 with timestamp +1844
Wed Dec  8 16:33:45 2010 : Debug: Waking up in 0.2 seconds.
Wed Dec  8 16:33:45 2010 : Info: Cleaning up request 485 ID 217 with timestamp +1844
Wed Dec  8 16:33:45 2010 : Debug: Waking up in 0.3 seconds.
Wed Dec  8 16:33:46 2010 : Info: Cleaning up request 486 ID 188 with timestamp +1845
Wed Dec  8 16:33:46 2010 : Debug: Waking up in 0.3 seconds.
Wed Dec  8 16:33:46 2010 : Info: Cleaning up request 487 ID 111 with timestamp +1845
Wed Dec  8 16:33:46 2010 : Debug: Waking up in 0.4 seconds.
Wed Dec  8 16:33:46 2010 : Info: Cleaning up request 488 ID 30 with timestamp +1845
Wed Dec  8 16:33:46 2010 : Debug: Waking up in 2.7 seconds.
Wed Dec  8 16:33:49 2010 : Info: Cleaning up request 489 ID 67 with timestamp +1848
Wed Dec  8 16:33:49 2010 : Debug: Waking up in 0.3 seconds.
Wed Dec  8 16:33:49 2010 : Info: Cleaning up request 490 ID 35 with timestamp +1848
Wed Dec  8 16:33:49 2010 : Debug: Waking up in 0.3 seconds.
Wed Dec  8 16:33:50 2010 : Info: Cleaning up request 491 ID 227 with timestamp +1849
Wed Dec  8 16:33:50 2010 : Info: Ready to process requests.




And Phase-2 Access-Request:

rad_recv: Access-Request packet from host 172.17.10.10 port 1814, id=168, length=153
	WiMAX-HA-IP-MIP4 = 172.29.163.6
	WiMAX-NSP-Id = 0x000021
	NAS-Identifier = "xxxxx"
	User-Name = "anonymous at grid-net.com"
	WiMAX-Release = "01.0"
	WiMAX-Accounting-Capabilities = IP-Session-Based
	WiMAX-Hotlining-Capabilities = Not-Supported
	WiMAX-MN-hHA-MIP4-SPI = 754533938
	Chargeable-User-Identity = ""
	Framed-IP-Address = 10.24.0.100
	Message-Authenticator = 0xee2061e520a73223364859f2c0822248
	NAS-IP-Address = 172.29.176.37
	Proxy-State = 0x313631
Wed Dec  8 16:33:58 2010 : Info: # Executing section authorize from file /opt/local/etc/raddb/sites-enabled/default
Wed Dec  8 16:33:58 2010 : Info: +- entering group authorize {...}
Wed Dec  8 16:33:58 2010 : Info: ++[preprocess] returns ok
Wed Dec  8 16:33:58 2010 : Info: ++[chap] returns noop
Wed Dec  8 16:33:58 2010 : Info: ++[mschap] returns noop
Wed Dec  8 16:33:58 2010 : Info: ++[wimax] returns ok
Wed Dec  8 16:33:58 2010 : Info: [suffix] Looking up realm "grid-net.com" for User-Name = "anonymous at grid-net.com"
Wed Dec  8 16:33:58 2010 : Info: [suffix] No such realm "grid-net.com"
Wed Dec  8 16:33:58 2010 : Info: ++[suffix] returns noop
Wed Dec  8 16:33:58 2010 : Info: [eap] No EAP-Message, not doing EAP
Wed Dec  8 16:33:58 2010 : Info: ++[eap] returns noop
Wed Dec  8 16:33:58 2010 : Info: ++[unix] returns notfound
Wed Dec  8 16:33:58 2010 : Info: [files] users: Matched entry DEFAULT at line 34
Wed Dec  8 16:33:58 2010 : Info: ++[files] returns ok
Wed Dec  8 16:33:58 2010 : Info: ++[expiration] returns noop
Wed Dec  8 16:33:58 2010 : Info: ++[logintime] returns noop
Wed Dec  8 16:33:58 2010 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Wed Dec  8 16:33:58 2010 : Info: ++[pap] returns noop
Wed Dec  8 16:33:58 2010 : Info: 	expand: %{request:User-Name} -> anonymous at grid-net.com
Wed Dec  8 16:33:58 2010 : Info: ++[reply] returns noop
Wed Dec  8 16:33:58 2010 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Wed Dec  8 16:33:58 2010 : Info: Failed to authenticate the user.
Wed Dec  8 16:33:58 2010 : Auth: Login incorrect: [anonymous at grid-net.com/<no User-Password attribute>] (from client winghead port 0)
Wed Dec  8 16:33:58 2010 : Info: Using Post-Auth-Type Reject
Wed Dec  8 16:33:58 2010 : Info: # Executing group from file /opt/local/etc/raddb/sites-enabled/default
Wed Dec  8 16:33:58 2010 : Info: +- entering group REJECT {...}
Wed Dec  8 16:33:58 2010 : Info: [attr_filter.access_reject] 	expand: %{User-Name} -> anonymous at grid-net.com
Wed Dec  8 16:33:58 2010 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Wed Dec  8 16:33:58 2010 : Info: ++[attr_filter.access_reject] returns updated
Wed Dec  8 16:33:58 2010 : Info: Delaying reject of request 492 for 1 seconds
Wed Dec  8 16:33:58 2010 : Debug: Going to the next request
Wed Dec  8 16:33:58 2010 : Debug: Waking up in 0.9 seconds.
Wed Dec  8 16:33:59 2010 : Info: Sending delayed reject for request 492
Sending Access-Reject of id 168 to 172.17.10.10 port 1814
	Proxy-State = 0x313631
Wed Dec  8 16:33:59 2010 : Debug: Waking up in 4.9 seconds.
Wed Dec  8 16:34:04 2010 : Info: Cleaning up request 492 ID 168 with timestamp +1862
Wed Dec  8 16:34:04 2010 : Info: Ready to process requests.
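The linkage the post is asking about, shown as an added example that is not part of the original message and not FreeRADIUS's rlm_wimax code: phase 1 emits WiMAX-MN-hHA-MIP4-Key together with WiMAX-MN-hHA-MIP4-SPI in the Access-Accept, while the HA's phase-2 Access-Request carries only the SPI (and names the HA as WiMAX-HA-IP-MIP4 rather than WiMAX-hHA-IP-MIP4), so whatever store sits between the two phases must be keyed by SPI. The code below parses packet dumps in the same `Name = value` layout as the traces above (the two dumps are constructed samples with placeholder addresses and a placeholder key, not copied from the post), records the key by SPI with a TTL, and checks a phase-2 request against it. The in-memory dict stands in for whatever external store (SQL, redis, a Perl/Python module) a deployment would actually use; that choice is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# One attribute line of a FreeRADIUS packet dump: "<tab>Name = value".
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')

# Constructed sample dumps (placeholder addresses/key, same layout as the post's traces).
PHASE1_ACCEPT = (
    "Sending Access-Accept of id 227 to 192.0.2.10 port 1814\n"
    "\tUser-Name = \"anonymous@example.net\"\n"
    "\tWiMAX-hHA-IP-MIP4 = 192.0.2.6\n"
    "\tWiMAX-MN-hHA-MIP4-Key = 0x000102030405060708090a0b0c0d0e0f10111213\n"
    "\tWiMAX-MN-hHA-MIP4-SPI = 754533938\n"
    "\tWiMAX-FA-RK-SPI = 754533937\n"
)
PHASE2_REQUEST = (
    "rad_recv: Access-Request packet from host 192.0.2.10 port 1814, id=168, length=153\n"
    "\tWiMAX-HA-IP-MIP4 = 192.0.2.6\n"
    "\tUser-Name = \"anonymous@example.net\"\n"
    "\tWiMAX-MN-hHA-MIP4-SPI = 754533938\n"
    "\tFramed-IP-Address = 10.24.0.100\n"
)


def parse_attrs(dump: str) -> Dict[str, str]:
    """Parse the attribute lines of a packet dump into a dict.

    Header lines ("Sending Access-Accept ...", "rad_recv: ...") do not match the
    attribute pattern and are skipped; quoted string values lose their quotes.
    """
    attrs: Dict[str, str] = {}
    for line in dump.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


@dataclass
class MipKeyEntry:
    key: bytes        # MN-hHA-MIP4-Key derived in phase 1
    hha_ip: str       # home HA the key was issued for (WiMAX-hHA-IP-MIP4)
    user: str
    expires_at: float


class MipKeyStore:
    """SPI -> MN-hHA-MIP4-Key store linking the phase-1 and phase-2 authentications."""

    def __init__(self, ttl_seconds: float = 3600.0):
        self.ttl = ttl_seconds
        self._entries: Dict[int, MipKeyEntry] = {}

    def learn_from_accept(self, attrs: Dict[str, str], now: float) -> Optional[int]:
        """Record the key from a phase-1 Access-Accept; return its SPI, or None if absent."""
        try:
            spi = int(attrs['WiMAX-MN-hHA-MIP4-SPI'])
            key = bytes.fromhex(attrs['WiMAX-MN-hHA-MIP4-Key'][2:])  # strip the 0x prefix
        except (KeyError, ValueError):
            return None
        self._entries[spi] = MipKeyEntry(
            key=key,
            hha_ip=attrs.get('WiMAX-hHA-IP-MIP4', ''),
            user=attrs.get('User-Name', ''),
            expires_at=now + self.ttl,
        )
        return spi

    def check_request(self, attrs: Dict[str, str], now: float) -> Tuple[Optional[bytes], str]:
        """Validate a phase-2 Access-Request against the store.

        Returns (key, "ok") when the SPI is known, unexpired and was issued for the
        HA that is asking; otherwise (None, reason). The reason is safe to log, the
        key is not. Expired entries are dropped so derived key material does not linger.
        """
        spi_text = attrs.get('WiMAX-MN-hHA-MIP4-SPI')
        if spi_text is None:
            return None, 'no WiMAX-MN-hHA-MIP4-SPI in request'
        try:
            spi = int(spi_text)
        except ValueError:
            return None, 'malformed SPI'
        entry = self._entries.get(spi)
        if entry is None:
            return None, f'unknown SPI {spi}'
        if now >= entry.expires_at:
            del self._entries[spi]
            return None, f'SPI {spi} expired'
        if attrs.get('WiMAX-HA-IP-MIP4') != entry.hha_ip:
            return None, f'SPI {spi} not issued for HA {attrs.get("WiMAX-HA-IP-MIP4")}'
        return entry.key, 'ok'


def demo() -> Tuple[str, str, str]:
    """Run the two dumps through the store: fresh request, wrong HA, expired entry."""
    store = MipKeyStore(ttl_seconds=600)
    t0 = 1000.0
    store.learn_from_accept(parse_attrs(PHASE1_ACCEPT), now=t0)
    req = parse_attrs(PHASE2_REQUEST)
    _, fresh = store.check_request(req, now=t0 + 5)
    _, wrong_ha = store.check_request({**req, 'WiMAX-HA-IP-MIP4': '192.0.2.99'}, now=t0 + 5)
    _, expired = store.check_request(req, now=t0 + 601)
    return fresh, wrong_ha, expired


if __name__ == '__main__':
    print(demo())
```

Only the lookup is shown; what the server does with a successful lookup is a configuration matter. In FreeRADIUS, `Auth-Type := Accept` is the standard way to accept a request that carries no password once policy has validated it, which is the situation the phase-2 request above is in.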



More information about the Freeradius-Users mailing list