WiMAX Home Agent Authentication

Alan DeKok aland at deployingradius.com
Fri Dec 10 12:36:24 CET 2010


Marck Gorszwick wrote:
> We're doing some work with integrating FreeRADIUS using EAP-TLS into a network with Hitachi ASN-GW and Cisco HA that only uses Mobile-IP.  We successfully pass phase-1 authentication, and generate the appropriate keying material for the HA, but at phase-2 authentication we fail, since the MN-hHA-MIP4-KEY is not stored.

  Exactly.

> The rlm_wimax module implies that the HA authentication portion needs to retrieve the MN-hHA-MIP4-KEY from a store based on the SPI in the request, a couple questions:
> 
> -Does FreeRADIUS have any way of linking the two authentications,

  A database.  Store the attributes in a database, and retrieve them the
second time around.  See raddb/sql/mysql/wimax.*

> and can the TLS session cache be used to store the TLVs from phase 1 access accept,

  Yes, but they will disappear when the server restarts.

> or does it need to be done externally?  If it can be cached within FreeRADIUS, how?

  They need to be cached in a DB.

> -FreeRADIUS complains that this phase-2 authentication has no known Auth-Type.  What needs to be done to have FreeRADIUS consider this?  Can we just pre-process or HINT the request to accept it with the when we have the appropriate KEY? 

  Look up the session data in the database, and if it matches, set
"Auth-Type := Accept".

  Alan DeKok.
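
Added example, not part of the original message and not FreeRADIUS code: a minimal model of the flow described in the reply, where the key is persisted under its SPI after phase 1 and the phase-2 lookup decides the result. The table, column and function names are hypothetical, and matching on the user name and enforcing a lifetime are assumptions about what "if it matches" should cover.

```python
import os
import sqlite3
import tempfile

# Hypothetical table for this sketch; not the schema in raddb/sql/mysql/wimax.*
SCHEMA = """CREATE TABLE IF NOT EXISTS mip_keys (
    spi TEXT PRIMARY KEY, username TEXT NOT NULL,
    mip_key TEXT NOT NULL, expires INTEGER NOT NULL)"""

def open_store(path):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db

def store_phase1(db, spi, username, mip_key_hex, lifetime, now):
    """Phase 1 (after the EAP-TLS Access-Accept): persist the key under its SPI."""
    db.execute("INSERT OR REPLACE INTO mip_keys VALUES (?, ?, ?, ?)",
               (spi.lower(), username, mip_key_hex, now + lifetime))
    db.commit()

def authorize_phase2(db, spi, username, now):
    """Phase 2 (HA request): Accept only if a live row matches SPI and user."""
    row = db.execute(
        "SELECT username, mip_key, expires FROM mip_keys WHERE spi = ?",
        (spi.lower(),)).fetchone()
    if row is None or row[0] != username or row[2] <= now:
        return ("Reject", None)   # unknown SPI, wrong user, or expired key
    return ("Accept", row[1])     # analogue of setting Auth-Type := Accept

def demo():
    """Constructed values; the reopen stands in for a server restart."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wimax.db")
        db = open_store(path)
        store_phase1(db, "0x1A2B3C4D", "mn@example.org", "00112233", 3600, now=1000)
        db.close()
        db = open_store(path)  # "restart": the key is still there
        results = {
            "live": authorize_phase2(db, "0x1a2b3c4d", "mn@example.org", now=2000),
            "expired": authorize_phase2(db, "0x1a2b3c4d", "mn@example.org", now=4600),
            "unknown_spi": authorize_phase2(db, "0xdeadbeef", "mn@example.org", now=2000),
            "wrong_user": authorize_phase2(db, "0x1a2b3c4d", "x@example.org", now=2000),
        }
        db.close()
        return results

if __name__ == "__main__":
    print(demo())
```

Opening the store with the path ":memory:" instead of a file gives the behaviour of a cache that is lost on restart.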


