Freeradius + Alvarion 4Motion specify filter-id value in access-accept from value in user conf file ?
David Peterson
davidp at wirelessconnections.net
Wed Jun 1 14:06:31 CEST 2011
I just use Framed-Filter-Id = "profilename" in the reply.

When you added:

update reply {
    WiMAX-FA-RK-Key = 0x00
    WiMAX-MSK = "%{reply:EAP-MSK}"
    Filter-Id = "Profile1"
}

That replies with only 1 filter ID. Take the Filter-Id out and keep it in
the users file:

cpe1@eads.com Cleartext-Password := "cpe1"
    Session-Timeout = 3600,
    Termination-Action = Radius-Request,
    Filter-Id = "Profile1"

David
-----Original Message-----
From: Hahusseau, Thomas [mailto:thomas.hahusseau at cassidian.com]
Sent: Wednesday, June 01, 2011 5:12 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: RE: Freeradius + Alvarion 4Motion specify filter-id value in
access-accept from value in user conf file ?
Hello,
My Wimax device requires MPPE keys to be sent in the access accept; if I change
that setting in module/wimax from no to yes, the wimax doesn't connect anymore.
My problem is not getting my Wimax device connected; that's already done.
My problem is that I want specific values of the "Filter-Id" attribute sent in
the access-accept according to the user-name sent in the access-request.
Filter-ID = "Profile1" when user CPE1@eads.com is trying to connect.
Filter-ID = "Profile2" when user CPE2@eads.com is trying to connect.
Regards,
Thomas
PS: Uncommenting the "wimax" lines in the site-enable and inner-tunnel conf
files is already done.
-----Original Message-----
From:
freeradius-users-bounces+thomas.hahusseau=cassidian.com at lists.freeradius.org
[mailto:freeradius-users-bounces+thomas.hahusseau=cassidian.com at lists.freeradius.org]
On Behalf Of David Peterson
Sent: Tuesday, May 31, 2011 19:31
To: 'FreeRadius users mailing list'
Subject: RE: Freeradius + Alvarion 4Motion specify filter-id value in
access-accept from value in user conf file ?
Make sure you configure FR to delete the MPPE keys. This can be found in
the /modules/wimax file. Set the value from No to Yes.
As well, you need to configure the server to use the inner-tunnel. I would
start from the default FR settings, uncomment the wimax entries you see in
sites-available/default and sites-available/inner-tunnel, make the change in
the /modules/wimax file and make sure your profile names match as this is
case sensitive.
David
-----Original Message-----
From:
freeradius-users-bounces+david.peterson=acc-corp.net at lists.freeradius.org
[mailto:freeradius-users-bounces+david.peterson=acc-corp.net at lists.freeradius.org]
On Behalf Of Hahusseau, Thomas
Sent: Tuesday, May 31, 2011 1:18 PM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius + Alvarion 4Motion specify filter-id value
in access-accept from value in user conf file ?
Hello,
I'm running the latest version from the Master Branch of Freeradius. I managed to
connect an Alvarion CPE to an Alvarion 4M BS with Freeradius server as
authenticator. Everything works well except that I directly specified in my
/site-enable/default configuration file the value of "Filter-Id" attribute
required by the base station.
----------- /site-enabled/default
post-auth {
    exec
    update request {
        WiMAX-MN-NAI = "%{User-Name}"
    }
    update reply {
        WiMAX-FA-RK-Key = 0x00
        WiMAX-MSK = "%{reply:EAP-MSK}"
        Filter-Id = "Profile1"
    }
    wimax
    Post-Auth-Type REJECT {
        # log failed authentications in SQL, too.
        # sql
        attr_filter.access_reject
    }
}
-----------
I would like to use a different value of the "Filter-Id" attribute for different
users (a specific QoS setting in the Alvarion ASN-GW for each Filter-Id). I would
like to use the "Filter-ID" value specified in my users conf file:
----------- users
#standard customer
cpe1@eads.com Cleartext-Password := "cpe1"
    Session-Timeout = 3600,
    Termination-Action = Radius-Request,
    Filter-Id = "Profile1"
#VIP customer
cpe2@eads.com Cleartext-Password := "cpe2"
    Session-Timeout = 3600,
    Termination-Action = Radius-Request,
    Filter-Id = "Profile2"
-----------
I tried to use the same syntax as for the WiMAX-MSK attribute: Filter-ID
= "%{Filter-Id}", but it doesn't work (the Filter-ID value in the access-accept
is empty). I googled "Filter-Id freeradius" and found nothing relevant.
Is it possible to use the Filter-ID value from the users conf file in the
access-accept?
Here is an example of an access-accept message with filter-id specified
directly in the site-enable/default conf file.
----------- radiusd -X
(7) Found Auth-Type = ?
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) group authenticate {
(7) - entering group authenticate {...}
(7) eap : Request found, released from the list
(7) eap : EAP/ttls
(7) eap : processing type ttls
(7) ttls : Authenticate
(7) ttls : processing EAP-TLS
(7) ttls : Received TLS ACK
(7) ttls : Received TLS ACK
(7) ttls : ACK handshake is finished
(7) ttls : eaptls_verify returned 3
(7) ttls : eaptls_process returned 3
(7) ttls : Using saved attributes from the original Access-Accept
(7) eap : Freeing handler
(7) [eap] = ok
(7) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(7) group post-auth {
(7) - entering group post-auth {...}
(7) [exec] = noop
(7) update request {
(7) expand: %{User-Name} -> {am=1}791d05915a25400ca9d1a3cb1a2c7ffa@eads.com
(7) } # update request = noop
(7) update reply {
(7) expand: %{reply:EAP-MSK} -> 0x0473dcd65638bc4ef089945467f25e24f252b53f34e4d2f220d157c3d1192528cb185a0437d0a641fd5434d28738eae8f013d4b0308662a0e1b365d8ad542ce0
(7) } # update reply = noop
(7) wimax : MIP-RK = 0x9ec871a65c3033e03c0d77ed55a1517d4b7dbbbeb2d782bcf369635861e64925c5db13c36286e2032c789ad6fe2c09cd21eda782a9a4758e9ce73f8f384c46b6
(7) wimax : MIP-SPI = bb9d949a
(7) wimax : WARNING: WiMAX-IP-Technology not found in reply.
(7) wimax : WARNING: Not calculating MN-HA keys
(7) [wimax] = updated
Sending Access-Accept of id 246 to 192.168.100.10 port 1812
MS-MPPE-Recv-Key = 0x0473dcd65638bc4ef089945467f25e24f252b53f34e4d2f220d157c3d1192528
MS-MPPE-Send-Key = 0xcb185a0437d0a641fd5434d28738eae8f013d4b0308662a0e1b365d8ad542ce0
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "{am=1}791d05915a25400ca9d1a3cb1a2c7ffa@eads.com"
WiMAX-FA-RK-Key = 0xb37b0b5832687e02c31b94319b2ba3077479411f
WiMAX-MSK = 0x0473dcd65638bc4ef089945467f25e24f252b53f34e4d2f220d157c3d1192528cb185a0437d0a641fd5434d28738eae8f013d4b0308662a0e1b365d8ad542ce0
Filter-Id = "Profile1"
WiMAX-FA-RK-SPI = 2593430971
(7) Finished request 7.
-----------
Regards,
Mr Thomas Hahusseau,
Network Engineer
Cassidian (EADS)
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
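
Added example (not part of the original thread and not FreeRADIUS code): a small Python check that reads radiusd -X output shaped like the trace above, rejoins values that were wrapped onto the following line, and reports whether each Access-Accept carries a Filter-Id that exactly matches a known profile name, since the names are case sensitive. The sample trace, the example.org identities and the function names are constructed for illustration.

```python
import re
# Profile names from the users file in this thread; matching is case sensitive.
KNOWN_PROFILES = {"Profile1", "Profile2"}

# Constructed sample shaped like the radiusd -X trace above (values shortened).
SAMPLE_DEBUG = """\
Sending Access-Accept of id 246 to 192.168.100.10 port 1812
    User-Name = "{am=1}0123456789abcdef@example.org"
    WiMAX-MSK =
0x00112233
    Filter-Id = "Profile1"
(7) Finished request 7.
Sending Access-Accept of id 247 to 192.168.100.10 port 1812
    Filter-Id = "profile2"
(8) Finished request 8.
Sending Access-Accept of id 248 to 192.168.100.10 port 1812
(9) Finished request 9.
"""

ACCEPT_RE = re.compile(r"^Sending Access-Accept of id (\d+) ")
ATTR_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*) =\s*(.*)$")
END_RE = re.compile(r"^(\(\d+\)|Sending |\s*$)")

def parse_accepts(text):
    """Return [(packet_id, [[attr, value], ...])] for each Access-Accept."""
    accepts, attrs, last = [], None, None
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:                                  # start of a new reply dump
            attrs, last = [], None
            accepts.append((int(m.group(1)), attrs))
        elif attrs is None or END_RE.match(line):
            attrs = None                       # outside a dump, or dump ended
        elif (m := ATTR_RE.match(line)):
            last = [m.group(1), m.group(2).strip()]
            attrs.append(last)
        elif last is not None:                 # wrapped value continuation
            last[1] += line.strip()
    return accepts

def audit_filter_ids(text, known=KNOWN_PROFILES):
    """Classify each Access-Accept as ok, missing or unknown-profile."""
    report = []
    for packet_id, attrs in parse_accepts(text):
        values = [v.strip('"') for k, v in attrs if k == "Filter-Id"]
        status = ("missing" if not values
                  else "ok" if set(values) <= known else "unknown-profile")
        report.append((packet_id, status, values))
    return report
```

Running audit_filter_ids over a capture taken while each CPE connects shows at a glance whether a reply went out without a profile or with one whose case does not match the profile configured on the ASN-GW.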