Question on what AAA attribute is available in the FreeRadius for responses back to a Cisco HA request for "chap password" & "chap challenge" from a Mobile device.

Iliya Peregoudov iperegudov at cboss.ru
Thu Nov 21 06:35:37 CET 2013 

On 20.11.2013 23:33, Alan DeKok wrote:
> Milton Volz wrote:
>> We are looking for help or guidance on what AAA attribute is available in the FreeRadius for responses back to a Cisco HA request for "chap password" & "chap challenge" from a Mobile device.
>
>    In a general sense, *all* attributes are available to be in a
> response.  That probably doesn't help much, though.
>
>> We now need to use the FreeRadius to manage both the MN-HA and MN-AAA keys and respond back to the Cisco HA properly to complete the device registration back to the Cisco HA.  We have used the "3gpp2-mn-ha-shared-key" for the MN-HA attribute and response to the Cisco HA & tested this successfully, but are not able to find or determine what attribute to use for the response back to the Cisco HA for the "chap password" & "chap challenge" for the MN-AAA, which we are receiving from the Cisco HA.  We are trying to determine if such an attribute exist and if so, which one will do the trick.
>
>    The only answer here is to read the 3GPP specs.  Or maybe the Cisco
> specs.  That should say what to do when you receive a CHAP
> authentication request.

Refer to 3GPP2 X.S0011 "cdma2000 Wireless IP Network Standard" document. 
It is available for download from www.3gpp2.org. Part 2 "Simple IP and 
Mobile IP Access Services", section 4 "MIP4 Operation", subsection 4.4 
"RADIUS Server Requirements". It seems you already have implemented 
MN-HA Shared Key Distribution. Maybe you need to implement IKE 
Pre-shared Secret Distribution.

All attributes mentioned in 3GPP2 X.S0011 are defined in freeradius 
dictionaries and "available" to be sent from freeradius to Home Agent.

CHAP-Password and CHAP-Challenge are never sent from RADIUS server to 
NAS. This is stated in RFC 2865 and also in 3GPP2 X.S0011.

>> I hope this is enough information and understandable in such a short write up.  Please let me know if you have any suggestions or can point us in the right direction for the resources to resolve this.
>
>    It's a lot of buzzwords in a short post.  But as with most things
> RADIUS, the answers are nearly always the same.  Yes, FreeRADIUS can do
> anything.  But *when* to do things, and *what* to do is not documented.
>
>    IN fact, we can't document it.  Your issue is likely answered in the
> 3GPP specs, and we're not 3GPP people.  But you should be able to read
> those specs, and then get FreeRADIUS to return the right thing.

More information about the Freeradius-Users mailing list