If you are not generating the original keying material (i.e. you are the V-AAA), I would think you would need to proxy this request to the H-AAA as well, as the required keys are going to be available there. You are not receiving the WiMAX-vHA-IP-MIP4 which would indicate that the V-AAA is capable of assigning the required keys.

From the Steel Belted docs:

6. The home agent performs an authentication check by sending the HAAA server an Access-Request message requesting its cryptographic keys for the Mobile IP session. The Access-Request message contains the home agent's cryptographic keys (MN-HA-MIP4-SPI and HA-RK-SPI).

7. The HAAA server responds to the Access-Request message by sending the home agent an Access-Accept message containing its cryptographic keys: MN-HA-MIP4-KEY, MN-HA-MIP4-SPI, HA-RK-KEY, HA-RK-SPI, and HA-RK-Lifetime.

Ben

From: freeradius-users-bounces+wiechman.lists=gmail....@lists.freeradius.org [mailto:freeradius-users-bounces+wiechman.lists=gmail....@lists.freeradius.org] On Behalf Of Kiran Kumar
Sent: Thursday, June 18, 2009 4:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Access Req from HA rejected

Hi All,

I am using the Free Radius to test Proxy Authentication from H-AAA, the initial Authentication (proxied through H-AAA) goes through fine. But the HA then triggers an Access Request message (we are using PMIP), but this fails at the Free radius. I suspect this is because the HA root keys etc are not generated by Free radius but by the H-AAA. Can you please let me know what configuration needs to be done to get this scenario working?

Sending Access-Accept of id 161 to 10.142.139.65 port 52687
	MS-MPPE-Recv-Key = 0x6ef829271559b13ef642c20c60522275590132e27a5b64d744e77799f12508b0
	MS-MPPE-Send-Key = 0x3b0dfc2d198cebbd3fe32e9b3a8e1fad36f26f1b8595ea5cd1698eb52d29d872
	EAP-Message = 0x03080004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "u...@isp2.wimaxlab.com"
Finished request 7.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Access-Request packet from host 10.142.139.65 port 52687, id=162, length=201
	User-Name = "u...@isp2.wimaxlab.com"
	NAS-IP-Address = 10.142.139.68
	Service-Type = Framed-User
	Framed-IP-Address = 0.0.0.0
	Vendor-Specific = 0x00001fe4180600000003
	Vendor-Specific = 0x00001fe4a9060a8e8b46
	WiMAX-Release = "1.0"
	WiMAX-Accounting-Capabilities = 3
	WiMAX-GMT-Timezone-offset = 3600
	WiMAX-hHA-IP-MIP4 = 10.142.139.70
	WiMAX-MN-hHA-MIP4-SPI = 512
	WiMAX-HA-RK-SPI = 512
	NAS-Identifier = "HA_ISP1"
	Event-Timestamp = "Jun 18 2009 09:36:50 GMT"
	Message-Authenticator = 0x7fc30b3f450c08556a469367efb2d166
	Chargeable-User-Identity = "NUL"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "isp2.wimaxlab.com" for User-Name = "u...@isp2.wimaxlab.com"
[suffix] No such realm "isp2.wimaxlab.com"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry u...@isp2.wimaxlab.com at line 205
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] No clear-text password in the request. Not performing PAP.
++[pap] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No User-Password or CHAP-Password attribute in the request.
Cannot perform authentication.
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> u...@isp2.wimaxlab.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.1 seconds.

Thanks and Regards,
Kiran Kumar.B
WiMAX Test Engineer
Fujitsu Telecommunications Europe
Solihull Parkway, Birmingham B37 7YU
Work Phone: +44 (0) 121 717 6299
Mobile: +44 (0) 7549 203 655
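
Added example, not part of the original thread or of FreeRADIUS: a Python helper that splits `radiusd -X` debug output into one record per received Access-Request and lists why each one could not be authenticated, which is the pattern visible in the log above (an HA key request carrying SPIs but no credentials, no matching realm, then a reject). The sample log is constructed, and the finding labels and function names are this example's own.

```python
import re

CREDENTIALS = {"User-Password", "CHAP-Password", "EAP-Message"}
HA_KEY_ATTRS = {"WiMAX-MN-hHA-MIP4-SPI", "WiMAX-HA-RK-SPI"}
RECV = re.compile(r"rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
ATTR = re.compile(r"\s+([A-Za-z0-9-]+) = (.*)")

# Constructed sample in the shape of `radiusd -X` output; addresses and names are made up.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 52687, id=161, length=180
\tEAP-Message = 0x0208000601
Sending Access-Accept of id 161 to 192.0.2.10 port 52687
\tEAP-Message = 0x03080004
rad_recv: Access-Request packet from host 192.0.2.10 port 52687, id=162, length=201
\tUser-Name = "user@example.test"
\tWiMAX-MN-hHA-MIP4-SPI = 512
\tWiMAX-HA-RK-SPI = 512
[suffix] No such realm "example.test"
No User-Password or CHAP-Password attribute in the request.
Using Post-Auth-Type Reject
"""

def parse_requests(log):
    """Split debug output into one record per received Access-Request."""
    requests, cur, in_attrs = [], None, False
    for line in log.splitlines():
        recv, attr = RECV.match(line), ATTR.match(line)
        if recv:
            cur = {"host": recv.group(1), "id": int(recv.group(2)), "attrs": {}, "trace": []}
            requests.append(cur)
            in_attrs = True
        elif cur and in_attrs and attr:
            cur["attrs"][attr.group(1)] = attr.group(2)  # attributes of the request itself
        elif cur:
            in_attrs = False  # later indented lines belong to replies, not the request
            cur["trace"].append(line.strip())
    return requests

def diagnose(req):
    """List why a request could not be authenticated by this server."""
    trace = "\n".join(req["trace"])
    checks = [
        ("ha-key-request", bool(HA_KEY_ATTRS.intersection(req["attrs"]))),
        ("no-credentials", not CREDENTIALS.intersection(req["attrs"])),
        ("realm-not-found", "No such realm" in trace),
        ("rejected", "Post-Auth-Type Reject" in trace),
    ]
    return [name for name, hit in checks if hit]
```

Calling `diagnose()` on each record from `parse_requests()` separates ordinary EAP requests from HA key requests that fell through to local authentication.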