Kiran,

The WiMAX Forum does not define the user authentication between HA and HAAA. The HAAA depends solely on the shared secret between HA and HAAA to validate that the request from the HA is good. Its security model uses the MIP keys to authenticate, at the HA, users who have been authenticated into the ASN gateway. What you need to do is to set AUTH-TYPE := Accept if it is the HA. You may use hints to indicate that it is the HA instead of the ASN gateway.
Thanks,
Jay Xiong

On Fri, Jun 26, 2009 at 6:12 PM, Ben Wiechman<[email protected]> wrote:
> If you are not generating the original keying material (i.e. you are the
> V-AAA) I would think you would need to proxy this request to the H-AAA as
> well as the required keys are going to be available there. You are not
> receiving the WiMAX-vHA-IP-MIP4 which would indicate that the V-AAA is
> capable of assigning the required keys.
>
> From the Steel Belted docs:
> 6. The home agent performs an authentication check by sending the HAAA server
> an Access-Request message requesting its cryptographic keys for the Mobile IP
> session. The Access-Request message contains the home agent’s cryptographic
> keys (MN-HA-MIP4-SPI and HA-RK-SPI).
> 7. The HAAA server responds to the Access-Request message by sending the
> home agent an Access-Accept message containing its cryptographic keys:
> MN-HA-MIP4-KEY, MN-HA-MIP4-SPI, HA-RK-KEY, HA-RK-SPI, and
> HA-RK-Lifetime.
>
> Ben
>
> From: freeradius-users-bounces+wiechman.lists=gmail....@lists.freeradius.org
> [mailto:freeradius-users-bounces+wiechman.lists=gmail....@lists.freeradius.org] On Behalf Of Kiran Kumar
> Sent: Thursday, June 18, 2009 4:58 AM
> To: [email protected]
> Subject: Access Req from HA rejected
>
> Hi All,
>
> I am using the Free Radius to test Proxy Authentication from H-AAA, the
> initial Authentication (proxied through H-AAA) goes through fine. But the HA
> then triggers an Access Request message (we are using PMIP), but this fails
> at the Free radius. I suspect this is because the HA root keys etc are not
> generated by Free radius but by the H-AAA. Can you please let me know what
> configuration needs to be done to get this scenario working…
>
> Sending Access-Accept of id 161 to 10.142.139.65 port 52687
>     MS-MPPE-Recv-Key = 0x6ef829271559b13ef642c20c60522275590132e27a5b64d744e77799f12508b0
>     MS-MPPE-Send-Key = 0x3b0dfc2d198cebbd3fe32e9b3a8e1fad36f26f1b8595ea5cd1698eb52d29d872
>     EAP-Message = 0x03080004
>     Message-Authenticator = 0x00000000000000000000000000000000
>     User-Name = "[email protected]"
> Finished request 7.
> Going to the next request
> Waking up in 4.3 seconds.
> rad_recv: Access-Request packet from host 10.142.139.65 port 52687, id=162, length=201
>     User-Name = "[email protected]"
>     NAS-IP-Address = 10.142.139.68
>     Service-Type = Framed-User
>     Framed-IP-Address = 0.0.0.0
>     Vendor-Specific = 0x00001fe4180600000003
>     Vendor-Specific = 0x00001fe4a9060a8e8b46
>     WiMAX-Release = "1.0"
>     WiMAX-Accounting-Capabilities = 3
>     WiMAX-GMT-Timezone-offset = 3600
>     WiMAX-hHA-IP-MIP4 = 10.142.139.70
>     WiMAX-MN-hHA-MIP4-SPI = 512
>     WiMAX-HA-RK-SPI = 512
>     NAS-Identifier = "HA_ISP1"
>     Event-Timestamp = "Jun 18 2009 09:36:50 GMT"
>     Message-Authenticator = 0x7fc30b3f450c08556a469367efb2d166
>     Chargeable-User-Identity = "NUL"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] Looking up realm "isp2.wimaxlab.com" for User-Name = "[email protected]"
> [suffix] No such realm "isp2.wimaxlab.com"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry [email protected] at line 205
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] No clear-text password in the request. Not performing PAP.
> ++[pap] returns noop
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.
> No User-Password or CHAP-Password attribute in the request.
> Cannot perform authentication.
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> [email protected]
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 8 for 1 seconds
> Going to the next request
> Waking up in 0.1 seconds.
>
> Thanks and Regards,
> Kiran Kumar.B
> WiMAX Test Engineer
> Fujitsu Telecommunications Europe
> Solihull Parkway, Birmingham B37 7YU
> Work Phone: +44 (0) 121 717 6299
> Mobile: +44 (0) 7549 203 655
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
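
The suggestion in the reply above (set Auth-Type to Accept when the request comes from the HA) can be written as a FreeRADIUS unlang policy like the one below. This is an added example, not configuration posted in the thread. It assumes a 2.x-style authorize section, takes the NAS-Identifier, the source address and the WiMAX SPI attributes from the debug output above, and assumes that 10.142.139.65 is the only client allowed to send HA requests.

```unlang
# Added example (not from the thread). Place inside authorize { ... },
# after the "files" module, so it applies on top of the users entry
# that the debug output shows being matched.

# Step 1: recognise the HA request by what the debug output shows:
# no EAP-Message, and the NAS-Identifier the HA sent.
if (!EAP-Message && (NAS-Identifier == "HA_ISP1")) {

    # Step 2: require both SPI attributes the HA includes in its
    # request, so an ordinary login with that identifier is not matched.
    if (WiMAX-HA-RK-SPI && WiMAX-MN-hHA-MIP4-SPI) {

        # Step 3: NAS-Identifier is supplied by the client, so also pin
        # the packet source. 10.142.139.65 is the source seen in the
        # debug output; treating it as the only valid sender is an
        # assumption of this example.
        if (Packet-Src-IP-Address == 10.142.139.65) {
            update control {
                Auth-Type := Accept
            }
        }
    }
}
```

This fragment only changes the authentication decision and adds no reply attributes itself. A request that fails any of the three checks falls through to the normal authentication path and is rejected as in the debug output above.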

