List: freeradius-users
Subject: Re: Question on what AAA attribute is available in the FreeRadius for responses back to a Cisco HA r
From: Iliya Peregoudov <iperegudov () cboss ! ru>
Date: 2013-11-21 5:35:37
Message-ID: 528D9BA9.8020602 () cboss ! ru
On 20.11.2013 23:33, Alan DeKok wrote:
> Milton Volz wrote:
> > We are looking for help or guidance on what AAA attribute is available in the
> > FreeRadius for responses back to a Cisco HA request for "chap password" & "chap
> > challenge" from a Mobile device.
>
> In a general sense, *all* attributes are available to be in a
> response. That probably doesn't help much, though.
>
> > We now need to use the FreeRadius to manage both the MN-HA and MN-AAA keys and
> > respond back to the Cisco HA properly to complete the device registration back to
> > the Cisco HA. We have used the "3gpp2-mn-ha-shared-key" for the MN-HA attribute
> > and response to the Cisco HA & tested this successfully, but are not able to find
> > or determine what attribute to use for the response back to the Cisco HA for the
> > "chap password" & "chap challenge" for the MN-AAA, which we are receiving from
> > the Cisco HA. We are trying to determine if such an attribute exists and if so,
> > which one will do the trick.
>
> The only answer here is to read the 3GPP specs. Or maybe the Cisco
> specs. That should say what to do when you receive a CHAP
> authentication request.

Refer to 3GPP2 X.S0011 "cdma2000 Wireless IP Network Standard" document.
It is available for download from www.3gpp2.org. Part 2 "Simple IP and
Mobile IP Access Services", section 4 "MIP4 Operation", subsection 4.4
"RADIUS Server Requirements". It seems you already have implemented
MN-HA Shared Key Distribution. Maybe you need to implement IKE
Pre-shared Secret Distribution.

All attributes mentioned in 3GPP2 X.S0011 are defined in freeradius
dictionaries and "available" to be sent from freeradius to Home Agent.

CHAP-Password and CHAP-Challenge are never sent from RADIUS server to
NAS. This is stated in RFC 2865 and also in 3GPP2 X.S0011.

> > I hope this is enough information and understandable in such a short write up.
> > Please let me know if you have any suggestions or can point us in the right
> > direction for the resources to resolve this.
>
> It's a lot of buzzwords in a short post. But as with most things
> RADIUS, the answers are nearly always the same. Yes, FreeRADIUS can do
> anything. But *when* to do things, and *what* to do is not documented.
>
> In fact, we can't document it. Your issue is likely answered in the
> 3GPP specs, and we're not 3GPP people. But you should be able to read
> those specs, and then get FreeRADIUS to return the right thing.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
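
Added example, not part of the original message and not FreeRADIUS code: a minimal Python sketch of what a RADIUS server does with CHAP-Password and CHAP-Challenge under RFC 2865, showing why they appear only in the request and why the reply carries other attributes instead. The user store, user name, secret and key value are constructed for illustration; the reply attribute name is the one mentioned in the thread.

```python
import hashlib
import hmac

# Attributes that, per the reply above, only ever travel NAS -> server.
REQUEST_ONLY = {"CHAP-Password", "CHAP-Challenge"}

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response as used by RFC 2865: MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify_chap(chap_password: bytes, challenge: bytes, secret: bytes) -> bool:
    """Check a CHAP-Password value (1-byte ident + 16-byte response)."""
    if len(chap_password) != 17 or not challenge:
        return False
    expected = chap_response(chap_password[0], secret, challenge)
    return hmac.compare_digest(chap_password[1:], expected)

def handle_access_request(request: dict, users: dict) -> dict:
    """Verify CHAP and build the reply; `users` is a hypothetical user store."""
    user = users.get(request.get("User-Name"))
    # RFC 2865: with no CHAP-Challenge attribute, the challenge is the
    # Request Authenticator field of the packet.
    challenge = request.get("CHAP-Challenge") or request.get("Request-Authenticator", b"")
    ok = user is not None and verify_chap(
        request.get("CHAP-Password", b""), challenge, user["secret"])
    if not ok:
        return {"code": "Access-Reject", "attributes": {}}
    # The reply carries only configured reply attributes, never the CHAP ones.
    reply = {k: v for k, v in user["reply"].items() if k not in REQUEST_ONLY}
    return {"code": "Access-Accept", "attributes": reply}

def demo() -> dict:
    # Constructed sample data: user name, secret, challenge and key value.
    users = {"mn1@example.test": {
        "secret": b"constructed-secret",
        "reply": {"3GPP2-MN-HA-Shared-Key": b"constructed-key"}}}
    challenge = bytes(range(16))
    request = {
        "User-Name": "mn1@example.test",
        "CHAP-Challenge": challenge,
        "CHAP-Password": bytes([1]) + chap_response(1, b"constructed-secret", challenge),
    }
    return handle_access_request(request, users)

if __name__ == "__main__":
    print(demo())
```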