
List:       freeradius-users
Subject:    Re: Question on what AAA attribute is available in the FreeRadius for responses back to a Cisco HA r
From:       Iliya Peregoudov <iperegudov () cboss ! ru>
Date:       2013-11-21 5:35:37
Message-ID: 528D9BA9.8020602 () cboss ! ru

On 20.11.2013 23:33, Alan DeKok wrote:
> Milton Volz wrote:
> > We are looking for help or guidance on what AAA attribute is available in the \
> > FreeRadius for responses back to a Cisco HA request for "chap password" & "chap \
> > challenge" from a Mobile device.
> 
> In a general sense, *all* attributes are available to be in a
> response.  That probably doesn't help much, though.
> 
> > We now need to use the FreeRadius to manage both the MN-HA and MN-AAA keys and \
> > respond back to the Cisco HA properly to complete the device registration back to \
> > the Cisco HA.  We have used the "3gpp2-mn-ha-shared-key" for the MN-HA attribute \
> > and response to the Cisco HA & tested this successfully, but are not able to find \
> > or determine what attribute to use for the response back to the Cisco HA for the \
> > "chap password" & "chap challenge" for the MN-AAA, which we are receiving from \
> > the Cisco HA.  We are trying to determine if such an attribute exists and if so, \
> > which one will do the trick.
> 
> The only answer here is to read the 3GPP specs.  Or maybe the Cisco
> specs.  That should say what to do when you receive a CHAP
> authentication request.

Refer to 3GPP2 X.S0011 "cdma2000 Wireless IP Network Standard" document. 
It is available for download from www.3gpp2.org. Part 2 "Simple IP and 
Mobile IP Access Services", section 4 "MIP4 Operation", subsection 4.4 
"RADIUS Server Requirements". It seems you already have implemented 
MN-HA Shared Key Distribution. Maybe you need to implement IKE 
Pre-shared Secret Distribution.

All attributes mentioned in 3GPP2 X.S0011 are defined in freeradius 
dictionaries and "available" to be sent from freeradius to Home Agent.

CHAP-Password and CHAP-Challenge are never sent from RADIUS server to 
NAS. This is stated in RFC 2865 and also in 3GPP2 X.S0011.

> > I hope this is enough information and understandable in such a short write up.  \
> > Please let me know if you have any suggestions or can point us in the right \
> > direction for the resources to resolve this.
> 
> It's a lot of buzzwords in a short post.  But as with most things
> RADIUS, the answers are nearly always the same.  Yes, FreeRADIUS can do
> anything.  But *when* to do things, and *what* to do is not documented.
> 
> In fact, we can't document it.  Your issue is likely answered in the
> 3GPP specs, and we're not 3GPP people.  But you should be able to read
> those specs, and then get FreeRADIUS to return the right thing.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
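
The request-only handling of CHAP-Password and CHAP-Challenge described in the reply above, as an added example that is not part of the original message and is not FreeRADIUS code. It assumes plain RFC 2865 CHAP (nothing specific to 3GPP2 X.S0011); the secret, identifier, challenge and reply attribute values are constructed.

```python
import hashlib
import hmac

CHAP_PASSWORD = 3    # RFC 2865 attribute type, carried in Access-Request only
CHAP_CHALLENGE = 60  # RFC 2865 attribute type, carried in Access-Request only
REPLY_MESSAGE = 18   # an attribute that is allowed in replies
REQUEST_ONLY = {CHAP_PASSWORD, CHAP_CHALLENGE}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5(ident || secret || challenge): the 16-octet CHAP response."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(request: dict, authenticator: bytes, secret: bytes) -> bool:
    """Recompute the response from the stored secret and compare."""
    chap_password = request.get(CHAP_PASSWORD)
    if chap_password is None or len(chap_password) != 17:
        return False  # must be 1 octet CHAP ident + 16 octets response
    # Challenge is CHAP-Challenge if present, else the Request Authenticator.
    challenge = request.get(CHAP_CHALLENGE, authenticator)
    expected = chap_response(chap_password[0], secret, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def build_reply(request: dict, authenticator: bytes, secret: bytes,
                reply_attrs: dict) -> tuple:
    """Return (packet code, attributes); CHAP attributes are never echoed."""
    if not verify_chap(request, authenticator, secret):
        return "Access-Reject", {}
    allowed = {k: v for k, v in reply_attrs.items() if k not in REQUEST_ONLY}
    return "Access-Accept", allowed


if __name__ == "__main__":
    secret = b"constructed-secret"           # constructed sample key
    challenge = bytes(range(16))             # constructed sample challenge
    request = {
        CHAP_CHALLENGE: challenge,
        CHAP_PASSWORD: bytes([7]) + chap_response(7, secret, challenge),
    }
    wanted = {REPLY_MESSAGE: b"registered", CHAP_PASSWORD: b"misconfigured"}
    print(build_reply(request, b"\x00" * 16, secret, wanted))
    print(build_reply(request, b"\x00" * 16, b"wrong-secret", wanted))
```

The server's answer to a CHAP request is the packet code itself plus whatever reply attributes the policy adds; the CHAP values are consumed during verification and do not travel back to the NAS.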

