rlm_wimax

Synopsis

The wimax module calculates the WiMAX-specific keying material. This module should only be used in WiMAX networks.

Processing Sections

authorize

When listed in the authorize section, the wimax module fixes the non-standard format of the Calling-Station-Id attribute. The WiMAX standard re-defines this attribute to contain the six bytes of the Ethernet address in binary form. However, RFC 2865 Section 5.31 defines this attribute to be of data type "string".

The Calling-Station-Id attribute is converted to the form 00-01-02-03-04-05.

Return codes

ok The module always returns this value.

preacct

When listed in the preacct section, the wimax module behaves exactly as described above for authorize.

post-auth

When listed in the post-auth section, the wimax module calculates the various keys required for WiMAX operation.

Return codes

noop The Access-Accept does not contain any MSKs, so no calculations can be done.

updated The module successfully calculated one or more keys.

The WiMAX-MSK is the same as the EAP MSK with one exception: it is 64 octets long.

The following text describes, in brief, the calculations performed. For a more detailed analysis, please read the 400-page WiMAX Network Working Group specification document.

MIP-RK-1 = HMAC-SHA256(EMSK, "miprk@wimaxforum.org" | 0x00020001)

MIP-RK-2 = HMAC-SHA256(EMSK, MIP-RK-1 | "miprk@wimaxforum.org" | 0x00020002)

MIP-RK = MIP-RK-1 | MIP-RK-2

MIP-SPI = first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP"), plus some magic. All of the MIP-SPIs on the system will require tracking.

SPI-CMIP4 = MIP-SPI

SPI-PMIP4 = MIP-SPI + 1

SPI-CMIP6 = MIP-SPI + 2

MN-NAI is the Mobile Node NAI. It must be created and put into the request or reply. An example would be: WiMAX-MN-NAI = "%{User-Name}"

The appropriate IP address (v4 or v6) is also necessary to calculate the keys below.

Lifetimes are derived from Session-Timeout. Session-Timeout needs to be set to some useful number.

The hash function H() in the examples below is HMAC-SHA1.

MN-HA-CMIP4 = H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI)

Comments
    Where HA-IPv4 is    WiMAX-hHA-IP-MIP4
    or maybe            WiMAX-vHA-IP-MIP4
    Which goes into     WiMAX-MN-hHA-MIP4-Key
    or maybe            WiMAX-RRQ-MN-HA-Key
    or maybe even       WiMAX-vHA-MIP4-Key

The corresponding SPI is SPI-CMIP4, which is MIP-SPI.

Comments
    Which goes into     WiMAX-MN-hHA-MIP4-SPI
    or maybe            WiMAX-RRQ-MN-HA-SPI
    or even             WiMAX-MN-vHA-MIP4-SPI

MN-HA-PMIP4 = H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI)

MN-HA-CMIP6 = H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI)

Both have comments similar to those above for MN-HA-CMIP4.

To determine which one to use (CMIP4, PMIP4, or CMIP6), the WiMAX-IP-Technology must be set in the reply to one of the appropriate values.

FA-RK = H(MIP-RK, "FA-RK")

MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI)

Where does the FA-IP come from? It’s not clear from the specifications.

The next two keys (HA-RK and FA-HA) are generated only on demand, not for every authentication request.

HA-RK = 160-bit random number assigned by the AAA server to a specific HA.

FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI)

Comments
    where HA-IPv4 is as above,
    and FA-CoAv4 is the address of the FA as seen by the HA,
    and SPI is the relevant SPI for the HA-RK.

DHCP-RK = 160-bit random number assigned by the AAA server to a specific DHCP server. vDHCP-RK is the same thing.
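The per-session derivation above, worked through in code. This is an added example, not code from the rlm_wimax module or the FreeRADIUS project: the EAP EMSK, MN-NAI and addresses are constructed sample inputs; the page's "some magic" SPI adjustment is modelled as an assumption (values below 256 are reserved and bumped by 256); and IP addresses are assumed to be concatenated in binary network byte order.

```python
import hmac
import hashlib
import ipaddress

USAGE = b"miprk@wimaxforum.org"  # usage string given on the page

def mip_rk(emsk: bytes) -> bytes:
    """MIP-RK = MIP-RK-1 | MIP-RK-2, both HMAC-SHA256 keyed with the EAP EMSK."""
    rk1 = hmac.new(emsk, USAGE + b"\x00\x02\x00\x01", hashlib.sha256).digest()
    rk2 = hmac.new(emsk, rk1 + USAGE + b"\x00\x02\x00\x02", hashlib.sha256).digest()
    return rk1 + rk2  # 64 octets

def mip_spi(rk: bytes) -> int:
    """MIP-SPI: first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP"), big-endian."""
    spi = int.from_bytes(hmac.new(rk, b"SPI CMIP PMIP", hashlib.sha256).digest()[:4], "big")
    # The page only says "plus some magic" here. Assumption for this example:
    # SPI values below 256 are reserved, so such a value is bumped by 256.
    return spi + 256 if spi < 256 else spi

def h(key: bytes, data: bytes) -> bytes:
    """H() from the page: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()

def derive_keys(emsk: bytes, mn_nai: str, ha_ipv4: str, ha_ipv6: str, fa_ip: str) -> dict:
    """Session keys and SPIs as laid out on the page (HA-RK/FA-HA are random, so omitted).

    Assumption: addresses are packed in network byte order (4 or 16 octets)
    and MN-NAI is appended as its UTF-8 bytes.
    """
    rk = mip_rk(emsk)
    spi = mip_spi(rk)
    nai = mn_nai.encode()
    ha4 = ipaddress.ip_address(ha_ipv4).packed
    ha6 = ipaddress.ip_address(ha_ipv6).packed
    fa_rk = h(rk, b"FA-RK")
    return {
        "MIP-RK": rk,
        "SPI-CMIP4": spi, "SPI-PMIP4": spi + 1, "SPI-CMIP6": spi + 2,
        "MN-HA-CMIP4": h(rk, b"CMIP4 MN HA" + ha4 + nai),
        "MN-HA-PMIP4": h(rk, b"PMIP4 MN HA" + ha4 + nai),
        "MN-HA-CMIP6": h(rk, b"CMIP6 MN HA" + ha6 + nai),
        "FA-RK": fa_rk,
        "MN-FA": h(fa_rk, b"MN FA" + ipaddress.ip_address(fa_ip).packed + nai),
    }

if __name__ == "__main__":
    # Constructed sample input: a fixed 64-octet EMSK, not real key material.
    keys = derive_keys(bytes(range(64)), "user@example.com", "192.0.2.1", "2001:db8::1", "192.0.2.2")
    for name, value in keys.items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

Which of MN-HA-CMIP4, MN-HA-PMIP4 or MN-HA-CMIP6 is actually placed in the reply is selected by WiMAX-IP-Technology, as the page notes; the function computes all three so the selection can be made afterwards.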

Expansions

None.

Directives

delete_mppe_keys
Syntax

delete_mppe_keys = boolean

Default

no

Description

Some WiMAX equipment requires that, in addition to the WiMAX-MSK attribute, the MS-MPPE-*-Key attributes are sent in the Access-Accept packet.

Other WiMAX equipment requires that the MS-MPPE-*-Key attributes are NOT sent in the Access-Accept packet.

By default, the EAP module sends MS-MPPE-*-Key attributes. The default virtual server contains examples of adding the WiMAX-MSK.

When set to yes, the MS-MPPE-*-Key attributes are deleted from the Access-Accept packet.

If the keys are deleted by setting this directive to yes, then the WiMAX-MSK attribute is automatically added to the Access-Accept packet.