rlm_wimax
Synopsis
The wimax module calculates the WiMAX-specific keying material. This module
should only be used in WiMAX networks.
Processing Sections
authorize
When listed in the authorize section, the wimax module fixes the
non-standard format of the Calling-Station-Id attribute. The WiMAX
standard re-defines this attribute to contain the six bytes of the
Ethernet address in binary form. However,
RFC 2865 Section 5.31
defines this attribute to be of data type "string".
The Calling-Station-Id attribute is converted to the form
00-01-02-03-04-05.
Return codes:
  ok: The module always returns this value.
preacct
When listed in the preacct section, the wimax module behaves
exactly as described above for authorize.
post-auth
When listed in the post-auth section, the wimax module calculates
the various keys required for WiMAX operation.
Return codes:
  noop: The Access-Accept does not contain any MSKs, so no calculations can be done.
  updated: The module successfully calculated one or more keys.
The WiMAX-MSK is the same as the EAP MSK with one exception: it is 64 octets long.
The following text describes, in brief, the calculations performed. For a more detailed analysis, please read the 400 page WiMAX Network Working Group specification document. EMSK below is the EAP Extended Master Session Key (64 octets), and "|" denotes concatenation.
  MIP-RK-1 = HMAC-SHA256(EMSK, "miprk@wimaxforum.org" | 0x00020001)
  MIP-RK-2 = HMAC-SHA256(EMSK, MIP-RK-1 | "miprk@wimaxforum.org" | 0x00020002)
  MIP-RK = MIP-RK-1 | MIP-RK-2
  MIP-SPI = first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP"), plus a further adjustment not described here.
All of the MIP-SPIs on the system will require tracking, since each must be unique.
  SPI-CMIP4 = MIP-SPI
  SPI-PMIP4 = MIP-SPI + 1
  SPI-CMIP6 = MIP-SPI + 2
MN-NAI is the Mobile Node NAI. It must be created and put into the request or reply, for example:
  WiMAX-MN-NAI = "%{User-Name}"
The appropriate IP address (v4 or v6) is also required in order to calculate the keys below.
Lifetimes are derived from Session-Timeout, which therefore needs to be set to
some useful number.
The hash function H() in the formulas below is HMAC-SHA1.
  MN-HA-CMIP4 = H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI)
where HA-IPv4 is taken from WiMAX-hHA-IP-MIP4 or from WiMAX-vHA-IP-MIP4.
The resulting key goes into WiMAX-MN-hHA-MIP4-Key, WiMAX-RRQ-MN-HA-Key or WiMAX-vHA-MIP4-Key.
The corresponding SPI is SPI-CMIP4 (that is, MIP-SPI), which goes into WiMAX-MN-hHA-MIP4-SPI, WiMAX-RRQ-MN-HA-SPI or WiMAX-MN-vHA-MIP4-SPI.
  MN-HA-PMIP4 = H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI)
  MN-HA-CMIP6 = H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI)
Comments similar to those above for MN-HA-CMIP4 apply to both; their SPIs are SPI-PMIP4 and SPI-CMIP6 respectively.
To determine which one to use (CMIP4, PMIP4, or CMIP6), WiMAX-IP-Technology must be set in the reply to one of the appropriate values.
  FA-RK = H(MIP-RK, "FA-RK")
  MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI)
Where the FA-IP comes from is not clear from the specifications.
The next two keys (HA-RK and FA-HA) are generated only on demand, not for every authentication request.
  HA-RK = 160-bit random number assigned by the AAA server to a specific HA.
  FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI)
where HA-IPv4 is as above, FA-CoAv4 is the care-of address of the FA as seen by the HA, and SPI is the relevant SPI for the HA-RK.
  DHCP-RK = 160-bit random number assigned by the AAA server to a specific DHCP server. vDHCP-RK is the same thing.
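The derivation chain above, from the EMSK down to the per-session keys, written out as an added Python example. This is not code from FreeRADIUS or rlm_wimax; it follows the formulas on this page and fills the encoding details the page leaves open with labelled assumptions: IP addresses are fed to the HMAC in binary network byte order (4 octets for IPv4, 16 for IPv6), MN-NAI as its raw UTF-8 bytes with no terminator, the SPI in FA-HA as 4 big-endian octets, and the 4-octet constants 0x00020001 and 0x00020002 exactly as written. The undocumented adjustment the page calls "some magic" in MIP-SPI is deliberately not reproduced, so the SPIs here are the raw 32-bit value and its +1 and +2 successors. The function names (derive_mip_rk, derive_spis, derive_mn_ha, derive_fa_rk, derive_mn_fa, generate_ha_rk, derive_fa_ha, derive_session_keys) and the sample EMSK are this example's own.

```python
"""WiMAX key derivation as described for rlm_wimax (added example, not project code)."""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

MIP_RK_LABEL = b"miprk@wimaxforum.org"
MN_HA_LABELS = {
    "CMIP4": b"CMIP4 MN HA",
    "PMIP4": b"PMIP4 MN HA",
    "CMIP6": b"CMIP6 MN HA",
}


def _h(key: bytes, data: bytes) -> bytes:
    """H() in the page's formulas is HMAC-SHA1, giving a 20-octet key."""
    return hmac.new(key, data, hashlib.sha1).digest()


def _packed_ip(address: str, version: int) -> bytes:
    """Assumption: addresses enter the HMAC in binary network byte order."""
    addr = ipaddress.ip_address(address)
    if addr.version != version:
        raise ValueError(f"expected an IPv{version} address, got {address}")
    return addr.packed


def derive_mip_rk(emsk: bytes) -> bytes:
    """MIP-RK = MIP-RK-1 | MIP-RK-2 (64 octets), both keyed with the 64-octet EMSK."""
    if len(emsk) != 64:
        raise ValueError("EMSK must be 64 octets")
    rk1 = hmac.new(emsk, MIP_RK_LABEL + b"\x00\x02\x00\x01", hashlib.sha256).digest()
    rk2 = hmac.new(emsk, rk1 + MIP_RK_LABEL + b"\x00\x02\x00\x02", hashlib.sha256).digest()
    return rk1 + rk2


def derive_spis(mip_rk: bytes) -> dict:
    """SPIs from the first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP").

    The page's further adjustment to MIP-SPI is not documented, so it is not
    reproduced: this is the raw 32-bit value.  Uniqueness across the system
    still has to be tracked by the deployment.
    """
    raw = hmac.new(mip_rk, b"SPI CMIP PMIP", hashlib.sha256).digest()[:4]
    mip_spi = int.from_bytes(raw, "big")
    return {"SPI-CMIP4": mip_spi, "SPI-PMIP4": mip_spi + 1, "SPI-CMIP6": mip_spi + 2}


def derive_mn_ha(mip_rk: bytes, technology: str, ha_ip: str, mn_nai: str) -> bytes:
    """MN-HA-{CMIP4,PMIP4,CMIP6} = H(MIP-RK, label | HA-IP | MN-NAI).

    technology mirrors the WiMAX-IP-Technology choice: CMIP6 needs an IPv6 HA
    address, the other two an IPv4 one.  Assumption: MN-NAI is hashed as raw
    UTF-8 bytes with no terminator.
    """
    label = MN_HA_LABELS[technology]
    ha = _packed_ip(ha_ip, 6 if technology == "CMIP6" else 4)
    return _h(mip_rk, label + ha + mn_nai.encode("utf-8"))


def derive_fa_rk(mip_rk: bytes) -> bytes:
    """FA-RK = H(MIP-RK, "FA-RK")."""
    return _h(mip_rk, b"FA-RK")


def derive_mn_fa(fa_rk: bytes, fa_ip: str, mn_nai: str) -> bytes:
    """MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI); FA-IP is assumed IPv4 here."""
    return _h(fa_rk, b"MN FA" + _packed_ip(fa_ip, 4) + mn_nai.encode("utf-8"))


def generate_ha_rk() -> bytes:
    """HA-RK: a 160-bit random value the AAA server assigns to one HA, on demand."""
    return secrets.token_bytes(20)


def derive_fa_ha(ha_rk: bytes, ha_ip: str, fa_coa: str, spi: int) -> bytes:
    """FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI); SPI assumed 4 octets big-endian."""
    if len(ha_rk) != 20:
        raise ValueError("HA-RK must be 160 bits")
    data = b"FA-HA" + _packed_ip(ha_ip, 4) + _packed_ip(fa_coa, 4) + spi.to_bytes(4, "big")
    return _h(ha_rk, data)


def derive_session_keys(emsk: bytes, technology: str, ha_ip: str, mn_nai: str,
                        fa_ip: Optional[str] = None) -> dict:
    """The per-session material post-auth would derive for one Access-Accept."""
    mip_rk = derive_mip_rk(emsk)
    spis = derive_spis(mip_rk)
    keys = {
        "MIP-RK": mip_rk,
        "MN-HA": derive_mn_ha(mip_rk, technology, ha_ip, mn_nai),
        "MN-HA-SPI": spis["SPI-" + technology],
        "FA-RK": derive_fa_rk(mip_rk),
    }
    if fa_ip is not None:
        keys["MN-FA"] = derive_mn_fa(keys["FA-RK"], fa_ip, mn_nai)
    return keys


if __name__ == "__main__":
    # Constructed sample input for illustration only; not real key material.
    sample_emsk = bytes(range(64))
    session = derive_session_keys(sample_emsk, "CMIP4", "192.0.2.1",
                                  "user@example.com", fa_ip="192.0.2.10")
    for name, value in session.items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The module-level check that the EMSK is exactly 64 octets corresponds to the noop case above: without an EMSK-sized key in the reply there is nothing to derive. Changing the HA address, the NAI, or the technology label changes every downstream key, which is why WiMAX-MN-NAI and the HA address attributes have to be present and correct in the reply before the module runs.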
Expansions
None.
Directives
delete_mppe_keys = boolean
Default: no
Description:
Some WiMAX equipment requires that, in addition to the WiMAX-MSK attribute, the MS-MPPE-*-Key attributes are sent in the Access-Accept packet.
Other WiMAX equipment requires that the MS-MPPE-*-Key attributes are NOT sent in the Access-Accept packet.
By default, the EAP module sends the MS-MPPE-*-Key attributes. The default virtual server contains examples of adding the WiMAX-MSK.
When set to yes, the MS-MPPE-*-Key attributes are deleted from the Access-Accept packet.
If the keys are deleted by setting this directive to yes, then the WiMAX-MSK attribute is automatically added to the Access-Accept packet.