#
# The WiMAX module currently takes no configuration.
#
# It should be listed in the "authorize" and "preacct" sections.
# This enables the module to fix the horrible binary version
# of Calling-Station-Id to the normal format, as specified in
# RFC 3580, Section 3.21.
#
# In order to calculate the various WiMAX keys, the module should
# be listed in the "post-auth" section. If EAP authentication
# has been used, AND the EAP method derives MSK and EMSK, then
# the various WiMAX keys can be calculated.
#
# Some useful things to remember:
#
# WiMAX-MSK = EAP MSK, but is 64 octets.
#
# MIP-RK-1 = HMAC-SHA256(EMSK, "miprk@wimaxforum.org" | 0x00020001)
# MIP-RK-2 = HMAC-SHA256(EMSK, MIP-RK-1 | "miprk@wimaxforum.org" | 0x00020002)
# MIP-RK = MIP-RK-1 | MIP-RK-2
#
# MIP-SPI = first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP")
# plus some magic... you've got to track *all* MIP-SPI's
# on your system!
#
# SPI-CMIP4 = MIP-SPI
# SPI-PMIP4 = MIP-SPI + 1
# SPI-CMIP6 = MIP-SPI + 2
#
# MN-NAI is the Mobile Node NAI. You have to create it, and put
# it into the request or reply as something like:
#
# WiMAX-MN-NAI = "%{User-Name}"
#
# You will also have to have the appropriate IP address (v4 or v6)
# in order to calculate the keys below.
#
# Lifetimes are derived from Session-Timeout. It needs to be set
# to some useful number.
#
# The hash function below H() is HMAC-SHA1.
#
#
# MN-HA-CMIP4 = H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI)
#
# Where HA-IPv4 is WiMAX-hHA-IP-MIP4
# or maybe WiMAX-vHA-IP-MIP4
#
# Which goes into WiMAX-MN-hHA-MIP4-Key
# or maybe WiMAX-RRQ-MN-HA-Key
# or maybe even WiMAX-vHA-MIP4-Key
#
# The corresponding SPI is SPI-CMIP4, which is MIP-SPI,
#
# which goes into WiMAX-MN-hHA-MIP4-SPI
# or maybe WiMAX-RRQ-MN-HA-SPI
# or even WiMAX-MN-vHA-MIP4-SPI
#
# MN-HA-PMIP4 = H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI)
# MN-HA-CMIP6 = H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI)
#
# both with comments similar to those above for MN-HA-CMIP4.
#
# In order to tell which one to use (CMIP4, PMIP4, or CMIP6),
# you have to set WiMAX-IP-Technology in the reply to one of
# the appropriate values.
#
#
# FA-RK = H(MIP-RK, "FA-RK")
#
# MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI)
#
# Where does the FA-IP come from? No idea...
#
#
# The next two keys (HA-RK and FA-HA) are not generated
# for every authentication request, but only on demand.
#
# HA-RK = 160-bit random number assigned by the AAA server
# to a specific HA.
#
# FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI)
#
# where HA-IPv4 is as above.
# and FA-CoAv4 is the address of the FA as seen by the HA
# and SPI is the relevant SPI for the HA-RK.
#
# DHCP-RK = 160-bit random number assigned by the AAA server
# to a specific DHCP server. vDHCP-RK is the same
# thing.
#
wimax {
#
# Some WiMAX equipment requires that the MS-MPPE-*-Key
# attributes are sent in the Access-Accept, in addition to
# the WiMAX-MSK attribute.
#
# Other WiMAX equipment requests that the MS-MPPE-*-Key
# attributes are NOT sent in the Access-Accept.
#
# By default, the EAP module sends MS-MPPE-*-Key attributes.
# The default virtual server (raddb/sites-available/default)
# contains examples of adding the WiMAX-MSK.
#
# This configuration option makes the WiMAX module delete
# the MS-MPPE-*-Key attributes. The default is to leave
# them in place.
#
# If the keys are deleted (by setting this to "yes"), then
# the WiMAX-MSK attribute is automatically added to the reply.
#
# Allowed values: yes, no. Default: no.
#
# NOTE(review): WiMAX-MSK is the EAP MSK (see the header above), so
# whichever attribute set is sent, the Access-Accept carries session
# keying material. Sending only the set the equipment actually consumes
# keeps unnecessary key material out of the reply, but confirm with the
# NAS vendor which set it expects before changing this.
delete_mppe_keys = no
}