| 1 | # |
| 2 | # The WiMAX module currently takes no configuration. |
| 3 | # |
| 4 | # It should be listed in the "authorize" and "preacct" sections. |
| 5 | # This enables the module to fix the horrible binary version |
| 6 | # of Calling-Station-Id to the normal format, as specified in |
| 7 | # RFC 3580, Section 3.21. |
| 8 | # |
| 9 | # In order to calculate the various WiMAX keys, the module should |
| 10 | # be listed in the "post-auth" section. If EAP authentication |
| 11 | # has been used, AND the EAP method derives MSK and EMSK, then |
| 12 | # the various WiMAX keys can be calculated. |
| 13 | # |
| 14 | # Some useful things to remember: |
| 15 | # |
| 16 | # WiMAX-MSK = EAP MSK, but is 64 octets. |
| 17 | # |
| 18 | # MIP-RK-1 = HMAC-SHA256(EMSK, "miprk@wimaxforum.org" | 0x00020001) |
| 19 | # MIP-RK-2 = HMAC-SHA256(EMSK, MIP-RK-1 | "miprk@wimaxforum.org" | 0x00020002) |
| 20 | # MIP-RK = MIP-RK-1 | MIP-RK-2 |
| 21 | # |
| 22 | # MIP-SPI = first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP") |
| 23 | # plus some magic... you've got to track *all* MIP-SPI's |
| 24 | # on your system! |
| 25 | # |
| 26 | # SPI-CMIP4 = MIP-SPI |
| 27 | # SPI-PMIP4 = MIP-SPI + 1 |
| 28 | # SPI-CMIP6 = MIP-SPI + 2 |
| 29 | # |
| 30 | # MN-NAI is the Mobile node NAI. You have to create it, and put |
| 31 | # it into the request or reply as something like: |
| 32 | # |
| 33 | # WiMAX-MN-NAI = "%{User-Name}" |
| 34 | # |
| 35 | # You will also have to have the appropriate IP address (v4 or v6) |
| 36 | # in order to calculate the keys below. |
| 37 | # |
| 38 | # Lifetimes are derived from Session-Timeout. It needs to be set |
| 39 | # to some useful number. |
| 40 | # |
| 41 | # The hash function below H() is HMAC-SHA1. |
| 42 | # |
| 43 | # |
| 44 | # MN-HA-CMIP4 = H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI) |
| 45 | # |
| 46 | # Where HA-IPv4 is WiMAX-hHA-IP-MIP4 |
| 47 | # or maybe WiMAX-vHA-IP-MIP4 |
| 48 | # |
| 49 | # Which goes into WiMAX-MN-hHA-MIP4-Key |
| 50 | # or maybe WiMAX-RRQ-MN-HA-Key |
| 51 | # or maybe even WiMAX-vHA-MIP4-Key |
| 52 | # |
| 53 | # The corresponding SPI is SPI-CMIP4, which is MIP-SPI, |
| 54 | # |
| 55 | # which goes into WiMAX-MN-hHA-MIP4-SPI |
| 56 | # or maybe WiMAX-RRQ-MN-HA-SPI |
| 57 | # or even WiMAX-MN-vHA-MIP4-SPI |
| 58 | # |
| 59 | # MN-HA-PMIP4 = H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI) |
| 60 | # MN-HA-CMIP6 = H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI) |
| 61 | # |
| 62 | # both with similar comments to above for MN-HA-CMIP4. |
| 63 | # |
| 64 | # In order to tell which one to use (CMIP4, PMIP4, or CMIP6), |
| 65 | # you have to set WiMAX-IP-Technology in the reply to one of |
| 66 | # the appropriate values. |
| 67 | # |
| 68 | # |
| 69 | # FA-RK = H(MIP-RK, "FA-RK") |
| 70 | # |
| 71 | # MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI) |
| 72 | # |
| 73 | # Where does the FA-IP come from? No idea... |
| 74 | # |
| 75 | # |
| 76 | # The next two keys (HA-RK and FA-HA) are not generated |
| 77 | # for every authentication request, but only on demand. |
| 78 | # |
| 79 | # HA-RK = 160-bit random number assigned by the AAA server |
| 80 | # to a specific HA. |
| 81 | # |
| 82 | # FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI) |
| 83 | # |
| 84 | # where HA-IPv4 is as above. |
| 85 | # and FA-CoAv4 is the address of the FA as seen by the HA |
| 86 | # and SPI is the relevant SPI for the HA-RK. |
| 87 | # |
| 88 | # DHCP-RK = 160-bit random number assigned by the AAA server |
| 89 | # to a specific DHCP server. vDHCP-RK is the same |
| 90 | # thing. |
| 91 | # |
wimax {
	#
	#  Some WiMAX equipment requires that the MS-MPPE-*-Key
	#  attributes are sent in the Access-Accept, in addition to
	#  the WiMAX-MSK attribute.
	#
	#  Other WiMAX equipment requests that the MS-MPPE-*-Key
	#  attributes are NOT sent in the Access-Accept.
	#
	#  By default, the EAP module sends MS-MPPE-*-Key attributes.
	#  The default virtual server (raddb/sites-available/default)
	#  contains examples of adding the WiMAX-MSK.
	#
	#  This configuration option makes the WiMAX module delete
	#  the MS-MPPE-*-Key attributes.  The default is to leave
	#  them in place.
	#
	#  If the keys are deleted (by setting this to "yes"), then
	#  the WiMAX-MSK attribute is automatically added to the reply.
	#
	#  NOTE(review): MS-MPPE-*-Key and WiMAX-MSK both carry EAP
	#  session keying material to the NAS.  Send only the form the
	#  equipment actually needs.  The confidentiality of these
	#  attributes in the Access-Accept presumably rests on the
	#  RADIUS shared secret for that client, so use a strong,
	#  per-client secret and treat packet captures and debug
	#  output containing these replies as sensitive.
	#
	delete_mppe_keys = no
}