From: Alan T. DeKok Date: Thu, 11 Dec 2025 01:28:32 +0000 (-0500) Subject: move WiMAX examples to the WiMAX module. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=74ef0e3da2de28c40054febe9b78261ce9da66db;p=thirdparty%2Ffreeradius-server.git move WiMAX examples to the WiMAX module. WiMAX is largely dead, so it does not need to appear in the default configuration. --- diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/wimax.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/wimax.adoc index fddb42b63ad..a7ece606032 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/wimax.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/wimax.adoc @@ -4,7 +4,7 @@ = WiMAX Module -The `winmax` module implements the WiMAX attributes as defined in +The `wimax` module implements the WiMAX attributes as defined in NWG_R1_V1.2.1-Stage-3.pdf It should be listed in the `recv Access-Request` and `recv Accounting-Request` sections. 
@@ -13,11 +13,34 @@ NOTE: The module will change the horrible binary version of `link:https://freeradius.org/rfc/rfc2865.html#Calling-Station-Id[Calling-Station-Id]` to the normal format, as specified in RFC 3580, Section 3.21. +## recv Access-Request + +In the `recv Access-Request section. the `wimax` module fixes up +various non-standard WiMAX issues. + +The WiMAX specification says that the `link:https://freeradius.org/rfc/rfc2865.html#Calling-Station-Id[Calling-Station-Id]` +is 6 octets of the MAC. This definition conflicts with RFC +3580, and all common RADIUS practices. Uncommenting the +`wimax` module here allows the module to change the +`link:https://freeradius.org/rfc/rfc2865.html#Calling-Station-Id[Calling-Station-Id]` attribute to the normal format as +specified in https://tools.ietf.org/html/rfc3580#section-3.21.[RFC 3580 Section 3.21.] + + +== send Access-Accept + In order to calculate the various WiMAX keys, the module should -be listed in the `post-auth` section. If EAP authentication +be listed in the `send Access-Accept` section. If EAP authentication has been used, AND the EAP method derives MSK and EMSK, then the various WiMAX keys can be calculated. +send Access-Accept { + + + + + +== Miscellaneous + Some useful things to remember: [options="header,autowidth"] @@ -44,7 +67,7 @@ MN-NAI:: Mobile node NAI. You have to create it, and put it into the request or reply as something like: - WiMAX-MN-NAI = "%{User-Name}" + WiMAX-MN-NAI = User-Name} You will also have to have the appropriate IP address (`v4` or `v6`) in order to calculate the keys below. 
@@ -129,6 +152,31 @@ The default is to leave them in place. == Default Configuration ``` +# recv Access-Request { +# ... +# wimax +# ... +# } +# ... +# # define the WiMAX NAI +# request.WiMAX-MN-NAI = User-Name +# # Update the reply with "template" values. The wimax module +# # will see this, and replace the template values with the +# #correct ones taken from the cryptographic calculations, +# reply += { +# Vendor-Specific.WiMAX = { +# FA-RK-Key = 0x00 +# MSK = reply.EAP-MSK +# } +# } +# # You may want to delete the `MS-MPPE-*-Keys` from the +# # reply, as some WiMAX clients behave badly when those +# # attributes are included. See the configuration entry +# # `delete_mppe_keys` for more information. +# # +# wimax +# ... +# } wimax { delete_mppe_keys = no } diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/default.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/default.adoc index eac0042135c..4c632185c70 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/default.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/default.adoc @@ -916,20 +916,6 @@ FreeRADIUS, the `digest` module will set `Auth-Type := ``` -The `wimax` module fixes up various WiMAX-specific stupidities. - -The WiMAX specification says that the `link:https://freeradius.org/rfc/rfc2865.html#Calling-Station-Id[Calling-Station-Id]` -is 6 octets of the MAC. This definition conflicts with RFC -3580, and all common RADIUS practices. Uncommenting the -`wimax` module here allows the module to change the -`link:https://freeradius.org/rfc/rfc2865.html#Calling-Station-Id[Calling-Station-Id]` attribute to the normal format as -specified in https://tools.ietf.org/html/rfc3580#section-3.21.[RFC 3580 Section 3.21.] - -``` -# wimax - -``` - The `eap` module takes care of all EAP authentication, including EAP-MD5, EAP-TLS, PEAP and EAP-TTLS. 
@@ -1353,40 +1339,6 @@ user's object in LDAP after a successful login. ``` -Calculate the various WiMAX keys. In order for this to -work, you will need to define the WiMAX NAI, usually -via: - -``` -# request.WiMAX-MN-NAI = "%{User-Name}" - -``` -If you want various keys to be calculated, you will -need to update the reply with "template" values. The -module will see this, and replace the template values -with the correct ones taken from the cryptographic -calculations, e.g. - -``` -# reply += { -# Vendor-Specific.WiMAX = { -# FA-RK-Key = 0x00 -# MSK = reply.EAP-MSK -# } -# } - -``` -You may want to delete the `MS-MPPE-*-Keys` from the -reply, as some WiMAX clients behave badly when those -attributes are included. See the configuration entry -`delete_mppe_keys` in xref:reference:raddb/mods-available/wimax.adoc[mods-available/wimax] for -more information. - -``` -# wimax - -``` - If there is a client certificate (EAP-TLS, and very occasionally PEAP and EAP-TTLS), then some attributes are filled out after the certificate verification has diff --git a/raddb/mods-available/wimax b/raddb/mods-available/wimax index a57a9faf2de..1bf61e39099 100644 --- a/raddb/mods-available/wimax +++ b/raddb/mods-available/wimax @@ -7,7 +7,7 @@ # # = WiMAX Module # -# The `winmax` module implements the WiMAX attributes as defined in +# The `wimax` module implements the WiMAX attributes as defined in # NWG_R1_V1.2.1-Stage-3.pdf # # It should be listed in the `recv Access-Request` and `recv Accounting-Request` sections. 
@@ -16,11 +16,59 @@ # `Calling-Station-Id` to the normal format, as specified in RFC # 3580, Section 3.21. # +# ## recv Access-Request +# +# In the `recv Access-Request section. the `wimax` module fixes up +# various non-standard WiMAX issues. +# +# The WiMAX specification says that the `Calling-Station-Id` +# is 6 octets of the MAC. This definition conflicts with RFC +# 3580, and all common RADIUS practices. Uncommenting the +# `wimax` module here allows the module to change the +# `Calling-Station-Id` attribute to the normal format as +# specified in RFC 3580 Section 3.21. +# +# recv Access-Request { +# ... +# wimax +# ... +# } +# +# == send Access-Accept +# # In order to calculate the various WiMAX keys, the module should -# be listed in the `post-auth` section. If EAP authentication +# be listed in the `send Access-Accept` section. If EAP authentication # has been used, AND the EAP method derives MSK and EMSK, then # the various WiMAX keys can be calculated. # +# send Access-Accept { +# ... +# +# # define the WiMAX NAI +# request.WiMAX-MN-NAI = User-Name +# +# # Update the reply with "template" values. The wimax module +# # will see this, and replace the template values with the +# #correct ones taken from the cryptographic calculations, +# reply += { +# Vendor-Specific.WiMAX = { +# FA-RK-Key = 0x00 +# MSK = reply.EAP-MSK +# } +# } +# +# # You may want to delete the `MS-MPPE-*-Keys` from the +# # reply, as some WiMAX clients behave badly when those +# # attributes are included. See the configuration entry +# # `delete_mppe_keys` for more information. +# # +# wimax +# +# ... +# } +# +# == Miscellaneous +# # Some useful things to remember: # # [options="header,autowidth"] @@ -47,7 +95,7 @@ # # You have to create it, and put it into the request or reply as something like: # -# WiMAX-MN-NAI = "%{User-Name}" +# WiMAX-MN-NAI = User-Name} # # You will also have to have the appropriate IP address (`v4` or `v6`) # in order to calculate the keys below. 
diff --git a/raddb/sites-available/default b/raddb/sites-available/default index e354512d7b3..4f192269a01 100644 --- a/raddb/sites-available/default +++ b/raddb/sites-available/default @@ -811,18 +811,6 @@ recv Access-Request { # digest - # - # The `wimax` module fixes up various WiMAX-specific stupidities. - # - # The WiMAX specification says that the `Calling-Station-Id` - # is 6 octets of the MAC. This definition conflicts with RFC - # 3580, and all common RADIUS practices. Uncommenting the - # `wimax` module here allows the module to change the - # `Calling-Station-Id` attribute to the normal format as - # specified in RFC 3580 Section 3.21. - # -# wimax - # # The `eap` module takes care of all EAP authentication, # including EAP-MD5, EAP-TLS, PEAP and EAP-TTLS. @@ -1192,34 +1180,6 @@ send Access-Accept { # # ldap - # - # Calculate the various WiMAX keys. In order for this to - # work, you will need to define the WiMAX NAI, usually - # via: - # -# request.WiMAX-MN-NAI = "%{User-Name}" - - # If you want various keys to be calculated, you will - # need to update the reply with "template" values. The - # module will see this, and replace the template values - # with the correct ones taken from the cryptographic - # calculations, e.g. - # -# reply += { -# Vendor-Specific.WiMAX = { -# FA-RK-Key = 0x00 -# MSK = reply.EAP-MSK -# } -# } - - # You may want to delete the `MS-MPPE-*-Keys` from the - # reply, as some WiMAX clients behave badly when those - # attributes are included. See the configuration entry - # `delete_mppe_keys` in `mods-available/wimax` for - # more information. - # -# wimax - # # If there is a client certificate (EAP-TLS, and very # occasionally PEAP and EAP-TTLS), then some attributes
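Review bot: In doc/antora/modules/reference/pages/raddb/mods-available/wimax.adoc, hunk @@ -13,11 +13,34 @@, the added line "send Access-Accept {" opens a block that is never filled in or closed: only blank lines follow before "== Miscellaneous". The raddb/mods-available/wimax hunk in this same commit has the full example at that point (the NAI assignment, the "reply += { ... }" template, "wimax" and the closing brace), so either carry that example into the page or drop the dangling line. Two smaller points in the same hunk: the new heading "## recv Access-Request" uses a different marker from "== send Access-Accept" and "== Miscellaneous", and the sentence "In the `recv Access-Request section. the `wimax` module" is missing the closing backtick and has a full stop where a comma is meant.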
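Review bot: In wimax.adoc, hunk @@ -44,7 +67,7 @@, the replacement line "WiMAX-MN-NAI = User-Name}" keeps the closing brace of the old "%{User-Name}" expansion after the "%{" was removed. It should read "WiMAX-MN-NAI = User-Name", matching the "request.WiMAX-MN-NAI = User-Name" form used in the Default Configuration example. The same stray brace is in raddb/mods-available/wimax, hunk @@ -47,7 +95,7 @@, and should be fixed there too.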
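Review bot: In wimax.adoc, hunk @@ -129,6 +152,31 @@, the Default Configuration example has lost its "# send Access-Accept {" opener: after the closing "# }" of the "recv Access-Request" block there is a bare "# ..." and then "# # define the WiMAX NAI", yet the example still ends with a second "# }". As rendered, the NAI assignment and the "reply += { ... }" template look like they sit outside any section and the braces do not balance. The raddb/mods-available/wimax hunk has "# send Access-Accept {" at this position; the page should carry it as well.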
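Review bot: In raddb/mods-available/wimax, hunk @@ -16,11 +16,59 @@, the new sections document "recv Access-Request" and "send Access-Accept", but the unchanged header line shown in the preceding hunk still says the module "should be listed in the `recv Access-Request` and `recv Accounting-Request` sections". Please reconcile the two, either by documenting the accounting case or by updating that sentence. In the added example, "#correct ones taken from the cryptographic calculations," is missing the space after "#" and ends on a comma, and "## recv Access-Request" should use the same "==" marker as the other two new headings. The opening sentence of the new section has the same unclosed backtick and misplaced full stop as the .adoc copy.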
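Review bot: In raddb/sites-available/default, hunks @@ -811,18 +811,6 @@ and @@ -1192,34 +1180,6 @@, removing the commented-out "wimax" entries also removes the only indication of where the module goes relative to its neighbours: it sat between "digest" and "eap" in "recv Access-Request", and after "ldap" in "send Access-Accept". The replacement examples in mods-available/wimax show only "..." on either side of "wimax". Since the module text says key calculation depends on EAP having derived MSK and EMSK, and the template uses "reply.EAP-MSK", a sentence in the module documentation stating where "wimax" should be placed in each section would keep that information from being lost.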