2 # The WiMAX module currently takes no configuration.
4 # It should be listed in the "authorize" and "preacct" sections.
5 # This enables the module to fix the horrible binary version
6 # of Calling-Station-Id to the normal format, as specified in
7 # RFC 3580, Section 3.21.
9 # In order to calculate the various WiMAX keys, the module should
10 # be listed in the "post-auth" section. If EAP authentication
11 # has been used, AND the EAP method derives MSK and EMSK, then
12 # the various WiMAX keys can be calculated.
14 # Some useful things to remember:
16 # WiMAX-MSK = EAP MSK, but is 64 octets.
18 # MIP-RK-1 = HMAC-SHA256(ESMK, "miprk@wimaxforum.org" | 0x00020001)
19 # MIP-RK-2 = HMAC-SHA256(ESMK, MIP-RK-1 | "miprk@wimaxforum.org" | 0x00020002)
20 # MIP-RK = MIP-RK-1 | MIP-RK-2
22 # MIP-SPI = first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP")
23 # plus some magic... you've got to track *all* MIP-SPI's
27 # SPI-PMIP4 = MIP-SPI + 1
28 # SPI-CMIP6 = MIP-SPI + 2
30 # MN-NAI is the Mobile node NAI. You have to create it, and put
31 # it into the request or reply as something like:
33 # WiMAX-MN-NAI = "%{User-Name}"
35 # You will also have to have the appropriate IP address (v4 or v6)
36 # in order to calculate the keys below.
38 # Lifetimes are derived from Session-Timeout. It needs to be set
39 # to some useful number.
41 # The hash function below H() is HMAC-SHA1.
44 # MN-HA-CMIP4 = H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI)
46 # Where HA-IPv4 is WiMAX-hHA-IP-MIP4
47 # or maybe WiMAX-vHA-IP-MIP4
49 # Which goes into WiMAX-MN-hHA-MIP4-Key
50 # or maybe WiMAX-RRQ-MN-HA-Key
51 # or maybe even WiMAX-vHA-MIP4-Key
53 # The corresponding SPI is SPI-CMIP4, which is MIP-SPI,
55 # which goes into WiMAX-MN-hHA-MIP4-SPI
56 # or maybe WiMAX-RRQ-MN-HA-SPI
57 # or even WiMAX-MN-vHA-MIP4-SPI
59 # MN-HA-PMIP4 = H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI)
60 # MN-HA-CMIP6 = H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI)
62 # both with similar comments to above for MN-HA-CMIP4.
64 # In order to tell which one to use (CMIP4, PMIP4, or CMIP6),
65 # you have to set WiMAX-IP-Technology in the reply to one of
66 # the appropriate values.
69 # FA-RK = H(MIP-RK, "FA-RK")
71 # MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI)
73 # Where does the FA-IP come from? No idea...
76 # The next two keys (HA-RK and FA-HA) are not generated
77 # for every authentication request, but only on demand.
79 # HA-RK = 160-bit random number assigned by the AAA server
82 # FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI)
84 # where HA-IPv4 is as above.
85 # and FA-CoAv4 address of the FA as seen by the HA
86 # and SPI is the relevant SPI for the HA-RK.
88 # DHCP-RK = 160-bit random number assigned by the AAA server
89 # to a specific DHCP server. vDHCP-RK is the same
94 # Some WiMAX equipement requires that the MS-MPPE-*-Key
95 # attributes are sent in the Access-Accept, in addition to
96 # the WiMAX-MSK attribute.
98 # Other WiMAX equipment request that the MS-MPPE-*-Key
99 # attributes are NOT sent in the Access-Accept.
101 # By default, the EAP modules sends MS-MPPE-*-Key attributes.
102 # The default virtual server (raddb/sites-available/default)
103 # contains examples of adding the WiMAX-MSK.
105 # This configuration option makes the WiMAX module delete
106 # the MS-MPPE-*-Key attributes. The default is to leave
109 # If the keys are deleted (by setting this to "yes"), then
110 # the WiMAX-MSK attribute is automatically added to the reply.
111 delete_mppe_keys = no