For a bigger project I had to set up a small PMIPv6 test lab (see attached picture). It consists of only two APs, three ISR 2911/K9 routers acting as MAG and LMA, and some Ubuntu 16.04 LTS hosts.
So far, PMIPv6 without a WLC works, except for RADIUS authentication from the MAG to the AAA server.
- The MN associates with AP2 using a WPA2 pre-shared key (WPA2-PSK). AP2 is configured to act as a wireless bridge.
- After the MN successfully associates with AP2, its wlan0 interface comes up and the Linux IPv6 stack sends a Router Solicitation (RS), which MAG2 recognizes as a PMIPv6 attachment trigger.
- MAG2 is configured to send a RADIUS Access-Request to the AAA server to provision MN properties such as the home prefix.
Now the problem is that MAG2 sends the RADIUS Access-Request without the User-Name attribute, which the AAA server requires. The Access-Request looks like this:
User-Password [2] 18 *
Calling-Station-Id [31] 19 "2c-4d-54-61-e4-48"
Service-Type [6] 6 Outbound [5]
NAS-IPv6-Address [95] 18 2001:DB8:1009::1
Nas-Identifier [32] 9 "router3"
How can MAG2 be configured to include the MNID in the Access-Request as the User-Name attribute?
These are the relevant parts of the MAG2 config:
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
ipv6 address 2001:DB8:1009::1/64
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
ipv6 address FE80::200:5EFF:FE00:5213 link-local
ipv6 address 2001:DB8:1019::F/64
ipv6 nd ra interval 5
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
! RADIUS configuration
aaa new-model
aaa group server radius AAA-GROUP-PMIP
server name AAA-SERVER-PMIP
aaa authorization commands visible-keys
aaa authorization ipmobile default group AAA-GROUP-PMIP
aaa session-id common
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 31 mac format ietf
radius-server attribute 31 send nas-port-detail
radius-server attribute 31 remote-id
radius-server attribute wireless authentication callStationIdCase lower
radius-server attribute wireless authentication mac-delimiter colon
radius-server attribute wireless authentication call-station-id macaddress
!
radius server AAA-SERVER-PMIP
address ipv6 2001:DB8:101::2 auth-port 1812 acct-port 1813
key xxxxxxxx
! PMIPv6 domain
ipv6 mobile pmipv6-domain dom1
! First ask AAA (Radius) server when a MN connects for its
! properties. If this fails (either if AAA server not reachable or
! AAA server rejects access-request) try fallback with local NAI's
! (see below)
mn-profile-load-aaa
! NAI for a given MN as MAC@realm
! @realm is only used if append profile in pmipv6-mag interface section is
! used AND a default profile is used AND the default profile NAI includes a @realm
nai 2C4D.5461.E448@dom1.net
! If this NAI is left COMPLETELY blank then all attributes from
! the default NAI are copied over at first connection from this MN.
! After this the running config is altered to contain default NAI's attributes.
! See enable pmipv6 default ... entry in ipv6 mobile pmipv6-mag ... section
! Default NAI including @realm
nai default@dom1.net
lma lma1
service ipv6
! PMIPv6 MAG
ipv6 mobile pmipv6-mag mag2 domain dom1
discover-mn-detach poll interval 60 timeout 5 retries 3
address ipv6 2001:DB8:1009::1
binding maximum 200
binding lifetime 8640
binding refresh-time 360
no generate grekey
interface GigabitEthernet0/1
enable pmipv6 default default@dom1.net
append profile
lma lma1 dom1
ipv6-address 2001:DB8:1009::F
For more info and console logs, please see also:
https://www.min.at/prinz/?x=entry:entry170628-120913#readmore-entry170628-120913
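As an added illustration of the attribute dump in the post (example code, not from the original post or from Cisco): a small RADIUS encoder/decoder that rebuilds MAG2's Access-Request from the five listed attributes, reports which required attributes are missing, and builds the same request with User-Name carrying the MN's NAI, which is what the AAA server is asking for. The shared secret, the Request Authenticator and the User-Password value are constructed placeholders; the NAI is the per-MN `nai` entry from the MAG2 config. The block does not show the IOS command that makes the MAG add User-Name, because the post does not contain it.

```python
"""Build and decode RADIUS Access-Requests (RFC 2865) and check for User-Name.

Added example, not code from the original post. SECRET, AUTHENTICATOR and
the cleartext User-Password are constructed placeholders.
"""
import hashlib
import ipaddress
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
CALLING_STATION_ID, NAS_IDENTIFIER, NAS_IPV6_ADDRESS = 31, 32, 95
ATTR_NAMES = {
    USER_NAME: "User-Name", USER_PASSWORD: "User-Password",
    SERVICE_TYPE: "Service-Type", CALLING_STATION_ID: "Calling-Station-Id",
    NAS_IDENTIFIER: "Nas-Identifier", NAS_IPV6_ADDRESS: "NAS-IPv6-Address",
}
SERVICE_TYPES = {2: "Framed", 5: "Outbound"}


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_user_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1) + Length (1, covers type, length and value) + Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, attributes) -> bytes:
    """Code (1) + Identifier (1) + Length (2) + Authenticator (16) + attributes."""
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]); rejects malformed input."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def missing_attributes(attrs, required=(USER_NAME,)):
    """Names of required attributes absent from the request (the AAA server's complaint)."""
    present = {t for t, _ in attrs}
    return [ATTR_NAMES.get(t, str(t)) for t in required if t not in present]


def dump_attributes(attrs):
    """Render attributes as 'Name [type] length value', like the IOS debug output in the post."""
    lines = []
    for t, v in attrs:
        name = ATTR_NAMES.get(t, f"Attr-{t}")
        if t == USER_PASSWORD:
            shown = "*"
        elif t == SERVICE_TYPE:
            code = struct.unpack("!I", v)[0]
            shown = f"{SERVICE_TYPES.get(code, 'Unknown')} [{code}]"
        elif t == NAS_IPV6_ADDRESS:
            shown = str(ipaddress.IPv6Address(v)).upper()
        else:
            shown = '"' + v.decode("ascii", "replace") + '"'
        lines.append(f"{name} [{t}] {len(v) + 2} {shown}")
    return lines


SECRET = b"xxxxxxxx"               # placeholder, as masked in the post
AUTHENTICATOR = bytes(range(16))   # constructed; a real NAS uses 16 random bytes per request
MN_MAC = b"2c-4d-54-61-e4-48"      # Calling-Station-Id as formatted by the MAG2 config
MN_NAI = b"2C4D.5461.E448@dom1.net"  # per-MN NAI from the MAG2 config
COMMON = [
    (USER_PASSWORD, encrypt_user_password(b"pmip-pw", SECRET, AUTHENTICATOR)),  # constructed value
    (CALLING_STATION_ID, MN_MAC),
    (SERVICE_TYPE, struct.pack("!I", 5)),
    (NAS_IPV6_ADDRESS, ipaddress.IPv6Address("2001:db8:1009::1").packed),
    (NAS_IDENTIFIER, b"router3"),
]
MAG2_REQUEST = build_access_request(1, AUTHENTICATOR, COMMON)                       # as sent today
WANTED_REQUEST = build_access_request(2, AUTHENTICATOR, [(USER_NAME, MN_NAI)] + COMMON)  # with MNID

if __name__ == "__main__":
    for label, pkt in (("as sent", MAG2_REQUEST), ("wanted", WANTED_REQUEST)):
        attrs = parse_packet(pkt)[3]
        print(f"{label}: missing {missing_attributes(attrs) or 'nothing'}")
        print("\n".join(dump_attributes(attrs)))
```

The five rebuilt attributes reproduce the lengths in the post (18, 19, 6, 18, 9), which is a quick sanity check that the dump was read correctly; the same `missing_attributes` check can be run over packets captured between MAG2 and the AAA server to confirm that User-Name really is the only attribute the server is waiting for.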