
Proxy Mobile IPv6 using Cisco

Wednesday, June 28, 2017

pmipv6-cisco.jpg

Proxy Mobile IPv6 (or PMIPv6 for short) allows an ordinary host (PC, laptop, smartphone etc.) to keep an unchanging IP address while roaming between different access points/routers within a PMIP domain. See Wikipedia for more info. Cisco offers a powerful implementation in its IOS targeted at large-scale installations with regard to ease of deployment and management. For this to work Cisco recommends things like Lightweight Access Points (LAP), Wireless LAN Controllers (WLC) and protocols like Control And Provisioning of Wireless Access Points (CAPWAP). Using these components it is fairly easy to set up and manage PMIPv6 domains. See this Cisco guide for more info.

For a project I had to design a very, very low-level PMIPv6 lab without almost all the nice things Cisco recommends. And - it works - almost.


pmipv6-lab1.png

This picture shows the lab in detail: 3 Cisco 2911/K9 ISR routers acting as MAG and LMA running IOS 15.6, two Aironet 702I wireless access points (IOS 15.2(4)JB3a) and 3 hosts running Ubuntu 16.04 LTS acting as CN, MN and AAA (FreeRadius).


pmipv6-lab2.png

  1. MN associates with AP2 using a pre-shared key (WPA2-PSK). AP2 is configured to act as a wireless bridge.
  2. After MN successfully associates with AP2 its wlan0 interface comes up and the Linux IPv6 stack sends a Router Solicitation (RS), which MAG2 recognizes as a PMIPv6 attachment trigger.
  3. MAG2 is configured to send a RADIUS Access-Request to the AAA server to provision MN properties like home prefix etc.

So far everything works as expected. A RADIUS Access-Request must contain the User-Name attribute to authenticate/authorize the MN. In PMIPv6 the "user name" of a MN is its mobile node ID (MNID), which is normally the MAC address of the network interface the MN uses to connect to the AP. MAG2 correctly extracts the MNID of the connecting MN and constructs the following RADIUS Access-Request:

User-Password       [2]   18  *
Calling-Station-Id  [31]  19  "2c-4d-54-61-e4-48"
Service-Type        [6]   6   Outbound                  [5]
NAS-IPv6-Address    [95]  18  2001:DB8:1009::1
Nas-Identifier      [32]  9   "router3"

All values in this request are fine, except that the "User-Name" attribute, which should carry the MAC address of the MN, is missing. Instead the MAC address is placed in the "Calling-Station-Id" attribute. FreeRadius answers this Access-Request with an Access-Reject message, as it cannot find the User-Name attribute.
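As an added example (not Cisco's or FreeRADIUS's code), the following Python builds that same Access-Request as RFC 2865 attribute TLVs and checks it for User-Name. The request authenticator is the one printed in the debug log below; the shared secret is the placeholder from the config; the identifier 64 (from "id 1645/64") and the cleartext password are assumptions, since the log masks the password. The per-attribute lengths come out as the 18/19/6/18/9 shown in the request and the whole packet as 90 octets, matching "len 90" in the log. A second builder shows the same request with the MNID also carried in User-Name, which is what the AAA server is waiting for.

```python
"""Added example (not Cisco's or FreeRADIUS's code): build the Access-Request
MAG2 sends as RFC 2865 attribute TLVs, then check it for User-Name."""
import hashlib
import ipaddress
import struct

# Attribute type numbers from RFC 2865 (and RFC 3162 for NAS-IPv6-Address)
USER_NAME = 1
USER_PASSWORD = 2
SERVICE_TYPE = 6
CALLING_STATION_ID = 31
NAS_IDENTIFIER = 32
NAS_IPV6_ADDRESS = 95
ACCESS_REQUEST = 1  # packet code
HEADER_LEN = 20     # code, identifier, length, 16-byte authenticator

# Request authenticator copied from the debug log; the shared secret is the
# placeholder from the config; the cleartext password is constructed (the log masks it).
AUTHENTICATOR = bytes.fromhex("40A0D9D50C5606B0D40BAD44A7426B98")
SHARED_SECRET = b"xxxxxxxx"
MN_PASSWORD = b"constructed"
MNID = "2c-4d-54-61-e4-48"  # Calling-Station-Id value shown in the request


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), seeded with the request authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password (what the server does), padding stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type (1 octet), Length (1 octet, includes these 2), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, attributes) -> bytes:
    body = b"".join(avp(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + authenticator + body


def parse_attributes(packet: bytes):
    """Walk the TLVs after the 20-byte header; returns [(type, value), ...]."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def has_user_name(packet: bytes) -> bool:
    return any(t == USER_NAME for t, _ in parse_attributes(packet))


def mag2_attributes():
    """The five attributes MAG2 actually sends, in the order the log shows them."""
    return [
        (USER_PASSWORD, encode_user_password(MN_PASSWORD, SHARED_SECRET, AUTHENTICATOR)),
        (CALLING_STATION_ID, MNID.encode()),
        (SERVICE_TYPE, struct.pack("!I", 5)),  # Outbound
        (NAS_IPV6_ADDRESS, ipaddress.IPv6Address("2001:DB8:1009::1").packed),
        (NAS_IDENTIFIER, b"router3"),
    ]


def request_as_sent() -> bytes:
    """The request as MAG2 sends it (identifier 64 assumed from 'id 1645/64')."""
    return build_access_request(64, AUTHENTICATOR, mag2_attributes())


def request_as_expected() -> bytes:
    """The same request with the MNID also carried in User-Name."""
    return build_access_request(64, AUTHENTICATOR, [(USER_NAME, MNID.encode())] + mag2_attributes())


if __name__ == "__main__":
    sent, expected = request_as_sent(), request_as_expected()
    print(len(sent), "octets, User-Name present:", has_user_name(sent))
    print(len(expected), "octets, User-Name present:", has_user_name(expected))
```

The parser refuses a packet whose Length field disagrees with its size or whose attribute Length is below 2, which is the minimum RFC 2865 allows; both checks are cheap and stop a truncated or malformed attribute list from being walked off the end.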

The big question now is: how can MAG2 be configured to send the MNID in the User-Name attribute?
If anyone has info, an answer or a hint, just leave a comment.

Note: For the lab to work anyway, a NAI for the MN was configured locally in MAG2. So after the negative AAA RADIUS response MAG2 tries to handle the connecting MN locally, which succeeds: MAG2 sends its Proxy Binding Update (PBU) to the LMA and receives a Proxy Binding Acknowledgement (PBA). See the console logs at the end of this post.

The relevant parts of the IOS configuration of MAG2 are as follows:

interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:DB8:1009::1/64
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 ipv6 address FE80::200:5EFF:FE00:5213 link-local
 ipv6 address 2001:DB8:1019::F/64
 ipv6 nd ra interval 5
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto

! RADIUS configuration 
aaa new-model 
aaa group server radius AAA-GROUP-PMIP 
 server name AAA-SERVER-PMIP 
aaa authorization commands visible-keys 
aaa authorization ipmobile default group AAA-GROUP-PMIP 
aaa session-id common 
radius-server attribute 6 on-for-login-auth 
radius-server attribute 8 include-in-access-req 
radius-server attribute 32 include-in-access-req 
radius-server attribute 31 mac format ietf 
radius-server attribute 31 send nas-port-detail 
radius-server attribute 31 remote-id 
radius-server attribute wireless authentication callStationIdCase lower 
radius-server attribute wireless authentication mac-delimiter colon 
radius-server attribute wireless authentication call-station-id macaddress 
! 
radius server AAA-SERVER-PMIP 
 address ipv6 2001:DB8:101::2 auth-port 1812 acct-port 1813 
 key xxxxxxxx
 
! PMIPv6 domain 
ipv6 mobile pmipv6-domain dom1 

! First ask AAA (Radius) server when a MN connects for its 
! properties. If this fails (either if AAA server not reachable or 
! AAA server rejects access-request) try fallback with local NAI's 
! (see below) 
 mn-profile-load-aaa 
 
! NAI for a given MN as MAC@realm 
! @realm is only used if append profile in pmipv6-mag interface section is 
! used AND a default profile is used AND the default profile NAI includes a @realm 
 nai 2C4D.5461.E448@dom1.net 

! If this NAI is left COMPLETELY blank then all attributes from 
! the default NAI are copied over at first connection from this MN.  
! After this the running config is altered to contain default NAI's attributes. 
! See enable pmipv6 default ... entry in ipv6 mobile pmipv6-mag ... section 
 
! Default NAI including @realm 
 nai default@dom1.net 
  lma lma1 
  service ipv6 
 
! PMIPv6 MAG 
ipv6 mobile pmipv6-mag mag2 domain dom1
 discover-mn-detach poll interval 60 timeout 5 retries 3 
 address ipv6 2001:DB8:1009::1 
 binding maximum 200 
 binding lifetime 8640 
 binding refresh-time 360 
 no generate grekey 
 interface GigabitEthernet0/1 
  enable pmipv6 default default@dom1.net 
  append profile 
 lma lma1 dom1
  ipv6-address 2001:DB8:1009::F 

IOS console log output for debug radius

*Jun 28 09:41:02.553: [PMIPV6_MAG_EVENT]: Trigger request received (Router Solicit trigger) from (2C4D.5461.E448) on GigabitEthernet0/1
*Jun 28 09:41:02.553: [PMIPV6_PDB_INFO]: Request made to AAA for MN mac 2C4D.5461.E448 SeqNo 71

*Jun 28 09:41:02.553: RADIUS/ENCODE(00000000):Orig. component type = Invalid
*Jun 28 09:41:02.553: RADIUS(00000000): Config NAS IP: 0.0.0.0
*Jun 28 09:41:02.553: RADIUS(00000000): Config NAS IPv6: ::
*Jun 28 09:41:02.553: RADIUS(00000000): Config NAS IP: 0.0.0.0
*Jun 28 09:41:02.553: RADIUS(00000000): sending
*Jun 28 09:41:02.553: RADIUS/ENCODE: Best Local IPv6-Address 2001:DB8:1009::1 for Radius-Server 2001:DB8:101::2
*Jun 28 09:41:02.553: RADIUS(00000000): Send Access-Request to 2001:DB8:101::2:1812 onvrf(0) id 1645/64, len 90
*Jun 28 09:41:02.553: RADIUS: authenticator 40 A0 D9 D5 0C 56 06 B0 - D4 0B AD 44 A7 42 6B 98
*Jun 28 09:41:02.553: RADIUS: User-Password [2] 18 *
*Jun 28 09:41:02.553: RADIUS: Calling-Station-Id [31] 19 "2c-4d-54-61-e4-48"
*Jun 28 09:41:02.553: RADIUS: Service-Type [6] 6 Outbound [5]
*Jun 28 09:41:02.553: RADIUS: NAS-IPv6-Address [95] 18 2001:DB8:1009::1
*Jun 28 09:41:02.553: RADIUS: Nas-Identifier [32] 9 "router3"
*Jun 28 09:41:02.553: RADIUS(00000000): Sending a IPv6 Radius Packet
*Jun 28 09:41:02.553: RADIUS: IPv6 udp send - source address: 2001:DB8:1009::1, dest address: 2001:DB8:101::2
*Jun 28 09:41:02.553: RADIUS(00000000): Started 5 sec timeout
*Jun 28 09:41:03.569: RADIUS: Received from id 1645/64 2001:DB8:101::2:1812, Access-Reject, len 20
*Jun 28 09:41:03.569: RADIUS: authenticator 05 39 F3 EB 59 71 2D 75 - 6D DC F8 02 71 2D 56 31
*Jun 28 09:41:03.569: RADIUS/DECODE(00000000): There is no General DB. Reply server details may not be recorded
*Jun 28 09:41:03.569: RADIUS(00000000): Received from id 1645/64

*Jun 28 09:41:03.569: [PMIPV6_PDB_INFO]: AAA Response received SeqNo 71 status fail
*Jun 28 09:41:03.569: [PMIPV6_PDB_EVENT]: AAA request for 2C4D.5461.E448 failed
*Jun 28 09:41:03.569: [PMIPV6_PDB_INFO]:MN default@dom1.net found locally
*Jun 28 09:41:03.569: [PMIPV6_PDB_INFO]:MN 2C4D.5461.E448@dom1.net not found locally
*Jun 28 09:41:03.569: [PMIPV6_PDB_INFO]: 2C4D.5461.E448@dom1.net profile policy copied from default@dom1.net
*Jun 28 09:41:03.569: [PMIPV6_PDB_INFO]: Config_MN_Interface Mac:2C4D.5461.E448 sense:1
*Jun 28 09:41:03.569: [PMIPV6_BINDING_INFO_KEY]: Keytype as NAI. NAI: 2C4D.5461.E448@dom1.net
*Jun 28 09:41:03.569: [PMIPV6_BINDING_INFO]: binding not found on NAI tree
*Jun 28 09:41:03.569: [PMIPV6_BINDING_INFO]: binding not found
*Jun 28 09:41:03.569: [PMIPV6_MAG_EVENT]: Trigger attach request received
*Jun 28 09:41:03.569: [PMIPV6_BINDING_INFO_KEY]: Keytype as NAI. NAI: 2C4D.5461.E448@dom1.net
*Jun 28 09:41:03.569: [PMIPV6_BINDING_INFO]: binding not found on NAI tree
*Jun 28 09:41:03.569: [PMIPV6_BINDING_INFO]: binding not found
*Jun 28 09:41:03.569: [PMIPV6_MAG_EVENT]: Event received New MN intf attached for Nai: 2C4D.5461.E448@dom1.net in path state machine, pathT
*Jun 28 09:41:03.569: [PMIPV6_MAG_EVENT]: Starting Retx timer, period (1000)
*Jun 28 09:41:03.569: [PMIPV6_MM_EVENT]: Allocated packet of size 112 with tlv length 100
*Jun 28 09:41:03.569: [MIP_PDL_INFO]: seconds 1498642863, fraction 570000000
*Jun 28 09:41:03.569: [PMIPV6_MAG_INFO]: MAG PBU TIMESTAMP 1498642863
*Jun 28 09:41:03.569: [PMIPV6_MAG_INFO]: PBU message nai(2C4D.5461.E448@dom1.net), nai len: 25, hoa(None), att(4) llid(2C4D.5461.E448) , )
*Jun 28 09:41:03.569: [PMIPV6_MAG_EVENT]: PBU message sent for Nai: 2C4D.5461.E448@dom1.net
*Jun 28 09:41:03.569: [PMIPV6_MAG_EVENT]: Event received First path created for Nai: 2C4D.5461.E448@dom1.net in state: NULL, new state: INT
*Jun 28 09:41:03.569: [PMIPV6_BINDING_INFO_KEY]: Keytype as NAI. NAI: 2C4D.5461.E448@dom1.net
*Jun 28 09:41:03.569: [PMIPV6_BINDING_INFO]: binding added New NAI AVL node created
*Jun 28 09:41:03.569: PMIPV6_LMA_INFO: LMA is not initialized in this BOX
*Jun 28 09:41:03.569: [PMIPV6_MAG_EVENT]: message received: PBA
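Added example, not Cisco's code: a small parser over debug radius output of the kind shown above. It pairs each Access-Request with its reply by the "id" field, checks that the attribute lengths add up to the packet length, reports whether User-Name was sent, and normalizes the Calling-Station-Id MAC into the dotted form IOS uses in nai entries so it can be matched against the locally configured NAIs (the ones from the MAG2 config). The embedded log is a constructed subset of the RADIUS lines above; the realm dom1.net is the one from the config.

```python
"""Added example (not Cisco's code): parse 'debug radius' output, pair each
Access-Request with its reply by identifier and report what was sent."""
import re

# Constructed excerpt of the MAG2 debug output (a subset of the lines above)
SAMPLE_LOG = """\
*Jun 28 09:41:02.553: RADIUS(00000000): Send Access-Request to 2001:DB8:101::2:1812 onvrf(0) id 1645/64, len 90
*Jun 28 09:41:02.553: RADIUS: authenticator 40 A0 D9 D5 0C 56 06 B0 - D4 0B AD 44 A7 42 6B 98
*Jun 28 09:41:02.553: RADIUS: User-Password [2] 18 *
*Jun 28 09:41:02.553: RADIUS: Calling-Station-Id [31] 19 "2c-4d-54-61-e4-48"
*Jun 28 09:41:02.553: RADIUS: Service-Type [6] 6 Outbound [5]
*Jun 28 09:41:02.553: RADIUS: NAS-IPv6-Address [95] 18 2001:DB8:1009::1
*Jun 28 09:41:02.553: RADIUS: Nas-Identifier [32] 9 "router3"
*Jun 28 09:41:03.569: RADIUS: Received from id 1645/64 2001:DB8:101::2:1812, Access-Reject, len 20
*Jun 28 09:41:03.569: RADIUS(00000000): Received from id 1645/64
"""

SEND_RE = re.compile(r"RADIUS\(\w+\): Send (Access-\w+) to (\S+) onvrf\(\d+\) id (\S+), len (\d+)")
ATTR_RE = re.compile(r"RADIUS: ([\w-]+) \[(\d+)\] (\d+) (.*)$")
RECV_RE = re.compile(r"RADIUS: Received from id (\S+) \S+, (Access-\w+), len (\d+)")


def parse_radius_debug(text: str):
    """Return one dict per request: code, server, id, len, attributes, response."""
    transactions, current = [], None
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            current = {"code": m.group(1), "server": m.group(2), "id": m.group(3),
                       "len": int(m.group(4)), "attributes": [], "response": None}
            transactions.append(current)
            continue
        m = RECV_RE.search(line)
        if m:
            for tx in transactions:
                if tx["id"] == m.group(1) and tx["response"] is None:
                    tx["response"] = m.group(2)
                    break
            current = None  # any attribute lines that follow belong to the reply
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            name, attr_type, attr_len, value = m.groups()
            current["attributes"].append((name, int(attr_type), int(attr_len), value.strip().strip('"')))
    return transactions


def cisco_dotted(mac: str) -> str:
    """'2c-4d-54-61-e4-48' (attribute 31, ietf format) -> '2C4D.5461.E448' (IOS nai form)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def audit(tx, local_nais, realm="dom1.net"):
    """Summarize one request: was User-Name sent, does the MNID have a local NAI?"""
    by_name = {name: value for name, _, _, value in tx["attributes"]}
    declared = 20 + sum(length for _, _, length, _ in tx["attributes"])
    mnid = cisco_dotted(by_name["Calling-Station-Id"]) if "Calling-Station-Id" in by_name else None
    return {
        "id": tx["id"],
        "length_consistent": declared == tx["len"],
        "user_name": by_name.get("User-Name"),
        "mnid": mnid,
        "response": tx["response"],
        "local_fallback_possible": mnid is not None and f"{mnid}@{realm}" in local_nais,
    }


LOCAL_NAIS = {"2C4D.5461.E448@dom1.net", "default@dom1.net"}  # nai entries from the MAG2 config


def audit_sample():
    return [audit(tx, LOCAL_NAIS) for tx in parse_radius_debug(SAMPLE_LOG)]


if __name__ == "__main__":
    for report in audit_sample():
        print(report)
```

Run against the excerpt it reports one transaction: id 1645/64, lengths consistent (20 + 18 + 19 + 6 + 18 + 9 = 90), no User-Name, MNID 2C4D.5461.E448, Access-Reject, and a local NAI available for the fallback the log then shows. The same parser can be pointed at a longer capture to spot any request whose reply never arrives or whose attribute set differs from the expected one.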