WiChorus ASN Gateway (WiMAX): Anyone have experience setting one up?

JoLLyRoGer

Diamond Member
Aug 24, 2000
This has been my latest project at work. We have several WiMAX base stations I'm trying to set up. My problem is configuring my WiChorus ASN Gateway to handle authentication of the CPEs as well as packet store and forwarding for base station to base station handovers.

The WiChorus speaks its own bastardized version of Cisco IOS, so getting in and writing a config hasn't been too difficult via serial using a standard 'baby blue' and Hyperterminal. The problem I'm having is with the built-in AAA server. It uses a version of FreeRADIUS and for the life of me I can't seem to figure out how to access the underlying Linux OS directly.

Basically I need to be able to download the FreeRADIUS certs, access the users file and use the FreeRADIUS debugging mode, but without shell-level access to the machine I'm stuck. Currently we have no SLAs for this equipment as it was bought about a year and a half ago and has sat on a shelf ever since, so getting help out of Tellabs is pointless right now...

Any advice?

TIA
-JR
 

4GM@N

Junior Member
Jul 4, 2011
Hi Mr Polly,

Not sure where you are based, but I believe I can help you with this. Can you please share further details like Base Station vendor name, Authentication Type, CPE type and end-to-end scenario? Have you tested the scenario without authentication? WiChorus ASN-GW is very user friendly in configuring either as a standalone scenario or as a Mobile Internet Gateway (MIG).

Look forward to hearing from you.

Regards
4GM@N
 

JoLLyRoGer

Hello and thank you! I was beginning to think no one wanted to help.

Here is some information referencing the questions you posed.
The WiMAX Base Stations/CPEs are all from ADC/RuggedCOM. I've attached some configuration information about the WiChorus and then some screenshots of how the Base Stations are set up:

This is a simple configuration with only one base station. With this I could not get CPEs to attach.

Wichorus Settings
------------------------------- begin ---------------------------------

login as: admin
Using keyboard-interactive authentication.
Password:
Last login: Mon Jan 12 05:42:14 2009 from xxx.xxx.xxx.xxx <--edited for protection
Welcome to MBOS!


MBOS version 2.1.1-93 SmartCore 07/26/09 18:36:46
SC20-R2>en
SC20-R2#sho run
!
no service password-encryption
!
hostname SC20-R2
!
debug authenticator all
debug aaa all
!
aaa local-server
!
system security
log auth
no log conf
!
interface Mgmt1
ip address 155.226.251.4/28
!
interface lo
ip address 127.0.0.1/8
ip address 10.16.100.6/32 secondary
ip address 10.16.100.7/32 secondary
!
interface Gig2.0
ip address 10.16.99.1/24
!
interface Gig2.1
ip address 10.16.90.100/24
!
ip route 0.0.0.0/0 10.16.90.2
!
service-flow
isf-maximum-bitrate unlimited
no one-step-provision
!
policy-management
!
local pool-mgmt
ip local-pool sc20-2-pool subnet 10.16.100.0/24 range 10.16.100.200 10.16.100.225
ip default-pool sc20-2-pool lease-time 14400
!
network-topology asn-gateway 100
local
ipv4 address 10.16.100.6
mac address 0000.0000.0256
!
network-topology basestation 1
ipv4 address 10.16.99.11
mac address 0013.d501.0959
parent-asn-gateway 100
nwg-version 1
!
router dhcp
ip server-address 10.16.100.7
ip service proxy functionality simple-ip
ip proxy-option subnet-mask 255.255.255.0
!
asn-tid-check-disable
!
ftpc
!
snmp-configuration
com2sec mgdNetwork1 127.0.0.0/8 wicPublic
com2sec mgdNetwork2 127.0.0.0/8 public
com2sec localNetwork 127.0.0.0/8 wicInternal
group chassisGroup v2c localNetwork
group emsGroup1 v2c mgdNetwork1
group emsGroup2 v1 mgdNetwork1
group emsGroup3 v2c mgdNetwork2
group emsGroup4 v1 mgdNetwork2
view all included .1 80
view HostRes included .1.3.6.1.4.1.27030.1.1.2 80
access chassisGroup "" any noauth exact all all none
access emsGroup1 "" any noauth exact all all none
access emsGroup2 "" any noauth exact all all none
access emsGroup3 "" any noauth exact all all none
access emsGroup4 "" any noauth exact all all none
trapcommunity public
trap2sink 127.0.0.1
agentaddress 161,4001
logtrap ALL
!
aaa server
ip server-name sc20-2 server-fqdn 127.1.0.64 preshared-key secret
ip default-server-name sc20-2
!
null-authentication-enable
logging file auth.log facility AUTH severity debug
logging file auth.log facility AUTHPRIV severity debug
aaa radius-client address 127.1.0.2
fib retain forever
arp-ageing-timeout 1200
!
line con 0
login
line vty 0 19
login
!
end



--------------------------------cut-----------------------------------



SC20-R2#sho aaa local
Server status: started
Default EAP type: ttls
MySQL Database: not configured
Certificate files: installed
users file: downloaded
Accounting file rotation: 2 rotation(s), size 10M



--------------------------------cut-----------------------------------



SC20-R2#sho proc
'**************************************************
****************** SLOT#: 2 ********************

PID PROCESS NAME STATUS Start Count
**************************************************
1779 openhpi RUNNING 1
1814 wi_ft_serv RUNNING 1
1816 sysmgr RUNNING 1
1888 card_mgr RUNNING 1
1955 WIPPd RUNNING 1
1966 cmgr RUNNING 1
1970 wi_hbd RUNNING 1
2027 lic_serv RUNNING 1
2040 nsm RUNNING 1
2041 imi RUNNING 1
2132 wi_logd RUNNING 1
2133 tca RUNNING 1
2151 hpic RUNNING 1
2157 lr RUNNING 1
2159 msc RUNNING 1
2162 wi_arp RUNNING 1
2165 wi_dhcp RUNNING 1
2167 ripd RUNNING 1
2170 ospfd RUNNING 1
2172 pm_serv RUNNING 1
2173 had RUNNING 1
2176 had_clnt RUNNING 1
2179 acctd RUNNING 1
2188 authd RUNNING 1
2190 aaad RUNNING 1
2192 fad RUNNING 1
2199 sfa RUNNING 1
2241 snmpd RUNNING 1
2205 pcm RUNNING 1
2214 aggregator RUNNING 1
2243 ftpclient RUNNING 1
2248 radiusd RUNNING 1
2267 policy_mgr RUNNING 1
2325 pm_clnt RUNNING 1
2364 fm_clnt RUNNING 1
2365 qos_mgr RUNNING 1
2366 ar6 RUNNING 1
2377 pcap RUNNING 1



--------------------------------cut-----------------------------------



SC20-R2#sho sys lic info
--------------------------------
License Information
--------------------------------

Identity
customer_name = xxx <--edited for protection
customer_email = xxx <--edited for protection
license_id = custLic_xxx <--edited for protection

Validity
device #1:
chassis_id = xxx <--edited for protection
yyyy = 2030
mm = 8
dd = 19

Device Personality = Mobile Internet Gateway

SmartCore Management = Enabled

Restrictions
feature #1:
feature_name = Wimax_topology_control
param #1: ss_limit=500

feature #2:
feature_name = Content_management
param #1: DPI_basic_enable=TRUE


-------------------------------the end ---------------------------------

Base Station Screenshots Settings

Quick Start Settings:
http://pics.bbzzdd.com/users/JoLLyRoGer/BTS_quickstart_settingst.JPG

Backbone Settings 1:
http://pics.bbzzdd.com/users/JoLLyRoGer/BTS_backbone_settings_1.JPG

Backbone Settings 2:
http://pics.bbzzdd.com/users/JoLLyRoGer/BTS_backbone_settings_2.JPG

ASNGW Settings 1:
http://pics.bbzzdd.com/users/JoLLyRoGer/BTS_asngw_settings_1.JPG

ASNGW Settings 2:
http://pics.bbzzdd.com/users/JoLLyRoGer/BTS_asngw_settings_2.JPG

Wireless Security Settings:
http://pics.bbzzdd.com/users/JoLLyRoGer/BTS_wireless_settings_2.JPG

The interesting thing here is that I never saw a place to enter a shared-secret password for the BS. Maybe I'm thinking of WiFi too much but it did not seem right since AAA uses EAP-TTLS authentication mode.

Of course, since I cannot get shell access to the RADIUS files, I can't tell what my shared secret should be anyway.

-JR
 

chubb

Junior Member
Jul 6, 2011
Hello friend, got the same problem. Cannot configure the built-in AAA. I was trying to configure an external FreeRADIUS server, but as I understood it there is no way to do this while the built-in RADIUS is running, because the external AAA debug shows no activity. Also, my asn-gateway config is a little bit different (I made it using the config guide examples). Here it is:
ASN_GW_DSS#sh ru
!
no service password-encryption
!
hostname ASN_GW_DSS
!
ip dns
server 109.71.32.10
!
aaa local-server
!
system security
log auth
no log conf
!
user wimax
privilege tech-support
password $1$ZSGmzoZ2$HQTye0ttPusyIThStRKGd1
!
interface Mgmt1
shutdown
!
interface lo
ip address 127.0.0.1/8
ip address 34.34.34.1/32 secondary
!
interface Gig2.0
ip address 10.20.0.254/24
!
interface Gig2.1
ip address 10.23.0.254/24
!
ip route 0.0.0.0/0 10.23.0.1
!
policy-management
!
network-topology paging-group 1
paging-cycle 1000 frames
paging-offset 200 frames
!
local pool-mgmt
ip local-pool WIMAX_SS subnet 192.168.1.0/24 range 192.168.1.11 192.168.1.250
ip default-pool WIMAX_SS lease-time 32000
ip subscriber-domain WIMAX local-pool WIMAX_SS lease-time 500000
!
network-topology asn-gateway 1
local
ipv4 address 34.34.34.1
mac address 0000.0000.0001
paging-groups 1
!
network-topology basestation 1
name bs1_1
ipv4 address 10.20.0.1
mac address 0013.d501.2379
parent-asn-gateway 1
paging-groups 1
nwg-version 1
!
network-topology basestation 2
name bs2_1
ipv4 address 10.0.2.12
mac address 0013.d501.21e7
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.237f
!
network-topology basestation 3
name bs2_2
ipv4 address 10.0.2.12
mac address 0013.d501.237f
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.21e7
!
network-topology basestation 4
name bs3_1
ipv4 address 10.0.2.13
mac address 0013.d501.20e3
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.20a1
!
network-topology basestation 5
name bs3_2
ipv4 address 10.0.2.13
mac address 0013.d501.20a1
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.20e3
!
network-topology basestation 6
name bs4_1
ipv4 address 10.0.2.14
mac address 0013.d501.2381
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.21f7
!
network-topology basestation 7
name bs4_2
ipv4 address 10.0.2.14
mac address 0013.d501.21f7
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.2381
!
network-topology basestation 8
name bs5_1
ipv4 address 10.0.2.15
mac address 0013.d501.237d
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.238d
!
network-topology basestation 9
name bs5_2
ipv4 address 10.0.2.15
mac address 0013.d501.238d
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.237d
!
network-topology basestation 10
name bs6_1
ipv4 address 10.0.2.16
mac address 0013.d501.236b
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.2389
!
network-topology basestation 11
name bs6_2
ipv4 address 10.0.2.16
mac address 0013.d501.2389
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.236b
!
network-topology basestation 12
name bs7_1
ipv4 address 10.0.2.17
mac address 0013.d501.237b
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.2369
neighbor-basestation 0013.d501.2377
!
network-topology basestation 13
name bs7_2
ipv4 address 10.0.2.17
mac address 0013.d501.2369
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.2377
neighbor-basestation 0013.d501.237b
!
network-topology basestation 14
name bs7_3
ipv4 address 10.0.2.17
mac address 0013.d501.2377
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.2369
neighbor-basestation 0013.d501.237b
!
network-topology basestation 15
name bs8_1
ipv4 address 10.0.2.18
mac address 0013.d501.2387
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.2391
neighbor-basestation 0013.d501.2399
!
network-topology basestation 16
name bs8_2
ipv4 address 10.0.2.18
mac address 0013.d501.2399
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.2387
neighbor-basestation 0013.d501.2391
!
network-topology basestation 17
name bs8_3
ipv4 address 10.0.2.18
mac address 0013.d501.2391
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.2387
neighbor-basestation 0013.d501.2399
!
network-topology basestation 18
name bs9_1
ipv4 address 10.0.2.19
mac address 0013.d501.21ed
parent-asn-gateway 1
paging-groups 1
nwg-version 1
!
network-topology basestation 19
name bs10_1
ipv4 address 10.0.2.20
mac address 0013.d501.2373
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.2385
!
network-topology basestation 20
name bs10_2
ipv4 address 10.0.2.20
mac address 0013.d501.2385
parent-asn-gateway 1
paging-groups 1
nwg-version 1
neighbor-basestation 0013.d501.2373
!
router dhcp
ip server-address 34.34.34.1
ip service proxy functionality simple-ip
!
ftpc
!
snmp-configuration
com2sec mgdNetwork1 127.0.0.0/8 wicPublic
com2sec localNetwork 127.0.0.0/8 wicInternal
com2sec mgdNetwork2 127.0.0.0/8 public
group chassisGroup v2c localNetwork
group emsGroup4 v1 mgdNetwork2
group emsGroup3 v2c mgdNetwork2
group emsGroup2 v1 mgdNetwork1
group emsGroup1 v2c mgdNetwork1
view all included .1 80
view HostRes included .1.3.6.1.4.1.27030.1.1.2 80
access chassisGroup "" any noauth exact all all none
access emsGroup4 "" any noauth exact all all none
access emsGroup3 "" any noauth exact all all none
access emsGroup2 "" any noauth exact all all none
access emsGroup1 "" any noauth exact all all none
trapcommunity public
trap2sink 127.0.0.1
agentaddress 161,4001
logtrap ALL
!
aaa server
ip server-quarantine-period 600
ip server-name aaa_server server-fqdn 10.23.0.1 preshared-key secret
ip domain cuman.kz dhcp-service proxy functionality simple-ip
ip domain cuman.kz server-name aaa_server
ip default-server-name aaa_server
!
null-authentication-enable
logging file auth.log facility AUTH severity debug
logging file auth.log facility AUTHPRIV severity debug
pcm
aaa radius-client address 34.34.34.1
fib retain
arp-ageing-timeout 1200
!
line con 0
login
line vty 0 4
privilege level 15
login local
line vty 5 871
login
!
end


Let's cooperate to make it work.
Best regards Alex
 

JoLLyRoGer

Yes I agree, let's work together.

I do not have as many base stations as you, but once I get one working with the WiChorus I will add more.

I too am working on an external radius for authentication. I downloaded CIITIX w/ daloradius for simplicity's sake. (It's a turn-key Linux + freeradius + mysql + daloradius.)

Currently I have it authenticating WiFi using WPA2 Enterprise just as a test to make sure the radius server works. Next I will try to use it with a rugged bs in standalone mode and PKM2 authentication mode. If that will work, then I will try to incorporate the wichorus.

The main issue I have in this scenario is there is no dictionary file for wichorus in the current distribution of CIITIX (which uses freeradius 2.0.4). I have seen this dictionary file in later versions of freeradius like 2.1.8 and wonder if I can copy that file from another install into my /usr/share/freeradius directory, then edit the dictionary file to make use of it? The dictionary man page says these files are version specific to freeradius so I'm not hopeful that this will work. What are you using for your freeradius build?

Thank you for posting your configuration. It is always good to compare notes. I have some questions for you regarding it.

Where did you find the configuration guide? Also, do you know of a way to provision CPEs using the WiChorus and null-authentication? I have tried setting this up on my WiChorus using 'null-authentication-enable' but it does not seem to work.

Another problem I have is how to know if the base station is actually communicating with the WiChorus. There do not seem to be any indicators that I've found that show whether the R6 link is established. I have tried to view the output logs using the 'sho log' command but it's not very informative. Is there other debugging I can try?

Also, you can verify your internal radius is running using the 'sho proc' command and looking for radiusd. 'show aaa local' will also give you some information too.

When you say your BS has the same config, do you mean it's the same version, or that you are set up the same as me for talking to the Wichorus?


Thanks!
-JR
 

JoLLyRoGer

I did notice in your network topology that BS 1 has a different subnet than the others: 10.20.0.1 vs 10.0.2.xx for all others. Could be a typo?

Also in several places, you have base stations with matching ip addresses. Was that intentional? I would think each base station needs a unique IP address.

Also according to documentation I have, your router dhcp ip-server must have its own secondary loopback address that is not used by any other services. You use 34.34.34.1 for your parent asn-gateway, your ip server-address and your aaa radius client address too. Maybe this works? I don't know but wanted to point that out.

Since my configuration is not working this may not be worth much, but the limited wichorus configuration procedures I have from RuggedCom state that the default ip addresses for the internal radius server are 127.1.0.64 for the server and 127.1.0.2 for the client.
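
The address checks raised in the post above (base stations sharing an IP, base stations outside the gateway's connected subnets, one loopback address serving several roles) can be run mechanically over a saved 'sho run'. This is an added example, not part of the thread or of any vendor tooling; the `audit` function, its stanza parsing and the constructed sample are assumptions based only on the config text shown on this page.

```python
import ipaddress

# Constructed excerpt shaped like the running-config posted in this thread;
# addresses are copied from it and most base stations are left out.
SAMPLE = """\
interface Gig2.0
ip address 10.20.0.254/24
!
network-topology asn-gateway 1
ipv4 address 34.34.34.1
!
network-topology basestation 1
ipv4 address 10.20.0.1
!
network-topology basestation 2
ipv4 address 10.0.2.12
!
network-topology basestation 3
ipv4 address 10.0.2.12
!
router dhcp
ip server-address 34.34.34.1
!
aaa radius-client address 34.34.34.1
"""

def audit(text):
    """Return address-plan findings for an MBOS-style running-config."""
    ctx, bs_ip, nets, roles = None, {}, [], {}
    for line in map(str.strip, text.splitlines()):
        word = line.split()
        if line == "!":
            ctx = None  # '!' closes the current stanza
        elif line.startswith(("network-topology ", "interface ", "router ")):
            ctx = word[1:] if word[0] == "network-topology" else word
        elif ctx and word[:2] == ["ipv4", "address"]:
            if ctx[0] == "basestation":
                bs_ip[ctx[1]] = word[2]
            elif ctx[0] == "asn-gateway":
                roles.setdefault(word[2], []).append("asn-gateway")
        elif ctx and ctx[0] == "interface" and word[:2] == ["ip", "address"]:
            if ctx[1] != "lo":  # loopback aliases are not connected subnets
                nets.append(ipaddress.ip_interface(word[2]).network)
        elif ctx == ["router", "dhcp"] and word[:2] == ["ip", "server-address"]:
            roles.setdefault(word[2], []).append("dhcp-server")
        elif word[:3] == ["aaa", "radius-client", "address"]:
            roles.setdefault(word[3], []).append("radius-client")
    shared = {}
    for bs, ip in bs_ip.items():
        shared.setdefault(ip, []).append(bs)
    out = [f"base stations {'+'.join(v)} share {ip}"
           for ip, v in shared.items() if len(v) > 1]
    out += [f"base station {bs} ({ip}) is off every connected subnet"
            for bs, ip in bs_ip.items()
            if not any(ipaddress.ip_address(ip) in n for n in nets)]
    return out + [f"{ip} is used by {'+'.join(r)}"
                  for ip, r in roles.items() if len(r) > 1]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A base station reported as off every connected subnet is reached through a route rather than a local interface, which may be intended; the shared-address findings correspond to the two points the post questions directly.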
 

chubb

Hello dear friend, now I have a fully working topology with FreeRadius 2.1.12 and Smart Core ASN. If you still need help, ask me and I will explain every step in detail.
Best regards Alex
 

Suse_user

Junior Member
Nov 10, 2011
Hello
I think you have the same equipment as me.
Did you succeed in starting up your network?

KR
Sam J.
 

chandan.misra

Junior Member
Apr 5, 2012
Hi

I am using a WiChorus SmartCore 9140 as the ASN GW and an Alvarion BTS.
I can see the default ISF provided in service-flow (and by default I am getting this service flow with QoS class BE).

But after that, whatever I specify in classifier, qos or packet-flow, I think I am unable to get any policies from AAA.

If you have a standard procedure for configuring ASN-GW and FreeRADIUS, can you please share it?


Thanks
Chandan
 

Sharista

Junior Member
Jan 3, 2016
Dear JoLLyRoGer,

I hope my message finds you well. It is a pleasure to be able to speak to you now, because I thought I would not be able to find you online after the years that have passed since the latest reply in this thread.

I read this post you wrote a long time ago, and I found you have some information regarding those WiMAX ASNs, and you had some issues that you overcame.

In the past 3 weeks we managed to get a Tellabs WiChorus SmartCore 9160 working as a WiMAX ASN. It had been kept since 2012 in our partner's store, and I'm planning to make use of it in a suburban area to deliver WiMAX coverage.

I have some issues regarding executing configuration commands: the kernel (Wind River Linux) is booting fine but the IOS (which is similar to Cisco's IOS) is not.

Again, it's an honor to speak to you and I hope you are interested in sharing some of your experience; our priority now is to fulfill this goal.

Thank you in advance,