chilli features...

JB list.coovachilli at mac.com
Sat Feb 9 19:08:17 UTC 2008


Hi,

I just stumbled across this idea for a new feature for CoovaChilli:

wlan at mac.com wrote:
> Right now, when you use MAC authentication, if an access-reject is  
> returned, the user will still get assigned an IP address and will  
> then be given the captive portal. This is good as a way to have  
> certain devices bypass the captive portal. But, it would also be  
> nice to use MAC authentication as a way to manage blocked devices.  
> I'm considering an option which will have chilli drop all traffic  
> from clients that get an access-reject during mac authentication.  
> When clients are in the 'drop' state, all traffic from them is  
> ignored.


I think that would be a great feature! Or has this been already  
implemented? If not, here are my two cents:

Why not (mis)use the Reply-Message attribute from RADIUS to achieve  
this? If the value of Reply-Message is a certain "code", like  
"chilli:drop", then Chilli knows it should ignore all further requests  
from this MAC address. Basically, there would be three ways to handle  
a response from an Access-Request request (apart from errors or the  
like):

Access-Accept -> UAM "success"
Access-Reject and Reply-Message is not "chilli:drop" -> UAM "failed"
Access-Reject and Reply-Message is "chilli:drop" -> Drop request(s)

This way, we would neither break the current behaviour nor the RFCs.  
No need to turn this feature on or off in chilli because the logic  
(maybe along with black-/white-lists) resides in the RADIUS server.

Would there still be some sort of session handling? How long would  
chilli drop requests until it "asks" RADIUS again?

JB
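
The three-way handling proposed in this message, sketched in C as an added example that is not part of the original post or of CoovaChilli's code: it walks the attributes of a RADIUS reply (RFC 2865 layout) and drops only on an exact `chilli:drop` Reply-Message, treating malformed packets as errors. The enum and function names are hypothetical, the sample packets are constructed, and the Response Authenticator is assumed to have been verified beforehand.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACCESS_ACCEPT 2          /* RFC 2865 packet codes */
#define ACCESS_REJECT 3
#define ATTR_REPLY_MESSAGE 18    /* RFC 2865 attribute type */
#define HDR_LEN 20               /* code, id, length(2), authenticator(16) */
#define DROP_CODE "chilli:drop"  /* marker value proposed in the post */
/* Hypothetical names, not CoovaChilli identifiers. */
enum mac_action { MAC_ERROR, MAC_UAM_SUCCESS, MAC_UAM_FAILED, MAC_DROP };

/* Classify the reply to a MAC-auth Access-Request. Assumes the caller has
 * already verified the Response Authenticator with the shared secret. */
enum mac_action classify_reply(const uint8_t *pkt, size_t len)
{
    if (len < HDR_LEN) return MAC_ERROR;
    size_t plen = ((size_t)pkt[2] << 8) | pkt[3];
    if (plen < HDR_LEN || plen > len) return MAC_ERROR;
    if (pkt[0] != ACCESS_REJECT)
        return pkt[0] == ACCESS_ACCEPT ? MAC_UAM_SUCCESS : MAC_ERROR;
    int drop = 0;
    for (size_t off = HDR_LEN; off < plen; ) {   /* walk type/length/value */
        if (plen - off < 2) return MAC_ERROR;
        size_t alen = pkt[off + 1];
        if (alen < 2 || alen > plen - off) return MAC_ERROR;  /* overrun */
        if (pkt[off] == ATTR_REPLY_MESSAGE && alen - 2 == strlen(DROP_CODE) &&
            memcmp(pkt + off + 2, DROP_CODE, alen - 2) == 0)
            drop = 1;                            /* exact match only */
        off += alen;
    }
    return drop ? MAC_DROP : MAC_UAM_FAILED;
}

/* Constructed sample reply: zeroed authenticator, optional Reply-Message. */
size_t build_reply(uint8_t *buf, uint8_t code, const char *msg)
{
    size_t mlen = msg ? strlen(msg) : 0, plen = HDR_LEN + (msg ? 2 + mlen : 0);
    memset(buf, 0, HDR_LEN);
    buf[0] = code; buf[1] = 1; buf[2] = (uint8_t)(plen >> 8); buf[3] = (uint8_t)plen;
    if (msg) { buf[20] = ATTR_REPLY_MESSAGE; buf[21] = (uint8_t)(2 + mlen); memcpy(buf + 22, msg, mlen); }
    return plen;
}

int main(void)
{
    uint8_t b[64];
    printf("%d\n", (int)classify_reply(b, build_reply(b, ACCESS_REJECT, DROP_CODE)));
    return 0;
}
```

The open question of how long a MAC stays in the drop state is not modelled here; the classifier only decides which of the three outcomes a single reply maps to.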