[Chilli] chilli as proxy for 802.1X

Anatoly Oreshkin Anatoly.Oreshkin at pnpi.spb.ru
Mon Apr 5 14:29:26 UTC 2010


Hello,

I would like to use chilli as a proxy between an Access Point (AP) and a
Radius server.
The AP (not CoovaAP) is configured for WPA2/AES security with
802.1X/EAP/PEAP/MSCHAPv2
authentication. The chilli address is specified as the radius server in the AP.

Coovachilli is configured as follows.

/usr/local/etc/chilli/config has the lines:

HS_WANIF=eth0     # has 195.19.214.216 address
HS_LANIF=eth1
HS_NETWORK=10.2.3.0
HS_NETMASK=255.255.255.0
HS_UAMLISTEN=10.2.3.1
HS_UAMPORT=3990
HS_UAMUIPORT=4990
HS_DNS_DOMAIN=<my domain>
HS_DNS1=ipaddress1
HS_DNS2=ipaddress2
HS_RADIUS=<radius server address>
HS_RADIUS2=<radius server address>
HS_UAMALLOW="10.2.3.1/24,195.19.214.216"
HS_RADSECRET=<radius secret>
HS_UAMSECRET=<uam secret>
HS_UAMALIASNAME=chilli
HS_UAMSERVER=<uam server>
HS_UAMFORMAT=https://\$HS_UAMSERVER/cgi-bin/hotspotlogin.cgi
HS_TCP_PORTS="80 443"
HS_MODE=hotspot
HS_TYPE=chillispot
HS_WWWDIR=/usr/local/etc/chilli/www
HS_WWWBIN=/usr/local/etc/chilli/wwwsh
HS_PROVIDER=Coova
HS_PROVIDER_LINK=http://www.coova.org/
HS_LOC_NAME="My HotSpot"

/usr/local/etc/chilli/local.conf:

proxylisten=195.19.214.216     # eth0 address
proxyport=1812
proxyclient=192.168.14.242    #  AP address
proxysecret=<proxy secret>



Radius configuration.
--------------------

/usr/local/etc/raddb/clients.conf:

# chilli hotspot
client 195.19.214.216 {
        secret      = <chilli secret>
        shortname   = Chilli
        nastype     = other
}

/usr/local/etc/raddb/users:

oreshkin Cleartext-Password := "client password", Calling-Station-Id == "00-16-EA-8A-DE-38"

When a client tries to authenticate through chilli, I see the following on
the chilli server in /var/log/messages:

chilli.c: 3274: New DHCP request from MAC=00-16-EA-8A-DE-38
radius.c: 1703: Authenticator does not match request!
radius.c: 337: No such id in radius queue: id=12!
radius.c: 1698: Matching request was not found in queue: 12!
radius.c: 337: No such id in radius queue: id=12!
....

What do these messages mean?

On the radius server, in /usr/local/var/log/radius/radius.log, I see:

Auth: Login OK: [csd-notebook\\oreshkin] (from client Chilli port 15 cli 00-16-EA-8A-DE-38 via TLS tunnel)
Auth: Login OK: [csd-notebook\\oreshkin] (from client Chilli port 15 cli 00-16-EA-8A-DE-38)


That is, the radius server authenticates the client successfully; however,
chilli does not.

Coovachilli is taken from SVN and installed with the options:

./configure --enable-chilliproxy --with-curl


I've also tried the additional parameter "eapolenable" in local.conf, but
it made no difference.

What might be wrong? What other parameters should I specify?

Thanks.
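
Added example (not part of the original post, and not CoovaChilli's code): the reply check that RFC 2865 defines for a RADIUS client, assumed here to be the kind of comparison the "Authenticator does not match request!" line reports. It shows a reply computed with a different shared secret failing the check and a reply for an id that is no longer pending being rejected; the secrets, the attribute and all function names are constructed for the illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def build_request(ident: int) -> bytes:
    """Access-Request header plus a random 16-byte Request Authenticator."""
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20) + os.urandom(16)

def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs

def check_response(response: bytes, pending: dict, secret: bytes) -> str:
    """Client side: pending maps id -> request packet still awaiting a reply."""
    if len(response) < 20:
        return "malformed"
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response):
        return "malformed"
    request = pending.get(ident)
    if request is None:
        return "no such id in queue"
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return "authenticator mismatch"  # request stays queued for a valid reply
    del pending[ident]
    return "ok"

def demo() -> list:
    client_secret = b"constructed-secret-A"   # what the client side is configured with
    other_secret = b"constructed-secret-B"    # what a misconfigured server would use
    attrs = bytes([18, 4]) + b"ok"            # constructed Reply-Message attribute
    request = build_request(12)
    pending = {12: request}
    bad = build_response(ACCESS_ACCEPT, request, other_secret, attrs)
    good = build_response(ACCESS_ACCEPT, request, client_secret, attrs)
    return [check_response(bad, pending, client_secret),
            check_response(good, pending, client_secret),
            check_response(good, pending, client_secret)]  # duplicate reply

if __name__ == "__main__":
    print(demo())
```

In a proxy setup the same check runs on each hop, so the secret configured for the upstream RADIUS server and the one configured for the downstream client are compared independently.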


