[Chilli] chilli as proxy for 802.1X

David Bird david at coova.com
Tue Apr 6 08:38:15 UTC 2010


The chilli log suggests a bad shared secret. Of course, the auth success
doesn't. Though, you would have seen more than just one packet to
accomplish the EAP success, so the secret must be correct (and working).
Run chilli and FreeRADIUS in debug mode for additional debugging. 


On Mon, 2010-04-05 at 18:29 +0400, Anatoly Oreshkin wrote:
> Hello,
> 
> I would like to use chilli as proxy between Access Point (AP) and
> Radius server.
> AP (not CoovaAP) is configured for WPA2/AES security with
> 802.1X/EAP/PEAP/MSCHAPv2
> authentication. Chilli address is specified as radius server in AP.
> 
> Coovachilli is configured as follows.
> 
> /usr/local/etc/chilli/config has the lines:
> 
> HS_WANIF=eth0     # has 195.19.214.216 address
> HS_LANIF=eth1
> HS_NETWORK=10.2.3.0
> HS_NETMASK=255.255.255.0
> HS_UAMLISTEN=10.2.3.1
> HS_UAMPORT=3990
> HS_UAMUIPORT=4990
> HS_DNS_DOMAIN=<my domain>
> HS_DNS1=ipaddress1
> HS_DNS2=ipaddress2
> HS_RADIUS=<radius server address>
> HS_RADIUS2=<radius server address>
> HS_UAMALLOW="10.2.3.1/24,195.19.214.216"
> HS_RADSECRET=<radius secret>
> HS_UAMSECRET=<uam secret>
> HS_UAMALIASNAME=chilli
> HS_UAMSERVER=<uam server>
> HS_UAMFORMAT=https://\$HS_UAMSERVER/cgi-bin/hotspotlogin.cgi
> HS_TCP_PORTS="80 443"
> HS_MODE=hotspot
> HS_TYPE=chillispot
> HS_WWWDIR=/usr/local/etc/chilli/www
> HS_WWWBIN=/usr/local/etc/chilli/wwwsh
> HS_PROVIDER=Coova
> HS_PROVIDER_LINK=http://www.coova.org/
> HS_LOC_NAME="My HotSpot"
> 
> /usr/local/etc/chilli/local.conf:
> 
> proxylisten=195.19.214.216     # eth0 address
> proxyport=1812
> proxyclient=192.168.14.242    #  AP address
> proxysecret=<proxy secret>
> 
> 
> 
> Radius configuration.
> --------------------
> 
> /usr/local/etc/raddb/clients.conf:
> 
> # chilli hotspot
> client 195.19.214.216 {
>         secret      = <chilli secret>
>         shortname   = Chilli
>         nastype     = other
> }
> 
> /usr/local/etc/raddb/users:
> 
> oreshkin Cleartext-Password := "client password", Calling-Station-Id == "00-16-EA-8A-DE-38"
> 
> When a client is trying to authenticate through chilli I see on chilli
> server in /var/log/messages:
> 
> chilli.c: 3274: New DHCP request from MAC=00-16-EA-8A-DE-38
> radius.c: 1703: Authenticator does not match request!
> radius.c: 337: No such id in radius queue: id=12!
> radius.c: 1698: Matching request was not found in queue: 12!
> radius.c: 337: No such id in radius queue: id=12!
> ....
> 
> What do these messages mean?
> 
> On radius server in /usr/local/var/log/radius/radius.log I see
> 
> Auth: Login OK: [csd-notebook\\oreshkin] (from client Chilli port 15 cli 00-16-EA-8A-DE-38 via TLS tunnel)
> Auth: Login OK: [csd-notebook\\oreshkin] (from client Chilli port 15 cli 00-16-EA-8A-DE-38)
> 
> 
> That is, the radius server authenticates the client successfully; however,
> chilli does not.
> 
> Coovachilli is taken from SVN and installed with the options:
> 
> ./configure --enable-chilliproxy --with-curl
> 
> 
> Also I've tried with the additional parameter "eapolenable" in local.conf but
> with no difference.
> 
> What might be wrong? What more parameters should I specify?
> 
> Thanks.
> 
> _______________________________________________
> Chilli mailing list
> Chilli at coova.org
> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
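An added illustration, not part of the original thread and not CoovaChilli's own code: assuming the "Authenticator does not match request!" log line refers to the RFC 2865 Response Authenticator check, this Python example shows which inputs that check covers and which mismatches make it fail. The secrets, the Reply-Message attribute and the authenticator bytes are constructed sample values; the packet id 12 mirrors the id in the quoted log.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2865)

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    """Client/proxy side: recompute the Response Authenticator and compare."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # ignore any padding past the declared length
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + secret
    ).digest()
    return hmac.compare_digest(expected, packet[4:20])

def demo():
    # Constructed sample values, not taken from the thread.
    req_auth = bytes(range(16))            # Request Authenticator of the pending request
    other_req_auth = bytes(range(16, 32))  # authenticator of a different request
    attrs = bytes([18, 4]) + b"ok"         # Reply-Message attribute (type 18)
    reply = build_response(ACCESS_ACCEPT, 12, req_auth, attrs, b"server-secret")
    return {
        # Both ends hold the same secret and the reply matches the request.
        "same secret": verify_response(reply, req_auth, b"server-secret"),
        # Receiver holds a different secret than the server used.
        "different secret": verify_response(reply, req_auth, b"other-secret"),
        # Reply is checked against the authenticator of another request.
        "wrong request": verify_response(reply, other_req_auth, b"server-secret"),
        # Attribute bytes changed after the server signed the reply.
        "modified attrs": verify_response(reply[:-1] + b"!", req_auth, b"server-secret"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {'match' if ok else 'Authenticator does not match'}")
```

The check passes only when the secret, the original Request Authenticator and the reply bytes all agree, so a reply paired with the wrong pending request fails it just as a wrong secret does.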



