[Chilli] chilli as proxy for 802.1X

Anatoly Oreshkin Anatoly.Oreshkin at pnpi.spb.ru
Wed Apr 7 14:57:12 UTC 2010


I've run chilli and radius in debug mode.

Here is chilli debug output:
---------------------------

Starting chilli: 
main-opt.c: 307: 0 (Debug) DHCP Listen: 10.2.3.1
main-opt.c: 308: 0 (Debug) UAM Listen: 10.2.3.1
...

chilli.c: 1946: 0 (Debug) RADIUS Access-Request received
chilli.c: 1975: 0 (Debug) Calling Station ID is: 00-16-EA-8A-DE-38
dhcp.c: 389: 0 (Debug) DHCP newconn: 00:16:ea:8a:de:38
chilli.c: 3274: 0 (Debug) New DHCP request from MAC=00-16-EA-8A-DE-38
chilli.c: 3277: 0 (Debug) New DHCP connection established
radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1812
chilli.c: 2781: 0 (Debug) Received access request confirmation from radius server

chilli.c: 2817: 0 (Debug) Received access challenge from radius server
chilli.c: 913: 0 (Debug) Sending RADIUS AccessChallenge to client
chilli.c: 1946: 0 (Debug) RADIUS Access-Request received
chilli.c: 1975: 0 (Debug) Calling Station ID is: 00-16-EA-8A-DE-38
radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1812
chilli.c: 2781: 0 (Debug) Received access request confirmation from radius server

chilli.c: 2817: 0 (Debug) Received access challenge from radius server
chilli.c: 913: 0 (Debug) Sending RADIUS AccessChallenge to client
chilli.c: 1946: 0 (Debug) RADIUS Access-Request received
chilli.c: 1975: 0 (Debug) Calling Station ID is: 00-16-EA-8A-DE-38
radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1812
chilli.c: 2781: 0 (Debug) Received access request confirmation from radius server

chilli.c: 2817: 0 (Debug) Received access challenge from radius server
chilli.c: 913: 0 (Debug) Sending RADIUS AccessChallenge to client
chilli.c: 1946: 0 (Debug) RADIUS Access-Request received
chilli.c: 1975: 0 (Debug) Calling Station ID is: 00-16-EA-8A-DE-38
radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1812
chilli.c: 2781: 0 (Debug) Received access request confirmation from radius server

chilli.c: 2817: 0 (Debug) Received access challenge from radius server
chilli.c: 913: 0 (Debug) Sending RADIUS AccessChallenge to client
chilli.c: 1946: 0 (Debug) RADIUS Access-Request received
chilli.c: 1975: 0 (Debug) Calling Station ID is: 00-16-EA-8A-DE-38
radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1812
chilli.c: 2781: 0 (Debug) Received access request confirmation from radius server

chilli.c: 2817: 0 (Debug) Received access challenge from radius server
chilli.c: 913: 0 (Debug) Sending RADIUS AccessChallenge to client
chilli.c: 1946: 0 (Debug) RADIUS Access-Request received
chilli.c: 1975: 0 (Debug) Calling Station ID is: 00-16-EA-8A-DE-38
radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1812
chilli.c: 2781: 0 (Debug) Received access request confirmation from radius server

chilli.c: 2817: 0 (Debug) Received access challenge from radius server
chilli.c: 913: 0 (Debug) Sending RADIUS AccessChallenge to client
chilli.c: 1946: 0 (Debug) RADIUS Access-Request received
chilli.c: 1975: 0 (Debug) Calling Station ID is: 00-16-EA-8A-DE-38
radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1812
chilli.c: 2781: 0 (Debug) Received access request confirmation from radius server

chilli.c: 2817: 0 (Debug) Received access challenge from radius server
chilli.c: 913: 0 (Debug) Sending RADIUS AccessChallenge to client
chilli.c: 1946: 0 (Debug) RADIUS Access-Request received
chilli.c: 1975: 0 (Debug) Calling Station ID is: 00-16-EA-8A-DE-38
radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1812
chilli.c: 2781: 0 (Debug) Received access request confirmation from radius server

chilli.c: 2817: 0 (Debug) Received access challenge from radius server
chilli.c: 913: 0 (Debug) Sending RADIUS AccessChallenge to client
chilli.c: 1946: 0 (Debug) RADIUS Access-Request received
chilli.c: 1975: 0 (Debug) Calling Station ID is: 00-16-EA-8A-DE-38
radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1812
chilli.c: 2781: 0 (Debug) Received access request confirmation from radius server

chilli.c: 2817: 0 (Debug) Received access challenge from radius server
chilli.c: 913: 0 (Debug) Sending RADIUS AccessChallenge to client
chilli.c: 1946: 0 (Debug) RADIUS Access-Request received
chilli.c: 1975: 0 (Debug) Calling Station ID is: 00-16-EA-8A-DE-38
radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1812
chilli.c: 2781: 0 (Debug) Received access request confirmation from radius server

radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1813
chilli.c: 1946: 0 (Debug) RADIUS Access-Request received
chilli.c: 1975: 0 (Debug) Calling Station ID is: 00-16-EA-8A-DE-38
radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1813
radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1812
radius.c: 1703: 0 (Debug) Authenticator does not match request!
radius.c: 337: 0 (Debug) No such id in radius queue: id=12!
radius.c: 1698: 0 (Debug) Matching request was not found in queue: 12!

chilli.c: 1946: 0 (Debug) RADIUS Access-Request received
chilli.c: 1975: 0 (Debug) Calling Station ID is: 00-16-EA-8A-DE-38
chilli.c: 2047: 0 (Debug) Dropping RADIUS while waiting
chilli.c: 92: 0 (Debug) SIGTERM: shutdown


Radius debug is very big so I provide  only extract from radius log:
--------------------------------------------------------------------


rad_recv: Access-Request packet from host 195.19.214.216 port 34666, id=1, length=176
         Vendor-14559-Attr-8 = 0x312e322e332d726331
         User-Name = "csd-notebook\\oreshkin"
         EAP-Message = 0x0200001a016373642d6e6f7465626f6f6b5c6f726573686b696e
         Calling-Station-Id = "00-16-EA-8A-DE-38"
         Called-Station-Id = "00-0E-0C-36-AE-AA"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 22
         Service-Type = Login-User
         NAS-IP-Address = 10.2.3.1
         NAS-Identifier = "nas01"
         Message-Authenticator = 0xa196cb3c72607c5a911c0d818fbf849d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok

...

Sending Access-Challenge of id 1 to 195.19.214.216 port 34666
         EAP-Message = 0x010100061920
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0xb4a908b4b4a811d634d2e603ef8b3686
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 195.19.214.216 port 34666, id=2, length=300
         Vendor-14559-Attr-8 = 0x312e322e332d726331
         User-Name = "csd-notebook\\oreshkin"
         State = 0xb4a908b4b4a811d634d2e603ef8b3686
         EAP-Message = 
0x0201008419800000007a16030100750100007103014bbc8ca76a6a0af22c248b376d914e3b1bd333d1d667531662313ed
82eddda12000018002f00350005000ac009c00ac013c0140032003800130004010000300000001a00180000156373642d6e6f7465626f6f6b5c6f7265
73686b696e000a00080006001700180019000b00020100
         Calling-Station-Id = "00-16-EA-8A-DE-38"
         Called-Station-Id = "00-0E-0C-36-AE-AA"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 22
         Service-Type = Login-User
         NAS-IP-Address = 10.2.3.1
         NAS-Identifier = "nas01"
         Message-Authenticator = 0x5c5c2b874fa4a310fba8a70cf5ca495b
+- entering group authorize {...}

...

eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
   TLS Length 122
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization 
[peap]     TLS_accept: before/accept initialization 
[peap] <<< TLS 1.0 Handshake [length 0075], ClientHello 
[peap]     TLS_accept: SSLv3 read client hello A 
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello 
[peap]     TLS_accept: SSLv3 write server hello A 
[peap] >>> TLS 1.0 Handshake [length 084e], Certificate 
[peap]     TLS_accept: SSLv3 write certificate A 
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone 
[peap]     TLS_accept: SSLv3 write server done A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode 
[peap] eaptls_process returned 13

Sending Access-Challenge of id 2 to 195.19.214.216 port 34666
         EAP-Message = 0x0102040019c00000088b160301002a02
....

rad_recv: Access-Request packet from host 195.19.214.216 port 34666, id=3, length=174
         Vendor-14559-Attr-8 = 0x312e322e332d726331
         User-Name = "csd-notebook\\oreshkin"
         State = 0xb4a908b4b5ab11d634d2e603ef8b3686
         EAP-Message = 0x020200061900
         Calling-Station-Id = "00-16-EA-8A-DE-38"
         Called-Station-Id = "00-0E-0C-36-AE-AA"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 22
         Service-Type = Login-User
         NAS-IP-Address = 10.2.3.1
         NAS-Identifier = "nas01"
         Message-Authenticator = 0x2134d380e3d668d43346116f694eaa5a
+- entering group authorize {...}
++[preprocess] returns ok

...

Sending Access-Challenge of id 3 to 195.19.214.216 port 34666
         EAP-Message = 0x010303fc194000300d06092a864886f70d

...

rad_recv: Access-Request packet from host 195.19.214.216 port 34666, id=4, length=174
         Vendor-14559-Attr-8 = 0x312e322e332d726331
         User-Name = "csd-notebook\\oreshkin"
         State = 0xb4a908b4b6aa11d634d2e603ef8b3686
         EAP-Message = 0x020300061900
         Calling-Station-Id = "00-16-EA-8A-DE-38"
         Called-Station-Id = "00-0E-0C-36-AE-AA"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 22
         Service-Type = Login-User
         NAS-IP-Address = 10.2.3.1
         NAS-Identifier = "nas01"
         Message-Authenticator = 0x0ba6de3feb6774afb1682c78ee26b3f5
+- entering group authorize {...}
++[preprocess] returns ok

...


Sending Access-Challenge of id 5 to 195.19.214.216 port 34666
         EAP-Message = 0x010500411900140301000101160301
...

Login OK: [csd-notebook\\oreshkin] (from client Chilli port 22 cli 00-16-EA-8A-DE-38 via TLS 
tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 2
         EAP-Message = 0x03080004
         Message-Authenticator = 0x00000000000000000000000000000000
         User-Name = "oreshkin"
[peap] Got tunneled reply RADIUS code 2
         EAP-Message = 0x03080004
         Message-Authenticator = 0x00000000000000000000000000000000
         User-Name = "oreshkin"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 9 to 195.19.214.216 port 34666
         EAP-Message = 
0x0109002b190017030100207a551685a86341f23608b1e782e24ba9952823075fe750bc7cd4a3a630d78b3a
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0xb4a908b4bca011d634d2e603ef8b3686
Finished request 9.

...

Sending Access-Accept of id 10 to 195.19.214.216 port 34666
         MS-MPPE-Recv-Key = 0x74131f24dd18434ebc00b17e4de36927023adb596def04cf80f05b8639ef7bfc
         MS-MPPE-Send-Key = 0x292842662ebec27e20e94036aba5d3526e1bb29eb016fa290734e4df500349e1
         EAP-Message = 0x03090004
         Message-Authenticator = 0x00000000000000000000000000000000
         User-Name = "csd-notebook\\oreshkin"
Finished request 10.

...

rad_recv: Accounting-Request packet from host 195.19.214.216 port 34666, id=11, length=230
         Vendor-14559-Attr-8 = 0x312e322e332d726331
         Vendor-14559-Attr-10 = 0x00000002
         Acct-Status-Type = Start
         User-Name = "csd-notebook\\oreshkin"
         Calling-Station-Id = "00-16-EA-8A-DE-38"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 22
         NAS-Port-Id = "00000022"
         Framed-IP-Address = 10.2.3.11
         Acct-Session-Id = "4bbc8ca200000016"
         NAS-IP-Address = 10.2.3.1
         Called-Station-Id = "00-0E-0C-36-AE-AA"
         NAS-Identifier = "nas01"
         WISPr-Location-ID = "isocc=,cc=,ac=,network=Coova,"
         WISPr-Location-Name = "My_HotSpot"
+- entering group preacct {...}
++[preprocess] returns ok

[acct_unique] Hashing 'NAS-Port = 22,Client-IP-Address = 195.19.214.216,NAS-IP-Address = 
10.2.3.1,Acct-Session-Id = "4bbc
8ca200000016",User-Name = "csd-notebook\\oreshkin"'
[acct_unique] Acct-Unique-Session-ID = "7891c6f25ae215b3".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Accounting realm is LOCAL.
++[suffix] returns ok
++[files] returns noop
+- entering group accounting {...}
[detail]        expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
-> /usr/local/var/log/radius
/radacct/195.19.214.216/detail-20100407
[detail] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/usr/local/var/log/radius/radacc
t/195.19.214.216/detail-20100407
[detail]        expand: %t -> Wed Apr  7 17:46:10 2010
++[detail] returns ok
++[unix] returns ok
[radutmp]       expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> csd-notebook\oreshkin
++[radutmp] returns ok
[attr_filter.accounting_response]       expand: %{User-Name} -> csd-notebook\oreshkin

  attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 11 to 195.19.214.216 port 34666
Finished request 11.
Cleaning up request 11 ID 11 with timestamp +71
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 195.19.214.216 port 34666, id=12, length=176
         Vendor-14559-Attr-8 = 0x312e322e332d726331
         User-Name = "csd-notebook\\oreshkin"
         EAP-Message = 0x0200001a016373642d6e6f7465626f6f6b5c6f726573686b696e
         Calling-Station-Id = "00-16-EA-8A-DE-38"
         Called-Station-Id = "00-0E-0C-36-AE-AA"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 22
         Service-Type = Login-User
         NAS-IP-Address = 10.2.3.1
         NAS-Identifier = "nas01"
         Message-Authenticator = 0xa159e7391af38849331fcee9aa4d4126
+- entering group authorize {...}

...

Sending Access-Challenge of id 12 to 195.19.214.216 port 34666
         EAP-Message = 0x010100061920
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x806bce12806ad75a757217b94df2bf0a

...

rad_recv: Accounting-Request packet from host 195.19.214.216 port 34666, id=12, length=278
         Vendor-14559-Attr-8 = 0x312e322e332d726331
         Vendor-14559-Attr-10 = 0x00000002
         Acct-Status-Type = Stop
         User-Name = "csd-notebook\\oreshkin"
         Calling-Station-Id = "00-16-EA-8A-DE-38"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 22
         NAS-Port-Id = "00000022"
         Framed-IP-Address = 10.2.3.11
         Acct-Session-Id = "4bbc8ca200000016"
         NAS-IP-Address = 10.2.3.1
         Called-Station-Id = "00-0E-0C-36-AE-AA"
         NAS-Identifier = "nas01"
         Acct-Input-Octets = 0
         Acct-Output-Octets = 0
         Acct-Input-Gigawords = 0
         Acct-Output-Gigawords = 0
         Acct-Input-Packets = 0
         Acct-Output-Packets = 0
         Acct-Session-Time = 4
         WISPr-Location-ID = "isocc=,cc=,ac=,network=Coova,"
         WISPr-Location-Name = "My_HotSpot"
         Acct-Terminate-Cause = User-Request
...

rad_recv: Accounting-Request packet from host 195.19.214.216 port 34666, id=14, length=148
         Vendor-14559-Attr-8 = 0x312e322e332d726331
         Vendor-14559-Attr-10 = 0x00000002
         Acct-Status-Type = Accounting-Off
         NAS-IP-Address = 10.2.3.1
         Called-Station-Id = "00-0E-0C-36-AE-AA"
         NAS-Identifier = "nas01"
         WISPr-Location-ID = "isocc=,cc=,ac=,network=Coova,"
         WISPr-Location-Name = "My_HotSpot"
         Acct-Terminate-Cause = 0
+- entering group preacct {...}
++[preprocess] returns ok

...





On Tue, 6 Apr 2010, David Bird wrote:

> Date: Tue, 06 Apr 2010 10:38:15 +0200
> From: David Bird <david at coova.com>
> To: Anatoly Oreshkin <Anatoly.Oreshkin at pnpi.spb.ru>
> Cc: chilli at coova.org
> Subject: Re: [Chilli] chilli as proxy for 802.1X
> 
> The chilli log suggests a bad shared secret. Of course, the auth success
> doesn't. Though, you would have seen more than just one packet to
> accomplish the EAP success, so the secret must be correct (and working).
> Run chilli and FreeRADIUS in debug mode for additional debugging.
>
>
> On Mon, 2010-04-05 at 18:29 +0400, Anatoly Oreshkin wrote:
>> Hello,
>>
>> I would like to use chilli as proxy between Access Point (AP) and
>> Radius server.
>> AP (not CoovaAP) is configured for WPA2/AES security with
>> 802.1X/EAP/PEAP/MSCHAPv2
>> authentication. Chilli address is specified as radius server in AP.
>>
>> Coovachilli is configured as follows.
>>
>> /usr/local/etc/chilli/config have the lines:
>>
>> HS_WANIF=eth0     # has 195.19.214.216 address
>> HS_LANIF=eth1
>> HS_NETWORK=10.2.3.0
>> HS_NETMASK=255.255.255.0
>> HS_UAMLISTEN=10.2.3.1
>> HS_UAMPORT=3990
>> HS_UAMUIPORT=4990
>> HS_DNS_DOMAIN=<my domain>
>> HS_DNS1=ipaddress1
>> HS_DNS2=ipaddress2
>> HS_RADIUS=<radius server address>
>> HS_RADIUS2=<radius server address>
>> HS_UAMALLOW="10.2.3.1/24,195.19.214.216"
>> HS_RADSECRET=<radius secret>
>> HS_UAMSECRET=<uam secret>
>> HS_UAMALIASNAME=chilli
>> HS_UAMSERVER=<uam server>
>> HS_UAMFORMAT=https://\$HS_UAMSERVER/cgi-bin/hotspotlogin.cgi
>> HS_TCP_PORTS="80 443"
>> HS_MODE=hotspot
>> HS_TYPE=chillispot
>> HS_WWWDIR=/usr/local/etc/chilli/www
>> HS_WWWBIN=/usr/local/etc/chilli/wwwsh
>> HS_PROVIDER=Coova
>> HS_PROVIDER_LINK=http://www.coova.org/
>> HS_LOC_NAME="My HotSpot"
>>
>> /usr/local/etc/chilli/local.conf:
>>
>> proxylisten=195.19.214.216     # eth0 address
>> proxyport=1812
>> proxyclient=192.168.14.242    #  AP address
>> proxysecret=<proxy secret>
>>
>>
>>
>> Radius configuration.
>> --------------------
>>
>> /usr/local/etc/raddb/clients.conf:
>>
>> # chilli hotspot
>> client 195.19.214.216 {
>>         secret      = <chilli secret>
>>         shortname   = Chilli
>>         nastype     = other
>> }
>>
>> /usr/local/etc/raddb/users:
>>
>> oreshkin Cleartext-Password := "client password", Calling-Station-Id ==
>> "00-16-EA-8A-DE-38"
>>
>> When a client is trying to authenticate through chilli I see on chilli
>> server in /var/log/messages:
>>
>> chilli.c: 3274: New DHCP request from MAC=00-16-EA-8A-DE-38
>> radius.c: 1703: Authenticator does not match request!
>> radius.c: 337: No such id in radius queue: id=12!
>> radius.c: 1698: Matching request was not found in queue: 12!
>> radius.c: 337: No such id in radius queue: id=12!
>> ....
>>
>> What do these messages mean ?
>>
>> On radius server in /usr/local/var/log/radius/radius.log I see
>>
>>  Auth: Login OK: [csd-notebook\\oreshkin] (from client Chilli port 15 cli
>> 00-16-EA-8A-DE-38 via TLS tunnel)
>> Auth: Login OK: [csd-notebook\\oreshkin] (from client Chilli port 15 cli
>> 00-16-EA-8A-DE-38)
>>
>>
>> That is the radius server authenticates the client successfully however
>> chilli does not.
>>
>> Coovachilli is taken from SVN and installed with the options:
>>
>> ./configure --enable-chilliproxy --with-curl
>>
>>
>> Also I've tried with additional parameter "eapolenable"  in local.conf but
>> with no difference.
>>
>> What might be wrong ? What more parameters should I specify ?
>>
>> Thanks.
>>
>> _______________________________________________
>> Chilli mailing list
>> Chilli at coova.org
>> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
>
>


More information about the Chilli mailing list