[Chilli] MAC blacklist and other security measures
David Bird
david at coova.com
Wed Apr 14 04:38:01 UTC 2010
Hi Felipe,
Thanks for the analysis. Indeed, putting 'splash' into the
configuration file would be a mistake (bug).
David
On Tue, 2010-04-06 at 12:42 -0300, Felipe Augusto van de Wiel wrote:
>
> Hi,
>
> Although it seems that I finally could make
> the configuration below work, I would like to
> confirm whether the solution is correct (or properly
> implemented). I would also like to report a possible
> bug related to this setup.
>
> I'm also writing to document it in the list
> archive as a reference for people trying to get the
> blacklist of MAC addresses working while still
> allowing users to authenticate through the captive
> portal.
>
>
> On 21-03-2010 03:16, David Bird wrote:
> > Hm.. one way might be to enable MAC authentication
> > such that:
>
> That means enabling 'macauth', right? Using
> only 'macauthdeny' didn't result in the expected
> behavior.
>
>
> > - You always return Access-Accept (plus attribute
> > Chillispot-Config = 'splash') for non-blocked
> > users.
>
> > - You can return an Access-Reject for blocked users.
> > When used with --macauthdeny, it means these
> > devices will be ignored.
>
> The proper way to achieve that would be to
> use a DEFAULT user in RADIUS? Here is the relevant
> part of my FreeRADIUS users file:
>
> <...>
> | AA-BB-CC-DD-EE-FF Auth-Type := Reject
> | Reply-Message = "MAC address administratively blocked."
> |
> | 11-22-33-44-55-66 Auth-Type := Reject
> | Reply-Message = "MAC address administratively blocked."
> |
> | DEFAULT Auth-Type := Accept
> | Chillispot-config = 'splash',
> | Fall-Through = Yes
> |
> | "user" Cleartext-Password := "pass"
> | Reply-Message = "Hello, %{User-Name}"
> <...>
>
>
> Of course, that only worked after I added an
> include line in /etc/freeradius/dictionary:
>
> $INCLUDE /etc/freeradius/dictionary.chillispot
>
>
> Now, the MAC addresses listed in the users
> file get a 'drop' state when chilli starts, the rest
> get a 'splash' state, and addresses in the ethers file
> stay as 'dnat'. Once the user authenticates through the
> splash screen they change to 'pass' as expected.
>
> There is one interesting side effect that
> smells like a bug. Once I started using
> Chillispot-config = 'splash', the contents of my
> local.conf file are replaced with 'splash' and Coova
> complains that there is no option '--splash':
>
> Starting chilli: coova-chilli: unrecognized option `--splash'
> coova-chilli[7358]: options.c: 174: could not generate
> configuration (/tmp/chilli-7358/config.bin), sleeping
> one second
> coova-chilli: unrecognized option `--splash'
>
>
> The dirty hack I used is 'chattr +i local.conf'.
> I tried to figure out something from the functions or
> shell scripts but I couldn't spot where it replaces
> the contents of local.conf. For now, it solved the
> problem, but it isn't supposed to do that, or am I
> missing something?
>
> So, I hope this helps others. :)
>
> Kind regards,
> --
> Felipe Augusto van de Wiel <felipe.wiel at hpp.org.br>
> Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
> http://www.pequenoprincipe.org.br/ T: +55 41 3310 1747
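A caveat a practitioner will want to check before copying the users file quoted above: a DEFAULT entry with Auth-Type := Accept and no check items matches every request that is not rejected earlier, including the portal login for "user", and Auth-Type := Accept tells FreeRADIUS to skip password verification entirely, so the Cleartext-Password on the "user" entry is never actually checked. The following users file is an added example, not the configuration posted in the thread or anything shipped with CoovaChilli or FreeRADIUS. It shows the unconditional DEFAULT beside a version restricted to chilli's MAC-auth requests. It assumes chilli runs with --macauth (and --macauthdeny for the blocked devices), that MAC-auth requests carry User-Name in the dash-separated upper-case form the thread's entries use (AA-BB-CC-DD-EE-FF) with no macsuffix configured, and that /etc/freeradius/dictionary $INCLUDEs dictionary.chillispot so the ChilliSpot-Config attribute (spelled Chillispot-config in the thread; attribute names are case-insensitive) is known.

```text
# /etc/freeradius/users  (added example, not the thread's configuration)
#
# Assumptions: chilli started with --macauth --macauthdeny; MAC-auth
# requests arrive with User-Name = AA-BB-CC-DD-EE-FF (upper case, dashes,
# no macsuffix); dictionary.chillispot is $INCLUDEd.

# 1. Blocked devices: explicit Reject. With --macauthdeny chilli drops
#    the device instead of showing it the portal.
AA-BB-CC-DD-EE-FF   Auth-Type := Reject
                    Reply-Message = "MAC address administratively blocked."

11-22-33-44-55-66   Auth-Type := Reject
                    Reply-Message = "MAC address administratively blocked."

# 2a. WEAK (commented out): an unconditional DEFAULT. It matches every
#     request not rejected above, including the portal login for "user".
#     Auth-Type := Accept skips password checking, so the Cleartext-Password
#     on the "user" entry is never verified; Fall-Through only adds the
#     "user" entry's Reply-Message on top of the already-forced Accept.
#
# DEFAULT             Auth-Type := Accept
#                     ChilliSpot-Config = "splash",
#                     Fall-Through = Yes

# 2b. CORRECTED: only requests whose User-Name looks like a MAC address
#     (chilli's MAC-auth requests) are auto-accepted into the splash state.
#     A portal login with a real username does not match this entry and
#     continues down the file.
DEFAULT             User-Name =~ "^[0-9A-F]{2}(-[0-9A-F]{2}){5}$", Auth-Type := Accept
                    ChilliSpot-Config = "splash"

# 3. Portal users: reached only by non-MAC usernames, so no earlier entry
#    has forced Auth-Type and the password is really checked.
"user"              Cleartext-Password := "pass"
                    Reply-Message = "Hello, %{User-Name}"
```

After editing, restart or HUP the server and watch `freeradius -X` while a MAC-auth request and then a portal login with a wrong password come in: the first should show the DEFAULT entry matching and an Access-Accept with ChilliSpot-Config = "splash", the second an Access-Reject from the password check, which is exactly the case the unconditional DEFAULT gets wrong. The regex is tied to the MAC format chilli actually sends; if macsuffix or a different separator is configured, adjust the pattern to match the User-Name seen in the debug output. Keep in mind that the MAC list is a nuisance control only: a client can change its MAC address, so the portal login, not the blacklist, remains the authentication boundary.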