[Chilli] CoovaChilli & (non CoovaAP) AP
David Bird
david at coova.com
Sat Mar 27 05:42:51 UTC 2010
Upgrade to subversion code-base please...
On Wed, 2010-03-24 at 20:20 +0300, Anatoly Oreshkin wrote:
>
> Hello,
>
> My CoovaChilli server is installed on Linux box.
> CoovaChilli is configured as:
> ./configure --with-nfqueue --enable-chilliproxy --with-curl
>
> HS_WANIF=eth0
> HS_LANIF=eth1
> HS_NETWORK=10.2.3.0
> HS_NETMASK=255.255.255.0
> HS_UAMLISTEN=10.2.3.1
> HS_UAMPORT=3990
> HS_NASID=nas01
> HS_RADIUS=212.193.96.134
> HS_RADSECRET=CHILLI_HOTSPOT
> ...
> HS_MODE=hotspot
> HS_TYPE=chillispot
>
> eth0 address = 195.19.214.216
> eth1 address = 10.2.3.1
>
> I've setup proxy parameters in /usr/local/etc/chilli/local.conf:
>
>
>
> proxylisten=195.19.214.216 # eth0 address
> proxyport=1812
> proxyclient=192.168.14.242 # my AP address
> proxysecret=CHILLI_HOTSPOT
>
> AP is configured as:
> -------------------
>
> WPA2/AES/802.1X
> Radius server: 195.19.214.216 (chilli address)
> Radius port: 1812
> Radius secret: CHILLI_HOTSPOT
>
> Radius server configured as:
> ----------------------------
>
> clients.conf
>
> # chilli hotspot
> client 195.19.214.216 {
> secret = CHILLI_HOTSPOT
> shortname = Chilli
> nastype = other
> }
>
> The file "users" has user data:
> oreshkin Cleartext-Password := "mypassword", Calling-Station-Id ==
> "00-16-EA-8A-DE-38"
>
> When I am trying to authenticate wireless client through coovachilli
> then I getting such messages:
>
> On coovachili server in /var/log/messages
>
> radius.c: 1677: Authenticator does not match request!
> radius.c: 335: No such id in radius queue: id=0!
> radius.c: 1672: Matching request was not found in queue: 0!
> radius.c: 335: No such id in radius queue: id=1!
> radius.c: 1672: Matching request was not found in queue: 1!
> ....
>
>
> On Radius server
> ----------------
>
> Radius daemon running in debug mode gives output which indicates that it
> receives Access-Request packets from coovachilli.
> Below is extract from radius output:
>
> rad_recv: Access-Request packet from host 195.19.214.216 port 32859, id=0,
> length=146
> Vendor-14559-Attr-8 = 0x312e322e32
> User-Name = "oreshkin"
> EAP-Message = 0x0200000d016f726573686b696e
> Message-Authenticator = 0x45f4d1100685765bd2b5004f650d0a2e
> Calling-Station-Id = "00-16-EA-8A-DE-38"
> Called-Station-Id = "00-0E-0C-36-AE-AA"
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 11
> Service-Type = Login-User
> NAS-IP-Address = 10.2.3.1
> NAS-Identifier = "nas01"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "oreshkin", looking up realm NULL
> [suffix] Found realm "DEFAULT"
> [suffix] Adding Stripped-User-Name = "oreshkin"
>
> .....
>
> Sending Access-Challenge of id 0 to 195.19.214.216 port 32859
> EAP-Message = 0x010100061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x41e5100541e4098a17fe112e0fc89cb1
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 0 with timestamp +54
> Ready to process requests.
> ....
>
> Radius server receives from coovachilli Access-Request packets and responds
> with Access-Challenge packets many times. But it never sends Access-Accept
> packet and never output error messages.
>
> What might be wrong ? Configuration errors or do I need to do something
> else ?
>
> Coovachilli 1.2.2 has also some transparent proxy.
> /usr/local/sbin/chilli --help|grep proxy
> --proxylisten=STRING Proxy IP address to listen on
> --proxyport=INT Proxy UDP port to listen on (0 is off)
> --proxyclient=STRING IP address of proxy client(s)
> --proxysecret=STRING Radius proxy shared secret
> --postauthproxy=STRING IP of an upstream transparent proxy
> --postauthproxyport=INT Port of an upstream transparent proxy
>
> I don't know for what purpose transparent proxy is.
> May be it is of help ?
>
> Thanks.
>
>
> > You can bridge the networks so that chilli controls them both, or run
> > two instances of chilli. The instance handling the 802.1x network should
> > have these options defined:
> >
> > $ chilli --help|grep proxy
> > --proxylisten=STRING Proxy IP address to listen on
> > --proxyport=INT Proxy UDP port to listen on (0 is off)
> > --proxyclient=STRING IP address of proxy client(s)
> > --proxysecret=STRING Radius proxy shared secret
> >
> > And the 802.1x AP should use these settings for it's RADIUS.. chilli
> > will proxy the authentication, provide accounting, and still control the
> > network to enforce any limitations, etc.
> >
> > On Tue, 2010-03-23 at 19:20 +0300, Anatoly Oreshkin wrote:
> >> Hello,
> >>
> >> I have wireless Access Point 3Com AirConnect 9150 configured with
> >> WPA2/AES
> >> and 802.1X EAP-PEAP-MSCHAPv2 authentication. It uses Free Radius server
> >> for authentication and wireless clients get ip fixed addresses from DHCP
> >> server.
> >> I configured this AP with second SSID (without security) in order for
> >> wireless
> >> clients can authenticate through CoovaChilli using UAM method.
> >> It works.
> >> Now I would like to make both WPA2/802.1X and UAM authentication to work
> >> through CoovaChilli. I can specify CoovaChilli address as Radius
> >> server
> >> address in AP. But of course it's not enough. Is it possible at all to
> >> have CoovaChilli working in such configuration ?
> >> If so, how should I configure for this purpose CoovaChilli and Radius
> >> server ?
> >>
> >> Any hints.
> >>
> >> Thanks.
> >>
> >> _______________________________________________
> >> Chilli mailing list
> >> Chilli at coova.org
> >> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
> >
> >
>
> _______________________________________________
> Chilli mailing list
> Chilli at coova.org
> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
More information about the Chilli
mailing list