[Chilli] using coovachilli with wpa

David Bird david at coova.com
Thu Jul 25 17:34:20 UTC 2013


There are several ways...

Enable the compile time option --enable-location and also
--enable-proxyvsa

Then I think what you want is to use runtime option --locationcopycalled

Or, --proxylocattr=# where you can define the RADIUS attribute code (#)
of the attribute from hostapd that you want to use as "location" to be
sent in attribute ChilliSpot-Location.



On Thu, 2013-07-25 at 13:06 +0200, Tekán Dávid wrote:
> Hi David!
> 
> Thanks for the solution, it works, I should've thought about it by myself.
> 
> If I understand correctly, I cannot use a different RADIUS secret on
> each and every access point. If that is the situation, is there any way to
> get to know which session is through which access point (the initial
> access point is enough, if there is roaming between the APs)?
> 
> Thanks again
> 
> Dávid
> 
> 
> On Wed, Jul 24, 2013 at 10:40 PM, David Bird <david at coova.com> wrote:
> > Hi,
> >
> > First, you can send the RADIUS from the WPA2 Enterprise AP/Authenticator
> > to chilli after configuring the following:
> >
> >       --proxylisten=STRING      Proxy IP address to listen on
> >       --proxyport=INT           Proxy UDP port to listen on (0 is off)
> >       --proxyclient=STRING      IP address of proxy client(s)
> >       --proxysecret=STRING      Radius proxy shared secret
> >
> > These settings control what IP and port chilli will listen for RADIUS on
> > and who can send to it. Chilli will then proxy this RADIUS through to
> > its configured RADIUS servers. When clients are authenticated for
> > 802.1x, that is then known to chilli and they are authenticated in
> > chilli. The "WPA Guests" feature allows you to program your RADIUS
> > server such that it will return Access-Accept even for client stations
> > that did not successfully authenticate. The Access-Accept is needed for
> > them to pass the 802.1x/EAP phase and to be able to interact with chilli
> > and the captive portal. Adding the RADIUS attribute:
> >
> > ChilliSpotConfig=require-uam-auth
> >
> > to the Access-Accept which didn't really succeed will prompt chilli to
> > treat the client as unauthorized and send it to the captive portal.
> >
> > See
> > http://coova.org/CoovaChilli/WPACaptivePortal
> >
> > David
> >
> >
> >
> > On Wed, 2013-07-24 at 19:41 +0200, Tekán Dávid wrote:
> >> Hi all!
> >>
> >> I set up a coovachilli + freeradius + mysql combo at my dorm. It's
> >> working great with the wired network. Now we want to extend it to the
> >> wireless as well. Installed an access point configured to wpa2
> >> enterprise (with the same radius server) and connected to the
> >> coovachilli's LAN side. It can authenticate users and do the process
> >> fine, but when I want to connect to the internet, I get redirected to
> >> the coovachilli's captive portal.
> >> I've read about the wpa guest config parameter, but I don't want to
> >> let users without sufficient credentials connect and reach any of
> >> my devices (neither the captive portal nor the webpages which I allowed
> >> with uam_allow).
> >>
> >> So is there a way, that the users, who authenticated successfully
> >> through wpa2 (peap + mschapv2) do not need to reauthenticate at the
> >> captive portal page (and not let users who failed at wpa2 to try to
> >> authenticate themselves on the captive portal).
> >>
> >> Thanks for all the replies, all the best
> >>
> >> Dávid
> >> _______________________________________________
> >> Chilli mailing list
> >> Chilli at coova.org
> >> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
> >
> > --
> > --
> > David Bird
> > http://www.linkedin.com/in/dwbird/
> >

-- 
--
David Bird
http://www.linkedin.com/in/dwbird/
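
The AP identity discussed in the reply above travels as an ordinary RADIUS attribute in the Access-Request that the access point sends to chilli's proxy port. As an added example (not code from this thread or from CoovaChilli), the Python parser below reads a constructed Access-Request and returns the value of an attribute selected by its numeric code, which is the kind of number `--proxylocattr=#` takes. The sample packet, the helper names, and the choice of Called-Station-Id (30) as the default are assumptions.

```python
import struct

CALLED_STATION_ID = 30   # RFC 2865 attribute code
NAS_IDENTIFIER = 32      # RFC 2865 attribute code


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute code: [raw values]} for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad length on attribute %d" % a_type)
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def location_from(packet: bytes, attr_code: int = CALLED_STATION_ID):
    """Value of the chosen attribute as text, or None when it is absent."""
    values = parse_attributes(packet).get(attr_code)
    return values[0].decode("utf-8", "replace") if values else None


def build_request(attrs) -> bytes:
    """Constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body


# Constructed sample: what an AP might send for one 802.1X client.
SAMPLE = build_request([
    (1, b"alice"),                                   # User-Name
    (CALLED_STATION_ID, b"02-00-00-00-00-01:dorm"),  # AP BSSID:SSID
    (NAS_IDENTIFIER, b"ap-floor2"),
])

if __name__ == "__main__":
    print(location_from(SAMPLE))                  # default: Called-Station-Id
    print(location_from(SAMPLE, NAS_IDENTIFIER))
```

Because every AP shares the one proxy secret in this setup, the attribute value is only as trustworthy as the host that sent the packet, so restricting who may send (`--proxyclient`) matters when the location is used for accounting.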


