[Chilli] CoovaChilli uam secret / RADIUS secret causing

Luis Ferreira lferreira at cabocom.cv
Wed Apr 30 14:03:57 UTC 2014


What you are telling me is indeed something that happen also with us.

 Normally, we just tell the client to close all windows and open only one.

But on the other hand, having a proper solution for this would be nice. Your
workaround was implementing a fixed challenge being sent by chilli. While
knowing of the security flaw, I would say that it is actually a good
workaround on that issue.

Would it be possible to share the code change on coova source, so that I
could try it here? 

Luis 


-----Mensagem original-----
De: chilli-bounces at coova.org [mailto:chilli-bounces at coova.org] Em nome de
james at purple.so
Enviada: 30 de abril de 2014 06:03
Para: chilli at coova.org
Assunto: Re: [Chilli] CoovaChilli uam secret / RADIUS secret causing

Hi Luis

Thanks again for your reply.

I am aware of the necessity to keep the secret random and want to do so but
there isn't any consistency between when coova generates a new challenge for
the same MAC.

As mentioned, I have most users who are ok, but say out of 10,000 logins a
day there are several hundred rejects because the CHAP challenge was
incorrect. By incorrect I mean when they hit our splash page and we generate
the CHAP response from the incoming challenge in the URL string, when we
send the login back to coova, coova has sometimes generated a different
challenge for that client because some other HTTP request went out from a
background app/service.

With the more increasing use of smartphones, inevitably as soon as the user
connects to an SSID there are many background apps/processes that try to get
to the Internet, so it's rather difficult to generate the correct response
if its changed.

It does seem to be random, as in my previous post I mentioned I opened up
multiple tabs/windows/programs and coova used the same challenge for that
session, but this isn't happening all the time.

Using CHAP is great, but when it means the fundamental part of the login
process breaks, it involves user complaints and headache (as you can
imagine).

Not sure of the best route to take...

Thanks

James 



-----Original Message-----
From: James Wood [mailto:james.wood at purplewifi.net]
Sent: 29 April 2014 22:29
To: 'chilli at coova.org'
Subject: RE: [Chilli] CoovaChilli uam secret / RADIUS secret causing

Hi Luis

Thanks very much for your reply.

Yes, I had thought this may be the issue, but I assumed that coova does not
re-generate a new challenge for every HTTP request a client makes. To test,
I opened 10 tabs in my browser, and 5 tabs in another browser, and the
"challenge" value in the URL was the same across them all. We notice the
challenge does change after around 10 minutes though (it must time out)...

We've recently modified the coova code to generate the challenge based on
something more unique to the user (their mac address, plus a secret, then
hashed), rather than what coova uses by default (a 16 character string from
/dev/random), so now, the challenge is unique per client MAC, and therefore
no matter what sessions they have open it will always be the same
"challenge". Does that make sense? Even if they return in 1 hour, the
challenge is the same, and only we know what the challenge is made up from
on our external splash page side.

But, I think coova should ensure that the same challenge is given to the
same client MAC, as without it, it's near impossible to know which challenge
to use at the correct one when encrypting the password to send back to coova
for the login (we use an external splash page).

What are your thoughts?

Thanks

James


_______________________________________________
Chilli mailing list
Chilli at coova.org
http://lists.coova.org/cgi-bin/mailman/listinfo/chilli



More information about the Chilli mailing list