[Chilli] chilli as proxy question

Anatoly Oreshkin Anatoly.Oreshkin at pnpi.spb.ru
Tue Apr 13 16:05:48 UTC 2010


I've understood the cause of my problem. Chilli correctly proxies RADIUS 
requests from the WiFi 802.1X client to the RADIUS server and vice versa, and as 
a result the client is authenticated. When the client disconnects from the access point (AP), chilli 
does not know about it and does not release the client's IP address. 
Therefore, when the client reconnects and sends RADIUS requests to chilli 
again, chilli answers with messages like these:

radius.c: 1703: 0 (Debug) Authenticator does not match request!
radius.c: 337: 0 (Debug) No such id in radius queue: id=12!

What options are there to solve this problem?

Another question: how can I make clients with UAM authentication 
get dynamic IP addresses from the pool while 802.1X clients get static addresses 
from a different subnet?

Thanks.


On Tue, 13 Apr 2010, David Bird wrote:

> Date: Tue, 13 Apr 2010 07:27:49 +0200
> From: David Bird <david at coova.com>
> To: Anatoly Oreshkin <Anatoly.Oreshkin at pnpi.spb.ru>
> Cc: chilli at coova.org
> Subject: Re: [Chilli] chilli as proxy question
> 
> Hmm.. If the access-accept went through chilli, then you should see the
> session authorized using chilli_query. As for packet with id=12, you
> should be checking to see if it was your AP that sent that packet
> (chilli is just proxying) and you might check your AP logs for any
> related errors, etc.
>
> On Mon, 2010-04-12 at 19:31 +0400, Anatoly Oreshkin wrote:
>> Hello,
>>
>> I am trying to use chilli as a proxy between the Access Point (AP) and the Radius
>> server. The AP is configured with WPA2 security and EAP/PEAP/MSCHAPv2
>> authentication.
>>
>> Chilli configuration.
>>
>> /usr/local/etc/chilli/config:
>>
>> HS_WANIF=eth0             # address 195.19.214.216
>> HS_LANIF=eth1             # address 10.2.3.1
>> HS_NETWORK=10.2.3.0
>> HS_NETMASK=255.255.255.0
>> HS_UAMLISTEN=10.2.3.1
>> HS_RADIUS=212.193.96.134
>> ...
>>
>> /usr/local/etc/chilli/local.conf:
>>
>> proxylisten=10.2.3.1
>> proxyport=1812
>> proxyclient=10.2.3.254  # AP address
>> proxysecret=<secret>
>>
>> Radius configuration.
>>
>> clients.conf:
>>
>> # chilli hotspot
>> client 195.19.214.216 {
>>          secret      = <secret>
>>          shortname   = Chilli
>>          nastype     = other
>> }
>>
>> I ran chilli in debug mode and got the following output:
>>
>> chilli.c: 1957: 0 (Debug) RADIUS Access-Request received
>> chilli.c: 1986: 0 (Debug) Calling Station ID is: 00-16-EA-8A-DE-38
>> dhcp.c: 389: 0 (Debug) DHCP newconn: 00:16:ea:8a:de:38
>> chilli.c: 3285: 0 (Debug) New DHCP request from MAC=00-16-EA-8A-DE-38
>> chilli.c: 3288: 0 (Debug) New DHCP connection established
>> radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1812
>> ...
>> chilli.c: 2792: 0 (Debug) Received access request confirmation from radius server
>>
>> chilli.c: 2828: 0 (Debug) Received access challenge from radius server
>> chilli.c: 920: 0 (Debug) Sending RADIUS AccessChallenge to client
>> chilli.c: 1957: 0 (Debug) RADIUS Access-Request received
>> chilli.c: 1986: 0 (Debug) Calling Station ID is: 00-16-EA-8A-DE-38
>> radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1812
>> chilli.c: 2792: 0 (Debug) Received access request confirmation from radius server
>>
>> chilli.c: 2828: 0 (Debug) Received access challenge from radius server
>> chilli.c: 920: 0 (Debug) Sending RADIUS AccessChallenge to client
>> chilli.c: 1957: 0 (Debug) RADIUS Access-Request received
>> chilli.c: 1986: 0 (Debug) Calling Station ID is: 00-16-EA-8A-DE-38
>> radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1812
>> chilli.c: 2792: 0 (Debug) Received access request confirmation from radius server
>> ...
>>
>> chilli.c: 1957: 0 (Debug) RADIUS Access-Request received
>> chilli.c: 1986: 0 (Debug) Calling Station ID is: 00-16-EA-8A-DE-38
>> radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1813
>> radius.c: 1446: 0 (Debug) RADIUS to 212.193.96.134:1812
>> radius.c: 1703: 0 (Debug) Authenticator does not match request!
>> radius.c: 337: 0 (Debug) No such id in radius queue: id=12!
>> radius.c: 1698: 0 (Debug) Matching request was not found in queue: 12!
>> chilli.c: 1957: 0 (Debug) RADIUS Access-Request received
>> ...
>>
>>
>> Radius output:
>> --------------
>>
>> Radius received an Access-Request packet with id=1 from chilli:
>>
>> rad_recv: Access-Request packet from host 195.19.214.216 port 37455, id=1, length=176
>>          Vendor-14559-Attr-8 = 0x312e322e332d726331
>>          User-Name = "csd-notebook\\oreshkin"
>>          EAP-Message = 0x0200001a016373642d6e6f7465626f6f6b5c6f726573686b696e
>>          Calling-Station-Id = "00-16-EA-8A-DE-38"
>>          Called-Station-Id = "00-0E-0C-36-AE-AA"
>>          NAS-Port-Type = Wireless-802.11
>>          NAS-Port = 2
>>          Service-Type = Login-User
>>          NAS-IP-Address = 10.2.3.1
>>          NAS-Identifier = "nas01"
>>          Message-Authenticator = 0x70bb92e04f02f1717329cf61fff2e2f1
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>>
>> ...
>> ...
>>
>> Radius authenticated the client with MAC 00-16-EA-8A-DE-38 and sent
>> chilli an Access-Accept packet with id=10 to confirm authentication.
>>
>> Sending Access-Accept of id 10 to 195.19.214.216 port 37455
>>          MS-MPPE-Recv-Key = 0x446fcdddb89288bd3b720a314422d9cccb1c09941636fbb4bbc15a07c1873bfb
>>          MS-MPPE-Send-Key = 0x117f6d0a36318d0e869f7570773cf36a916c7c8ea4910d4c25c965977d876814
>>          EAP-Message = 0x03090004
>>          Message-Authenticator = 0x00000000000000000000000000000000
>>          User-Name = "csd-notebook\\oreshkin"
>> Finished request 10.
>>
>> Then radius received an Accounting-Request packet with id=11 from chilli and
>> sent an Accounting-Response to chilli.
>>
>> Sending Accounting-Response of id 11 to 195.19.214.216 port 37455
>> Finished request 11.
>>
>> It seemed that the authentication process was complete!
>>
>> But radius unexpectedly got an Access-Request packet with id=12 from chilli:
>>
>> rad_recv: Access-Request packet from host 195.19.214.216 port 37455, id=12, length=176
>>          Vendor-14559-Attr-8 = 0x312e322e332d726331
>>          User-Name = "csd-notebook\\oreshkin"
>>          EAP-Message = 0x0200001a016373642d6e6f7465626f6f6b5c6f726573686b696e
>>          Calling-Station-Id = "00-16-EA-8A-DE-38"
>>          Called-Station-Id = "00-0E-0C-36-AE-AA"
>>          NAS-Port-Type = Wireless-802.11
>>          NAS-Port = 2
>>          Service-Type = Login-User
>>          NAS-IP-Address = 10.2.3.1
>>          NAS-Identifier = "nas01"
>>          Message-Authenticator = 0x647799f84fc9779142b12a59a00dcac1
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ...
>>
>>
>> Why did this Access-Request with id=12 come from chilli?
>> Chilli does not see such id=12 in the radius queue and cannot complete authentication.
>>
>> What might be wrong? Configuration or something else?
>> I installed chilli from SVN.
>>
>> Thanks.
>>
>
>
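
Added example, not part of the original messages and not CoovaChilli's own code: a sketch of the two checks RFC 2865 requires of a RADIUS client or proxy when a reply arrives (match the reply's id to an outstanding request, then verify the Response Authenticator against that request's Request Authenticator), which are the conditions the "No such id in radius queue" and "Authenticator does not match request!" debug lines name. The `PendingQueue` class, the result strings, the secret and the attribute bytes are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2  # RADIUS code for Access-Accept (RFC 2865)


def response_auth(code, ident, attrs, request_auth, secret):
    # RFC 2865: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    auth = response_auth(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


class PendingQueue:
    """Hypothetical table of outstanding requests: id -> Request Authenticator."""

    def __init__(self, secret):
        self.secret = secret
        self.pending = {}

    def send(self, ident):
        self.pending[ident] = os.urandom(16)
        return self.pending[ident]

    def receive(self, packet):
        if len(packet) < 20:
            return "malformed"
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if not 20 <= length <= len(packet):
            return "malformed"
        request_auth = self.pending.get(ident)
        if request_auth is None:
            return "no-such-id"
        expected = response_auth(code, ident, packet[20:length], request_auth, self.secret)
        if not hmac.compare_digest(expected, packet[4:20]):
            return "authenticator-mismatch"  # request stays queued
        del self.pending[ident]
        return "ok"


def demo():
    secret, attrs = b"constructed-secret", b"\x12\x04ok"  # constructed sample values
    q = PendingQueue(secret)
    auth10 = q.send(10)
    good = build_reply(ACCESS_ACCEPT, 10, attrs, auth10, secret)
    q.send(12)
    stale = build_reply(ACCESS_ACCEPT, 12, attrs, auth10, secret)  # bound to the wrong request
    return [q.receive(good), q.receive(good), q.receive(stale)]
```

`demo()` feeds the queue a valid reply, the same reply a second time, and a reply whose authenticator was computed over a different request than the one queued under its id.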

