[Chilli] CoovaChilli & (non CoovaAP) AP

Вячеслав Адаманов adamanov at gmail.com
Fri Mar 26 11:16:54 UTC 2010


I too have faced such a problem, but a few times the authorisation process
passed successfully.


chilli.c: 1943: 0 (Debug) RADIUS Access-Request received
chilli.c: 1971: 0 (Debug) Calling Station ID is: 00-1D-4F-AC-36-DD
dhcp.c: 389: 0 (Debug) DHCP newconn: 00:1d:4f:ac:36:dd
chilli.c: 3225: 0 (Debug) New DHCP request from MAC=00-1D-4F-AC-36-DD
chilli.c: 3228: 0 (Debug) New DHCP connection established
radius.c: 1415: 0 (Debug) RADIUS to 192.168.1.4:1812
radius.c: 330: 0 (Debug) No such id in radius queue: id=12!
radius.c: 1666: 0 (Debug) Matching request was not found in queue: 12!
chilli.c: 1943: 0 (Debug) RADIUS Access-Request received
chilli.c: 1971: 0 (Debug) Calling Station ID is: 00-1D-4F-AC-36-DD
chilli.c: 2045: 0 (Debug) Dropping RADIUS while waiting
chilli.c: 3568: 0 (Debug) EAP Packet received
chilli.c: 3589: 0 (Debug) Received EAP message, processing for authentication
chilli.c: 1943: 0 (Debug) RADIUS Access-Request received
chilli.c: 1971: 0 (Debug) Calling Station ID is: 00-1D-4F-AC-36-DD
chilli.c: 2042: 0 (Debug) Giving up on previous packet.. not dropping this one
radius.c: 1415: 0 (Debug) RADIUS to 192.168.1.4:1812
radius.c: 330: 0 (Debug) No such id in radius queue: id=12!
radius.c: 1666: 0 (Debug) Matching request was not found in queue: 12!
radius.c: 330: 0 (Debug) No such id in radius queue: id=12!
radius.c: 1666: 0 (Debug) Matching request was not found in queue: 12!

2010/3/24 Anatoly Oreshkin <Anatoly.Oreshkin at pnpi.spb.ru>:
>
>
> Hello,
>
> My CoovaChilli server is installed on Linux box.
> CoovaChilli is configured as:
> ./configure --with-nfqueue --enable-chilliproxy --with-curl
>
> HS_WANIF=eth0
> HS_LANIF=eth1
> HS_NETWORK=10.2.3.0
> HS_NETMASK=255.255.255.0
> HS_UAMLISTEN=10.2.3.1
> HS_UAMPORT=3990
> HS_NASID=nas01
> HS_RADIUS=212.193.96.134
> HS_RADSECRET=CHILLI_HOTSPOT
> ...
> HS_MODE=hotspot
> HS_TYPE=chillispot
>
> eth0 address = 195.19.214.216
> eth1 address = 10.2.3.1
>
> I've setup proxy parameters in /usr/local/etc/chilli/local.conf:
>
>
>
> proxylisten=195.19.214.216     #  eth0 address
> proxyport=1812
> proxyclient=192.168.14.242     #  my AP address
> proxysecret=CHILLI_HOTSPOT
>
> AP is configured as:
> -------------------
>
> WPA2/AES/802.1X
> Radius server: 195.19.214.216  (chilli address)
> Radius port: 1812
> Radius secret: CHILLI_HOTSPOT
>
> Radius server configured as:
> ----------------------------
>
> clients.conf
>
> # chilli hotspot
> client 195.19.214.216 {
>        secret      = CHILLI_HOTSPOT
>        shortname   = Chilli
>        nastype     = other
> }
>
> The file "users" has user data:
> oreshkin Cleartext-Password := "mypassword", Calling-Station-Id == "00-16-EA-8A-DE-38"
>
> When I am trying to authenticate a wireless client through coovachilli
> then I am getting such messages:
>
> On coovachilli server in /var/log/messages
>
> radius.c: 1677: Authenticator does not match request!
> radius.c: 335: No such id in radius queue: id=0!
> radius.c: 1672: Matching request was not found in queue: 0!
> radius.c: 335: No such id in radius queue: id=1!
> radius.c: 1672: Matching request was not found in queue: 1!
> ....
>
>
> On Radius server
> ----------------
>
> Radius daemon running in debug mode gives output which indicates that it
> receives Access-Request packets from coovachilli.
> Below is extract from radius output:
>
> rad_recv: Access-Request packet from host 195.19.214.216 port 32859, id=0, length=146
>        Vendor-14559-Attr-8 = 0x312e322e32
>        User-Name = "oreshkin"
>        EAP-Message = 0x0200000d016f726573686b696e
>        Message-Authenticator = 0x45f4d1100685765bd2b5004f650d0a2e
>        Calling-Station-Id = "00-16-EA-8A-DE-38"
>        Called-Station-Id = "00-0E-0C-36-AE-AA"
>        NAS-Port-Type = Wireless-802.11
>        NAS-Port = 11
>        Service-Type = Login-User
>        NAS-IP-Address = 10.2.3.1
>        NAS-Identifier = "nas01"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "oreshkin", looking up realm NULL
> [suffix] Found realm "DEFAULT"
> [suffix] Adding Stripped-User-Name = "oreshkin"
>
> .....
>
> Sending Access-Challenge of id 0 to 195.19.214.216 port 32859
>        EAP-Message = 0x010100061920
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x41e5100541e4098a17fe112e0fc89cb1
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 0 with timestamp +54
> Ready to process requests.
> ....
>
> Radius server receives Access-Request packets from coovachilli and responds
> with Access-Challenge packets many times. But it never sends an Access-Accept
> packet and never outputs error messages.
>
> What might be wrong ? Configuration errors or do I need to do something
> else ?
>
> Coovachilli 1.2.2 has also some transparent proxy.
> /usr/local/sbin/chilli --help|grep proxy
>      --proxylisten=STRING      Proxy IP address to listen on
>      --proxyport=INT           Proxy UDP port to listen on (0 is off)
>      --proxyclient=STRING      IP address of proxy client(s)
>      --proxysecret=STRING      Radius proxy shared secret
>      --postauthproxy=STRING    IP of an upstream transparent proxy
>      --postauthproxyport=INT   Port of an upstream transparent proxy
>
> I don't know what the purpose of the transparent proxy is.
> Maybe it is of help ?
>
> Thanks.
>
>
>> You can bridge the networks so that chilli controls them both, or run
>> two instances of chilli. The instance handling the 802.1x network should
>> have these options defined:
>>
>> $ chilli --help|grep proxy
>>       --proxylisten=STRING      Proxy IP address to listen on
>>       --proxyport=INT           Proxy UDP port to listen on (0 is off)
>>       --proxyclient=STRING      IP address of proxy client(s)
>>       --proxysecret=STRING      Radius proxy shared secret
>>
>> And the 802.1x AP should use these settings for its RADIUS.. chilli
>> will proxy the authentication, provide accounting, and still control the
>> network to enforce any limitations, etc.
>>
>> On Tue, 2010-03-23 at 19:20 +0300, Anatoly Oreshkin wrote:
>>> Hello,
>>>
>>> I have wireless Access Point 3Com AirConnect 9150 configured with
>>> WPA2/AES
>>> and 802.1X EAP-PEAP-MSCHAPv2 authentication. It uses Free Radius server
>>> for authentication and wireless clients get ip fixed addresses from DHCP
>>> server.
>>> I configured this AP with a second SSID (without security) so that
>>> wireless
>>> clients can authenticate through CoovaChilli using the UAM method.
>>> It works.
>>> Now I would like to make both WPA2/802.1X and UAM authentication to work
>>> through  CoovaChilli. I can specify  CoovaChilli address as Radius
>>> server
>>> address in AP. But of course it's not enough. Is it possible at all to
>>> have CoovaChilli working in such configuration ?
>>> If so, how should I configure for this purpose CoovaChilli and Radius
>>> server ?
>>>
>>> Any hints.
>>>
>>> Thanks.
>>>
>>> _______________________________________________
>>> Chilli mailing list
>>> Chilli at coova.org
>>> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
>>
>>
>



-- 
__________________________
Adamanov Vyacheslav
87500, Ukraine, Mariupol,
st. Apatova 136а
mob: +38 (067) 621 32 61
email: adamanov at gmail.com
www: http://hl.ua
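
An added example, not part of the original thread and not CoovaChilli's own code: the RFC 2865 reply check a RADIUS client or proxy applies, shown as a diagnostic aid for log lines like "Authenticator does not match request!" and "No such id in radius queue". It assumes those messages correspond to this standard check; the function names, the request authenticator and the State attribute are constructed for illustration, and only the shared secret string is taken from the quoted configuration.

```python
import hashlib
import hmac
import struct

ACCESS_CHALLENGE = 11  # RADIUS code for Access-Challenge (RFC 2865)

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s.3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, request_auth, attrs, secret):
    """Build a reply the way a RADIUS server would (hypothetical helper)."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def check_reply(packet, pending, secret):
    """Classify a reply as 'ok', 'no-such-id', 'bad-authenticator' or 'malformed'.

    pending maps RADIUS id -> Request Authenticator of the outstanding request.
    """
    if len(packet) < 20:
        return "malformed"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "malformed"
    request_auth = pending.get(ident)
    if request_auth is None:
        return "no-such-id"          # reply for a request no longer queued
    expected = response_authenticator(
        code, ident, request_auth, packet[20:length], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return "bad-authenticator"   # wrong secret or reply paired with wrong request
    del pending[ident]               # request answered, remove it from the queue
    return "ok"

# Constructed sample data (not captured traffic).
REQ_AUTH = bytes(range(16))
STATE_ATTR = bytes([24, 6]) + b"\x01\x02\x03\x04"  # State attribute: type 24, length 6
SECRET = b"CHILLI_HOTSPOT"                         # secret string quoted in the thread

def demo():
    reply = build_reply(ACCESS_CHALLENGE, 12, REQ_AUTH, STATE_ATTR, SECRET)
    pending = {12: REQ_AUTH}
    return [
        check_reply(reply, {12: REQ_AUTH}, SECRET),           # secrets agree
        check_reply(reply, {12: REQ_AUTH}, b"other-secret"),  # secrets differ
        check_reply(reply, pending, SECRET),                  # first delivery
        check_reply(reply, pending, SECRET),                  # duplicate after dequeue
    ]

if __name__ == "__main__":
    print(demo())
```

Running the same check against a packet capture of both hops (AP to chilli, chilli to the RADIUS server) shows which shared secret or which request/reply pairing is inconsistent.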

