[Chilli] CoovaChilli & (non CoovaAP) AP

David Bird david at coova.com
Sat Mar 27 05:42:51 UTC 2010


Upgrade to subversion code-base please...


On Wed, 2010-03-24 at 20:20 +0300, Anatoly Oreshkin wrote:
> 
> Hello,
> 
> My CoovaChilli server is installed on a Linux box.
> CoovaChilli is configured as:
> ./configure --with-nfqueue --enable-chilliproxy --with-curl
> 
> HS_WANIF=eth0
> HS_LANIF=eth1
> HS_NETWORK=10.2.3.0
> HS_NETMASK=255.255.255.0
> HS_UAMLISTEN=10.2.3.1
> HS_UAMPORT=3990
> HS_NASID=nas01
> HS_RADIUS=212.193.96.134
> HS_RADSECRET=CHILLI_HOTSPOT
> ...
> HS_MODE=hotspot
> HS_TYPE=chillispot
> 
> eth0 address = 195.19.214.216
> eth1 address = 10.2.3.1
> 
> I've setup proxy parameters in /usr/local/etc/chilli/local.conf:
> 
> 
> 
> proxylisten=195.19.214.216     #  eth0 address
> proxyport=1812
> proxyclient=192.168.14.242     #  my AP address
> proxysecret=CHILLI_HOTSPOT
> 
> AP is configured as:
> -------------------
> 
> WPA2/AES/802.1X
> Radius server: 195.19.214.216  (chilli address)
> Radius port: 1812
> Radius secret: CHILLI_HOTSPOT
> 
> Radius server configured as:
> ----------------------------
> 
> clients.conf
> 
> # chilli hotspot
> client 195.19.214.216 {
>         secret      = CHILLI_HOTSPOT
>         shortname   = Chilli
>         nastype     = other
> }
> 
> The file "users" has user data:
> oreshkin Cleartext-Password := "mypassword", Calling-Station-Id == "00-16-EA-8A-DE-38"
> 
> When I try to authenticate a wireless client through CoovaChilli,
> I get these messages:
> 
> On the CoovaChilli server, in /var/log/messages:
> 
> radius.c: 1677: Authenticator does not match request!
> radius.c: 335: No such id in radius queue: id=0!
> radius.c: 1672: Matching request was not found in queue: 0!
> radius.c: 335: No such id in radius queue: id=1!
> radius.c: 1672: Matching request was not found in queue: 1!
> ....
> 
> 
> On Radius server
> ----------------
> 
> The RADIUS daemon running in debug mode gives output which indicates that it
> receives Access-Request packets from CoovaChilli.
> Below is an extract from the radius output:
> 
> rad_recv: Access-Request packet from host 195.19.214.216 port 32859, id=0, length=146
>         Vendor-14559-Attr-8 = 0x312e322e32
>         User-Name = "oreshkin"
>         EAP-Message = 0x0200000d016f726573686b696e
>         Message-Authenticator = 0x45f4d1100685765bd2b5004f650d0a2e
>         Calling-Station-Id = "00-16-EA-8A-DE-38"
>         Called-Station-Id = "00-0E-0C-36-AE-AA"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 11
>         Service-Type = Login-User
>         NAS-IP-Address = 10.2.3.1
>         NAS-Identifier = "nas01"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "oreshkin", looking up realm NULL
> [suffix] Found realm "DEFAULT"
> [suffix] Adding Stripped-User-Name = "oreshkin"
> 
> .....
> 
> Sending Access-Challenge of id 0 to 195.19.214.216 port 32859
>         EAP-Message = 0x010100061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x41e5100541e4098a17fe112e0fc89cb1
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 0 with timestamp +54
> Ready to process requests.
> ....
> 
> The RADIUS server receives Access-Request packets from CoovaChilli and
> responds with Access-Challenge packets many times, but it never sends an
> Access-Accept packet and never outputs error messages.
> 
> What might be wrong? Configuration errors, or do I need to do something
> else?
> 
> CoovaChilli 1.2.2 also has a transparent proxy.
> /usr/local/sbin/chilli --help|grep proxy
>       --proxylisten=STRING      Proxy IP address to listen on
>       --proxyport=INT           Proxy UDP port to listen on (0 is off)
>       --proxyclient=STRING      IP address of proxy client(s)
>       --proxysecret=STRING      Radius proxy shared secret
>       --postauthproxy=STRING    IP of an upstream transparent proxy
>       --postauthproxyport=INT   Port of an upstream transparent proxy
> 
> I don't know what the transparent proxy is for.
> Maybe it would help?
> 
> Thanks.
> 
> 
> > You can bridge the networks so that chilli controls them both, or run
> > two instances of chilli. The instance handling the 802.1x network should
> > have these options defined:
> >
> > $ chilli --help|grep proxy
> >       --proxylisten=STRING      Proxy IP address to listen on
> >       --proxyport=INT           Proxy UDP port to listen on (0 is off)
> >       --proxyclient=STRING      IP address of proxy client(s)
> >       --proxysecret=STRING      Radius proxy shared secret
> >
> > And the 802.1x AP should use these settings for its RADIUS. chilli
> > will proxy the authentication, provide accounting, and still control the
> > network to enforce any limitations, etc.
> >
> > On Tue, 2010-03-23 at 19:20 +0300, Anatoly Oreshkin wrote:
> >> Hello,
> >>
> >> I have a 3Com AirConnect 9150 wireless access point configured with
> >> WPA2/AES and 802.1X EAP-PEAP-MSCHAPv2 authentication. It uses a
> >> FreeRADIUS server for authentication, and wireless clients get fixed
> >> IP addresses from a DHCP server.
> >> I configured this AP with a second SSID (without security) so that
> >> wireless clients can authenticate through CoovaChilli using the UAM
> >> method. It works.
> >> Now I would like to make both WPA2/802.1X and UAM authentication work
> >> through CoovaChilli. I can specify the CoovaChilli address as the
> >> RADIUS server address in the AP, but of course that's not enough. Is
> >> it possible at all to have CoovaChilli working in such a configuration?
> >> If so, how should I configure CoovaChilli and the RADIUS server for
> >> this purpose?
> >>
> >> Any hints?
> >>
> >> Thanks.
> >>
> >> _______________________________________________
> >> Chilli mailing list
> >> Chilli at coova.org
> >> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
> >
> >
> 
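
The "Authenticator does not match request!" line in the quoted log reads like a failure of the RFC 2865 Response Authenticator check that a RADIUS client or proxy applies to every reply; mapping it to that exact check in chilli's radius.c is an assumption. The following is an added example, not CoovaChilli code and not part of the original messages, showing the check and three ways it fails. The secrets and request authenticators are constructed; only the EAP-Message bytes are copied from the Access-Challenge in the thread.

```python
import hashlib
import hmac
import struct

ACCESS_CHALLENGE = 11
EAP_MESSAGE = 79


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_reply(code: int, ident: int, request_auth: bytes,
                attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client/proxy side: recompute the digest with the authenticator of the
    request still queued under the reply's identifier."""
    if len(reply) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return False
    reply = reply[:length]  # ignore any trailing padding
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def demo() -> dict:
    secret = b"example-shared-secret"   # constructed value
    req_auth = bytes(range(16))         # constructed Request Authenticator
    other_auth = bytes(16)              # authenticator of a different request
    attrs = encode_attr(EAP_MESSAGE, bytes.fromhex("010100061920"))
    reply = build_reply(ACCESS_CHALLENGE, 0, req_auth, attrs, secret)
    return {
        "matching": verify_reply(reply, req_auth, secret),
        "wrong_secret": verify_reply(reply, req_auth, b"other-secret"),
        "stale_request": verify_reply(reply, other_auth, secret),
        "tampered": verify_reply(reply[:-1] + b"\x00", req_auth, secret),
    }
```

A reply verifies only when the shared secret is the same on both sides of that hop and the reply is paired with the request it answers, which is why the secret configured on each leg (AP to proxy, proxy to server) and the request-queue matching are the first things to check.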
