[Chilli] ipass deployment guidelines
wichert at wiggy.net
Thu May 20 18:34:48 UTC 2010
Since we have completed ipass testing on an chilli deployment and I've
been told someone else is in the process of going through their
production testplan I figured it might be helpful if I posted how our
iPass integration is fairly basic: it uses WISPr to authenticate with
RADIUS packets going through a special ipass radius proxy. SSL is
required for all requests after the initial request.
The first step is to setup a RADIUS server which proxies the IPASS realm
to the ipass netserver software or server (ipass deployments can either
use a java daemon you install on a linux server or a full
hardware box). We use FreeRADIUS, which is simple to configure and will
Second step is to setup chilli. The usual chilli installation procedures
apply. You will need to enable SSL support, which is required. We
configure chilli like this:
radiuslocationname "Attingo Services,KLM Lounges"
The RADIUS parameters are mandatory and must uniquely identify your
The SSL certificate must valid for the hostname used for uamaliasip,
which is formed by combining uamaliasname with the domain (which in our
case is wispr.aas.attingo.nl). The certificate must be signed by one of
the well known certification authorities, so no self-signed certs. The
CRL server for your SSL certificate must be listed in uamallowed, as
well as pb.ipass.com which ipass clients use to update their phonebook.
Your UAM implementation must also use https and use a proper SSL
certificate. Extra care must be taken when redirecting back to chilli:
unless you use a svn snapshot from revision 326 or later (which will
become version 1.2.3) you must ignore the ssl parameter from chilli and
generate the hostname yourself; earlier versions of chilli incorrectly
use the IP address in the URL which leads to SSL validation errors.
I have found uamaliasname to be somewhat unreliable: DNS requests
occasionally get both a response from chilli as well as a NXDOMAIN from
our normal nameserver. To circumvent this I would recommend to put the
uamaliasname in your DNS zone as well.
We use a Pylons based application for our UAM. I've attached the
controller code which implements the UAM side of the WISPr handling.
Wichert Akkerman <wichert at wiggy.net> It is simple to make things.
http://www.wiggy.net/ It is hard to make things simple.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4575 bytes
Desc: not available
More information about the Chilli