[Chilli] Repeated, rapid-fire mac-auth requests received by the RADIUS server

David Bird david at coova.com
Thu Mar 22 05:45:21 UTC 2012

Using strictmacauth (with macauth) should limit some radius requests. Chilli used to always be 'strict' in that it would not respond to the first dhcp request (instead sends radius which may return setting the IP to use). This made dhcp 'slow' even though most people probably do not use the IP setting feature. I will look into why chilli is sending too many macauth quickly. Though, it may be good for it to not just do it once and never again for the session (may seem to use macauth as primary auth mechanism after adding visitor Macs to database). Maybe I offer a new option for 'dhcpmacauth' that will continue to send auth for dhcp requests, with the default being only one Mac auth at first dhcp association (after IP was assigned), and strictmacauth will have the one (or two) auths - one before IP assignment and possibly one after chilli had assigned an IP (if not otherwise assigned by first radius response).

-------- Original message --------
Subject: Re: [Chilli] Repeated, rapid-fire mac-auth requests received by the RADIUS server
From: Adam Hammond <adam at freerunr.com> 
To: Mike Puchol <puchol at me.com> 
CC: chilli at coova.org 

Hi Mike,

If my understanding is correct coova-chilli implements basic mac-auth functionality by sending an authentication packet every time it receives a DHCPREQUEST. If you look at your debug output you'll probably see that devices actually ask for all sorts of ip addresses when talking to dhcp servers and receiving an ip address (self signed, old addresses, the addresses that are given etc etc). Each request results in an auth attempt.

I was looking into this the other day as I wanted a system where I only get one access request per device. There is an option that changes the way the macauth process works in chilli:

--strictmacauth	Be strict about MAC Auth (no DHCP reply until we get RADIUS reply)  (default=off)

... which implements macauth functionality how it should be (IMO).

Unfortunately I can't get it to work on 1.2.9 (I haven't tried older versions). When added as an additional option to --macauth I still see lots of auth packets flying around. When I replace --macauth with --strictmacauth then mac auth functionality is un-enabled. I don't see any reference to this 'strictmacauth' in the 'functions' file so I'm not even sure it's implemented any more.

Hopefully David can clear this up and it's a feature I'd really like to use.


On 21 Mar 2012, at 12:51, Mike Puchol wrote:

> Hi all,
> I'm having an odd problem with my setup, involving Ubiquiti routers and a Radiator server, with MAC authentication against RADIUS enabled. The server will receive a seemingly random number of access-request packets, in rapid succession (even less than 1 second between them), usually between one and six packets.
> My first thought is that chilli is sending out requests without a reply wait timer, or a timer set too low, and so it fires away until it gets a reply from the server.
> Has anyone else come across this?
> Cheers,
> Mike
> _______________________________________________
> Chilli mailing list
> Chilli at coova.org
> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
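
A log-side check for the symptom discussed in this thread, as an added example that is not part of any of the messages above: it groups Access-Requests by Calling-Station-Id and reports runs that arrive less than one second apart. The log line format, the function names and the sample records are constructed for illustration and are not Radiator's or chilli's actual output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up format (assumption, not real Radiator output).
SAMPLE_LOG = """\
2012-03-21 12:40:01.100 Access-Request Calling-Station-Id=00-11-22-33-44-55
2012-03-21 12:40:01.450 Access-Request Calling-Station-Id=00-11-22-33-44-55
2012-03-21 12:40:01.900 Access-Request Calling-Station-Id=00-11-22-33-44-55
2012-03-21 12:40:02.300 Access-Request Calling-Station-Id=00-11-22-33-44-55
2012-03-21 12:41:00.000 Access-Request Calling-Station-Id=66-77-88-99-AA-BB
2012-03-21 12:42:00.000 Access-Request Calling-Station-Id=CC-DD-EE-00-11-22
2012-03-21 12:42:00.700 Access-Request Calling-Station-Id=cc-dd-ee-00-11-22
2012-03-21 12:42:05.000 Access-Request Calling-Station-Id=CC-DD-EE-00-11-22
2012-03-21 12:45:10.000 Access-Request Calling-Station-Id=00-11-22-33-44-55
"""

LINE_RE = re.compile(r"^(\S+ \S+) Access-Request Calling-Station-Id=([0-9A-Fa-f-]{17})$")

def parse_requests(text):
    """Return (timestamp, mac) pairs; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            out.append((ts, m.group(2).lower()))  # normalise MAC case
    return out

def find_bursts(requests, max_gap=timedelta(seconds=1)):
    """Per MAC, keep runs of 2+ requests whose consecutive gaps are below max_gap."""
    per_mac = defaultdict(list)
    for ts, mac in sorted(requests):
        per_mac[mac].append(ts)
    bursts = {}
    for mac, stamps in per_mac.items():
        runs = [[stamps[0]]]
        for ts in stamps[1:]:
            if ts - runs[-1][-1] < max_gap:
                runs[-1].append(ts)   # still inside the same burst
            else:
                runs.append([ts])     # gap too large: start a new run
        runs = [r for r in runs if len(r) > 1]
        if runs:
            bursts[mac] = runs
    return bursts

if __name__ == "__main__":
    for mac, runs in find_bursts(parse_requests(SAMPLE_LOG)).items():
        print(mac, [(len(r), (r[-1] - r[0]).total_seconds()) for r in runs])
```

Running the same grouping before and after changing the macauth options gives a direct count of how many duplicate requests each setting removes.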
