[Chilli] Repeated, apid-fire mac-auth requests received by the RADIUS server
Mike Puchol
puchol at me.com
Thu Mar 22 12:26:57 UTC 2012
Hi David,
Thanks for the proposed solution, I think that's the best way to make macauth work, gives scaled flexibility as required.
Cheers,
Mike
On Thursday, March 22, 2012 at 12:00 PM, Adam Hammond wrote:
> Great, thanks David.
>
> I'll be happy to help test any of this functionality if/when you implement it in the future.
>
> Adam
>
> On 22 Mar 2012, at 05:45, David Bird wrote:
>
> > Using strictmacauth (with macauth) should limit some radius requests. Chilli used to always be 'strict' in that it would not respond to the first dhcp request (instead sends radius which may return setting the IP to use). This made dhcp 'slow' even though most people do not probably use the IP setting feature. I will look into why chilli is sending too many macauth quickly. Though, it may be good for it to not just do it once and never again for the session (may seem to use macauth as primary auth mechanism after adding visitor Macs to database. Maybe I offer a new option for 'dhcpmacauth' that will continue to send auth for dhcp requests, with the default being only one Mac auth at first dhcp association (after IP was assigned) , and strictmacauth will have the one (or two) auths - one before IP assignment and possibly one after chilli had assigned an IP (if not otherwise assigned by first radius response).
> >
> >
> > -------- Original message --------
> > Subject: Re: [Chilli] Repeated, rapid-fire mac-auth requests received by the RADIUS server
> > From: Adam Hammond <adam at freerunr.com (mailto:adam at freerunr.com)>
> > To: Mike Puchol <puchol at me.com (mailto:puchol at me.com)>
> > CC: chilli at coova.org (mailto:chilli at coova.org)
> >
> >
> > Hi Mike,
> >
> > If my understanding is correct coova-chilli implements basic mac-auth functionality by sending an authentication packet every time is receives a DHCPREQUEST. If you look at your debug output you'll probably see that devices actually ask for all sorts of ip addresses when talking to dhcp servers and receiving an ip address (self signed, old addresses, the address that are given etc etc). Each request results in an auth attempt.
> >
> > I was looking into this the other day as I wanted a system where I only get one access request per device. There is an option that changes the way the macauth process works in chilli:
> >
> > --strictmacauth Be strict about MAC Auth (no DHCP reply until we get RADIUS reply) (default=off)
> >
> > ... which implements macauth functionality how it should be (IMO).
> >
> > Unfortunately I can't get it to work on 1.2.9 (I haven't tried older versions). When added as an additional option to --macauth I still see lots of auth packets flying around. When I replace --macauth with --strictmacauth then mac auth functionality is un-enabled. I don't see any reference to this 'strictmacauth' in the 'functions' file so I'm not even sure it's implemented any more.
> >
> > Hopefully David can clear this up and it's a feature I'd really like to use.
> >
> > cheers,
> > Adam
> >
> >
> >
> >
> > On 21 Mar 2012, at 12:51, Mike Puchol wrote:
> >
> > > Hi all,
> > >
> > > I'm having an odd problem with my setup, involving Ubiquiti routers and a Radiator server, with MAC authentication against RADIUS enabled. The server will receive a seemingly random number of access-request packets, in rapid succession (even less than 1 second between them), usually between one and six packets.
> > >
> > > My first thought is that chilli is sending out requests without a reply wait timer, or a timer set too low, and so it fires away until it gets a reply from the server.
> > >
> > > Has anyone else come across this?
> > >
> > > Cheers,
> > >
> > > Mike
> > > _______________________________________________
> > > Chilli mailing list
> > > Chilli at coova.org (mailto:Chilli at coova.org)
> > > http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
> > >
> >
> >
> > _______________________________________________
> > Chilli mailing list
> > Chilli at coova.org (mailto:Chilli at coova.org)
> > http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
> >
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.coova.org/pipermail/chilli/attachments/20120322/0b70690b/attachment-0001.html>
More information about the Chilli
mailing list