[Chilli] Communication Issues
David Bird
david at coova.com
Wed Feb 27 18:00:22 UTC 2013
Hi,

I don't think using a tap with OpenVPN will help much. Are you wanting
to put the OpenVPN link into a bridge?

Do you have an idea where your RADIUS might be being dropped? Are you
relying on CoA RADIUS being sent *to* chilli? If so, then the VPN will
help with that (and have the side effect of a more secure RADIUS path,
suitable for iPass integration, etc).

Not sure this is your issue, but having your RADIUS server clean up
active sessions when there is an Accounting-On (startup) packet from
chilli may help.

The risk of someone resuming/assuming the IP of an authorized station is
an inherent risk of using Layer3 mode -- similarly in layer2 people can
hijack an authorized MAC address, however the former case in layer3 mode
is more likely to happen just by accident.

David

On Tue, 2013-02-26 at 09:21 -0100, Luis Ferreira wrote:
> Greetings to all,
>
> I would like your help with an issue that I’m getting. First I’ll just
> expose a couple of my problems:
>
> From time to time, I find in the list of current sessions on the
> RADIUS users online that do not have a login done on Chilli. That causes
> the RADIUS to not allow the login because there is already someone
> using the account.
>
> Also, I’ve noticed that some users disappear from the online users, but
> Chilli still has them on and working. That has a very bad side effect.
> Someone connects to the wifi, and if they get the same IP (lease is for
> 8 hours) they will get free internet, because RADIUS has already closed
> the session of the original one.
>
> Another thing is that Chilli disconnects clients, but they
> still appear on RADIUS.
>
> All of that seems to me to be failures in communication between RADIUS
> (central server in a different country with a dedicated IP) and the Chilli
> boxes (a couple of them spread around with dynamic DNS).
>
> What I thought could help me was implementing OpenVPN with a TAP
> device on the machines, to improve the reliability of the
> communications.
>
> So, my questions are:
>
> 1. Is this a practical approach (tell RADIUS to use a fixed IP address
> to disconnect packets, instead of the dyndns address)?
>
> 2. Will this cause a lot of overhead (low bandwidth)?
>
> 3. Will this help with the issue?
>
> 4. Is there a better approach for this kind of implementation (RADIUS
> at a remote location and Chilli with dynamic DNS)?
>
> 5. Will OpenVPN work well with Chilli (Chilli IP
> 10.1.10.0/255.255.255.0 | OpenVPN 192.168.100.0/255.255.255.0)?
>
> Thoughts appreciated
>
> Chilli 1.2.9
> Layer 3
> VLAN
>
> Regards,
>
> Luis
--
David Bird
http://www.linkedin.com/in/dwbird
https://twitter.com/wlanmac
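
One way to implement the Accounting-On cleanup suggested in the reply above, as an added example that is not part of the original message and not code from CoovaChilli or any RADIUS server. It assumes each Chilli box sends a unique NAS-Identifier, used as the key here because the boxes have dynamic addresses; the table layout, the `ts` field and the function names are hypothetical.

```python
import sqlite3

# Hypothetical minimal session table, not the schema of any particular RADIUS server.
SCHEMA = """CREATE TABLE sessions (
    nas_id TEXT, session_id TEXT, username TEXT,
    start_ts INTEGER, stop_ts INTEGER, cause TEXT,
    PRIMARY KEY (nas_id, session_id))"""

def handle_accounting(db, pkt):
    """Apply one accounting record (a dict keyed by RADIUS attribute name).
    'ts' is a hypothetical receive time. Returns the number of stale sessions closed."""
    status, nas, ts = pkt["Acct-Status-Type"], pkt["NAS-Identifier"], pkt["ts"]
    if status in ("Accounting-On", "Accounting-Off"):
        # The NAS has just started or is shutting down, so none of its earlier
        # sessions can still be live. Close them, for this NAS only.
        cur = db.execute(
            "UPDATE sessions SET stop_ts = ?, cause = 'NAS-Reboot' "
            "WHERE nas_id = ? AND stop_ts IS NULL", (ts, nas))
        return cur.rowcount
    if status == "Start":
        db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?, ?, NULL, NULL)",
                   (nas, pkt["Acct-Session-Id"], pkt["User-Name"], ts))
    elif status == "Stop":
        db.execute(
            "UPDATE sessions SET stop_ts = ?, cause = ? "
            "WHERE nas_id = ? AND session_id = ? AND stop_ts IS NULL",
            (ts, pkt.get("Acct-Terminate-Cause", "Unknown"), nas,
             pkt["Acct-Session-Id"]))
    return 0

def open_sessions(db, username):
    """Sessions a simultaneous-use check would count against this user."""
    return db.execute("SELECT COUNT(*) FROM sessions WHERE username = ? "
                      "AND stop_ts IS NULL", (username,)).fetchone()[0]

def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    # Constructed records: alice's Stop from box-a was lost in transit.
    for nas, sid, user, ts in [("box-a", "s1", "alice", 100),
                               ("box-b", "s7", "bob", 110)]:
        handle_accounting(db, {"Acct-Status-Type": "Start", "NAS-Identifier": nas,
                               "Acct-Session-Id": sid, "User-Name": user, "ts": ts})
    closed = handle_accounting(db, {"Acct-Status-Type": "Accounting-On",
                                    "NAS-Identifier": "box-a", "ts": 200})
    return closed, open_sessions(db, "alice"), open_sessions(db, "bob")

if __name__ == "__main__":
    print(demo())
```

The cleanup only removes stale entries on the RADIUS side after a restart; it does not address sessions that Chilli still holds after RADIUS has closed them.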