[Chilli] Multiple chilli instances on the same network

David Bird david at coova.com
Thu Jan 24 17:28:06 UTC 2013

On Thu, 2013-01-24 at 11:52 +0100, Petr Štetiar wrote:
> David Bird <david at coova.com> [2013-01-21 10:37:41]:
> > You could also have roaming between APs where the same chilli session is
> > maintained where the APs bridge into the same network.
> Can you please tell me, how could I setup the chilli to have a same session
> shared/maintained?

By running a single instance of chilli. I wouldn't run it on an AP,
rather on a PC (appliance) where you have all your APs bridge into. This
way, you can use unmodified standard AP hardware/firmware and
subscribers will even maintain their same IP across APs. 

> Ok, my scenario: 5 APs in the area, connected to the same LAN, remote AAA,
> chilli running on every AP. Now if the client gets authenticated via UAM on
> say AP1 and roams(losts coverage from AP1) to the AP2, then coova-chilli
> instance running on AP2 doesn't have this user amongst authenticated users, so
> user has to authenticate in UAM again.  Which is quite cumbersome.

Using MAC authentication, with the appropriate logic in your RADIUS
server, you can have subscribers automatically logged into chilli when
they move to a new chilli instance. 

> One of the solutions(also proposed by the Emanuele) is to have only one chilli
> instance, which would be common for the rest of the APs in the network, but
> this has the drawback, that it's a single point of failure. So if this AP with
> coova-chilli instance running goes down, whole network is inaccessible.
> As I see the "cluster" feature in my use case, if the user gets authenticated
> via UAM on AP1, AP1 would broadcast this event, say by NEW_AUTH_USER command
> to other coova-chilli instances running on the network (with same shared
> secret + session information) and if the user then roams(moves away from
> coverage of AP1) to say AP2 in the network, then AP2 would already have this
> user's session information and would just allow him to use the network. So in
> this scenario, there's no single point of failure. It's kind of the
> poor-mans's failover.

The problem there is that if each AP is running chilli, they are not
really on the same broadcast network -- each chilli has it's own local

> Thanks.
> -- ynezz

David Bird

More information about the Chilli mailing list