[Chilli] using coovachilli with wpa

David Bird david at coova.com
Wed Jul 24 20:40:44 UTC 2013


Hi,

First, you can send the RADIUS from the WPA2 Enterprise AP/Authenticator
to chilli after configuring the following:

      --proxylisten=STRING      Proxy IP address to listen on
      --proxyport=INT           Proxy UDP port to listen on (0 is off)  
      --proxyclient=STRING      IP address of proxy client(s)
      --proxysecret=STRING      Radius proxy shared secret

These settings control what IP and port chilli will listen for RADIUS on
and who can send to it. Chilli will then proxy this RADIUS through to
its configured RADIUS servers. When clients are authenticated for
802.1x, that is then known to chilli and they are authenticated in
chilli. The "WPA Guests" feature allows you to program your RADIUS
server such that it will return Access-Accept even for client stations
that did not successfully authenticate. The Access-Accept is needed for
them to pass the 802.1x/EAP phase and to be able to interact with chilli
and the captive portal. Adding the RADIUS attribute:

ChilliSpotConfig=require-uam-auth

to the Access-Accept which didn't really succeed will prompt chilli to
treat the client as unauthorized and send them to the captive portal.

See
http://coova.org/CoovaChilli/WPACaptivePortal

David



On Wed, 2013-07-24 at 19:41 +0200, Tekán Dávid wrote:
> Hi all!
> 
> I set up a coovachilli + freeradius + mysql combo at my dorm. It's
> working great with the wired network. Now we want to extend it to the
> wireless as well. Installed an access point configured to wpa2
> enterprise (with the same radius server) and connected to the
> coovachilli's LAN side. It can authenticate users and do the process
> fine, but when I want to connect to the internet, I get redirected to
> the coovachilli's captive portal.
> I've read about the wpa guest config parameter, but i don't want to
> let users without sufficient credentials to connect, and reach any of
> my devices (neither the captive portal nor the webpages which I allowed
> with uam_allow).
> 
> So is there a way, that the users, who authenticated successfully
> through wpa2 (peap + mschapv2) do not need to reauthenticate at the
> captive portal page (and not let users who failed at wpa2 to try to
> authenticate themselves on the captive portal).
> 
> Thanks for all the replies, all the best
> 
> Dávid
> _______________________________________________
> Chilli mailing list
> Chilli at coova.org
> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli

-- 
David Bird
http://www.linkedin.com/in/dwbird/
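The decision chilli makes on a proxied reply, as an added illustration (not chilli's or coova's code): the reply must carry a Response Authenticator computed with the shared secret before it is trusted, an Access-Reject ends the 802.1x exchange, and an Access-Accept that carries ChilliSpotConfig=require-uam-auth sends the station to the captive portal instead of authorizing it. The ChilliSpot vendor id and the vendor-type of ChilliSpot-Config are assumed values; check them against your own dictionary.chillispot. The packets are constructed inline.

```python
import hashlib
import struct

# Assumed values (not from the post): verify against dictionary.chillispot.
CHILLISPOT_VENDOR_ID = 14559
CHILLISPOT_CONFIG_TYPE = 6
ACCESS_ACCEPT, ACCESS_REJECT, VENDOR_SPECIFIC = 2, 3, 26

def build_reply(ident, request_auth, secret, vsa_value=None, code=ACCESS_ACCEPT):
    """Build a RADIUS reply (optionally carrying ChilliSpot-Config) with a valid
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = b""
    if vsa_value is not None:
        inner = struct.pack("!BB", CHILLISPOT_CONFIG_TYPE, 2 + len(vsa_value)) + vsa_value
        body = struct.pack("!I", CHILLISPOT_VENDOR_ID) + inner
        attrs += struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def chilli_decision(packet, request_auth, secret):
    """Model of what the proxy does with a reply: drop forgeries, then decide
    whether the station is authorized or must log in via the captive portal."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    resp_auth, attrs = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if expected != resp_auth:
        return "drop"            # wrong secret or tampered reply: never trusted
    if code != ACCESS_ACCEPT:
        return "denied"          # 802.1x/EAP fails, station never associates
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            return "drop"        # malformed attribute length
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            vtype, vlen = attrs[pos + 6], attrs[pos + 7]
            value = attrs[pos + 8:pos + 6 + vlen]
            if vendor == CHILLISPOT_VENDOR_ID and vtype == CHILLISPOT_CONFIG_TYPE \
                    and value == b"require-uam-auth":
                return "captive-portal"  # "WPA guest": associated, not authorized
        pos += alen
    return "authorized"          # real 802.1x success: known to chilli, passed through
```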
