[Chilli] using coovachilli with wpa

Tekán Dávid tek.david at gmail.com
Thu Jul 25 11:06:38 UTC 2013


Hi David!

Thanks for the solution, it works, I should've thought about it by myself.

If I understand correctly, I cannot use a different RADIUS secret on
each and every access point. If that is the situation, is there any way to
get to know which session is through which access point (the initial
access point is enough, if there is roaming between the APs)?

Thanks again

Dávid


On Wed, Jul 24, 2013 at 10:40 PM, David Bird <david at coova.com> wrote:
> Hi,
>
> First, you can send the RADIUS from the WPA2 Enterprise AP/Authenticator
> to chilli after configuring the following:
>
>       --proxylisten=STRING      Proxy IP address to listen on
>       --proxyport=INT           Proxy UDP port to listen on (0 is off)
>       --proxyclient=STRING      IP address of proxy client(s)
>       --proxysecret=STRING      Radius proxy shared secret
>
> These settings control what IP and port chilli will listen for RADIUS on
> and who can send to it. Chilli will then proxy this RADIUS through to
> its configured RADIUS servers. When clients are authenticated for
> 802.1x, that is then known to chilli and they are authenticated in
> chilli. The "WPA Guests" feature allows you to program your RADIUS
> server such that it will return Access-Accept even for client stations
> that did not successfully authenticate. The Access-Accept is needed for
> them to pass the 802.1x/EAP phase and to be able to interact with chilli
> and the captive portal. Adding the RADIUS attribute:
>
> ChilliSpotConfig=require-uam-auth
>
> to the Access-Accept which didn't really succeed will prompt chilli to
> treat the client as unauthorized and send it to the captive portal.
>
> See
> http://coova.org/CoovaChilli/WPACaptivePortal
>
> David
>
>
>
> On Wed, 2013-07-24 at 19:41 +0200, Tekán Dávid wrote:
>> Hi all!
>>
>> I set up a coovachilli + freeradius + mysql combo at my dorm. It's
>> working great with the wired network. Now we want to extend it to the
>> wireless as well. Installed an access point configured to wpa2
>> enterprise (with the same radius server) and connected to the
>> coovachilli's lan side. It can authenticate users and do the process
>> fine, but when I want to connect to the internet, I get redirected to
>> the coovachilli's captive portal.
>> I've read about the wpa guest config parameter, but I don't want to
>> let users without sufficient credentials connect and reach any of
>> my devices (neither the captive portal nor the webpages which I allowed
>> with uam_allow).
>>
>> So is there a way that the users who authenticated successfully
>> through wpa2 (peap + mschapv2) do not need to reauthenticate at the
>> captive portal page (and not let users who failed at wpa2 try to
>> authenticate themselves on the captive portal)?
>>
>> Thanks for all the replies, all the best
>>
>> Dávid
>
> --
> David Bird
> http://www.linkedin.com/in/dwbird/
>

