[Chilli] CoovaChilli uam secret / RADIUS secret causing

james at purple.so james at purple.so
Tue Apr 29 21:29:13 UTC 2014


Hi Luis

Thanks very much for your reply.

Yes, I had thought this may be the issue, but I assumed that coova does not
re-generate a new challenge for every HTTP request a client makes. To test,
I opened 10 tabs in my browser, and 5 tabs in another browser, and the
"challenge" value in the URL was the same across them all. We notice the
challenge does change after around 10 minutes though (it must time out)...

We've recently modified the coova code to generate the challenge based on
something more unique to the user (their MAC address, plus a secret, then
hashed), rather than what coova uses by default (a 16-character string from
/dev/random), so now, the challenge is unique per client MAC, and therefore
no matter what sessions they have open it will always be the same
"challenge". Does that make sense? Even if they return in 1 hour, the
challenge is the same, and only we know what the challenge is made up from
on our external splash page side.

But I think coova should ensure that the same challenge is given to the
same client MAC, as without it, it's near impossible to know which challenge
to use as the correct one when encrypting the password to send back to coova
for the login (we use an external splash page).

What are your thoughts?

Thanks

James
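
Added example (not part of the original post, and not CoovaChilli's own code): a Python comparison of the two challenge schemes discussed above, together with the password encoding an external splash page sends back. The HMAC-MD5 derivation, the key names and all sample values are assumptions; the encoding assumes the XOR with MD5(challenge + uamsecret) used by the stock hotspotlogin script.

```python
import hashlib
import hmac
import os

UAM_SECRET = b"constructed-uam-secret"      # constructed sample value
CHALLENGE_KEY = b"constructed-portal-key"   # constructed sample value (hypothetical name)


def random_challenge() -> bytes:
    """Default behaviour as described in the post: 16 random bytes."""
    return os.urandom(16)


def mac_challenge(mac: str) -> bytes:
    """Modified behaviour as described in the post: hash of client MAC plus a secret.
    HMAC-MD5 is an assumed construction; the post does not name the hash."""
    norm = mac.replace("-", ":").lower().encode()
    return hmac.new(CHALLENGE_KEY, norm, hashlib.md5).digest()


def pap_response(challenge: bytes, password: str) -> str:
    """Splash-page side: XOR the password with MD5(challenge + uamsecret).
    Assumed scheme; the password is padded or truncated to 16 bytes."""
    pad = hashlib.md5(challenge + UAM_SECRET).digest()
    pw = password.encode().ljust(len(pad), b"\x00")[:len(pad)]
    return bytes(a ^ b for a, b in zip(pw, pad)).hex()


def distinct_responses(challenge_fn, password: str, logins: int = 3) -> set:
    """Distinct encoded passwords produced over several logins by one client."""
    return {pap_response(challenge_fn(), password) for _ in range(logins)}


if __name__ == "__main__":
    mac = "00-11-22-33-44-55"               # constructed sample MAC
    password = "constructed-pass"           # constructed sample password
    # The portal can rebuild the challenge from the MAC alone, in any notation.
    print(mac_challenge(mac) == mac_challenge("00:11:22:33:44:55"))
    # Random challenge: a different encoded password on every login.
    print(len(distinct_responses(random_challenge, password)))
    # MAC-derived challenge: one encoded password, identical on every login.
    print(len(distinct_responses(lambda: mac_challenge(mac), password)))
```

The MAC-derived challenge lets the splash page recompute the value without reading it from the redirect URL, but the encoded password for a given client is then the same on every login, so the challenge no longer makes each login exchange unique.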



