• MaUrI
  • New member
  • Offline
  • Registered: 2007-11-06
  • Posts: 1

Topic: Chillispot and DHCP Relay

Hi to all members, i'm an Italian engineer, and i'd like to post a question on this forum. I've set and been using a sort of gateway for wired and wireless clients, based on chillispot, freeradius, postgresql and apache in a Gentoo environment. I have also configured freeradius-dialupadmin for the web management of the AAA part. All sounds good for the wired part. Every PC or Laptop ask and acquire IP address, and pass through the captive portal to the Internet, after getting authenticated. The problem is that i can't get IP address from chilli for the wireless clients. I use a Cisco Lightweight 1000 series AP and a Cisco WLAN Controller 4402 series. I think the matter is, just like the title of the post, that the WLAN Controller acts like a DHCP relay for the wireless client's requests, and chillispot doesn't reply because of this fact. Starting chillispot in debug mode makes me understand that after a request (received with IP address = WLAN controller management port's IP address and MAC address = my wifi card mac) chilli just say that request "did not come from known client", and the requests are repeated without answer till the DHCP timeout time.
I have chillispot version 1.1. Maybe there is a kind of patch to apply, or it would be better for me to start thinking an alternative solution to this problem? Is there a way to support DHCP relay?
Thanks to you all for the precious help, if you want other info, i'm here, hopeful. Bye smile
MaUrI

PS I post also the output from chillispot (only interesting parts of course):

Wireless connection request (before i start changing some parameters on the WLAN controller):
(...)
next 0, first -1, last -1
radius_timeout
next 0, first -1, last -1
ARP Packet Received!
Address not found
DHCP newconn: 00:1b:53:64:18:c0
New DHCP connection established
ARP request did not come from known client!
ARP Packet Received!
ARP request did not come from known client!
radius_timeout 1194358073   802324
next 0, first -1, last -1
(...)


Wireless connection request (after changing some parameters on the WLAN controller, it appears also this part, i don't know why):
(...)
radius_timeout
next 2, first -1, last -1
DHCP packet received
DHCP packet received
Address found
Sending IP packet
cb_dhcp_data_ind. Packet received. DHCP authstate: 2
Received packet with spoofed source!!!
DHCP packet received
DHCP packet received
Address found
Sending IP packet
cb_dhcp_data_ind. Packet received. DHCP authstate: 2
Received packet with spoofed source!!!
ARP Packet Received!
Did not ask for router address: 01b6a8c0 - c0a8b6b8
radius_timeout 1194358084   303120
next 2, first -1, last -1
radius_timeout
(...)

  • From: Norway
  • Registered: 2007-10-09
  • Posts: 27

Re: Chillispot and DHCP Relay

Hi,

I am not sure that I understood all of this, but keep the following in mind:

- Chillispot uses MAC authentication and therefore must use level 2 bridging or wireless WDS to make sure that it always sees the client MAC addresses. If you have another DHCP-server, NAT or router with different IP addressing schemes in your network before Chillispot, Chillispot will not authenticate properly because the MAC addresses will be 'hidden'.

- Chillispot has its own DHCP-server and therefore reports on all IP-addresses that it has not assigned itself.


I think you should try to reconfigure your router so you brdige your wired and wireless interfaces on the VLAN level. In this way Chillispot should be able to see all MAC addresses, both wired and wireless.


BR

Arne-J.

  • Registered: 2008-12-30
  • Posts: 2

Re: Chillispot and DHCP Relay

Arne / all,

Do you know if it's possible to turn off MAC authentication and allow DHCP to function? I've been debugging my setup, and basically what it comes down to is that it seems Chillispot (running on DD-WRT) is rejecting the DHCP Discovery because the Source MAC doesn't match the Client MAC.

We have a relatively old bridge infrastructure that is a bit time consuming to replace, so I'm trying to make this work without replacing the bridge network.

Thanks,
Tony