1

(3 replies, posted in UAM Configuration)

We gave up on solving the openvpn issue; it's not been a high priority, but one thing we're considering is a vlan for the wireless side.

2

(3 replies, posted in UAM Configuration)

Got the radius issues worked out, but still would like to find out process details, and in particular, help with the openvpn issues...

I'm picking up support of our cs gateways from someone who left for greener pastures and trying to set up a new one based on the existing gw configs and some limited docs he left.  It's not working, and it would help troubleshooting if I understood what it was doing.  This is what I see, and mostly I'd like confirmation of my expectations and any pointers as to where to focus attention that someone might have:

client pc connects to network, sends dhcp request
chilli replies with ip address/nameserver/gateway
pc issues some web request
chilli intercepts and replies with http redirect to uam
pc fetches uam page, user enters login info
uam replies with redirect to chillispot 3990 port with encrypted login credentials for auth

It's at this point it seems to be breaking down.  I *think* chilli is supposed to issue a radius request at this point to do the auth, but I'm not seeing anything coming out.  Just a "login failed" redirecting the pc back to the uam.  Although the uam says "unknown error", the xml in the redirect says "invalid password", though it never tried to verify the password.

I assume that what is supposed to happen is:
chilli issues radius auth query
if successful
    turn on normal routing for ip address (or does it continue as a transparent proxy?)
    issue redirect to originally requested page
else
    issue redirect to uam with failure code (as it's doing)

when auth time runs out or user logs out, routing is turned off for ip address
all along appropriate radius accounting packets are issued


I'm also curious about how chilli hooks into the network layer to do its connection hijacking.  I want to be able to set up an openvpn tunnel to the wireless side of the gw for testing and troubleshooting from the office.  I was able to do this with the airmarshal portal that this system is to replace, but that wasn't too hard as airmarshal is able to link into the primary interface somehow.  In chilli's case however, since both chilli and openvpn use tunnels, I'm not quite sure what to link to what and where.
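
Added example, not part of the original post and not ChilliSpot's own code: a sketch of how the "encrypted login credentials" in the redirect to port 3990 can be derived and checked by hand, assuming the scheme used by ChilliSpot's sample hotspotlogin.cgi (MD5 over the gateway's challenge and a shared UAM secret). The function names are hypothetical and the challenge, secret and password values are constructed.

```python
import hashlib
from typing import Optional

def effective_challenge(challenge_hex: str, uamsecret: Optional[str]) -> bytes:
    # Assumed scheme: with a shared secret configured, both sides use
    # MD5(raw challenge || secret) in place of the raw challenge.
    raw = bytes.fromhex(challenge_hex)
    if uamsecret is None:
        return raw
    return hashlib.md5(raw + uamsecret.encode()).digest()

def chap_response(password: str, challenge_hex: str,
                  uamsecret: Optional[str] = None) -> str:
    # CHAP-style "response" parameter: MD5(0x00 || password || challenge).
    chal = effective_challenge(challenge_hex, uamsecret)
    return hashlib.md5(b"\x00" + password.encode() + chal).hexdigest()

def pap_password(password: str, challenge_hex: str,
                 uamsecret: Optional[str] = None) -> str:
    # PAP-style "password" parameter: password XOR challenge, 16 bytes, hex.
    chal = effective_challenge(challenge_hex, uamsecret)
    padded = password.encode().ljust(16, b"\x00")[:16]
    return bytes(p ^ c for p, c in zip(padded, chal)).hex()

def gateway_decode(pap_hex: str, challenge_hex: str,
                   uamsecret: Optional[str] = None) -> str:
    # What the gateway side would recover before building a RADIUS request.
    chal = effective_challenge(challenge_hex, uamsecret)
    plain = bytes(p ^ c for p, c in zip(bytes.fromhex(pap_hex), chal))
    return plain.rstrip(b"\x00").decode("utf-8", errors="replace")

if __name__ == "__main__":
    challenge = "00112233445566778899aabbccddeeff"  # constructed sample
    sent = pap_password("s3cret-pw", challenge, "portal-secret")
    print("password param :", sent)
    print("same secret    :", gateway_decode(sent, challenge, "portal-secret"))
    print("other secret   :", repr(gateway_decode(sent, challenge, "gw-secret")))
    print("response param :", chap_response("s3cret-pw", challenge, "portal-secret"))
```

Comparing the value seen in a captured redirect with what these functions produce for the configured secret shows whether the portal script and the gateway agree on the secret before any RADIUS traffic is involved.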