The chilli_proxy server, built in the CoovaChilli distribution, is a light-weight (though it does use libcurl) proxy server that converts RADIUS to/from a HTTP based protocol. The proxy server takes the same configuration as chilli and becomes the RADIUS server that chilli talks to. The proxy then takes the RADIUS and performs HTTP requests for authentication, authorization, and accounting (AAA). The protocol itself is intentionally similar to that of WiFiDog, though with some obvious differences to take advantage of the features of chilli.
To build CoovaChilli with the chilli_proxy server:
./configure --enable-chilliproxy [--with-curl] make sudo make installCurrently, you should use --with-curl, but a non-curl version will also be available.
The HTTP URL is of the format:
http://hostname/script?query-string-parametersThe URL is specified to chilli_proxy using the chilli option uamaaaurl.
All HTTP requests by the proxy have a User-Agent HTTP header of "CoovaChilli (version)".
Query string parameters:
When not authenticated, sessions are always in the login stage.
Values for the service parameter are:
The md parameter is the HEX encoded MD5 Message Digest over the URL and it's query string parameters (minus the md paramater) and the UAM secret. This signature is to help prevent anyone from sending bogus data to the script.
HTTP access-accept response:
Auth: 1 (Optional RADIUS Attributes)HTTP access-reject response:
Auth: 0 (Optional RADIUS Attributes)
Query string parameters:
The values for status are:
HTTP accounting response:
Ack: 1 (Optional RADIUS Attributes)
To help better facilitate integration between a captive portal and the AAA back-end, the chilli_proxy program can be used to register resources into the back-end. How it is actually implemented depends on the back-end script. However, this utility provides a way to securely use the HTTP proxy mechanism for provisioning. By using the command:
chilli_proxy --register name1 value1 name2 value2 ...a HTTP POST request is sent to the configured uamaaaurl with the query string parameters of stage= register and with ap= and nasid= also set (see above for descriptions). In addition, the arguments after the --register are encoded into the URL as well (note: any command line options before --register are considered as chilli options) and any data from standard input is delivered to the URL in the POST. At the end of the URL, the standard md= signature is added for authenticity.
As an example, the following might be used to create an access code into the back-end system:
echo "Session-Timeout: 3600" | chilli_proxy --register status new_code user xxxxx pass yyyyywhich would result into the Session-Timeout attribute being POSTed in the HTTP request to:
http://remote-site/script.php?stage=register&ap=00-XX-XX-XX-XX-XX&nasid=nas01& status=new_code&user=xxxxx&pass=yyyyyy&md=B4E11CB550BDCFD4965DFDC1CFA6F7AFthe script is then able to verify the request came from chilli by verifying the md parameter using the UAM secret before creating the access code.
In the HTTP responses, after the initial protocol response, session parameters can be set by using one or more of the following attributes, one per line.
Standard Login Authentication
http://localhost/script.php?stage=login&service=login&user=test&pass=test &ap=00-XX-XX-XX-XX-XX&mac=00-XX-XX-XX-XX-XX&ip=10.1.0.2&sessionid=4adb5f4000000001 &nasid=nas01&md=A9EA5F98B104F41FC330CFE44B2681ADReply (success):
Auth: 1 Idle-Timeout: 300 Session-Timeout: 3600 Acct-Interim-Interval: 300Reply (reject):
Auth: 0MAC Address Authentication (DHCP)
http://localhost/script.php?stage=login&service=framed&user=00-XX-XX-XX-XX-XX&pass=00-XX-XX-XX-XX-XX &ap=00-XX-XX-XX-XX-XX&mac=00-XX-XX-XX-XX-XX&sessionid=4adb5f4000000001&nasid=nas01 &md=A9EA5F98B104F41FC330CFE44B2681ADReply (success), with optional bandwidth limitations (80 kilobits per second = 10 kilobyte per second):
Auth: 1 Idle-Timeout: 300 Session-Timeout: 3600 Acct-Interim-Interval: 300 ChilliSpot-Bandwidth-Max-Up: 80 ChilliSpot-Bandwidth-Max-Down: 80Reply (reject), with optional Redirection URL:
Auth: 0 WISPr-Redirection-URL: http://remote-site/YouAreBanned.