coova / coova-chilli

CoovaChilli is an open-source software access controller for captive portal hotspots.

RADIUS_PROXYVSA length #262

Open vsidou opened 8 years ago

vsidou commented 8 years ago

Hello,

I've been working on identifying APs using Location functionalities and MAC authentication. The APs are of brand Aruba and I use a Linux box for Coova Chilli.

The AP location attr is: HS_RADPROXY_LOCATTR=14823,6

Connecting to the AP, MAC auth and location are working fine. Roaming to another AP also works fine. But after some retries (5 or 8), I get the following error:

VSAs too long

I've checked the code and the only place I could find this message is here:


    if ((appconn->s_state.redir.vsalen + (size_t) attr->l) >
        RADIUS_PROXYVSA) {
      syslog(LOG_WARNING, "VSAs too long");
      return -1;
    }

It should get no more than RADIUS_PROXYVSA: 256. I modified the code in order to log the length and it is quite dynamic. I sometimes get 261, ..., 522, 534.

The strange thing is that at the beginning it seemed to work quite well with length < 256. Can this be an unfreed pointer or cache from coovachilli? Or Aruba side?

Any clue ?

thanks

vsidou commented 8 years ago

Trying to answer myself here, I hope there will be some comments on that:

It seems that the VSA attributes are not "recalled" and therefore they "accumulate". I tried to use the existing radius.c function:

radius_addvsa

I added this in chilli.c after line 3122, in the chilli_proxy_radlocation function:


    } while (attr);

    #ifdef ENABLE_PROXYVSA
      radius_addvsa(pack, &appconn->s_state.redir);
    #endif

This is in order to recall the VSA attribute, and I reset redir->vsalen to 0 in radius_addvsa.

This seems to have solved the issue. I'm not very familiar with internal coovachilli code and I'm quite sure this is not the best practice approach. Could someone comment on that please?

timri commented 8 years ago

I also have a problem with "VSAs too long", however this patch did not help me either. While debugging this, it seems that the VSAs still accumulate when more RADIUS packages are sent. Currently I can login with an unencrypted network, but when trying to use the WAPGuest-Feature, I (often) can't get a connection. After increasing RADIUS_PROXYVSA to 1024 in session.h (I don't know if this is valid, or if this could lead to problems with too large packages or sth. like that), a RADIUS package received by freeradius from chilli looks like:

        User-Name = "jcvhvc"
        State = 0x611d539a651b4a69f9dd06301a6266fd
        EAP-Message = 0x020600061900
        CoovaChilli-Config = "allow-wpa-guests"
        Service-Type = Login-User
        Acct-Session-Id = "57dbcb8b00000002"
        State = 0x611d539a651b4a69f9dd06301a6266fd
        Framed-IP-Address = 10.100.0.3
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 2
        NAS-Port-Id = "00000002"
        Calling-Station-Id = "C0-EE-FB-58-B2-A1"
        Called-Station-Id = "00-25-90-AC-07-6D"
        NAS-IP-Address = 10.100.0.1
        Cisco-AVPair = "ssid=testnetz"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        Cisco-AVPair = "ssid=testnetz-wpa"
        Cisco-AVPair = "service-type=Login"
        CoovaChilli-Location = "ap-test"
        CoovaChilli-Location-Change-Count = 1
        NAS-Identifier = "nas01"
        WISPr-Location-ID = "isocc=,cc=,ac=,network=Coova,"
        WISPr-Location-Name = "My_HotSpot"
        Message-Authenticator = 0x9ff945e428ba0fabb1fa6cc0cd56c6ee

As you can see, I switched between the 2 SSIDs ("testnetz" and "testnetz-wpa") several times. Since WPA needs several packages (request, challenge, reply....) these accumulate quite fast.

(This was done with version 1.3.1.4-15-ga343157 with this patch and the patch from issue #270.)

(I tried to compile chilli without proxyvsa, but location seems to require it?)
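
The accumulation discussed in this thread, modelled as an added example: it is not CoovaChilli code and not a patch from either commenter. The `vsa_store` struct, the function names and the 21- and 26-byte sample attributes are constructed for illustration; only the 256-byte limit comes from the thread. It shows a per-session buffer that is appended to on every proxied request hitting the bound check after a few requests, while a buffer that is emptied at the start of each request never does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROXYVSA_MAX 256  /* the RADIUS_PROXYVSA value quoted in the thread */

/* Hypothetical stand-in for the per-session VSA buffer (not chilli's struct). */
struct vsa_store { uint8_t buf[PROXYVSA_MAX]; size_t len; };

/* Append one raw attribute; refuse it if the buffer would overflow. */
int vsa_append(struct vsa_store *s, const uint8_t *attr, size_t attr_len) {
    if (attr_len > PROXYVSA_MAX - s->len)  /* wrap-safe form of len + l > max */
        return -1;                         /* the "VSAs too long" case */
    memcpy(s->buf + s->len, attr, attr_len);
    s->len += attr_len;
    return 0;
}

/* Store all VSAs of one proxied request. With reset_first set, the buffer is
 * emptied first, so it only ever holds the latest request's attributes. */
int vsa_store_request(struct vsa_store *s, const uint8_t *attrs[],
                      const size_t lens[], size_t n, int reset_first) {
    if (reset_first)
        s->len = 0;
    for (size_t i = 0; i < n; i++)
        if (vsa_append(s, attrs[i], lens[i]) != 0)
            return -1;
    return 0;
}

/* Replay one constructed request up to `rounds` times on the same session;
 * return how many requests were stored before the first rejection. */
int rounds_until_rejected(int rounds, int reset_first) {
    /* Constructed sample: type 26 (Vendor-Specific), 21 and 26 bytes long. */
    static const uint8_t a1[21] = {26, 21}, a2[26] = {26, 26};
    const uint8_t *attrs[] = {a1, a2};
    const size_t lens[] = {sizeof a1, sizeof a2};
    struct vsa_store s = {{0}, 0};
    for (int r = 0; r < rounds; r++)
        if (vsa_store_request(&s, attrs, lens, 2, reset_first) != 0)
            return r;
    return rounds;
}

int main(void) {
    printf("no reset:   rejected after %d requests\n", rounds_until_rejected(20, 0));
    printf("with reset: stored %d of 20 requests\n", rounds_until_rejected(20, 1));
    return 0;
}
```

Raising the limit, as tried above with 1024, only moves the point at which the unreset case is rejected; the buffer still grows with every request.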