NicoNetWLSEC
Nikolay Vernyayev
[WIFI ACCESS CONTROL: PART I]
RADIUS Users Attributes Verification for WiFi access control. DD-WRT, ChilliSpot, FreeRADIUS, MySQL based solution. Applied for FreeBSD OS.
WiFi Access Control: RADIUS Users Attributes Verification
Contents
Preface
Hardware and Software requirements
Database description
RADIUS Check Attributes
MAC address based Authentication
ChilliSpot configuration
Client Access-Request attributes list
Client Access Control
RADIUS Authentication/Check attributes
RADIUS Reply Attributes
SandBox: Transparent unlimited network access for registered clients
Solution Overview
System Configuration
Shared Profile definition
User Profile Definition
Associating User with Group
Verification
Appendix A: Radius Attributes
Preface
Hardware and Software requirements
NAS (Network Access System):
o Hardware: WRT54GL v1.1
o Software: DD-WRT STD v24 Final w/ Chilli HotSpot
RADIUS Server:
o Hardware: Any FreeBSD supported PC
o Software: FreeRADIUS w/ MySQL
Database description
RADIUS Check Attributes
Location: radcheck table
Purpose: list of attributes that must be checked by the RADIUS Server during authorization.
MAC address based Authentication
Permanent and transparent access to the network based on MAC address authentication is described in this chapter. It also provides a solution for unlimited client access to the network, based on MAC address authentication combined with ChilliSpot configuration parameters and specified reply attributes, which can be used for network access by permanent users (simple scenario).
ChilliSpot configuration
| Option | Description | Default |
|---|---|---|
| macauth | Set MAC address based authentication option enabled. If this option is given ChilliSpot will try to authenticate all users based on their MAC address alone. The User-Name sent to the radius server will consist of the MAC address and an optional suffix which is specified by the macsuffix option. If the macauth option is specified the macallowed option is ignored. | disabled |
| macsuffix | Suffix to add to the MAC address in order to form the User-Name, which is sent to the radius server | not defined |
| macallowed | List of allowed MAC addresses, separated by comma (,) | not defined: all MACs are allowed |
| macpasswd | Password used when performing MAC authentication. | password |
Client Access-Request attributes list
| Attribute | Value | Notes |
|---|---|---|
| Packet-Type | Access-Request | |
| User-Name | Client MAC address | If macsuffix is defined in ChilliSpot, @defined_suffix will follow the MAC address. |
| User-Password | Password used when performing MAC authentication (default = password) | Configurable by the macpasswd parameter in ChilliSpot |
| Calling-Station-Id | Client MAC address | Clean client MAC address in format XX-XX-XX-XX-XX-XX |
| Called-Station-Id | NAS MAC address | |
| NAS-Port | NAS port | NAS port which is used by the NAS to provide services |
| NAS-IP-Address | NAS IP Address | In case of WDS or other repeating, the address will be 0.0.0.0 |
| Service-Type | Login-User | |
| NAS-Identifier | NAS name | NAS name is defined in the ChilliSpot configuration |
| Acct-Session-Id | Accounting session ID in HEX | |
| NAS-Port-Type | Wireless-802.11 | WiFi services only |
| Message-Authenticator | Access request authenticator in HEX | |
Access-Request Example:
Packet-Type = Access-Request
User-Name = "XX-XX-XX-XX-XX-XX"
User-Password = "password"
Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
Called-Station-Id = "YY-YY-YY-YY-YY-YY"
NAS-Port = PP
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
NAS-Identifier = "NASname"
Acct-Session-Id = "48382e1a0000000b"
NAS-Port-Type = Wireless-802.11
Message-Authenticator = 0x7c20751e7afce2000e9702e30c8486be
Client Access Control
Client Access control based on MAC authentication is usable for transparent access of permanent network clients. If the client's MAC address or MAC@suffix (depending on implementation) is not in the radcheck table in the RADIUS database, login for the accessing client will fail, and the client will be redirected to the hotspot login page during the first attempt to browse the Internet. All access will then be disabled by ChilliSpot except Skype, which can be used without successful authentication (this case has to be placed on the to-do list as an access leak issue).
With the described methods the following access verifications can be provided:
- User access verification by MAC address, with or without the @suffix specified by macsuffix
- NAS user access verification by the configured macpasswd, coupled with user access verification by MAC or MAC@suffix
- NAS user access verification by NAS MAC address, personal (per client) and grouped
- NAS user access verification by NAS name (identifier), personal (per client) and grouped
- Access Service verification to provide only WiFi Services, personal (per client) and grouped
All of the described methods can be utilized in a Network Access Solution to provide access to the network in the following scenarios:
- Provide transparent access to WiFi networks with no hotspot web login utilization
- Restrict access from non-WiFi networks
- Grant access from specified NASs for a specified user or group of users, to separate network access by segments.
- Geographically separated access, by providing access to a client only from a specified NAS or a specified group of NASs.
RADIUS Authentication/Check attributes
RADIUS check attributes have to be verified by the RADIUS Server before access to the network is granted to a user. If verification of the attributes fails, or the user is simply not listed in the RADIUS database, login will fail. To avoid confusion between radcheck and radgroupcheck verification and the meaning of the group check process in FreeRADIUS, it is recommended, for a concrete result, to use the listed attributes in the radcheck table.
NAS Service verification
The solutions provided are applicable to Wireless-802.11 NAS-Port-Type WiFi access services only. Each user can be verified personally for valid access from a valid network type by placing the following attribute check in the radcheck table of the RADIUS Server:
| Username | Attribute | Operation | Value |
|---|---|---|---|
| Client MAC Address: XX-XX-XX-XX-XX-XX (optional: XX-XX-XX-XX-XX-XX@suffix) | NAS-Port-Type | == | Wireless-802.11 |
This type of verification will ensure that the user has access from a WiFi network; otherwise login will fail.
NAS password match verification
A client MAC and MAC password match isolates access of a client with a specified MAC address from a specified NAS by password verification; the password is defined in the NAS's ChilliSpot configuration.
| Username | Attribute | Operation | Value |
|---|---|---|---|
| Client MAC Address: XX-XX-XX-XX-XX-XX (optional: XX-XX-XX-XX-XX-XX@suffix) | Password | == | Password |
Possible utilization: one specified group of NASs can be configured with the same macpasswd parameter and another group of NASs with a different macpasswd parameter. In this case, one group of users can be configured to be validated by MAC address and password for one group of NASs and another group of users for the other NASs, separated by a different password match.
Example: NAS1 and NAS2 are configured with macpasswd=nas_group1; NAS3 is configured with macpasswd=nas_group2. Two clients with MAC1 and MAC2 are configured in radcheck to match password nas_group2, and the client with MAC3 is configured to match password nas_group1. In this scenario, MAC1 and MAC2 will have access to the network only when connecting to NAS3, and MAC3 will be allowed access on NAS1 and NAS2. If clients are not authorized for access, they will be redirected to the ChilliSpot login page; otherwise, access to the network will be granted depending on the reply message attributes configured for those clients.
NAS verification
A client can be verified for access from a specified NAS by verifying the NAS MAC address, which is the Called-Station-Id attribute in the Access-Request, or the NAS name, which is the NAS-Identifier attribute in the Access-Request. The NAS MAC is defined by hardware or firmware and can be used for an exact matching verification method. The NAS name is a configurable NAS option and can be used to verify access through a group of NASs, in case those NASs have the same NAS identifier (name).
The following verification can be placed in the radcheck table of the RADIUS Server database to verify access of a specified client from a specified NAS:
| Username | Attribute | Operation | Value |
|---|---|---|---|
| Client MAC Address: XX-XX-XX-XX-XX-XX (optional: XX-XX-XX-XX-XX-XX@suffix) | Called-Station-Id | == | NAS MAC Address, in format XX-XX-XX-XX-XX-XX |
RADIUS Reply Attributes
After successful verification of the Access-Request attributes, the RADIUS Server has to provide Reply Attributes to the NAS for the specified client session. Reply Attributes can be used to place additional access limitations on the client's session or, conversely, to grant it access; session accounting and failover control can be provided as well.
Session Accounting Control Reply Attributes
A number of reply attributes serve to improve billing fraud protection. The main task is to determine whether the client is still online and using the network, or has already been disconnected for some reason other than a normal disconnection such as client disconnection/logout from the network.
Proving ChilliSpot Authorization
The mandatory attribute that MUST be used in Reply Attributes when ChilliSpot is in charge of authorization control is Service-Type = ChilliSpot-Authorize-Only. This attribute ensures that the session will be controlled by ChilliSpot after RADIUS authentication and that ChilliSpot will provide correct accounting data to the RADIUS Server. This attribute is best placed in the radgroupreply table of the RADIUS Server database:
| Groupname | Attribute | Operation | Value |
|---|---|---|---|
| Users Groupname | Service-Type | = | ChilliSpot-Authorize-Only |
Note: If the ChilliSpot attributes dictionary is not included in the FreeRADIUS dictionary, then any authentication for any session using this attribute will be rejected with an attribute octet error.
Session Termination control by idle timeout
Also, session termination timeouts have to be provided for specified client sessions to reduce billing fraud. The attribute in charge here is Idle-Timeout, which defines the client's session timeout in seconds: the amount of time the client has not used the connection (no traffic), after which the session has to be terminated. The regular value of this parameter is 600 sec. (10 min.): Idle-Timeout = 600. This attribute can be placed either in the radreply or in the radgroupreply table, for personal or for grouped configuration of user session reply attributes. In case of grouped configuration this attribute has to be implemented as follows:
| Groupname | Attribute | Operation | Value |
|---|---|---|---|
| Users Groupname | Idle-Timeout | = | XXX |
XXX is the amount of time in seconds.
If Idle-Timeout is defined for a user in radreply and for the group the user is a member of in radgroupreply, then the value from radreply will be overridden.
Accounting Interval Control
The Acct-Interim-Interval attribute defines the period of time at which ChilliSpot will provide accounting data to the RADIUS Server. The shorter this interval (in seconds), the sharper billing can be. The regular value is 60 sec. (accounting data transmission each minute): Acct-Interim-Interval = 60. Decreasing this parameter increases the load on the network and the RADIUS Server database, but as a bonus gives sharper accounting data, which can be utilized for a prepaid scenario, for example. The optimized way is to define this reply attribute in the radgroupreply table (but it can be defined individually for a specified user):
| Groupname | Attribute | Operation | Value |
|---|---|---|---|
| Users Groupname | Acct-Interim-Interval | = | XXX |
XXX is the amount of time in seconds.
Mandatory accepting the authorized session
The Auth-Type attribute must be equal to Accept for each authorized client session: Auth-Type = Accept. Otherwise, the RADIUS server will provide an Authorization Reject according to the default files configuration.
All of the listed attributes can be specified either per user or per group. The optimized solution is to place all of these attributes in the radgroupreply table of the RADIUS server database, for all grouped clients' reply attributes.
| Groupname | Attribute | Operation | Value |
|---|---|---|---|
| Users Groupname | Auth-Type | = | Accept |
Session Limitation Control Reply Attributes
Reply Attributes may control a number of limitations of a client's session, such as usage time limitation, restricting or granting access to a specified network area, etc. Different network access scenarios can be built here based on combinations of Reply Attributes.
Session duration limitation
The generic limitation reply attribute is Session-Timeout, which limits the continuation of a session to a specified amount of time (in sec.). If Session-Timeout = 3600 then the session will not be disconnected by the Access System during 3600 sec. (1 hr.). But in case of MAC authentication, the user will be reconnected for the next 1 hour time slice. For this reason the Session-Timeout attribute cannot be used alone as a mandatory time limitation attribute. This attribute can be applied together with the FreeRADIUS counter functionality, which allows building logic that verifies specified usage of time, upload/download values or an end date, to determine whether to reject or grant access for the client in the next time slice. This scenario can be qualified as a pseudo-prepaid mechanism for public access networks. In case of the pseudo-prepaid scenario, Session-Timeout should be defined in radgroupreply for the prepaid group of users.
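The time-slice decision described above, as an added example (a simplified model, not FreeRADIUS's counter module and not code from the original document). It shows that a MAC-authenticated client keeps receiving new slices under Session-Timeout alone, while a usage counter caps the total. The record layout, function names and sample figures are assumptions made for the illustration.

```python
MAC = "00-13-02-A2-5C-B9"   # sandbox client MAC used elsewhere on the page

# Constructed accounting records: one finished session and one still open.
RECORDS = [
    {"User-Name": MAC, "Acct-Session-Id": "A1", "Acct-Status-Type": "Start"},
    {"User-Name": MAC, "Acct-Session-Id": "A1",
     "Acct-Status-Type": "Interim-Update", "Acct-Session-Time": 60},
    {"User-Name": MAC, "Acct-Session-Id": "A1",
     "Acct-Status-Type": "Stop", "Acct-Session-Time": 3600},
    {"User-Name": MAC, "Acct-Session-Id": "B2", "Acct-Status-Type": "Start"},
    {"User-Name": MAC, "Acct-Session-Id": "B2",
     "Acct-Status-Type": "Interim-Update", "Acct-Session-Time": 1800},
]

def used_seconds(records, user):
    """Time consumed so far, counting each Acct-Session-Id once."""
    latest = {}
    for rec in records:
        if rec["User-Name"] != user:
            continue
        sid = rec["Acct-Session-Id"]
        # Interim updates and the final Stop carry cumulative session time,
        # so keep the largest value seen instead of adding every record.
        latest[sid] = max(latest.get(sid, 0), rec.get("Acct-Session-Time", 0))
    return sum(latest.values())

def next_slice(records, user, allowance, slice_len=3600):
    """Return ('reject', None) or ('accept', Session-Timeout for the next slice)."""
    remaining = allowance - used_seconds(records, user)
    if remaining <= 0:
        return "reject", None
    return "accept", min(slice_len, remaining)

def simulate_reauth(user, allowance, slice_len, attempts):
    """Replay automatic MAC re-authentication; return the timeouts granted."""
    records, granted = [], []
    for n in range(attempts):
        decision, timeout = next_slice(records, user, allowance, slice_len)
        if decision == "reject":
            break
        granted.append(timeout)
        # The client uses the whole slice, then the NAS reports a Stop record.
        records.append({"User-Name": user, "Acct-Session-Id": "S%d" % n,
                        "Acct-Status-Type": "Stop", "Acct-Session-Time": timeout})
    return granted

if __name__ == "__main__":
    print(next_slice(RECORDS, MAC, allowance=7200))
    print(simulate_reauth(MAC, 9000, 3600, 10))          # capped by the counter
    print(simulate_reauth(MAC, float("inf"), 3600, 5))   # Session-Timeout alone
```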
Access limitation to specified network area
The ChilliSpot-UAM-Allowed reply attribute overrides the uamallowed configuration parameter of the ChilliSpot system. The value of this attribute can contain a list of IP addresses, subnets and URLs that the client is allowed to access. In a normal access control scenario, ChilliSpot has to be configured to grant non-authorized users access only to the network hotspot login page/site; but when a client has passed MAC authentication and the login has been accepted by the RADIUS Server, the RADIUS Server has to notify ChilliSpot to provide access to specified sites or to all of the network. If the client accessed the network through the hotspot login page, ChilliSpot will grant access to the network automatically. The following configuration can be used here:
ChilliSpot server:
macauth=enable
uamallowed=x.x.x.x,y.y.y.y,www.mynet.com/info
where x.x.x.x is the IP address of the web server where the hotspot login script is located, y.y.y.y is the IP address of the DNS server that must be accessible by unauthorized clients, and the shown URL is an information site that can be provided to give more information about your network.
RADIUS Server:
| Groupname | Attribute | Operation | Value |
|---|---|---|---|
| Users Groupname | ChilliSpot-UAM-Allowed | = | * |
Star (*) means that access will be granted to all of the network.
In this configuration, if the client is registered in the RADIUS Server database for MAC authentication (as described before) and assigned to a group where the ChilliSpot-UAM-Allowed reply attribute is configured, then the user will pass authorization transparently, the ChilliSpot uamallowed parameter will be overridden by the ChilliSpot-UAM-Allowed reply attribute, and the user will get access to all of the network.
SandBox: Transparent unlimited network access for registered clients
This is an example of planning the configuration of check attributes for the request message and of forming reply attributes to provide transparent authentication and unlimited access to the network for a permanent user (Permanent Unlimited Network Access), as a simplified scenario.
Solution Overview
We need to provide unlimited access to registered clients for postpaid billing. The client has to be authenticated by MAC address, and full unlimited network access must be granted after successful authentication. The collected accounting data must be used for the postpaid invoices provided to the client.
System Configuration
- NAS configured with NAS name NicoNetWLS0
- ChilliSpot macauth is enabled
- ChilliSpot macpasswd is default (password)
- ChilliSpot macsuffix is empty
- Users Group Name is PIAR (from Spanish Permanente e Ilimitado Acceso a la Red)
Shared Profile definition
Shared Profile means a number of RADIUS reply attributes that must be applied to the clients' authentication/accounting process on the RADIUS Server.
Defining reply group attributes
Attributes for the radgroupreply table:
Service-Type = ChilliSpot-Authorize-Only
Idle-Timeout = 600
Acct-Interim-Interval = 60
ChilliSpot-UAM-Allowed = *
Auth-Type = Accept
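Creating Shared Profile by MySQL Commands
-- Reply attributes shared by every member of group PIAR
INSERT INTO radgroupreply (groupname,attribute,value) VALUES ('PIAR','Service-Type','ChilliSpot-Authorize-Only');
INSERT INTO radgroupreply (groupname,attribute,value) VALUES ('PIAR','Idle-Timeout','600');
INSERT INTO radgroupreply (groupname,attribute,value) VALUES ('PIAR','Acct-Interim-Interval','60');
INSERT INTO radgroupreply (groupname,attribute,value) VALUES ('PIAR','ChilliSpot-UAM-Allowed','*');
INSERT INTO radgroupreply (groupname,attribute,value) VALUES ('PIAR','Auth-Type','Accept');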
Result of SELECT * FROM radgroupreply WHERE groupname='PIAR'; should be as follows:
| id | groupname | attribute | op | value |
|---|---|---|---|---|
| 1 | PIAR | Acct-Interim-Interval | = | 60 |
| 2 | PIAR | Idle-Timeout | = | 600 |
| 3 | PIAR | ChilliSpot-UAM-Allowed | = | * |
| 4 | PIAR | Auth-Type | = | Accept |
| 5 | PIAR | Service-Type | = | ChilliSpot-Authorize-Only |
User Profile Definition
User Profile means a number of checked Access-Request attributes and reply attributes that must be defined personally for each specified user. In this scenario all we need is to verify the client's MAC address and the provided password. If the client's MAC address is defined as the User-Name attribute in the radcheck table, that itself is the sign of a registered user. We can use the NAS password verification method to register the client's MAC address (MAC address provided as an example):
INSERT INTO radcheck (username,attribute,value) VALUES ('00-13-02-A2-5C-B9','Password','password');
But to improve access security, the user also has to be checked for the correct Service Type and for a valid NAS used for the connection:
NAS-Port-Type == Wireless-802.11
NAS-Identifier == NicoNetWLS0
SQL commands will be as below:
INSERT INTO radcheck (username,attribute,value) VALUES ('00-13-02-A2-5C-B9','NAS-Port-Type','Wireless-802.11');
INSERT INTO radcheck (username,attribute,value) VALUES ('00-13-02-A2-5C-B9','NAS-Identifier','NicoNetWLS0');
Result of SELECT * FROM radcheck WHERE username="00-13-02-A2-5C-B9"; should be as follows:
| id | username | attribute | op | value |
|---|---|---|---|---|
| 1 | 00-13-02-A2-5C-B9 | Password | == | password |
| 2 | 00-13-02-A2-5C-B9 | NAS-Port-Type | == | Wireless-802.11 |
| 3 | 00-13-02-A2-5C-B9 | NAS-Identifier | == | NicoNetWLS0 |
Associating User with Group
To make this scheme work we need to associate the created user with group PIAR in the radusergroup table:
INSERT INTO radusergroup (username, groupname, priority) VALUES ('00-13-02-A2-5C-B9','PIAR',1);
Result of SELECT * FROM radusergroup WHERE username="00-13-02-A2-5C-B9"; should be as follows:
| id | username | groupname | priority |
|---|---|---|---|
| 1 | 00-13-02-A2-5C-B9 | PIAR | 1 |
Verification
After the following Auth Request:
User-Name = "00-13-02-A2-5C-B9"
User-Password = "password"
Calling-Station-Id = "00-13-02-A2-5C-B9"
Called-Station-Id = "00-1E-E5-57-62-61"
NAS-Port = 1
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
NAS-Identifier = "NicoNetWLS0"
Acct-Session-Id = "4838967200000001"
NAS-Port-Type = Wireless-802.11
Message-Authenticator = 0xdffcee5c46f3f9f69d018ccd64d488a9
RADIUS should reply:
Idle-Timeout = 600
Acct-Interim-Interval = 60
ChilliSpot-UAM-Allowed = "*"
Service-Type = ChilliSpot-Authorize-Only
And ChilliSpot will send the first accounting message to the RADIUS Server:
Acct-Status-Type = Start
User-Name = "00-13-02-A2-5C-B9"
Class = 0x30373032333435363738
Calling-Station-Id = "00-13-02-A2-5C-B9"
Called-Station-Id = "00-1E-E5-57-62-61"
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
NAS-Port-Id = "00000001"
NAS-IP-Address = 0.0.0.0
NAS-Identifier = "NicoNetWLS0"
Framed-IP-Address = 10.5.0.45
Acct-Session-Id = "4838967200000001"
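The sandbox tables and the Access-Request above, replayed against a simplified model of the radcheck `==` comparison and the radgroupreply merge (an added example, not FreeRADIUS code and not from the original document; it also illustrates the per-NAS checks from the NAS verification sections). The reduced schema, the function names and the second client registered with a Password row only are assumptions made for the illustration.

```python
import sqlite3

# Reduced versions of the three FreeRADIUS SQL tables used on this page.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,
                       attribute TEXT, op TEXT DEFAULT '==', value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT,
                            attribute TEXT, op TEXT DEFAULT '=', value TEXT);
CREATE TABLE radusergroup (id INTEGER PRIMARY KEY, username TEXT,
                           groupname TEXT, priority INTEGER);
"""
MAC = "00-13-02-A2-5C-B9"    # sandbox client from the page
BARE = "00-00-5E-00-53-01"   # constructed client registered with a Password row only
NAS_BINDING = ("NAS-Port-Type", "NAS-Identifier", "Called-Station-Id")

def build_db():
    """Load the page's sandbox rows plus the constructed BARE client."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO radcheck (username, attribute, value) VALUES (?, ?, ?)",
        [(MAC, "Password", "password"),
         (MAC, "NAS-Port-Type", "Wireless-802.11"),
         (MAC, "NAS-Identifier", "NicoNetWLS0"),
         (BARE, "Password", "password")])
    db.executemany(
        "INSERT INTO radgroupreply (groupname, attribute, value) VALUES (?, ?, ?)",
        [("PIAR", "Service-Type", "ChilliSpot-Authorize-Only"),
         ("PIAR", "Idle-Timeout", "600"),
         ("PIAR", "Acct-Interim-Interval", "60"),
         ("PIAR", "ChilliSpot-UAM-Allowed", "*"),
         ("PIAR", "Auth-Type", "Accept")])
    db.execute("INSERT INTO radusergroup (username, groupname, priority) "
               "VALUES (?, 'PIAR', 1)", (MAC,))
    return db

def authorize(db, request):
    """Return (decision, reason, reply) for one Access-Request dict."""
    user = request.get("User-Name", "")
    checks = db.execute(
        "SELECT attribute, value FROM radcheck "
        "WHERE username = ? AND op = '==' ORDER BY id", (user,)).fetchall()
    if not checks:
        return "reject", "user not in radcheck", {}
    for attribute, expected in checks:
        # The Password check item is compared with User-Password in the request.
        key = "User-Password" if attribute == "Password" else attribute
        if request.get(key) != expected:
            return "reject", attribute + " mismatch", {}
    rows = db.execute(
        "SELECT g.attribute, g.value FROM radusergroup u "
        "JOIN radgroupreply g ON g.groupname = u.groupname "
        "WHERE u.username = ? ORDER BY u.priority, g.id", (user,))
    # Auth-Type steers the server itself; the page's expected reply omits it.
    reply = {a: v for a, v in rows if a != "Auth-Type"}
    return "accept", "", reply

def unbound_users(db):
    """Users whose radcheck rows pin no NAS attribute (Password row only)."""
    marks = ",".join("?" * len(NAS_BINDING))
    rows = db.execute(
        "SELECT username FROM radcheck GROUP BY username "
        "HAVING SUM(attribute IN (" + marks + ")) = 0 ORDER BY username",
        NAS_BINDING)
    return [r[0] for r in rows]

# Access-Request from the page's Verification section (attributes that matter here).
SANDBOX_REQUEST = {
    "User-Name": MAC, "User-Password": "password",
    "Called-Station-Id": "00-1E-E5-57-62-61", "NAS-Identifier": "NicoNetWLS0",
    "NAS-Port-Type": "Wireless-802.11", "Service-Type": "Login-User"}

if __name__ == "__main__":
    db = build_db()
    print(authorize(db, SANDBOX_REQUEST))
    print(authorize(db, {**SANDBOX_REQUEST, "NAS-Identifier": "OtherNAS"}))
    print("no NAS binding:", unbound_users(db))
```

A client listed by `unbound_users` is accepted from any NAS and any port type that presents the shared macpasswd, which is why the page adds the NAS-Port-Type and NAS-Identifier rows.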
Appendix A: Radius Attributes
ChilliSpot supports the following radius attributes:
| Attribute | # | Type | Description |
|---|---|---|---|
| User-Name | | String | Full username as entered by the user. |
| User-Password | 2 | String | Used for UAM as alternative to CHAP-Password and CHAP-Challenge. |
| CHAP-Password | | String | Used for UAM |
| CHAP-Challenge | 60 | String | Used for UAM |
| EAP-Message | 79 | String | Used for WPA |
| NAS-IP-Address | | IPaddr | IP address of Chilli (set by the radiusnasip or radiuslisten option). If neither radiuslisten nor nasipaddress are set NAS-IP-Address is set to "0.0.0.0". |
| Service-Type | | Integer | Set to Login (1) for normal authentication requests. For RFC 2882 style configuration management Access-Request messages to the radius server this is set to ChilliSpot-Authorize-Only (0x38df0001). The Access-Accept message from the radius server for configuration management messages must also be set to ChilliSpot-Authorize-Only (0x38df0001). |
| Framed-IP-Address | | IPaddr | IP address of the user. |
| Reply-Message | 18 | String | Reason of reject if present. |
| State | 24 | String | Sent to chilli in Access-Accept or Access-Challenge. Used transparently in subsequent Access-Request. |
| Class | 25 | String | Copied transparently by chilli from Access-Accept to Accounting-Request. |
| Session-Timeout | 27 | Integer | Logout once session timeout is reached (seconds) |
| Idle-Timeout | 28 | Integer | Logout once idle timeout is reached (seconds) |
| Called-Station-ID | 30 | String | Set to the radiuscalled command line option or the MAC address of ChilliSpot if not present. |
| Calling-Station-ID | 31 | String | MAC address of client |
| NAS-ID | 32 | String | Set to radiusnasid option if present. |
| Acct-Status-Type | 40 | Integer | 1=Start, 2=Stop, 3=Interim-Update |
| Acct-Input-Octets | 42 | Integer | Number of octets received from client. |
| Acct-Output-Octets | 43 | Integer | Number of octets transmitted to client. |
| Acct-Session-ID | 44 | String | Unique ID to link Access-Request and Accounting-Request messages. |
| Acct-Session-Time | 46 | Integer | Session duration in seconds. |
| Acct-Input-Packets | 47 | Integer | Number of packets received from client. |
| Acct-Output-Packets | 48 | Integer | Number of packets transmitted to client. |
| Acct-Terminate-Cause | 49 | Integer | 1=User-Request, 2=Lost-Carrier, 4=Idle-Timeout, 5=Session-Timeout, 11=NAS-Reboot |
| Acct-Input-Gigawords | 52 | Integer | Number of times the Acct-Input-Octets counter has wrapped around. |
| Acct-Output-Gigawords | 53 | Integer | Number of times the Acct-Output-Octets counter has wrapped around. |
| NAS-Port-Type | 61 | Integer | 19=Wireless-IEEE-802.11 |
| Message-Authenticator | 80 | String | Is always included in Access-Request. If present in Access-Accept, Access-Challenge or Access-Reject chilli will validate that the Message-Authenticator is correct. |
| Acct-Interim-Interval | 85 | Integer | If present in Access-Accept chilli will generate interim accounting records with the specified interval (seconds). |
| WISPr-Location-ID | 14122, 1 | String | Location ID is set to the radiuslocationid option if present. Should be in the format: isocc=<ISO_Country_Code>, cc=<E.164_Country_Code>,ac=<E.164_Area_Code>,network=<ssid/ZONE> |
| WISPr-Location-Name | 14122, 2 | String | Location Name is set to the radiuslocationname option if present. Should be in the format: <HOTSPOT_OPERATOR_NAME>,<LOCATION> |
| WISPr-Logoff-URL | 14122, 3 | String | Chilli includes this attribute in Access-Request messages in order to notify the operator of the logoff URL to use for logging off clients. Defaults to "http://192.168.182.1:3990/logoff". |
| WISPr-Redirection-URL | 14122, 4 | String | If present the client will be redirected to this URL once authenticated. This URL should include a link to WISPr-Logoff-URL in order to enable the client to log off. |
| WISPr-Bandwidth-Max-Up | 14122, 7 | Integer | Maximum transmit rate (b/s). Limits the bandwidth of the connection. Note that this attribute is specified in bits per second. |
| WISPr-Bandwidth-Max-Down | 14122, 8 | Integer | Maximum receive rate (b/s). Limits the bandwidth of the connection. Note that this attribute is specified in bits per second. |
| | | | The time when the user should be disconnected in ISO 8601 format (YYYY-MM-DDThh:mm:ssTZD). If TZD is not specified local time is assumed. For example a disconnect on 18 December 2001 at 7:00 PM UTC would be specified as 2001-12-18T19:00:00+00:00. |
| ChilliSpot-Max-Input-Octets | 14559, 1 | Integer | Maximum number of octets the user is allowed to transmit. After this limit has been reached the user will be disconnected. |
| ChilliSpot-Max-Output-Octets | 14559, 2 | Integer | Maximum number of octets the user is allowed to receive. After this limit has been reached the user will be disconnected. |
| ChilliSpot-Max-Total-Octets | 14559, 3 | | Maximum number of octets the user is allowed to transfer (sum of octets transmitted and received). After this limit has been reached the user will be disconnected. |
| ChilliSpot-UAM-Allowed | | | When received from the radius server in an RFC 2882 style configuration management message this attribute will override the uamallowed command line option. |
| ChilliSpot-MAC-Allowed | | | When received from the radius server in an RFC 2882 style configuration management message this attribute will override the macallowed command line option. |
| ChilliSpot-MAC-Interval | | | When received from the radius server in an RFC 2882 style configuration management message this attribute will override the interval command line option. |
| MS-MPPE-Send-Key | 311, 16 | String | Used for WPA |
| MS-MPPE-Recv-Key | 311, 17 | String | Used for WPA |