[PATCH] Define the NAS-Port-Id RADIUS attribute.

Jouni Malinen j at w1.fi
Sun Feb 7 02:19:14 PST 2016


On Sat, Feb 06, 2016 at 11:54:03AM +0000, Nick Lowe wrote:
> There is then a need to, subsequently, add code to actually send this
> attribute in Access-Request and Accounting-Request packets, populated
> with the ifname.

What would be the use for NAS-Port-Id? RFC 2869 seems to imply that
either NAS-Port or NAS-Port-Id would be included, but not both. There is
already code to add NAS-Port. Furthermore, NAS-Port-Id seems to be
described as a fallback option if the "ports" cannot be numbered.

> Correction is also needed for the NAS-Port attribute as this is
> presently included with a value of 0 where the association id is not
> available. Either the attribute should not be present when that occurs
> (which is most of the time), or it should contain the ifindex (better)
> for the virtual interface. The current implementation does not comply
> with RFC 3580 by sending 0.

With drivers that use hostapd for AP SME, the AID should always be known
for the normal association case. For RSN pre-authentication, there is no
AID and it would probably make sense to drop NAS-Port completely since
that authentication is not for an immediate data connection.

With drivers that implement AP SME internally, the AID may not be known
to hostapd. Since this can be determined when starting the AP, all
NAS-Port values from such an AP could be changed to use the ifindex of
the wlan# interface or port number of the bridge if that interface is in
a bridge. That said, neither of these are necessarily fixed values,
i.e., they may change for each restart of hostapd. As such, I'm not
sure what value these would have for the RADIUS server. Then again, that
would also apply for Association ID. I don't see how the RADIUS server
would behave any differently based on the exact NAS-Port value with a
NAS that is an IEEE 802.11 AP.

> We need to continue to ensure and be careful that the NAS-Port value
> is consistent in Access-Request and subsequent Accounting-Request
> packets.

That is not the case with IEEE 802.11. The Association ID can change
for each re-association and a single EAP authentication can be shared
between multiple re-associations. In other words, NAS-Port used in
Accounting-Request for a specific session that uses the same
Acct-Multi-Session-Id with a single authentication exchange can be
different.

-- 
Jouni Malinen                                            PGP id EFC895FA
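The thread above argues about three things: that RFC 2869 expects a NAS to send either NAS-Port or NAS-Port-Id, not both; that a NAS-Port of 0 when the association ID is unknown is not useful; and that for RSN pre-authentication there is no port to report at all. The following Python is an added example, not hostapd code and not anything either poster wrote. It encodes RADIUS attributes as RFC 2865 type/length/value triples (NAS-Port is type 5, NAS-Port-Id is type 87), chooses which port attribute to emit from the inputs discussed in the thread (AID, ifindex, ifname, pre-authentication), and includes a checker a RADIUS-side reviewer could run over a decoded attribute list to flag the two problems the thread names. The function and parameter names are assumptions made for this example.

```python
"""Port attribute selection for an 802.11 NAS, modelled on the hostap thread.

Added example; not hostapd's implementation. Attribute numbers come from
RFC 2865 (NAS-Port = 5) and RFC 2869 (NAS-Port-Id = 87).
"""
import struct

NAS_PORT = 5        # integer, RFC 2865 section 5.5
NAS_PORT_ID = 87    # text, RFC 2869 section 5.17


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value(<=253)."""
    if isinstance(value, int):
        payload = struct.pack("!I", value)       # RADIUS integers are 32-bit big-endian
    elif isinstance(value, str):
        payload = value.encode("utf-8")
    else:
        payload = bytes(value)
    if len(payload) > 253:
        raise ValueError("attribute value too long for one attribute")
    return struct.pack("!BB", attr_type, 2 + len(payload)) + payload


def decode_attrs(data):
    """Walk a concatenated attribute list, validating every length field."""
    attrs = []
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[off + 2:off + length]))
        off += length
    return attrs


def port_attrs(aid=None, ifindex=None, ifname=None, preauth=False):
    """Pick the port attribute(s) for an Access-Request/Accounting-Request.

    Mirrors the thread's reasoning:
    - RSN pre-authentication has no data port, so send nothing.
    - With hostapd-side AP SME the AID is known; use it as NAS-Port.
    - With driver-side AP SME the AID may be unknown; fall back to the
      interface index rather than sending NAS-Port = 0.
    - Only when the port cannot be numbered at all use NAS-Port-Id (ifname),
      and never send both attributes together.
    """
    if preauth:
        return []
    if aid is not None:
        return [encode_attr(NAS_PORT, aid)]
    if ifindex is not None:
        return [encode_attr(NAS_PORT, ifindex)]
    if ifname:
        return [encode_attr(NAS_PORT_ID, ifname)]
    return []


def check_port_attrs(attrs):
    """Return the problems the thread names, found in a decoded attribute list."""
    problems = []
    types = [t for t, _ in attrs]
    if NAS_PORT in types and NAS_PORT_ID in types:
        problems.append("both NAS-Port and NAS-Port-Id present")
    for t, value in attrs:
        if t == NAS_PORT and len(value) == 4 and struct.unpack("!I", value)[0] == 0:
            problems.append("NAS-Port is 0 (port unknown; attribute should be omitted)")
    return problems


if __name__ == "__main__":
    # Constructed sample: an AP with AID 3 for the normal association case.
    wire = b"".join(port_attrs(aid=3))
    print(wire.hex(), check_port_attrs(decode_attrs(wire)))
    # Constructed sample of the behaviour the thread objects to: NAS-Port = 0.
    bad = encode_attr(NAS_PORT, 0) + encode_attr(NAS_PORT_ID, "wlan0")
    print(check_port_attrs(decode_attrs(bad)))
```

The selection order in port_attrs is the point of the example: it never produces a NAS-Port of 0, never emits NAS-Port together with NAS-Port-Id, and drops the port entirely for pre-authentication, which is the behaviour Jouni describes as sensible. The checker is the mirror image, usable on the RADIUS server side to spot a NAS that does either of the things the thread calls out.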