Accounting-On and Accounting-Off being sent on a per-BSS basis not per-NAS

Jouni Malinen j at w1.fi
Thu Feb 25 02:41:53 PST 2016


On Thu, Feb 25, 2016 at 10:25:49AM +0000, Nick Lowe wrote:
> What constitutes the whole NAS is where the NAS-Identifier,
> NAS-IP-Address and NAS-IPv6-Address, where present, are the same in
> Access-Requests and Accounting-Requests.
> 
> If we ensured that the NAS-Identifier was different on a per-BSS
> basis, there shouldn't be such a problem with the
> Accounting-On/Accounting-Off behaviour. Any issues would be as a
> result of a RADIUS server mishandling the NAS-Identifier.
> 
> Is that something that we could/should consider?

Whoever (or whatever) configures hostapd already has an option of doing
so with the nas_identifier parameter that is set for each BSS. I don't
think hostapd should be modifying this parameter on its own (e.g., the
proposal of adding a BSSID into this). This can have unexpected changes
when upgrading hostapd without touching configuration. Please note that
nas_identifier is used also for other purposes than RADIUS (mainly, FT
key holder name).

> From RFC 2865:
> 
> "5.32.  NAS-Identifier
> 
>    Description
> 
>       This Attribute contains a string identifying the NAS originating
>       the Access-Request.  It is only used in Access-Request packets.
>       Either NAS-IP-Address or NAS-Identifier MUST be present in an
>       Access-Request packet."

Whoever configures nas_identifier should take that guidance into
account.

> I agree with the idea of making this configurable but with the proviso
> that the default behaviour be changed so that it doesn't cause the
> current problems.

In general, it is a bad idea to change default behavior if there is a
risk of it breaking something. I do not know what exactly the proposed
new default behavior would be, but I find it difficult to see a clean
solution for this that could automatically be determined in a manner
that would cover all possible use cases. As such, I'd rather keep the
current behavior as the default in the future as well.

Please note that there are also devices that use multiple hostapd
processes (one for each BSS), so the issue you describe is not going to
disappear even if the default behavior within a single process would be
changed.

-- 
Jouni Malinen                                            PGP id EFC895FA
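
Added example (not part of the original message and not hostapd code): a check over a multi-BSS hostapd configuration that reports which BSSes present the same NAS identity to the RADIUS server, using the NAS-Identifier plus NAS-IP-Address criterion quoted in the thread. It assumes that `interface=` and `bss=` lines open a BSS section, that `nas_identifier` is not inherited between sections, and that `own_ip_addr` supplies NAS-IP-Address. The sample configuration is constructed.

```python
from collections import defaultdict

# Constructed sample configuration (not from the thread): one radio, three BSSes.
SAMPLE_CONF = """\
interface=wlan0
ssid=corp
nas_identifier=ap1.example.com
own_ip_addr=192.0.2.10
bss=wlan0_1
ssid=guest
nas_identifier=ap1.example.com
own_ip_addr=192.0.2.10
bss=wlan0_2
ssid=iot
nas_identifier=ap1-iot.example.com
own_ip_addr=192.0.2.10
"""

def parse_bss_sections(text):
    """Return {bss_name: {param: value}}; 'interface=' and 'bss=' open a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in ("interface", "bss"):
            current = sections.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return sections

def shared_nas_identities(sections):
    """Group BSSes by (nas_identifier, own_ip_addr); return groups with >1 BSS."""
    groups = defaultdict(list)
    for name, params in sections.items():
        # Assumption: these two parameters are what the server sees as the NAS.
        identity = (params.get("nas_identifier"), params.get("own_ip_addr"))
        groups[identity].append(name)
    return {ident: names for ident, names in groups.items() if len(names) > 1}

if __name__ == "__main__":
    found = shared_nas_identities(parse_bss_sections(SAMPLE_CONF))
    for (nas_id, ip), names in found.items():
        print(f"NAS-Identifier={nas_id!r} NAS-IP-Address={ip!r} shared by: {', '.join(names)}")
```

BSSes reported together are indistinguishable to the server by NAS identity, so an Accounting-On or Accounting-Off from one of them can be read as covering the sessions of the others.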


