Accounting-On and Accounting-Off being sent on a per-BSS basis not per-NAS

Nick Lowe nick.lowe at lugatech.com
Thu Feb 25 08:22:54 PST 2016 

I did mean:

1) Introduce code that automatically appends the BSSID to the
NAS-Identifier. Where you would otherwise have ap-foobar-01, something
like ap-foobar-01_00-10-A4-23-19-C0 would instead be placed in to the
attribute value.
2) Implement a new config flag to toggle this behaviour on or off.
3) Put this flag in to the configuration appropriately so that it is
enabled by default going forward for new deployments. Old deployments
would largely retain the current behaviour with their existing
configuration.
4) When this flag is not specified, Accounting-On and Accounting-Off
would always suppressed as they are not RFC compliant* as currently
sent. An approach that just changed the configuration today would not
achieve this, bad Accounting-On and Accounting-Off Accounting-Request
packets would still be generated. This is why I favour a config flag.

*The RFC errata process exists to correct issues like this, it has
effectively amended the RFC removing the ambiguity by being marked
Verified.

>From hostapd's perspective, it should never be in the position that
the NAS-Identifier is not sent in Access-Requests and
Accounting-Requests. It should never be possible to be in this
position. This can break other things too if it is ever omitted,
practically it doesn't happen. There shouldn't be a concern here in
relation to hostapd therefore.

RADIUS clients and their shared secret are configured in RADIUS
servers on the basis of the IP address/host name/DNS name that the
request is coming in off of, so there's likely to be little by the way
of compatibility implications of the change there.

There would be a compatibility implication for those who expect and
look for a particular value of the NAS-Identifier who would need to
amend their RADIUS server configuration.
This shouldn't be seen as a problem as the behaviour wouldn't change
in this area for existing deployments of hostapd without a
configuration change.

You say whoever designs RADIUS should be aware of this type of thing,
yet this issue with Accounting-On/Accounting-Off has remained in
hostapd for years and has been an overlooked problem previously with
commercial AP vendors too.

Cheers,

Nick

More information about the Hostap mailing list