Accounting-On and Accounting-Off being sent on a per-BSS basis not per-NAS

Nick Lowe nick.lowe at lugatech.com
Sun Feb 28 03:21:58 PST 2016 

Hi Jouni,

Respectfully ask you to reconsider.

There is very much a significant point to doing this, I definitely
feel that it is necessary and proportionate.

Yes, hostapd can be configured so that each NAS-Identifier is
different for each BSS, but nobody -ever- does this, people typically
consider the NAS as being the same thing as the RADIUS client in this
regard and use a constant value. That is what we need to correct.
Hostapd itself currently has no means to ensure that the
NAS-Identifier ends up being unique, pushing the problem elsewhere. We
shouldn't do that.

This adds negligible complexity to hostapd, stopping people from
hanging themselves if they use Accounting-On and Accounting-Off. (The
issue often presents itself as a subtle, hard to isolate bug.)

At the moment, we let people hang themselves. Not correcting this
status quo in hostapd is therefore a bad idea.

We, today, see Accounting-On and Accounting-Off nearly always being
sent on a per-BSS basis but with the same NAS-Identifier.

Therefore we either nee to:

a) Get a Subsystem-On and Subsystem-Off defined so that the
NAS-Identifier can be the same (which is likely going to take years to
sort).

-or-

b) We need to ensure that the NAS-Identifier is unique per-BSS going
forward (unless somebody goes out of their way to configure things
otherwise).

hostapd should be doing this by default for new deployments. For
compatibility purposes, older configurations that do not define
nas_identifier_use_bssid should continue to behave as today where they
have set a nas-identifier.

Hostapd currently allows no NAS-Identifier to be sent, the default
behaviour, which needs to be corrected so that this isn't possible as
it breaks RADIUS in many cases where this is missing. Using the BSSID
in that case seems the best fix.

I was thinking of something along the lines of:

if (!hostapd_config_get_radius_attr(req_attr,
                    RADIUS_ATTR_NAS_IDENTIFIER)) {
    if (hapd->conf->nas_identifier_base) {
        if (hapd->conf->nas_identifier_use_bssid == 1) {
            len = os_snprintf(buf, sizeof(buf),
                RADIUS_802_1X_ADDR_FORMAT ":",
                MAC2STR(hapd->own_addr));
            os_memcpy(&buf[len], hapd->conf->nas_identifier_base,
                hapd->conf->nas_identifier_base_len);
            len += hapd->conf->nas_identifier_base_len;
        }
        else {
            os_memcpy(&buf[len], hapd->conf->nas_identifier_base,
                hapd->conf->nas_identifier_base_len);
            len = hapd->conf->nas_identifier_base_len;
        }
    }
    else {
        len = os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
            MAC2STR(hapd->own_addr));
    }

    if (!radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
              (u8 *) buf, len)) {
        wpa_printf(MSG_ERROR, "Could not add NAS-Identifier");
        return -1;
    }
}

This code, and similar logic in one or two other places, really isn't
undue complexity.

The change to hostapd.conf is understandable, not unduly complex and
is backwards compatible.

# Optional NAS-Identifier, containing a string value used to identify the NAS
# originating RADIUS packets.  This must be unique to the NAS within the
# scope of a RADIUS server.  For example, a fully qualified domain name can be
# used here appended with the .
# Where nas_identifier has not been set, the BSSID will used.
# This will be of the form "00-10-A4-23-19-C0".
# When using IEEE 802.11r, nas_identifier must be set and be between 1 and
# 48 octets long.
#nas_identifier=ap.example.com

# Whether to use the BSSID in the NAS-Identifier sent in RADIUS packets.
# For example, where the nas_identifier is configured as ap.example.com, a
# value of the form "00-10-A4-23-19-C0:ap.example.com" will be used.
# Where mutiple BSSes are offered by a NAS, each BSS for which RADIUS accounting
# is occuring must be presented as being an individual NAS for Accounting-On and
# Accounting-Off to be handled correctly by a RADIUS server.
# This option has no effect where the nas_identifier has not been set.
# Where this is the case, the BSSID will always be sent.
# This will be of the form "00-10-A4-23-19-C0".
# 0 = disabled (default, for backwards compatiblity)
# 1 = enabled (best practice)
nas_identifier_use_bssid=1

Cheers,

Nick

More information about the Hostap mailing list