[PATCH v4] Define and implement a nas-identifier-use-bssid config option

Jouni Malinen j at w1.fi
Sun Feb 28 10:54:07 PST 2016


On Sun, Feb 28, 2016 at 04:54:13PM +0000, Nick Lowe wrote:
>  Define and implement nas-identifier-use-bssid config option
>  to include the BSSID in the NAS-Identifier attribute value of RADIUS packets.
>  This value defaults to 0, maintaining backwards compatibility, and is set to
>  the value 1 in the supplied hostapd.conf.
> 
> This new configuration option works in combination with the
> nas-identifier option.

I don't see enough justification to add additional parameters for
modifying the nas_identifier parameter when that can already be set to
an arbitrary value. IMHO, the correct place to do this is in the
application (or administrator) that generates the hostapd configuration.

Please also note that there is no guarantee that the same BSS will get
the same BSSID every time it is added to hostapd. I would expect there
to be desire for the NAS-Identifier to remain the same between AP restarts
and reconfigurations that leave a specific network with the same
configuration while potentially modifying other BSSes in the same AP. As
such, I don't think I would recommend using BSSID as a part of
NAS-Identifier as a general solution for the need to have unique
NAS-Identifier values.

It would make sense to provide more guidance and recommendations on how
the nas_identifier should be set in most cases, and something along the
lines of the following text might very well be a good start for such
guidance (obviously modified to talk about the value set in
nas_identifier and not mentioning nas_identifier_use_bssid or
concatenation of strings). Though, with that note about BSSID
potentially changing, it would be good to cover that as well, or remove
all comments about BSSID being a good unique part of NAS-Identifier and
just point out that the administrator needs to set a unique value for
each BSS for many RADIUS use cases to work well on the server side.

> Where the nas-identifier is unset, the default in hostapd.conf, the
> BSSID will be used to populate this value in the form
> “00-10-A4-23-19-C0” in all cases, irrespective of the value of
> nas-identifier-use-bssid.
> Omitting the NAS-Identifier in RADIUS packets causes significant
> problems in the RADIUS protocol so this is not allowed to ever occur.
> (Accounting-On and Accounting-Off forms of RADIUS accounting packets
> are allowed to be sent in this case.)
> 
> Where the nas-identifier is set and the nas-identifier-use-bssid is
> set to 1, the BSSID will be included in the value used for the
> NAS-Identifier in the form “00-10-A4-23-19-C0:ap.example.com”.
> (Accounting-On and Accounting-Off forms of RADIUS accounting packets
> are allowed to be sent in this case.)
> 
> Where the nas-identifier is set and the nas-identifier-use-bssid is
> set to 0, the BSSID will not be included in the value used for the
> NAS-Identifier.
> (Accounting-On and Accounting-Off forms of RADIUS accounting packets
> will not be sent in this case.)
> 
> Range checks for nas-identifier now require this string value to be,
> inclusive, between 3 and 104 characters in length.

Where does this 3..104 range come from? The actual implementation used
1..104 (inclusive), but RADIUS attributes would allow longer strings to
be used. When FT is enabled, there is a tighter constraint (48 octets)
since nas_identifier is also used within FT messages.

-- 
Jouni Malinen                                            PGP id EFC895FA
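The three NAS-Identifier cases from the patch description and the length limits mentioned in the reply, as an added, self-contained example. This is not hostapd code and not part of the submitted patch; the function names, the 1..104 and 48-octet limits (taken from the reply above, not from the hostapd source), the "<bssid>:<nas_identifier>" concatenation (taken from the patch description) and the sample BSSID/hostname are assumptions for illustration. The RADIUS attribute type (32) and the 253-octet value limit come from RFC 2865.

```c
/* Added example, not hostapd code: build, check and encode a NAS-Identifier
 * value following the rules described in the thread. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Limits as described in the reply: the hostapd implementation checked
 * 1..104 characters inclusive, and FT tightens this to 48 octets because
 * nas_identifier is also used within FT messages. (Assumed from the thread.) */
#define NAS_ID_MAX_LEN     104
#define NAS_ID_FT_MAX_LEN  48

/* RFC 2865: NAS-Identifier is attribute type 32. The one-octet Length field
 * covers the two-octet header, so a value holds at most 253 octets. */
#define RADIUS_ATTR_NAS_IDENTIFIER 32
#define RADIUS_ATTR_MAX_VALUE_LEN  253

/* Render a 6-octet BSSID as "00-10-A4-23-19-C0" (the form quoted in the patch
 * description). Returns the string length, or -1 if out is too small. */
int bssid_to_nas_id(const uint8_t bssid[6], char *out, size_t outlen)
{
	int n = snprintf(out, outlen, "%02X-%02X-%02X-%02X-%02X-%02X",
			 bssid[0], bssid[1], bssid[2], bssid[3], bssid[4], bssid[5]);
	if (n < 0 || (size_t) n >= outlen)
		return -1;
	return n;
}

/* Build the NAS-Identifier value for the three cases in the patch description.
 * nas_identifier == NULL or "" means "unset" (hypothetical convention).
 * Returns the resulting length, or -1 on truncation. */
int build_nas_identifier(const uint8_t bssid[6], const char *nas_identifier,
			 int use_bssid, char *out, size_t outlen)
{
	char bssid_str[18];
	int n;

	if (nas_identifier == NULL || nas_identifier[0] == '\0') {
		/* unset: always fall back to the BSSID so the attribute is never omitted */
		return bssid_to_nas_id(bssid, out, outlen);
	}
	if (!use_bssid) {
		n = snprintf(out, outlen, "%s", nas_identifier);
	} else {
		if (bssid_to_nas_id(bssid, bssid_str, sizeof(bssid_str)) < 0)
			return -1;
		n = snprintf(out, outlen, "%s:%s", bssid_str, nas_identifier);
	}
	if (n < 0 || (size_t) n >= outlen)
		return -1;
	return n;
}

/* Length check: 1..104 inclusive, or 1..48 when FT is enabled. Returns 1 if ok. */
int nas_identifier_len_ok(const char *nas_id, int ft_enabled)
{
	size_t len = strlen(nas_id);
	size_t max = ft_enabled ? NAS_ID_FT_MAX_LEN : NAS_ID_MAX_LEN;
	return len >= 1 && len <= max;
}

/* Encode the value as a RADIUS attribute (Type, Length, Value). Returns the
 * number of octets written, or -1 if the value is empty, exceeds 253 octets,
 * or buf is too small. */
int radius_encode_nas_identifier(const char *nas_id, uint8_t *buf, size_t buflen)
{
	size_t len = strlen(nas_id);
	if (len == 0 || len > RADIUS_ATTR_MAX_VALUE_LEN || buflen < 2 + len)
		return -1;
	buf[0] = RADIUS_ATTR_NAS_IDENTIFIER;
	buf[1] = (uint8_t) (2 + len);
	memcpy(buf + 2, nas_id, len);
	return (int) (2 + len);
}

int main(void)
{
	/* constructed sample: the BSSID from the patch description plus a hostname */
	const uint8_t bssid[6] = { 0x00, 0x10, 0xA4, 0x23, 0x19, 0xC0 };
	char nas_id[128];
	uint8_t attr[256];
	int i, n;

	n = build_nas_identifier(bssid, "ap.example.com", 1, nas_id, sizeof(nas_id));
	printf("NAS-Identifier: %s (%d chars, ok without FT=%d, ok with FT=%d)\n",
	       nas_id, n, nas_identifier_len_ok(nas_id, 0),
	       nas_identifier_len_ok(nas_id, 1));
	n = radius_encode_nas_identifier(nas_id, attr, sizeof(attr));
	for (i = 0; i < n; i++)
		printf("%02x ", attr[i]);
	printf("\n");
	return 0;
}
```

The length check is applied to the final concatenated value, which is the point the reply makes: prefixing a BSSID adds 18 characters, so a nas_identifier that fits the 48-octet FT limit on its own can exceed it once the BSSID is prepended.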