Accounting-On and Accounting-Off being sent on a per-BSS basis not per-NAS

Jouni Malinen j at w1.fi
Sun Feb 28 11:06:10 PST 2016


On Fri, Feb 26, 2016 at 11:08:55AM +0000, Nick Lowe wrote:
> We ought, strongly, to consider making the NAS-Identifier mandatory,
> presently it is not in hostapd which is poor practice.
> While it is not mandatory in the RADIUS RFCs, the presence of this
> attribute is necessary for the proper operation of RADIUS.
> Hostapd should make it mandatory therefore.

I don't want to make an optional RADIUS attribute mandatory in a way
where the implementation enforces this. This would break existing
configurations (and no, I don't want to set the value to BSSID in such
case either, taking into account that BSSID can change and, as far as I've
understood RADIUS use cases, that would not be ideal). I have no issues
with documenting this in hostapd.conf and recommending a unique
nas_identifier value to be configured for all BSSes.

> 
> I suggest that we consider changing hostapd.conf to contain something like this:
> 
> # Mandatory NAS-Identifier, containing a string base value used to identify

I would not call an optional RADIUS attribute "mandatory", i.e., this
should really be a strong recommendation rather than an incorrect claim of
what is mandatory in the protocol. That "base value" would need to go
away as well unless someone manages to provide convincing justification
for a design that would somehow modify nas_identifier value before
transmitting it.

> # the NAS originating RADIUS packets. This must be unique to the NAS within the
> # scope of a RADIUS server. For example, a fully qualified domain name can be
> # used here appended with the .
> # When using IEEE 802.11r, nas_identifier must be between 1 and 48 octets long.
> nas_identifier=ap.example.com
> 
> # Whether to append the BSSID to the NAS-Identifier sent in RADIUS packets.
> # For example, where the nas_identifier base is configured as ap.example.com, a
> # value of the form ap.example.com_00-10-A4-23-19-C0 will be used.
> # Where multiple BSSes are offered by a NAS, each BSS for which RADIUS accounting
> # is occurring must be presented as being an individual NAS for Accounting-On and
> # Accounting-Off to be handled correctly by a RADIUS server.
> nas_identifier_append_bssid=1

And this text for nas_identifier_append_bssid could be worded as an
example in the documentation for nas_identifier. If the BSSID value on
the actual nas_identifier field is set in the configuration, that
actually makes it remain fixed even if the actual BSSID would change due
to dynamic BSS changes on the AP. Anyway, I see no real value in
encoding BSSID here, i.e., any other value that could be claimed to
be unique would be as good an example, if not better.

One more thing regarding BSSIDs is that there are quite a few APs out
there that generate locally administered MAC addresses for multi-BSS
configurations. Those are not guaranteed to be unique.

-- 
Jouni Malinen                                            PGP id EFC895FA
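A configuration check in the spirit of the recommendation above (a unique nas_identifier configured for every BSS, and within the 1..48 octet limit when IEEE 802.11r is enabled), added here as an example and not code from hostapd or from either author. It assumes hostapd.conf's layout where the first BSS starts at interface= and each later bss= line starts another, and runs over a constructed sample config.

```python
# Lint a multi-BSS hostapd.conf: each BSS doing RADIUS accounting needs its
# own unique nas_identifier (added example, not hostapd's own code).
# Constructed sample: the second BSS reuses the first one's NAS-Identifier
# and the third BSS sets none at all.
SAMPLE_CONF = """interface=wlan0
ssid=corp
nas_identifier=ap.example.com
ieee80211r=1
bss=wlan0_1
ssid=guest
nas_identifier=ap.example.com
bss=wlan0_2
ssid=iot
"""


def parse_bss_sections(text):
    """Per-BSS dicts: first section starts at interface=, each bss= opens a new one."""
    sections, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "bss" and current:
            sections.append(current)  # close the previous BSS section
            current = {}
        current[key] = value
    if current:
        sections.append(current)
    return sections


def lint_nas_identifiers(text):
    """Return (bss, problem) pairs: nas_identifier missing, duplicated across
    BSSes, or outside 1..48 octets while IEEE 802.11r is enabled."""
    problems, seen = [], {}
    for sec in parse_bss_sections(text):
        name = sec.get("bss") or sec.get("interface", "?")
        nas_id = sec.get("nas_identifier")
        if nas_id is None:
            problems.append((name, "nas_identifier not set"))
            continue
        octets = len(nas_id.encode("utf-8"))
        if sec.get("ieee80211r") == "1" and not 1 <= octets <= 48:
            problems.append((name, f"{octets} octets; 802.11r needs 1..48"))
        if nas_id in seen:
            problems.append((name, f"same nas_identifier as {seen[nas_id]}"))
        seen.setdefault(nas_id, name)
    return problems
```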