Accounting-On and Accounting-Off being sent on a per-BSS basis not per-NAS
Alan DeKok
aland at deployingradius.com
Mon Feb 29 10:34:05 PST 2016
On Feb 29, 2016, at 5:04 AM, Jouni Malinen <j at w1.fi> wrote:
> Wouldn't RADIUS server be able to use NAS-IP-Address for the case where
> there is only a single BSS per IP address? Sure, that is a subset of all
> possibilities, but I'd assume this was quite a bit more common case at
> the early days of RADIUS..
Yes.
The issue is really what logical unit are we talking about? i.e. when system X reboots, and N users need to re-auth. The RADIUS server needs to see an Accounting-On packet for that system. And that system has to be identified.
Traditionally, "X" was identical to "NAS". With the advent of separate network / radio devices, it's not.
> When you say "RADIUS" here, do you really include authentication in
> that? I can see the issue related to Accounting-On/Off for RADIUS
> accounting, but use of NAS-Identifier seems quite a bit less important
> for RADIUS authentication.
Ideally, the NAS-Identifier / IP / IPv6-Address should be the same across Access-Request and Accounting-Request packets.
Anything else is a bad idea. Because it means that the NAS isn't being consistent about which (sub)system the user is accessing.
> A single hostapd process cannot enforce this in cases where multiple
> hostapd processes are use on the same AP device (one hostapd process per
> virtual BSS) and there are such AP designs out there.. That said, I
> think I would be fine with hostapd not sending out Accounting-On/Off for
> a BSS that does not have nas_identifier configured (which you asked in
> another email after this).
I'd prefer accounting-on/off when a (sub)system reboots, and more than one user has to re-auth. It's just better.
> It might be fine to filter out "duplicated" Accounting-On/Off messages
> also in cases where the same nas_identifier has been configured for
> multiple BSSes.
I would document a suggestion that nat-identifier should be unique.
> Though, this is getting somewhat complex and potentially
> confusing since the start and stop times and sequences may be different
> and the Accounting-On and Accounting-Off messages may not actually be
> for the same BSS if BSS0 is started first, BSS1 after it, followed by
> stopping BSS0 and finally BSS1. That could send out Accounting-On with
> BSS0 information and Accounting-Off with BSS1 information. Sure,
> NAS-Identifier would be same, but other information in the messages
> might point to different BSSID and SSID value (Called-Station-Id). This
> might be fine for the case where all BSSes are created at the same time
> (e.g., hostapd process start) and terminated at the same time (e.g.,
> hostapd process end), but it gets problematic with dynamic BSS
> addition/removal.
Which is why it would be good to treat each BSS as an individual NAS. At least, so far as traditional RADIUS goes.
Alan DeKok.
More information about the Hostap
mailing list