Outstanding RADIUS issues: Framed-IP-Address, NAS-Port, NAS-Port-Id

Nick Lowe nick.lowe at lugatech.com
Tue Mar 1 02:24:12 PST 2016


With the recent changes to hostapd, the number of outstanding RADIUS
issues that I have observed is significantly diminished! Hurrah! :-)

I think that we now ought to consider:

1) Ensuring that only DHCP-snooped information is used to populate the
value of the Framed-IP-Address attribute in RADIUS accounting so that
the value accounted with is more reliable and better protected against
spoofing.

2) Implementing an asynchronous Interim-Update when the IP address
becomes known or changes. Otherwise the interval has to be waited out
before the client's address becomes known, which breaks SSO systems
that depend on this value.

For context and to understand why this is necessary, I suggest
referring to the following thread:

https://community.aerohive.com/aerohive/topics/use_the_framed_ip_address_avp_containing_a_clients_ip_address_correctly_in_radius_accounting

Other aspects I think still should be looked at are:

3) Making NAS-Port contain the ifindex rather than the aid, which will
nearly always be 0.
4) Adding support for the NAS-Port-Id attribute and making this
contain the ifname.

Both the NAS-Port and NAS-Port-Id can be sent. This is perfectly legal
and good practice.

-or-

5) Removing the NAS-Port attribute so that it doesn't always contain a
value of 0 and then not adding support for the NAS-Port-Id attribute.

Cheers,

Nick
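
The proposals in points 2 to 4, sketched as an added example that is not part of the original post and is not hostapd code: an Accounting-Request Interim-Update carrying NAS-Port (ifindex), NAS-Port-Id (ifname) and a DHCP-snooped Framed-IP-Address, sent only when the snooped address is new or changes. The function names, session dictionary layout and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Attribute type codes (RFC 2865, RFC 2866, RFC 2869).
NAS_PORT, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID, NAS_PORT_ID = 5, 8, 40, 44, 87
ACCOUNTING_REQUEST, INTERIM_UPDATE = 4, 3

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one TLV; the length octet covers type, length and value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def interim_update(ident, secret, session_id, ifindex, ifname, snooped_ip):
    """Build an Accounting-Request (Interim-Update) with both port attributes."""
    attrs = b"".join([
        attr(ACCT_STATUS_TYPE, struct.pack("!I", INTERIM_UPDATE)),
        attr(ACCT_SESSION_ID, session_id.encode()),
        attr(NAS_PORT, struct.pack("!I", ifindex)),   # numeric ifindex
        attr(NAS_PORT_ID, ifname.encode()),           # textual ifname
        attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(snooped_ip).packed),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866: authenticator = MD5(header + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def parse(packet: bytes, secret: bytes) -> dict:
    """Verify the Request Authenticator, then return {type: raw value}."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length")
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Request Authenticator")
    out, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        out[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return out

def on_dhcp_snoop(session: dict, ip: str, secret: bytes):
    """Return an immediate Interim-Update only if the snooped address is new or changed."""
    if session.get("ip") == ip:
        return None  # unchanged: the regular interim interval still applies
    session["ip"] = ip
    session["ident"] = (session.get("ident", 0) + 1) % 256
    return interim_update(session["ident"], secret, session["id"],
                          session["ifindex"], session["ifname"], ip)
```
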
