Accounting-On and Accounting-Off being sent on a per-BSS basis not per-NAS

Jouni Malinen j at w1.fi
Thu Feb 25 07:37:45 PST 2016


On Thu, Feb 25, 2016 at 11:43:12AM +0000, Nick Lowe wrote:
> I think that hostapd should append the BSSID to the end of the
> NAS-Identifier, by default, if this is deemed a viable way forward so
> that the default behaviour becomes compliant to RFC 2866.

I'm not fond of the idea of hostapd changing its behavior here.
Whoever/Whatever writes the configuration file can add a BSSID to the
end of nas_identifier. It's fine for the hostapd/hostapd.conf file to
recommend that as well, but not sending out the exact value configured
there (which has been the behavior for 12 years) sounds dubious to me.
How would we know that the changed NAS-Identifier would continue to work
with whatever RADIUS servers that may be deployed today? What if they
reject messages from unknown NAS-Identifier values?

It looks clear to me that the safest option is not to change hostapd
behavior for the contents of NAS-Identifier and do changes to
NAS-Identifier based on configuration file changes. hostapd upgrades are
not supposed to result in unexpected behavior and potentially breaking
something. The configuration update can even be done today without any
need to change hostapd binary on the device at all..

> There could be a configuration option to use standards compliant
> RADIUS, disabled by default when undefined retaining the current
> behaviour, but enabled by default in the default configuration.
> This would ensure that there are no unexpected changes when upgrading
> hostapd with an existing configuration.

I'm not sure you'd get an agreement on standards compliant vs.
non-compliant in this area taking into account the language in the
current RFC.. Anyway, I'm not sure I understand what you mean with this
being "disabled by default" and "enabled by default" simultaneously..
Either the default is to disable this or it is to enable this; you
cannot get both. Or are you referring to hostapd/hostapd.conf file as
the "default configuration"? It is certainly not that; it is
documentation on various configuration parameters.

> If the BSSID were to be appended by default to the NAS-Identifier via
> configuration going forward for new configurations, this would apply
> to both single and multiprocess deployments and solve this
> Accounting-On/Accounting-Off issue.
> 
> We shouldn't and it is in my view unrealistic to expect everyday
> people to understand the nuance of RADIUS to configure this in a way
> that avoids this problem.

Whoever designs a system to use RADIUS should be aware of this type of
thing. It is not like "everyday people" would be expected to be writing
hostapd.conf files..


By the way, NAS-Identifier is an optional attribute. What about the
cases where it is not included?

-- 
Jouni Malinen                                            PGP id EFC895FA
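
The configuration-side approach discussed in this message can be checked before deployment. The following is an added example, not code from the thread or from the hostapd project: it audits a hostapd.conf for BSSes that share a `nas_identifier` or have none set. The sample configuration, hostnames and MAC addresses are constructed, and the parser assumes each `interface=`/`bss=` section carries its own `nas_identifier` with no inheritance between sections.

```python
"""Audit hostapd.conf text for BSSes that share, or lack, a nas_identifier."""
from collections import defaultdict

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """\
interface=wlan0
bssid=02:00:00:00:01:00
nas_identifier=ap1.example.com
bss=wlan0_0
bssid=02:00:00:00:01:01
nas_identifier=ap1.example.com
bss=wlan0_1
bssid=02:00:00:00:01:02
nas_identifier=ap1.example.com-02:00:00:00:01:02
bss=wlan0_2
bssid=02:00:00:00:01:03
"""

def parse_bsses(text):
    """Return one dict per BSS; an interface= or bss= line starts a new one.

    Assumption: settings are not inherited from an earlier section.
    """
    bsses = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in ("interface", "bss"):
            bsses.append({"ifname": value})
        elif bsses:
            bsses[-1][key] = value
    return bsses

def audit(text):
    """Return (shared, missing): identifiers used by >1 BSS, and BSSes with none."""
    by_id = defaultdict(list)
    missing = []
    for bss in parse_bsses(text):
        nas_id = bss.get("nas_identifier")
        if nas_id is None:
            missing.append(bss["ifname"])  # the optional-attribute case
        else:
            by_id[nas_id].append(bss["ifname"])
    shared = {k: v for k, v in by_id.items() if len(v) > 1}
    return shared, missing

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A BSS listed under `missing` is the case raised at the end of the message, where NAS-Identifier is not included at all.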


