Accounting-On and Accounting-Off being sent on a per-BSS basis not per-NAS

Jouni Malinen j at w1.fi
Mon Feb 29 02:04:47 PST 2016


On Sun, Feb 28, 2016 at 07:27:44PM +0000, Nick Lowe wrote:
> Not to put words in his mouth, I am sure Alan will say and agree that
> hostapd should -never- be in the position that it does not send a
> NAS-Identifier. Alan?

Wouldn't a RADIUS server be able to use NAS-IP-Address for the case where
there is only a single BSS per IP address? Sure, that is a subset of all
possibilities, but I'd assume this was quite a bit more common case at
the early days of RADIUS..

> It is mandatory from the perspective that RADIUS doesn't work reliably
> where this is omitted, nor that it is mandatory in the RFC.

When you say "RADIUS" here, do you really include authentication in
that? I can see the issue related to Accounting-On/Off for RADIUS
accounting, but use of NAS-Identifier seems quite a bit less important
for RADIUS authentication.

> I do think that it is hostapd that should enforce that multiple BSSes
> are not being accounted with, where Accounting-On/Accounting-Off are
> being sent, with the same or no NAS-Identifier. That is the problem
> that we need to solve. Pushing that bad elsewhere seems a mistake to
> me. We won't actually see the problem being resolved.

A single hostapd process cannot enforce this in cases where multiple
hostapd processes are used on the same AP device (one hostapd process per
virtual BSS) and there are such AP designs out there.. That said, I
think I would be fine with hostapd not sending out Accounting-On/Off for
a BSS that does not have nas_identifier configured (which you asked in
another email after this).

It might be fine to filter out "duplicated" Accounting-On/Off messages
also in cases where the same nas_identifier has been configured for
multiple BSSes. Though, this is getting somewhat complex and potentially
confusing since the start and stop times and sequences may be different
and the Accounting-On and Accounting-Off messages may not actually be
for the same BSS if BSS0 is started first, BSS1 after it, followed by
stopping BSS0 and finally BSS1. That could send out Accounting-On with
BSS0 information and Accounting-Off with BSS1 information. Sure,
NAS-Identifier would be same, but other information in the messages
might point to different BSSID and SSID values (Called-Station-Id). This
might be fine for the case where all BSSes are created at the same time
(e.g., hostapd process start) and terminated at the same time (e.g.,
hostapd process end), but it gets problematic with dynamic BSS
addition/removal.

-- 
Jouni Malinen                                            PGP id EFC895FA
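
The start/stop ordering problem described in the message above, as an added example that is not part of the original email and is not hostapd code: a reference-counted filter that sends one Accounting-On and one Accounting-Off per NAS-Identifier. The `nas_filter` struct, the function names and the Called-Station-Id strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical filter state, one per configured nas_identifier value
 * (illustrative names, not hostapd's own code). */
struct nas_filter {
    int active;        /* BSSes currently up under this NAS-Identifier */
    char on_csid[64];  /* Called-Station-Id sent in Accounting-On */
    char off_csid[64]; /* Called-Station-Id sent in Accounting-Off */
};

/* Returns 1 if Accounting-On goes out, 0 if it is filtered as a duplicate. */
int bss_start(struct nas_filter *f, const char *csid)
{
    if (f->active++ > 0)
        return 0;
    snprintf(f->on_csid, sizeof(f->on_csid), "%s", csid);
    f->off_csid[0] = '\0';
    return 1;
}

/* Returns 1 if Accounting-Off goes out, 0 while other BSSes are still up. */
int bss_stop(struct nas_filter *f, const char *csid)
{
    if (f->active == 0 || --f->active > 0)
        return 0;
    snprintf(f->off_csid, sizeof(f->off_csid), "%s", csid);
    return 1;
}

/* 1 when the On/Off pair that was sent names two different BSSes. */
int on_off_mismatch(const struct nas_filter *f)
{
    return f->off_csid[0] && strcmp(f->on_csid, f->off_csid) != 0;
}

int main(void)
{
    /* Constructed sequence from the message: BSS0 up, BSS1 up, BSS0 down,
     * BSS1 down, both sharing one nas_identifier. */
    struct nas_filter f = {0};
    bss_start(&f, "02-00-00-00-00-00:ssid0");
    bss_start(&f, "02-00-00-00-00-01:ssid1");
    bss_stop(&f, "02-00-00-00-00-00:ssid0");
    bss_stop(&f, "02-00-00-00-00-01:ssid1");
    printf("On: %s\nOff: %s\nmismatch: %d\n", f.on_csid, f.off_csid,
           on_off_mismatch(&f));
    return 0;
}
```

When every BSS starts and stops together, the same filter still sends one On and one Off, but whether they name the same BSS depends on the stop order matching the start order.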


