Outstanding RADIUS accounting issues

Nick Lowe nick.lowe at lugatech.com
Sun Jan 24 03:24:42 PST 2016


There are a couple of outstanding issues in hostap's RADIUS accounting.

1) The Framed-IP-Address should not be populated from ARP
information, only from DHCP-snooped information.
Otherwise the implementation is trivially vulnerable.

See Cisco's note explaining that they only do this:

"The Framed-IP-Address AV pair (Attribute 8) is sent only if a valid
Dynamic Host Control Protocol (DHCP) binding exists for the host in
the DHCP snooping bindings table."
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-s/sec-usr-8021x-15-s-book/sec-ieee-802x-rad-account.html#GUID-AA6E5C9F-BEDF-42DE-B76F-968DCC27D08D

2) An Acct-Session-Id is missing from Accounting-On and Accounting-Off.
The RADIUS RFC, however, makes its presence mandatory.
See: https://tools.ietf.org/html/rfc2866#section-5.13
"1     Acct-Session-Id"

3) The Acct-Delay-Time attribute should be present in the initial
Accounting-Request packets sent, and included and incremented in any
retransmissions. This attribute is presently not sent.
This value must be populated from a monotonic system timer and not the
system clock.
As a relative delay, this is usable where the system clock has not
been set on embedded devices.

In a previous patch that I have submitted, I have corrected the issue
where the Event-Timestamp would previously only be sent on
Interim-Update and Stop forms of Accounting-Request packet. I have
also corrected the issue where this value would be included with values
around the Unix time epoch.

Cheers,

Nick
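The following is an added illustration, not code from the post above or from hostap, of how the three points read when written out as an RFC 2866 Accounting-Request encoder: Framed-IP-Address taken only from a DHCP snooping table, Acct-Session-Id carried on every status type including Accounting-On/Off, and Acct-Delay-Time derived from a monotonic clock and recomputed (together with the Request Authenticator and a fresh Identifier) on each retransmission. The shared secret, the MAC-to-lease table, the session ids, the FakeClock helper and the year-2000 cut-off for omitting Event-Timestamp are all constructed for the example.

```python
"""Added example (not hostap code): RFC 2866 Accounting-Request packets built the way the
post asks for. Secret, DHCP binding table and session ids are constructed sample data."""
import hashlib
import ipaddress
import struct
import time

ACCOUNTING_REQUEST = 4                       # RADIUS Code for Accounting-Request
# Attribute types (RFC 2865, RFC 2866, RFC 2869)
FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_DELAY_TIME = 8, 40, 41
ACCT_SESSION_ID, EVENT_TIMESTAMP = 44, 55
# Acct-Status-Type values
START, STOP, INTERIM_UPDATE, ACCOUNTING_ON, ACCOUNTING_OFF = 1, 2, 3, 7, 8

# Constructed sample data for the demonstration.
SECRET = b"testing123"
DHCP_BINDINGS = {"00:11:22:33:44:55": "192.0.2.10"}   # MAC -> snooped DHCP lease


def avp(attr_type, value):
    """Encode one Type-Length-Value attribute; ints become 32-bit big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode("ascii")
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def framed_ip_attr(mac, dhcp_bindings):
    """Point 1: Framed-IP-Address comes only from a DHCP-snooped binding. An ARP table is
    deliberately not an input, since any station can answer ARP for any address."""
    ip = dhcp_bindings.get(mac)
    return None if ip is None else avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)


def event_timestamp_attr(now=time.time, min_valid=946684800):
    """Event-Timestamp is wall-clock seconds since the epoch; omit it when the clock is
    plainly unset. The year-2000 cut-off is an assumption of this example."""
    t = int(now())
    return avp(EVENT_TIMESTAMP, t) if t >= min_valid else None


class AccountingRequest:
    """One logical Accounting-Request; encode() is called once per (re)transmission."""

    def __init__(self, status_type, session_id, extra_attrs=(), clock=time.monotonic):
        self.clock = clock                  # monotonic, so an unset wall clock is harmless
        self.first_attempt = clock()
        # Point 2: Acct-Session-Id is always present, Accounting-On/Off included.
        self.attrs = [avp(ACCT_STATUS_TYPE, status_type), avp(ACCT_SESSION_ID, session_id)]
        self.attrs += [a for a in extra_attrs if a is not None]

    def encode(self, identifier, secret):
        """Point 3: Acct-Delay-Time is the whole seconds since the first attempt, so it is 0
        on the initial send and grows on each retransmission. Because the attribute list
        changes, the caller must supply a fresh Identifier (RFC 2866 section 3) and the
        Request Authenticator is recomputed over the new contents."""
        delay = int(self.clock() - self.first_attempt)
        body = b"".join(self.attrs + [avp(ACCT_DELAY_TIME, delay)])
        header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
        # Request Authenticator = MD5(Code+Identifier+Length + 16 zero octets + Attributes + Secret)
        authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
        return header + authenticator + body


def verify_request_authenticator(packet, secret):
    """Server-side check of the Request Authenticator (RFC 2866 section 3)."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + body + secret).digest() == auth


def parse_attrs(packet):
    """Decode the attribute list into {type: [raw values]}, rejecting malformed lengths."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs


class FakeClock:
    """Stand-in for time.monotonic so the retransmission delay is reproducible."""
    def __init__(self, t=1000.0):
        self.t = t

    def __call__(self):
        return self.t
```

The retransmission path is the interesting one: the same AccountingRequest object is encoded again a few seconds later, Acct-Delay-Time goes from 0 to the elapsed seconds, and because that changes the attribute bytes the Request Authenticator changes too, which is why the caller passes a new Identifier rather than re-sending the original octets.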


