Outstanding RADIUS accounting issues

There's a couple of outstanding issues in hostap's RADIUS accounting.

1) The Framed-IP-Address should not be populated from ARP
information, only from DHCP snooped information.
The implementation is trivially security vulnerable otherwise.

See Cisco's note explaining that they only do this:

"The Framed-IP-Address AV pair (Attribute 8) is sent only if a valid
Dynamic Host Control Protocol (DHCP) binding exists for the host in
the DHCP snooping bindings table."
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-s/sec-usr-8021x-15-s-book/sec-ieee-802x-rad-account.html#GUID-AA6E5C9F-BEDF-42DE-B76F-968DCC27D08D

2) An Acct-Session-Id is missing from Accounting-On and Accounting-Off.
It is, however, mandatory that this be present in the RADIUS RFC.
See: https://tools.ietf.org/html/rfc2866#section-5.13
"1     Acct-Session-Id"

3) The Acct-Delay-Time attribute should be present in the initial
Accounting-Request packets sent, and included and incremented in any
retransmissions. This attribute is presently not sent.
This value must be populated from a monotonic system timer and not the
system clock.
As a relative delay, this is usable where the system clock has not
been set on embedded devices.

In a previous patch that I have submitted, I have corrected the issue
where the Event-Timestamp would previously only be sent on
Interim-Update and Stop forms of Accounting-Request packet. I have
corrected the issue where this value would be included with values
around the Unix time epoch.

Cheers,

Nick
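
Added example, not part of the original message and not hostapd code: a sketch of item 3, deriving Acct-Delay-Time (attribute 41 in RFC 2866) from CLOCK_MONOTONIC and recomputing it for each retransmission. The struct acct_req, its fields and the function names are hypothetical; the Identifier bump follows RFC 2866 section 5.2, which notes that changing Acct-Delay-Time changes the Identifier.

```c
#define _POSIX_C_SOURCE 200809L /* for clock_gettime() */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define ATTR_ACCT_DELAY_TIME 41 /* RFC 2866, section 5.2 */

/* Hypothetical per-request state; not hostapd's own structure. */
struct acct_req {
    time_t event_mono;   /* monotonic seconds when the event occurred */
    uint8_t identifier;  /* RADIUS Identifier of the last transmission */
    uint32_t last_delay; /* Acct-Delay-Time in the last transmission */
    int sent;            /* non-zero once transmitted at least once */
};

/* Monotonic seconds: usable before the wall clock is set, immune to steps. */
static time_t mono_now(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec;
}

/* Write Acct-Delay-Time (type, length 6, 32-bit big-endian seconds) for a
 * transmission at monotonic time `now`. A changed value changes the packet,
 * so a retransmission takes a new Identifier (RFC 2866, section 5.2).
 * Returns bytes written, or 0 if the buffer is too small. */
static int acct_put_delay(struct acct_req *r, time_t now, uint8_t *buf, int room)
{
    uint32_t d = now > r->event_mono ? (uint32_t)(now - r->event_mono) : 0;
    if (room < 6) return 0;
    buf[0] = ATTR_ACCT_DELAY_TIME;
    buf[1] = 6;
    buf[2] = (uint8_t)(d >> 24); buf[3] = (uint8_t)(d >> 16);
    buf[4] = (uint8_t)(d >> 8);  buf[5] = (uint8_t)d;
    if (r->sent && d != r->last_delay)
        r->identifier++;
    r->sent = 1;
    r->last_delay = d;
    return 6;
}

int main(void)
{
    uint8_t attr[6];
    struct acct_req r = { mono_now(), 1, 0, 0 }; /* constructed request */
    acct_put_delay(&r, r.event_mono, attr, sizeof(attr));     /* first send */
    acct_put_delay(&r, r.event_mono + 3, attr, sizeof(attr)); /* retransmit */
    printf("id=%u delay=%u\n", (unsigned)r.identifier, (unsigned)attr[5]);
}
```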
