There's a couple of outstanding issues in hostap's RADIUS accounting. 1) The Framed-IP-Address should not be populated using from ARP information, only from DHCP snooped information. The implementation is trivially security vulnerable otherwise. See Cisco's note explaining that they only do this: "The Framed-IP-Address AV pair (Attribute 8) is sent only if a valid Dynamic Host Control Protocol (DHCP) binding exists for the host in the DHCP snooping bindings table." http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-s/sec-usr-8021x-15-s-book/sec-ieee-802x-rad-account.html#GUID-AA6E5C9F-BEDF-42DE-B76F-968DCC27D08D 2) An Acct-Sesson-Id is missing from Accounting-On and Accounting-Off. It is, however, mandatory that this be present in the RADIUS RFC. See: https://tools.ietf.org/html/rfc2866#section-5.13 "1 Acct-Session-Id" 3) The Acct-Delay-Time attribute should be present in the initial Accounting-Request packets sent, and included and incremented in any retransmissions. This attribute is presently not sent. This value must be populated from a monotonic system timer and not the system clock. As a relative delay, this is usable where the system clock has not been set on embedded devices. In a previous patch that I have submitted, I have corrected the issue where the Event-Timestamp would previously only be send on Interim-Update and Stop forms of Accounting-Request packet. I have corrected the issue where this value would be included with values around the Unix time epoch. Cheers, Nick _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
