On Sat, Feb 06, 2016 at 11:54:03AM +0000, Nick Lowe wrote:
> There is then a need to, subsequently, add code to actually send this
> attribute in Access-Request and Accounting-Request packets, populated
> with the ifname.

What would be the use for NAS-Port-Id? RFC 2869 seems to imply that either NAS-Port or NAS-Port-Id would be included, but not both. There is already code to add NAS-Port. Furthermore, NAS-Port-Id seems to be described as a fallback option if the "ports" cannot be numbered.

> Correction is also needed for the NAS-Port attribute as this is
> presently included with a value of 0 where the association id is not
> available. Either the attribute should not be present when that occurs
> (which is most of the time), or it should contain the ifindex (better)
> for the virtual interface. The current implementation does not comply
> with RFC 3580 by sending 0.

With drivers that use hostapd for AP SME, the AID should always be known for the normal association case. For RSN pre-authentication, there is no AID and it would probably make sense to drop NAS-Port completely since that authentication is not for an immediate data connection.

With drivers that implement AP SME internally, the AID may not be known to hostapd. Since this can be determined when starting the AP, all NAS-Port values from such an AP could be changed to use the ifindex of the wlan# interface or port number of the bridge if that interface is in a bridge.

That said, neither of these are necessarily fixed values, i.e., they may change for each restart of hostapd. As such, I'm not sure what value these would have for the RADIUS server. Then again, that would also apply for Association ID. I don't see how the RADIUS server would behave any differently based on the exact NAS-Port value with a NAS that is an IEEE 802.11 AP.

> We need to continue to ensure and be careful that the NAS-Port value
> is consistent in Access-Request and subsequent Accounting-Request
> packets.

That is not the case with IEEE 802.11. The Association ID can change for each re-association and a single EAP authentication can be shared between multiple re-associations. In other words, NAS-Port used in Accounting-Request for a specific session that uses the same Acct-Multi-Session-Id with a single authentication exchange can be different.

--
Jouni Malinen                                            PGP id EFC895FA