On Thu, Feb 25, 2016 at 10:25:49AM +0000, Nick Lowe wrote:
> What constitutes the whole NAS is where the NAS-Identifier,
> NAS-IP-Address and NAS-IPv6-Address, where present, are the same in
> Access-Requests and Accounting-Requests.
>
> If we ensured that the NAS-Identifier was different on a per-BSS
> basis, there shouldn't be such a problem with the
> Accounting-On/Accounting-Off behaviour. Any issues would be as a
> result of a RADIUS server mishandling the NAS-Identifier.
>
> Is that something that we could/should consider?

Whoever (or whatever) configures hostapd already has an option of doing so with the nas_identifier parameter that is set for each BSS. I don't think hostapd should be modifying this parameter on its own (e.g., the proposal of adding a BSSID into this). This can have unexpected changes when upgrading hostapd without touching configuration. Please note that nas_identifier is used also for other purposes than RADIUS (mainly, FT key holder name).

> From RFC 2865:
>
> "5.32. NAS-Identifier
>
> Description
>
> This Attribute contains a string identifying the NAS originating
> the Access-Request. It is only used in Access-Request packets.
> Either NAS-IP-Address or NAS-Identifier MUST be present in an
> Access-Request packet."

Whoever configures nas_identifier should take that guidance into account.

> I agree with the idea of making this configurable but with the proviso
> that the default behaviour be changed so that it doesn't cause the
> current problems.

In general, it is a bad idea to change default behavior if there is a risk of it breaking something. I do not know what exactly the proposed new default behavior would be, but I find it difficult to see a clean solution for this that could automatically be determined in a manner that would cover all possible use cases. As such, I'd rather keep the current behavior as the default in the future as well.
Please note that there are also devices that use multiple hostapd processes (one for each BSS), so the issue you describe is not going to disappear even if the default behavior within a single process would be changed.

-- 
Jouni Malinen                                            PGP id EFC895FA
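
Added example, not part of the original message and not hostapd code: a small audit of one hostapd.conf that flags BSSes sharing a nas_identifier, and FT-enabled BSSes whose nas_identifier is missing or unusable as a key holder name. The sample configuration is constructed; the 1 to 48 octet limit for FT comes from the hostapd.conf documentation rather than this thread, and the script assumes a BSS does not inherit nas_identifier from an earlier section.

```python
# Constructed sample: one hostapd.conf with three BSSes (not from the thread).
SAMPLE_CONF = """\
interface=wlan0
ssid=corp
ieee8021x=1
nas_identifier=ap1.example.net
bss=wlan0_1
ssid=guest
nas_identifier=ap1.example.net
bss=wlan0_2
ssid=voice
wpa_key_mgmt=FT-EAP
"""

def parse_bss_sections(conf_text):
    """Split hostapd.conf text into per-BSS dicts; 'interface=' opens the
    first BSS and each 'bss=' line opens another."""
    sections = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in ("interface", "bss"):
            sections.append({"ifname": value})
        elif sections:
            sections[-1][key] = value
    return sections

def audit_nas_identifiers(conf_text):
    """Return a list of (ifname, problem) findings for one config file."""
    findings, seen = [], {}
    for bss in parse_bss_sections(conf_text):
        ifname, nas_id = bss["ifname"], bss.get("nas_identifier")
        uses_ft = "FT-" in bss.get("wpa_key_mgmt", "")
        if nas_id is None:
            # Assumption: no inheritance, so an unset value means none is sent.
            if uses_ft:
                findings.append((ifname, "FT enabled but nas_identifier unset"))
            continue
        if nas_id in seen:
            findings.append((ifname, f"nas_identifier shared with {seen[nas_id]}"))
        else:
            seen[nas_id] = ifname
        # nas_identifier doubles as the FT key holder name: 1..48 octets.
        if uses_ft and not 1 <= len(nas_id.encode()) <= 48:
            findings.append((ifname, "nas_identifier not 1..48 octets for FT"))
    return findings

if __name__ == "__main__":
    for ifname, problem in audit_nas_identifiers(SAMPLE_CONF):
        print(f"{ifname}: {problem}")
```

Because some devices run one hostapd process per BSS, a per-file check like this only covers one process; uniqueness across processes has to be checked over all of their configuration files together.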