On Thu, Feb 25, 2016 at 11:43:12AM +0000, Nick Lowe wrote:
> I think that hostapd should append the BSSID to the end of the
> NAS-Identifier, by default, if this is deemed a viable way forward so
> that the default behaviour becomes compliant to RFC 2866.

I'm not fond of the idea of hostapd changing its behavior here.
Whoever/Whatever writes the configuration file can add a BSSID to the
end of nas_identifier. It's fine for the hostapd/hostapd.conf file to
recommend that as well, but not sending out the exact value configured
there (which has been the behavior for 12 years) sounds dubious to me.

How would we know that the changed NAS-Identifier would continue to work
with whatever RADIUS servers that may be deployed today? What if they
reject messages from unknown NAS-Identifier values? It looks clear to me
that the safest option is not to change hostapd behavior for the
contents of NAS-Identifier and do changes to NAS-Identifier based on
configuration file changes. hostapd upgrades are not supposed to result
in unexpected behavior and potentially breaking something. The
configuration update can even be done today without any need to change
hostapd binary on the device at all..

> There could be a configuration option to use standards compliant
> RADIUS, disabled by default when undefined retaining the current
> behaviour, but enabled by default in the default configuration.
> This would ensure that there are no unexpected changes when upgrading
> hostapd with an existing configuration.

I'm not sure you'd get an agreement on standards compliant vs.
non-compliant in this area taking into account the language in the
current RFC.. Anyway, I'm not sure I understand what you mean with this
being "disabled by default" and "enabled by default" simultaneously..
Either the default is to disable this or it is to enable this; you
cannot get both. Or are you referring to hostapd/hostapd.conf file as
the "default configuration"? It is certainly not that; it is
documentation on various configuration parameters.

> If the BSSID were to be appended by default to the NAS-Identifier via
> configuration going forward for new configurations, this would apply
> to both single and multiprocess deployments and solve this
> Accounting-On/Accounting-Off issue.
>
> We shouldn't and it is in my view unrealistic to expect everyday
> people to understand the nuance of RADIUS to configure this in a way
> that avoids this problem.

Whoever designs a system to use RADIUS should be aware of this type of
thing. It is not like "everyday people" would be expected to be
writing hostapd.conf files..

By the way, NAS-Identifier is an optional attribute. What about the
cases where it is not included?

-- 
Jouni Malinen                                            PGP id EFC895FA
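
The configuration-side approach discussed in the message above (adding the BSSID to nas_identifier in the configuration file instead of changing hostapd), as an added example that is not part of the original message or of hostapd. The function name append_bssid, the "-" separator, the lowercase BSSID suffix and the sample configuration are assumptions constructed for illustration; a BSS without nas_identifier is left alone, and one without an explicit bssid= line is reported rather than guessed.

```python
import re

# Constructed sample hostapd.conf with four BSSes (not from the thread).
SAMPLE_CONF = """\
interface=wlan0
bssid=02:00:00:00:01:00
nas_identifier=ap1.example.com
bss=wlan0_1
bssid=02:00:00:00:01:01
nas_identifier=ap1.example.com-02:00:00:00:01:01
bss=wlan0_2
nas_identifier=ap1.example.com
bss=wlan0_3
bssid=02:00:00:00:01:03
"""

BSSID_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def append_bssid(conf_text, sep="-"):
    """Return (new_text, skipped): each nas_identifier gets its own BSS's BSSID appended."""
    lines = conf_text.splitlines()
    # Split into per-BSS sections: 'interface=' or 'bss=' starts a new one.
    sections, current = [], None
    for idx, line in enumerate(lines):
        key, _, value = line.strip().partition("=")
        if key in ("interface", "bss"):
            current = {"name": value, "bssid": None, "nas_line": None}
            sections.append(current)
        elif current is not None and key == "bssid":
            current["bssid"] = value.lower()
        elif current is not None and key == "nas_identifier":
            current["nas_line"] = idx
    skipped = []
    for sec in sections:
        if sec["nas_line"] is None:
            continue  # NAS-Identifier is optional; nothing to rewrite
        if sec["bssid"] is None or not BSSID_RE.match(sec["bssid"]):
            skipped.append(sec["name"])  # BSSID not pinned in the file
            continue
        value = lines[sec["nas_line"]].split("=", 1)[1]
        if not value.lower().endswith(sec["bssid"]):  # keeps reruns idempotent
            lines[sec["nas_line"]] = f"nas_identifier={value}{sep}{sec['bssid']}"
    return "\n".join(lines) + "\n", skipped

if __name__ == "__main__":
    new_conf, skipped = append_bssid(SAMPLE_CONF)
    print(new_conf, "left unchanged (no bssid= in file):", skipped)
```

Any RADIUS server that matches on NAS-Identifier needs the new values provisioned before the rewritten file is deployed.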