On Sun, Feb 28, 2016 at 04:54:13PM +0000, Nick Lowe wrote:
> Define and implement nas-identifier-use-bssid config option
> to include the BSSID in the NAS-Identifier attribute value of RADIUS packets.
> This value defaults to 0, maintaining backwards compatibility, and is set to
> the value 1 in the supplied hostapd.conf
>
> This new configuration option works in combination with the
> nas-identifier option.

I don't see enough justification to add additional parameters for
modifying the nas_identifier parameter when that can already be set to
an arbitrary value. IMHO, the correct place to do this is in the
application (or administrator) that generates the hostapd configuration.

Please also note that there is no guarantee that the same BSS will get
the same BSSID every time it is added to hostapd. I would expect there
to be desire for the NAS-Identifier to remain same between AP restarts
and reconfigurations that leave a specific network with the same
configuration while potentially modifying other BSSes in the same AP. As
such, I don't think I would recommend using BSSID as a part of
NAS-Identifier as a general solution for the need to have unique
NAS-Identifier values.

It would make sense to provide more guidance and recommendations on how
the nas_identifier should be set in most cases and something along the
lines of the following text might very well be a good start for such
guidance (obviously modified to talk about the value set in
nas_identifier and not mentioned nas_identifier_use_bssid or
concatenation of strings). Though, with that note about BSSID
potentially changing, it would be good to cover that as well or remove
all comments about BSSID being a good unique part of NAS-Identifier and
just point out that the administrator needs to set a unique value for
each BSS for many RADIUS use cases to work well on the server side.

> Where the nas-identifier is unset, the default in hostapd.conf, the
> BSSID will be used to populate this value in the form
> “00-10-A4-23-19-C0” in all cases, irrespective of the value of
> nas-identifier-use-bssid.
> Omitting the NAS-Identifier in RADIUS packets causes significant
> problems in the RADIUS protocol so this is not allowed to ever occur.
> (Accounting-On and Accounting-Off forms of RADIUS accounting packets
> are allowed to be sent in this case.)
>
> Where the nas-identifier is set and the nas-identifier-use-bssid is
> set to 1, the BSSID will be included in the value used for the
> NAS-Identifier in the form “00-10-A4-23-19-C0:ap.example.com”.
> (Accounting-On and Accounting-Off forms of RADIUS accounting packets
> are allowed to be sent in this case.)
>
> Where the nas-identifier is set and the nas-identifier-use-bssid is
> set to 0, the BSSID will not be included in the value used for the
> NAS-Identifier.
> (Accounting-On and Accounting-Off forms of RADIUS accounting packets
> will not be sent in this case.)
>
> Range checks for nas-identifier now require this string value to be,
> inclusive, between 3 and 104 characters in length.

Where does this 3..104 range come from? The actual implementation used
1..104 (inclusive), but RADIUS attributes would allow longer strings to
be used. When FT is enabled, there is a tighter constraint (48 octets)
since nas_identifier is also used within FT messages.

-- 
Jouni Malinen                                            PGP id EFC895FA
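
Added example, not part of the original message and not hostapd code: a Python lint for a generated hostapd configuration that checks the points raised in the reply above, namely a unique nas_identifier per BSS, the 1..104 length the reply cites, the 48-octet limit when FT is enabled, and BSSID-like values that may not stay stable across restarts. Treating any wpa_key_mgmt entry starting with FT- as "FT enabled", flagging an unset value, the finding labels and the sample configuration are assumptions of this example.

```python
import re

MAC_RE = re.compile(r"(?i)\b[0-9a-f]{2}(?:[-:][0-9a-f]{2}){5}\b")
MAX_LEN, MAX_LEN_FT = 104, 48  # limits quoted in the message above

def parse_bsses(conf_text):
    """Split hostapd.conf text into per-BSS dicts; interface= or bss= opens one."""
    bsses = []
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in ("interface", "bss"):
            bsses.append({"name": value})
        elif bsses:
            bsses[-1][key] = value
    return bsses

def lint_nas_identifiers(conf_text):
    """Return (bss_name, problem) tuples; the problem labels are this example's own."""
    findings, first_owner = [], {}
    for bss in parse_bsses(conf_text):
        name, nas_id = bss["name"], bss.get("nas_identifier", "")
        octets = len(nas_id.encode("utf-8"))
        uses_ft = any(m.startswith("FT-") for m in bss.get("wpa_key_mgmt", "").split())
        if octets == 0:
            findings.append((name, "unset"))
            continue
        if octets > MAX_LEN:
            findings.append((name, "too-long"))
        elif uses_ft and octets > MAX_LEN_FT:
            findings.append((name, "too-long-for-ft"))
        if MAC_RE.search(nas_id):  # BSSID-like value: may change between restarts
            findings.append((name, "embeds-mac"))
        if first_owner.setdefault(nas_id, name) != name:
            findings.append((name, "duplicate"))
    return findings

SAMPLE_CONF = """# Constructed sample configuration, not from the original message.
interface=wlan0
nas_identifier=site1-ap3-corp.example.com
bss=wlan0_1
wpa_key_mgmt=FT-EAP WPA-EAP
nas_identifier=site1-building-7-floor-2-ap3-corp-ft.wlan.example.com
bss=wlan0_2
nas_identifier=00-10-A4-23-19-C0:ap.example.com
bss=wlan0_3
nas_identifier=site1-ap3-corp.example.com
"""
print(lint_nas_identifiers(SAMPLE_CONF))
```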