On Fri, Feb 26, 2016 at 11:08:55AM +0000, Nick Lowe wrote:
> We ought, strongly, to consider making the NAS-Identifier mandatory,
> presently it is not in hostapd which is poor practice.
> While it is not mandatory in the RADIUS RFCs, the presence of this
> attribute is necessary for the proper operation of RADIUS.
> Hostapd should make it mandatory therefore.

I don't want to make an optional RADIUS attribute mandatory in a way where
the implementation enforces this. This would break existing configurations
(and no, I don't want to set the value to BSSID in such case either, taking
into account that BSSID can change and, as far as I've understood RADIUS use
cases, that would not be ideal). I have no issues with documenting this in
hostapd.conf and recommending a unique nas_identifier value to be configured
for all BSSes.

>
> I suggest that we consider changing hostapd.conf to contain something like this:
>
> # Mandatory NAS-Identifier, containing a string base value used to identify

I would not call an optional RADIUS attribute "mandatory", i.e., this should
really be a strong recommendation rather than an incorrect claim of what is
mandatory in the protocol. That "base value" would need to go away as well
unless someone manages to provide convincing justification for a design that
would somehow modify the nas_identifier value before transmitting it.

> # the NAS originating RADIUS packets. This must be unique to the NAS within the
> # scope of a RADIUS server. For example, a fully qualified domain name can be
> # used here appended with the .
> # When using IEEE 802.11r, nas_identifier must be between 1 and 48 octets long.
> nas_identifier=ap.example.com
>
> # Whether to append the BSSID to the NAS-Identifier sent in RADIUS packets.
> # For example, where the nas_identifier base is configured as ap.example.com, a
> # value of the form ap.example.com_00-10-A4-23-19-C0 will be used.
> # Where multiple BSSes are offered by a NAS, each BSS for which RADIUS accounting
> # is occurring must be presented as being an individual NAS for Accounting-On and
> # Accounting-Off to be handled correctly by a RADIUS server.
> nas_identifier_append_bssid=1

And this text for nas_identifier_append_bssid could be worded as an example in
the documentation for nas_identifier. If the BSSID value on the actual
nas_identifier field is set in the configuration, that actually makes it remain
fixed even if the actual BSSID would change due to dynamic BSS changes on the
AP. Anyway, I see no real value in encoding BSSID here, i.e., any other value
that could be claimed to be unique would be as good an example, if not better.
One more thing regarding BSSIDs is that there are quite a few APs out there
that generated locally administered MAC addresses for multi-BSS configurations.
Those are not guaranteed to be unique.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
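A small checker for the recommendation discussed in this thread (a unique nas_identifier per BSS, and the 1..48 octet limit when IEEE 802.11r is in use), added here as an example and not hostapd's own code. It assumes hostapd.conf's key=value layout, where a `bss=<ifname>` line starts a further BSS section and `ieee80211r=1` enables 802.11r; the sample configuration is constructed.

```python
"""Flag BSSes in a hostapd.conf whose nas_identifier is missing, shared or too long.

Added example, not hostapd code. Assumed hostapd.conf conventions: one key=value per
line, lines starting with '#' are comments, and 'bss=<ifname>' opens a new BSS section.
"""
from collections import Counter

FT_MAX_OCTETS = 48  # with IEEE 802.11r, nas_identifier must be 1..48 octets long


def parse_bss_sections(text):
    """Return [(bss_name, {key: value}), ...] in file order; the first entry is the
    primary BSS, named after its 'interface' line."""
    sections, name, conf = [], "default", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "bss":  # a new BSS section begins; close the previous one
            sections.append((name, conf))
            name, conf = value, {}
            continue
        if key == "interface" and not sections:
            name = value
        conf[key] = value
    sections.append((name, conf))
    return sections


def check_nas_identifiers(text):
    """Return a list of findings ('<bss>: <problem>'); an empty list means OK."""
    sections = parse_bss_sections(text)
    seen = Counter(c["nas_identifier"] for _, c in sections if c.get("nas_identifier"))
    findings = []
    for name, conf in sections:
        nas_id = conf.get("nas_identifier")
        if not nas_id:
            findings.append(f"{name}: nas_identifier not set; the RADIUS server cannot tell this BSS apart")
            continue
        if seen[nas_id] > 1:
            findings.append(f"{name}: nas_identifier '{nas_id}' is shared with another BSS")
        octets = len(nas_id.encode("utf-8"))
        if conf.get("ieee80211r") == "1" and not 1 <= octets <= FT_MAX_OCTETS:
            findings.append(f"{name}: nas_identifier is {octets} octets; 802.11r allows 1..{FT_MAX_OCTETS}")
    return findings


# Constructed sample configuration: a duplicate identifier and a BSS with none at all.
SAMPLE_CONF = """interface=wlan0
ssid=corp
nas_identifier=ap1.example.com

bss=wlan0_1
ssid=guest
nas_identifier=ap1.example.com

bss=wlan0_2
ssid=iot
ieee80211r=1
"""
```

Running `check_nas_identifiers(SAMPLE_CONF)` reports the two BSSes sharing `ap1.example.com` and the 802.11r BSS with no identifier.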