Re: Accounting-On and Accounting-Off being sent on a per-BSS basis not per-NAS

On Feb 29, 2016, at 5:04 AM, Jouni Malinen <j@xxxxx> wrote:
> Wouldn't RADIUS server be able to use NAS-IP-Address for the case where
> there is only a single BSS per IP address? Sure, that is a subset of all
> possibilities, but I'd assume this was quite a bit more common case at
> the early days of RADIUS..

  Yes.

  The issue is really what logical unit are we talking about?  i.e. when system X reboots, and N users need to re-auth.  The RADIUS server needs to see an Accounting-On packet for that system.  And that system has to be identified.

  Traditionally, "X" was identical to "NAS".  With the advent of separate network / radio devices, it's not.

> When you say "RADIUS" here, do you really include authentication in
> that? I can see the issue related to Accounting-On/Off for RADIUS
> accounting, but use of NAS-Identifier seems quite a bit less important
> for RADIUS authentication.

  Ideally, the NAS-Identifier / IP / IPv6-Address should be the same across Access-Request and Accounting-Request packets.

  Anything else is a bad idea.  Because it means that the NAS isn't being consistent about which (sub)system the user is accessing.

> A single hostapd process cannot enforce this in cases where multiple
> hostapd processes are used on the same AP device (one hostapd process per
> virtual BSS) and there are such AP designs out there.. That said, I
> think I would be fine with hostapd not sending out Accounting-On/Off for
> a BSS that does not have nas_identifier configured (which you asked in
> another email after this).

  I'd prefer accounting-on/off when a (sub)system reboots, and more than one user has to re-auth.  It's just better.

> It might be fine to filter out "duplicated" Accounting-On/Off messages
> also in cases where the same nas_identifier has been configured for
> multiple BSSes.

  I would document a suggestion that nas-identifier should be unique.

> Though, this is getting somewhat complex and potentially
> confusing since the start and stop times and sequences may be different
> and the Accounting-On and Accounting-Off messages may not actually be
> for the same BSS if BSS0 is started first, BSS1 after it, followed by
> stopping BSS0 and finally BSS1. That could send out Accounting-On with
> BSS0 information and Accounting-Off with BSS1 information. Sure,
> NAS-Identifier would be same, but other information in the messages
> might point to different BSSID and SSID value (Called-Station-Id). This
> might be fine for the case where all BSSes are created at the same time
> (e.g., hostapd process start) and terminated at the same time (e.g.,
> hostapd process end), but it gets problematic with dynamic BSS
> addition/removal.

  Which is why it would be good to treat each BSS as an individual NAS. At least, so far as traditional RADIUS goes.

  Alan DeKok.
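Worked illustration of the BSS0-start, BSS1-start, BSS0-stop, BSS1-stop sequence discussed in the message above, added here as an example; it is not hostapd, FreeRADIUS or any other project's code. It builds real RFC 2866 Accounting-Request packets (Request Authenticator = MD5 over the packet with a zeroed authenticator field plus the shared secret) and shows what a RADIUS server would correlate under two policies: a shared NAS-Identifier with "duplicate" Accounting-On/Off suppressed, versus one NAS-Identifier per BSS. The shared secret, the BSSID:SSID Called-Station-Id values and the suppression rule (skip Accounting-On/Off while another running BSS already carries the same NAS-Identifier) are assumptions constructed for the example.

```python
"""Added example, not hostapd's code: how a RADIUS accounting server sees
Accounting-On/Off from a multi-BSS AP, depending on NAS-Identifier policy."""
import hashlib
import struct

# Attribute and value numbers from RFC 2865 / RFC 2866.
ACCOUNTING_REQUEST = 4
ATTR_CALLED_STATION_ID = 30
ATTR_NAS_IDENTIFIER = 32
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS_ON = 7
ACCT_STATUS_OFF = 8

SECRET = b"testing123"  # constructed shared secret for the example only


def encode_accounting_request(ident, status, nas_identifier, called_station_id):
    """Build an Accounting-Request; Request Authenticator per RFC 2866 section 3."""
    attrs = b"".join(
        struct.pack("!BB", t, 2 + len(v)) + v
        for t, v in (
            (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status)),
            (ATTR_NAS_IDENTIFIER, nas_identifier.encode()),
            (ATTR_CALLED_STATION_ID, called_station_id.encode()),
        )
    )
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + SECRET).digest()
    return header + auth + attrs


def decode_accounting_request(pkt):
    """Verify the Request Authenticator and pull out the attributes we care about."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + SECRET).digest()
    if pkt[4:20] != expected:
        raise ValueError("bad Request Authenticator (wrong shared secret?)")
    attrs, pos = {}, 20
    while pos < len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return {"status": struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0],
            "nas_id": attrs[ATTR_NAS_IDENTIFIER].decode(),
            "called": attrs[ATTR_CALLED_STATION_ID].decode()}


def ap_lifecycle(bss_nas_ids):
    """Packets an AP would emit for: start BSS0, start BSS1, stop BSS0, stop BSS1.
    Assumed dedup rule: Accounting-On/Off is suppressed while another running
    BSS already carries the same NAS-Identifier."""
    bss = {0: ("00-11-22-33-44-00:guest", bss_nas_ids[0]),   # constructed BSSID:SSID
           1: ("00-11-22-33-44-01:staff", bss_nas_ids[1])}
    running, packets, ident = set(), [], 0

    def emit(status, b):
        nonlocal ident
        called, nas_id = bss[b]
        packets.append(encode_accounting_request(ident, status, nas_id, called))
        ident = (ident + 1) & 0xFF

    for action, b in (("start", 0), ("start", 1), ("stop", 0), ("stop", 1)):
        nas_id = bss[b][1]
        others = {bss[x][1] for x in running if x != b}   # NAS-Ids of other live BSSes
        if action == "start":
            if nas_id not in others:
                emit(ACCT_STATUS_ON, b)
            running.add(b)
        else:
            running.discard(b)
            if nas_id not in others:
                emit(ACCT_STATUS_OFF, b)
    return packets


def server_view(packets):
    """Pair each Accounting-Off with the last Accounting-On of the same
    NAS-Identifier; return (nas_id, Called-Station-Id at On, Called-Station-Id at Off)."""
    on_seen, pairs = {}, []
    for p in packets:
        d = decode_accounting_request(p)
        if d["status"] == ACCT_STATUS_ON:
            on_seen[d["nas_id"]] = d["called"]
        elif d["status"] == ACCT_STATUS_OFF:
            pairs.append((d["nas_id"], on_seen.get(d["nas_id"]), d["called"]))
    return pairs


if __name__ == "__main__":
    print("shared NAS-Id :", server_view(ap_lifecycle(("ap1", "ap1"))))
    print("per-BSS NAS-Id:", server_view(ap_lifecycle(("ap1-bss0", "ap1-bss1"))))
```

With the shared identifier the server gets exactly one On/Off pair for "ap1", but the Accounting-On carries BSS0's Called-Station-Id and the Accounting-Off carries BSS1's; with a unique NAS-Identifier per BSS each BSS gets its own matching pair, which is the "treat each BSS as an individual NAS" outcome.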


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap