On Feb 29, 2016, at 5:04 AM, Jouni Malinen <j@xxxxx> wrote:

> Wouldn't RADIUS server be able to use NAS-IP-Address for the case where
> there is only a single BSS per IP address? Sure, that is a subset of all
> possibilities, but I'd assume this was quite a bit more common case at
> the early days of RADIUS..

Yes. The issue is really what logical unit are we talking about? i.e. when system X reboots, and N users need to re-auth. The RADIUS server needs to see an Accounting-On packet for that system. And that system has to be identified.

Traditionally, "X" was identical to "NAS". With the advent of separate network / radio devices, it's not.

> When you say "RADIUS" here, do you really include authentication in
> that? I can see the issue related to Accounting-On/Off for RADIUS
> accounting, but use of NAS-Identifier seems quite a bit less important
> for RADIUS authentication.

Ideally, the NAS-Identifier / IP / IPv6-Address should be the same across Access-Request and Accounting-Request packets. Anything else is a bad idea. Because it means that the NAS isn't being consistent about which (sub)system the user is accessing.

> A single hostapd process cannot enforce this in cases where multiple
> hostapd processes are used on the same AP device (one hostapd process per
> virtual BSS) and there are such AP designs out there.. That said, I
> think I would be fine with hostapd not sending out Accounting-On/Off for
> a BSS that does not have nas_identifier configured (which you asked in
> another email after this).

I'd prefer accounting-on/off when a (sub)system reboots, and more than one user has to re-auth. It's just better.

> It might be fine to filter out "duplicated" Accounting-On/Off messages
> also in cases where the same nas_identifier has been configured for
> multiple BSSes.

I would document a suggestion that nas_identifier should be unique.

> Though, this is getting somewhat complex and potentially
> confusing since the start and stop times and sequences may be different
> and the Accounting-On and Accounting-Off messages may not actually be
> for the same BSS if BSS0 is started first, BSS1 after it, followed by
> stopping BSS0 and finally BSS1. That could send out Accounting-On with
> BSS0 information and Accounting-Off with BSS1 information. Sure,
> NAS-Identifier would be same, but other information in the messages
> might point to different BSSID and SSID value (Called-Station-Id). This
> might be fine for the case where all BSSes are created at the same time
> (e.g., hostapd process start) and terminated at the same time (e.g.,
> hostapd process end), but it gets problematic with dynamic BSS
> addition/removal.

Which is why it would be good to treat each BSS as an individual NAS. At least, so far as traditional RADIUS goes.

Alan DeKok.

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
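The two points argued in this message, that a RADIUS server keys its session state to whatever it takes to be "the NAS", and that the NAS identity must be the same in Access-Request and Accounting-Request for the same client, can be seen concretely in a small server-side model. The following is an added example written for this thread; it is not hostapd code, nor any RADIUS server's code. Packets are plain dicts keyed by RADIUS attribute name, `SessionTable`, `restart_bss0` and `inconsistent_identity` are names chosen here, and every NAS-Identifier, user name and MAC address is constructed. It contrasts two BSSes sharing one NAS-Identifier (one BSS's Accounting-On drops the other BSS's live user) with per-BSS identifiers, and flags a client whose accounting arrives under a different NAS identity than its authentication.

```python
"""Server-side model of how a RADIUS server keys sessions to a NAS.

Added example for this thread; not hostapd or any RADIUS server's code.
Packets are dicts keyed by RADIUS attribute name; all values are constructed.
"""
from collections import defaultdict

# Acct-Status-Type values from RFC 2866.
ACCT_START, ACCT_STOP, ACCT_ON, ACCT_OFF = 1, 2, 7, 8


def nas_key(pkt):
    """The unit the server treats as 'the NAS': NAS-Identifier when the client
    sends one, otherwise the NAS address (which only distinguishes BSSes when
    there is a single BSS per IP address)."""
    return (pkt.get("NAS-Identifier") or pkt.get("NAS-IPv6-Address")
            or pkt.get("NAS-IP-Address"))


class SessionTable:
    """Live sessions per NAS, plus detection of NAS identity drift between
    Access-Request and Accounting-Request for the same client."""

    def __init__(self):
        self.active = defaultdict(dict)   # nas_key -> {Acct-Session-Id: User-Name}
        self.authed_on = {}               # (User-Name, Calling-Station-Id) -> nas_key
        self.mismatches = []              # (User-Name, auth nas_key, acct nas_key)

    def access_request(self, pkt):
        self.authed_on[(pkt["User-Name"], pkt["Calling-Station-Id"])] = nas_key(pkt)

    def accounting_request(self, pkt):
        """Return the users whose sessions this packet terminated."""
        key = nas_key(pkt)
        status = pkt["Acct-Status-Type"]
        if status in (ACCT_ON, ACCT_OFF):
            # The NAS (re)booted or went down: every session keyed to it is gone
            # and those users must re-authenticate.
            return sorted(self.active.pop(key, {}).values())
        client = (pkt["User-Name"], pkt["Calling-Station-Id"])
        if self.authed_on.get(client, key) != key:
            # Authenticated under one NAS identity, accounted under another.
            self.mismatches.append((pkt["User-Name"], self.authed_on[client], key))
        if status == ACCT_START:
            self.active[key][pkt["Acct-Session-Id"]] = pkt["User-Name"]
            return []
        if status == ACCT_STOP:
            gone = self.active[key].pop(pkt["Acct-Session-Id"], None)
            return [gone] if gone else []
        return []


def bss(nas_id, bssid, ssid):
    """Identity attributes one BSS would carry in every RADIUS packet (constructed)."""
    return {"NAS-IP-Address": "192.0.2.10", "NAS-Identifier": nas_id,
            "Called-Station-Id": f"{bssid}:{ssid}"}


def acct(bss_attrs, status, user=None, station=None, session=None):
    """Build a constructed Accounting-Request for the given BSS."""
    pkt = {**bss_attrs, "Acct-Status-Type": status}
    if user:
        pkt.update({"User-Name": user, "Calling-Station-Id": station,
                    "Acct-Session-Id": session})
    return pkt


def restart_bss0(shared_nas_identifier):
    """BSS1 has a live user; the process serving BSS0 restarts and sends
    Accounting-On. Returns (users dropped by the server, users still live)."""
    bss0 = bss("ap1" if shared_nas_identifier else "ap1-bss0", "02-00-00-00-00-00", "guest")
    bss1 = bss("ap1" if shared_nas_identifier else "ap1-bss1", "02-00-00-00-00-01", "staff")
    table = SessionTable()
    table.accounting_request(acct(bss1, ACCT_START, "bob", "02-00-00-00-00-b0", "s1"))
    dropped = table.accounting_request(acct(bss0, ACCT_ON))
    live = sorted(u for sess in table.active.values() for u in sess.values())
    return dropped, live


def inconsistent_identity():
    """Client authenticates under one NAS-Identifier but is accounted under another."""
    table = SessionTable()
    auth_bss = bss("ap1-bss0", "02-00-00-00-00-00", "guest")
    table.access_request({**auth_bss, "User-Name": "alice",
                          "Calling-Station-Id": "02-00-00-00-00-a0"})
    acct_bss = bss("ap1", "02-00-00-00-00-00", "guest")   # same BSS, different NAS-Identifier
    table.accounting_request(acct(acct_bss, ACCT_START, "alice", "02-00-00-00-00-a0", "s2"))
    return table.mismatches


if __name__ == "__main__":
    print("shared NAS-Identifier :", restart_bss0(True))    # bob dropped, BSS1 never restarted
    print("per-BSS NAS-Identifier:", restart_bss0(False))   # bob untouched
    print("identity drift        :", inconsistent_identity())
```

With a shared identifier the server has no way to tell that only BSS0 rebooted, so `bob` on BSS1 is dropped and forced to re-authenticate; with one NAS-Identifier per BSS the Accounting-On clears exactly the sessions of the (sub)system that actually restarted. The `mismatches` list is the server-side check for the Access-Request / Accounting-Request consistency the message asks for.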