Outstanding RADIUS issues: Framed-IP-Address, NAS-Port, NAS-Port-Id

With the recent changes to hostapd, the number of outstanding RADIUS
issues that I have observed is significantly diminished! Hurrah! :-)

I think that we now ought to consider:

1) Ensuring that only DHCP-snooped information is used to populate the
value of the Framed-IP-Address attribute in RADIUS accounting so that
the value accounted with is more reliable and better protected against
spoofing.

2) Implementing an asynchronous Interim-Update when the IP address
becomes known or changes. Otherwise the interval has to be waited out
before the client's address becomes known, which breaks SSO systems
that depend on this value.

For context and to understand why this is necessary, I suggest
referring to the following thread:

https://community.aerohive.com/aerohive/topics/use_the_framed_ip_address_avp_containing_a_clients_ip_address_correctly_in_radius_accounting

Other aspects I think still should be looked at are:

3) Making NAS-Port contain the ifindex rather than the aid, which will
nearly always be 0.
4) Adding support for the NAS-Port-Id attribute and making this
contain the ifname.

Both the NAS-Port and NAS-Port-Id can be sent. This is perfectly legal
and good practice.

-or-

5) Removing the NAS-Port attribute so that it doesn't always contain a
value of 0, and then not adding support for the NAS-Port-Id attribute.

Cheers,

Nick

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
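
Points 1 to 4 of the message above, sketched as an added example that is not hostapd code and not from the original post: an address observation only updates Framed-IP-Address when it came from a DHCP ACK, a change triggers the attributes of an immediate Interim-Update, and NAS-Port / NAS-Port-Id carry the ifindex and ifname. The `sta_session` struct, `ip_source` enum and `on_ip_observed()` are hypothetical names; the RADIUS header, Request Authenticator and the other accounting attributes (such as Acct-Session-Id) are left out.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Attribute numbers and Acct-Status-Type value from RFC 2865/2866/2869. */
enum { NAS_PORT = 5, FRAMED_IP_ADDRESS = 8, ACCT_STATUS_TYPE = 40, NAS_PORT_ID = 87 };
enum { INTERIM_UPDATE = 3 };
enum ip_source { SRC_ARP, SRC_DHCP_ACK }; /* hypothetical: how the address was learned */

struct sta_session {       /* hypothetical per-station accounting state */
    uint32_t framed_ip;    /* network byte order, 0 = not yet known */
    uint32_t ifindex;      /* reported in NAS-Port */
    const char *ifname;    /* reported in NAS-Port-Id */
};

/* Append one type/length/value attribute; the length octet counts all three parts. */
static size_t put_attr(uint8_t *p, uint8_t type, const void *val, size_t len)
{
    p[0] = type;
    p[1] = (uint8_t)(len + 2);
    memcpy(p + 2, val, len);
    return len + 2;
}

/* Fill out with Interim-Update attributes; return their length, 0 = send nothing. */
size_t on_ip_observed(struct sta_session *s, enum ip_source src, uint32_t ip_be,
                      uint8_t *out, size_t cap)
{
    size_t n = 0, namelen = strlen(s->ifname);
    uint32_t status = htonl(INTERIM_UPDATE), port = htonl(s->ifindex);
    if (src != SRC_DHCP_ACK || ip_be == s->framed_ip)
        return 0; /* not DHCP-snooped, or address unchanged */
    if (namelen > 253 || cap < 18 + 2 + namelen)
        return 0; /* attribute value limit exceeded or buffer too small */
    s->framed_ip = ip_be;
    n += put_attr(out + n, ACCT_STATUS_TYPE, &status, 4);
    n += put_attr(out + n, FRAMED_IP_ADDRESS, &ip_be, 4);
    n += put_attr(out + n, NAS_PORT, &port, 4);
    n += put_attr(out + n, NAS_PORT_ID, s->ifname, namelen);
    return n;
}

int main(void)
{
    uint8_t buf[64];
    struct sta_session s = { 0, 7, "wlan0" }; /* constructed sample station */
    printf("%zu\n", on_ip_observed(&s, SRC_DHCP_ACK, htonl(0xC000020A), buf, sizeof buf));
}
```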
