radius accounting log too early??

Jouni Malinen jkmaline at cc.hut.fi
Tue Jun 7 23:06:34 EDT 2005

On Tue, Jun 07, 2005 at 04:47:08PM -0300, Beat Meier wrote:

> I've noticed that the radius accounting start message is generated even
> if the client is NOT authenticated.
> Would it not make much more sense to generate this only if the client is
> successfully authenticated (maybe it would make sense to use one more
> message, Acct-Status-Type = Auth-login (and maybe Auth-fail), and
> if successfully authenticated to use the Acct-Status-Type = Start)?

In what kind of configuration did you see this happening and with which
version of hostapd? The current implementation seems to be delaying the
accounting session start until IEEE 802.1X authentication has been
completed. In case of WPA, this may mean that accounting is started
after association, i.e., before WPA 4-Way Handshake.

I have not seen Auth-login or Auth-fail values defined for
Acct-Status-Type, nor did I find any references to them, so I don't
think they are a usable option for this at the moment.

> BTW: Is there any reason why not to use the IP name or IP address in
> User-Name instead of the MAC, which
> is already in the Calling-Station-Id field?

An access point is mostly a layer 2 device and as such, it does not
really know the IP address of the client. If IEEE 802.1X is used,
User-Name is normally the identity used by the client during EAP
authentication, not the MAC address.

Jouni Malinen                                            PGP id EFC895FA
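
Added example, not part of the original message and not hostapd code: a minimal parser for a RADIUS Accounting-Request that decodes the three attributes discussed in this thread (Acct-Status-Type, User-Name, Calling-Station-Id). The status names are the values defined in RFC 2866; the sample packet, its identity and MAC address are constructed, and the function names are hypothetical.

```python
import struct

# Acct-Status-Type values defined in RFC 2866 (no Auth-login / Auth-fail)
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update",
               7: "Accounting-On", 8: "Accounting-Off"}
USER_NAME, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 31, 40
ACCOUNTING_REQUEST = 4  # RADIUS packet code

def build_accounting_request(ident, attrs):
    """Build a constructed sample packet from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    # Authenticator left zeroed: sample data only, no shared secret involved
    return struct.pack("!BBH16s", ACCOUNTING_REQUEST, ident,
                       20 + len(body), b"") + body

def parse_attributes(packet):
    """Return (code, {attr_type: first value}) with strict length checks."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def summarize(packet):
    code, attrs = parse_attributes(packet)
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    raw = attrs.get(ACCT_STATUS_TYPE)
    status = struct.unpack("!I", raw)[0] if raw and len(raw) == 4 else None
    return {
        "status": ACCT_STATUS.get(status, "undefined (%s)" % status),
        "user_name": attrs.get(USER_NAME, b"").decode("utf-8", "replace"),
        "calling_station_id": attrs.get(CALLING_STATION_ID, b"").decode("ascii", "replace"),
    }

# Constructed sample: User-Name carries the EAP identity, the MAC is separate
SAMPLE = build_accounting_request(1, [
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    (USER_NAME, b"alice@example.org"),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
])
```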

