On 15/03/12 15:33, Gabriel López wrote:
On 15/03/12 15:28, Sam Hartman wrote:
"Alejandro" == Alejandro Perez Mendez<[email protected]> writes:
I think we're in general agreement.
Alejandro> I mean, we are using RADIUS to transport both EAP and
Alejandro> SAML. If the conjunction of a SAML failure and an EAP
Alejandro> success should have the result of denial of access
Alejandro> (because of the failure in the authorization), then an
Alejandro> Access-Reject should be sent. Now, I have to admit that
Alejandro> I don't really know if it is possible to send an
Alejandro> EAP-Success packet within an Access-Reject RADIUS
Alejandro> message. But tricking the EAP stack to force the EAP
Alejandro> method to fail even when the method was actually
Alejandro> successful does not sound very well either. What do you
Alejandro> think?
In this case my preference would be to send no EAP message back at all
but only to send an access-reject possibly with the SAML failure.
I agree
I think that is a reasonable solution.
Regards, Gabi.
--Sam
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab