Ok,
Thanks for that, Alan. I'll have a dig around in the "older" CentOS FreeRADIUS package and double-check that the .illegal dictionaries are disabled and manually update dictionary.ukerna with the new attribute numbers (v3.0.0 will probably have all this fixed, but the CentOS folks who are still on 2.1.12/2.2.0 won't have it - yet).
More documentation fun and games on Tuesday! *rubs hands with glee*
Stefan
-------- Original message --------
Subject: Re: Configurability of the RADIUS request from Moonshot GSS
From: Alan Buxey <[log in to unmask]>
Reply-To: Alan Buxey <[log in to unmask]>
Date: Fri, 24 May 2013 22:17:36 +0100
Hi,
> I was thinking more of an identifier so I don't have to send a SAML assertion to every local RADIUS request (I'm narrowing down when I send the SAML assertion).
moonshot queries will have some extra attibutes present
> Unless of course it's this attribute that I have noticed (which remains the same for every request): X-Ascend-FR-DCE-N393, which appears to be an 'illegal' attribute from Ascend (it's in the .illegal dictionary). I searched for that attribute online and it appears there's a clash between the old Ascend and the new GSS-Acceptor attributes in dictionary.ukerna?
thats a dictionary clash - you shouldnt be using the illegal dictionaries unless you REALLY REALLY
need to - eg you actually have Ascend kit and still use those attributes
> When I search around for these attributes, I find a JISCMail post from Sam mentioning a FR dictionary patch (once a casing issue is resolved). Is that patch mentioned here https://www.jiscmail.ac.uk/cgi-bin/webadmin?A2=MOONSHOT-COMMUNITY;4a29ccef.1209 for dictionary.ukerna?
there is now an official IANA ID for the moonshot stuff:
ATTRIBUTE GSS-Acceptor-Service-Name 164 string
ATTRIBUTE GSS-Acceptor-Host-Name 165 string
ATTRIBUTE GSS-Acceptor-Service-Specifics 166 string
ATTRIBUTE GSS-Acceptor-Realm-Name 167 string
(as that posting noted) - I'll need to dig out the proper IANA doc
> If that is the case, does SAML-AAA-Assertion keep the attribute number it currently has?
I'll double check (and MS-Windows-Auth-Data)
alan
|