Hi Marcel,
On 10/30/2013 08:00 PM, Marcel Poul wrote:
> I attached the logfile... The last line would repeat forever unless I ctrl-c it.
>
> I followed your advice to make fewer and longer SAML-AAA-Assertion values, I also removed other attributes so as to save some bytes:
> http://pastebin.com/Fyafb0vp
>
> It works, I can now send the certificate and the key, but... If the cert or key is longer, I am still in trouble.
>
> Is there a way to send longer certs and keys, or more attributes after the user is authenticated? Ideally set inside of the script. (I originally used my instance of the exec module to run a script in which I set SAML-AAA-Assertion and then call the module inside the post-auth section on freeradius - need to read different certs and keys).
>
We are working in
http://tools.ietf.org/html/draft-ietf-radext-radius-fragmentation-01
Regards, Gabi.
> Regards
> Marcel
>
> On 10/30/2013 05:33 PM, [log in to unmask] wrote:
>>> I came across a problem when trying to send many SAML assertions in
>>> update reply block of post-auth section in a sites-enabled/default.
>>> If it consists of too many SAML-AAA-Assertion += 'something' ,
>>> freeradius is printing in neverending loop (at least it printed several
>>> minutes before I ctrl-c it.):
>>> WARNING: Failed encoding attribute SAML-AAA-Assertion
>>
>> A RADIUS Access-Accept packet is size-limited. It can only accept 4096 bytes. Your SAML assertion alone is 3,685 bytes, which leaves around 400 bytes for other stuff (like other attributes in the packet, headers etc).
>>
>> This might be one of those moments...
>>
>> Can you possibly post a link to a debug log (i.e. running "radius -X" and capturing the output of an authentication request)? This might be something to run past the FreeRADIUS folks too to see whether this error message has something to do with the size.
>>
>> With Regards
>>
>> Stefan
>>
>>
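The size limit discussed in this thread, worked through as an added example that is not part of the original messages or of FreeRADIUS: it splits a payload across attributes and checks the resulting packet against the 4096-byte limit. The function names are hypothetical, and it assumes RFC 2865 encoding (20-byte packet header, one-byte attribute length); `overhead=2` models a plain attribute and `overhead=8` a vendor-specific one, since the thread does not say how SAML-AAA-Assertion is encoded.

```python
RADIUS_MAX_PACKET = 4096  # maximum RADIUS packet length (RFC 2865)
RADIUS_HEADER = 20        # code(1) + identifier(1) + length(2) + authenticator(16)
ATTR_MAX_LEN = 255        # one-byte length field covers attribute header + value


def split_value(data: bytes, overhead: int = 2) -> list:
    """Split data into chunks that each fit into a single attribute."""
    room = ATTR_MAX_LEN - overhead
    return [data[i:i + room] for i in range(0, len(data), room)]


def encoded_size(values, overhead: int = 2) -> int:
    """Bytes the given attribute values occupy once encoded."""
    total = 0
    for value in values:
        if len(value) > ATTR_MAX_LEN - overhead:
            raise ValueError("value of %d bytes does not fit one attribute" % len(value))
        total += overhead + len(value)
    return total


def reply_budget(payload: bytes, other_attr_bytes: int = 0, overhead: int = 2) -> dict:
    """Estimate the reply packet size when payload is sent as repeated attributes.

    other_attr_bytes is the already-encoded size of everything else in the reply.
    """
    chunks = split_value(payload, overhead)
    size = RADIUS_HEADER + other_attr_bytes + encoded_size(chunks, overhead)
    return {
        "chunks": len(chunks),
        "packet_bytes": size,
        "spare": RADIUS_MAX_PACKET - size,
        "fits": size <= RADIUS_MAX_PACKET,
    }


if __name__ == "__main__":
    # Constructed payloads: 3685 bytes is the assertion size quoted in the thread,
    # 4200 bytes stands in for a longer certificate plus key.
    for n in (3685, 4200):
        for overhead in (2, 8):
            print(n, overhead, reply_budget(b"A" * n, overhead=overhead))
```

A negative `spare` means the reply cannot be encoded in one packet, whatever the chunking.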