On 31/10/13 20:54, Stefan Paetow wrote:
>> I attached the logfile... The last line would repeat forever unless I
>> ctrl-c it.
> Ok, I'll run that by the FreeRADIUS folks, because technically I'd expect it to bomb out once, not loop on forever.
>
>> It works, I can now send the certificate and the key, but... If the cert
>> or key is longer, I am still in trouble.
> Yes, that's the problem...
>
>> Is there a way to send longer certs and keys, or more attributes
>> after user is authenticated? Ideally set inside of the script. (I
>> originally used my instance of the exec module to run script in which I
>> set SAML-AAA-Assertion and then call the module inside post-auth section
>> on freeradius - need to read different certs and keys).
> Not off-hand, but if you are talking to a SAML authority, you might be able to get those certificates along a different channel.
>
> But, I believe University of Murcia has proposed RADIUS packet fragmentation, which might resolve this. How far along they are with this, I don't know.
Hi Stefan,
currently we are moving forward a draft in the IETF RADEXT WG
(http://tools.ietf.org/html/draft-ietf-radext-radius-fragmentation-01).
If this specification becomes an RFC, we expect it will be implemented
on FreeRADIUS, as Alan DeKok is also a co-author.
Besides, we developed an internal proof of concept of an earlier version
(draft-perez-radext-radius-fragmentation-04) that we did in
collaboration with Telefonica I+D (which is the rightful owner of it).
Although you must note it is not a production implementation, we could
provide it to you or any other interested party.
Regards,
Alejandro
>
> Stefan
>