Hi, anyway it's a bit proprietary that Radiator ignores the correct identifier in an Access-Reject packet.
The Identifier is also part of RFC2865:

   Identifier

      The Identifier field is one octet, and aids in matching requests and replies. The RADIUS server can detect a duplicate request if it has the same client source IP address and source UDP port and Identifier within a short span of time.

Freeradius has never complained about these Access-Reject packets generated by radsecproxy. Because these packages can be matched by the identifier.

Also there is no doubt that radsecproxy might violate RFC 2865 and Radiator violates RFC5997, it is always not very useful ignoring part of a standard header and insisting on an Ext-Id to match an Access-Reject.

Best wishes
Ralf

On Jul 15, 2013, at 9:35 AM, Karl Gaissmaier <karl.gaissma...@uni-ulm.de> wrote:

> Hello,
>
> On 15.07.2013 09:27, Stefan Winter wrote:
>> Hi,
>>
>>> this may be true for Status-Server but not for the Access-Rejects
>>> generated by the radsecproxy. This has to be corrected by radsecproxy.
>>>
>>> And yes, Radiator AuthRADSEC has to fix the problem with Status-Server.
>>> Both together are incompatible but often used together in eduroam.
>>
>> Yes, the lack of returning Proxy-State when radsecproxy crafts its own
>> Rejects is definitely a problem of radsecproxy; it violates RFC2865,
>> section 5.33:
>>
>> " This Attribute is available to be sent by a proxy server to
>> another server when forwarding an Access-Request and MUST be
>> returned unmodified in the Access-Accept, Access-Reject or
>> Access-Challenge."
>>
>> I've sent a notice to the radsecproxy mailing list, notifying them of
>> the problem. I'm hoping to see a next release with a proper fix.
>
> Thanks, you got the point and saved my day!
>
> Best Regards
> Charly
> --
> Karl Gaissmaier
> Universität Ulm / Germany
>
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

--
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1, D - 10178 Berlin
Tel.: 030 88 42 99 23
Fax: 030 88 42 99 70
http://www.dfn.de
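The two matching rules discussed in this thread (the one-octet Identifier, and Proxy-State returned unmodified per RFC 2865 section 5.33), as an added example that is not part of any poster's message and is not code from Radiator, radsecproxy or FreeRADIUS. The function names, the shared secret and the sample request are constructed for illustration; the Response Authenticator formula is the one from RFC 2865.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_REJECT, PROXY_STATE = 1, 3, 33  # RFC 2865 codes / attribute type

def parse(packet):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs

def response_auth(head, req_auth, body, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(head + req_auth + body + secret).digest()

def build_reject(request, secret, echo_proxy_state=True):
    """Locally generated Access-Reject that reuses the request's Identifier."""
    _, ident, req_auth, attrs = parse(request)
    echoed = [(t, v) for t, v in attrs if t == PROXY_STATE and echo_proxy_state]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in echoed)
    head = struct.pack("!BBH", ACCESS_REJECT, ident, 20 + len(body))
    return head + response_auth(head, req_auth, body, secret) + body

def reply_problems(request, reply, secret):
    """List the ways a reply fails to match the request it answers."""
    _, req_id, req_auth, req_attrs = parse(request)
    _, rep_id, rep_auth, rep_attrs = parse(reply)
    length = struct.unpack("!H", reply[2:4])[0]
    problems = []
    if req_id != rep_id:
        problems.append("Identifier mismatch")
    if [v for t, v in req_attrs if t == PROXY_STATE] != [v for t, v in rep_attrs if t == PROXY_STATE]:
        problems.append("Proxy-State not returned unmodified")
    if not hmac.compare_digest(rep_auth, response_auth(reply[:4], req_auth, reply[20:length], secret)):
        problems.append("bad Response Authenticator")
    return problems

# Constructed sample: Access-Request, Identifier 42, User-Name plus two Proxy-State attributes.
SECRET = b"constructed-secret"
_ATTRS = b"\x01\x06user" + b"\x21\x06hop1" + b"\x21\x06hop2"
REQUEST = struct.pack("!BBH", ACCESS_REQUEST, 42, 20 + len(_ATTRS)) + bytes(16) + _ATTRS
```

`build_reject(REQUEST, SECRET, echo_proxy_state=False)` produces a reject that still carries the right Identifier and a valid authenticator but drops Proxy-State, which `reply_problems` reports as the only defect.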