>>>>> "Alejandro" == Alejandro Perez Mendez <[email protected]> writes:
I think we're in general agreement.
Alejandro> I mean, we are using RADIUS to transport both EAP and
Alejandro> SAML. If the conjunction of a SAML failure and an EAP
Alejandro> success should have the result of denial of access
Alejandro> (because of the failure in the authorization), then an
Alejandro> Access-Reject should be sent. Now, I have to admit that
Alejandro> I don't really know if it is possible to send an
Alejandro> EAP-Success packet within an Access-Reject RADIUS
Alejandro> message. But tricking the EAP stack to force the EAP
Alejandro> method to fail even when the method was actually
Alejandro> successful does not sound very good either. What do you
Alejandro> think?
In this case my preference would be to send no EAP message back at all
but only to send an access-reject possibly with the SAML failure.
--Sam
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab