On 15/03/12 15:28, Sam Hartman wrote:
>>>>>> "Alejandro" == Alejandro Perez Mendez <[email protected]> writes:
>
> I think we're in general agreement.
>
> Alejandro> I mean, we are using RADIUS to transport both EAP and
> Alejandro> SAML. If the conjunction of a SAML failure and an EAP
> Alejandro> success should have the result of denial of access
> Alejandro> (because of the failure in the authorization), then an
> Alejandro> Access-Reject should be sent. Now, I have to admit that
> Alejandro> I don't really know if it is possible to send an
> Alejandro> EAP-Success packet within an Access-Reject RADIUS
> Alejandro> message. But tricking the EAP stack to force the EAP
> Alejandro> method to fail even when the method was actually
> Alejandro> successful does not sound very good either. What do you
> Alejandro> think?
>
>
> In this case my preference would be to send no EAP message back at all
> but only to send an access-reject possibly with the SAML failure.

I agree

Regards, Gabi.

>
> --Sam
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab

--
----------------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: [email protected]
