Hi Alex, hi radiator team,

On 14.07.2013 19:48, Alan Buxey wrote:
> Hi
>
> As an end site you really shouldn't be sending invalid realms to your
> national proxy... but there does seem to be something odd going on here.

I sent it to test this situation. As an eduroam ServiceProvider I don't know if a client is misconfigured. OK, normally I reject top-level realms, like the used '@akad' in my test, but some visitors have for example: [email protected] and this has the same result. As an endpoint SP, I can't filter for all wrong @realms, I don't know them all ,-)

> . their system should be just sending back a straight access reject. If
> radsecproxy doesn't like extended proxy id (or the config doesn't allow
> it ) then that would be an issue

Yes, this is the issue. I don't see the config of the federation-level-radius-proxy and the admins are not very helpful; they state that's a problem with Radiator using extended Ids in the Proxy-State, e.g. they respond with RFC 5997, saying that Status-Server MUST NOT be proxied and therefore the Proxy-State attribute isn't allowed.

> 4.4. Proxy Server Handling of Status-Server
>
> Many RADIUS servers can act as proxy servers, and can forward
> requests to another RADIUS server. Such servers MUST NOT proxy
> Status-Server packets. The purpose of Status-Server as specified
> here is to permit the client to query the responsiveness of a server
> with which it has a direct relationship. Proxying Status-Server
> queries would negate any usefulness that may be gained by
> implementing support for them.
>
> Proxy servers MAY be configured to respond to Status-Server queries
> from clients, and they MAY act as clients sending Status-Server
> queries to other servers. However, those activities MUST be
> independent of one another.

What shall I do? Radiator's AuthBy RADSEC identifiers are always based on Proxy-State. What does the Radiator team say about RFC 5997?

Best Regards
Charly

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
