[RADIATOR] Reply packet too long

Heikki Vatiainen hvn at open.com.au
Wed Sep 14 07:03:32 CDT 2011


On 09/14/2011 02:41 PM, Markus Ludwig Grandpre wrote:

Hello Markus,

> I try to send a SAML assertion as an attribute in an Access-Accept
> packet, but the packet is too long (when using UDP). Is there a possibility
> to distribute the content of the Access-Accept packet over several packets?

Try adding three SAML-AAA-Assertion attributes instead of one. Your
attribute seems to be over 600 characters, which is way more than the
8-bit attribute length field can carry.

The receiver may be able to concatenate the attributes back into one value.

Related to this: where is SAML-AAA-Assertion defined? The closest thing
I was able to find was this:
http://tools.ietf.org/html/draft-ietf-abfab-aaa-saml-01#section-3

Note that this draft also advises how to cope with long attributes. The
advice here is to split and concatenate too.

Thanks!
Heikki

> Radiator configuration:
> -----------------------
> 
> AddToReply SAML-AAA-Assertion = <saml:Assertion
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> IssueInstant="2011-03-19T08:30:00Z" ID="foo"
> Version="2.0"><saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer><saml:AttributeStatement><saml:Attribute
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>cantor.2 at osu.edu</saml:AttributeValue></saml:Attribute><saml:Attribute
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>moonshot</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>
> 
> 
> Radiator log:
> -------------
> 
> Code:       Access-Accept
> Identifier: 14
> Authentic:  ><152><183>`<240>J<203>8F<197><221><198>j<241>cT
> Attributes:
>         User-Name = "user"
>         EAP-Message = <3><7><0><4>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         SAML-AAA-Assertion = "<saml:Assertion
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> IssueInstant="2011-03-19T08:30:00Z" ID="foo"
> Version="2.0"><saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer><saml:AttributeStatement><saml:Attribute
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>test</saml:AttributeValue></saml:Attribute><saml:Attribute
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>test</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>"
>         MS-MPPE-Send-Key =
> <243>6b<18>$<213><187><18>f<28><199><200><205>y_Y<251><248>?6<141><155><192>1=<159><214><222><203><254>;<186>
>         MS-MPPE-Recv-Key =
> <248><28>pg(<249><212>Mu<244><168><5><246><255><1><200><28><182><251><132>^<7>UZ<169>~<8><152>m<185><147><128>
> 
> Error Message (sshd):
> ---------------------
> 
> sshd[28902]: debug1: Unspecified GSS failure.  Minor code may provide
> more information\ninvalid packet: WARNING: Malformed RADIUS packet from
> host (null): attribute 62 data overflows the packet (udp.c:118)\n


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
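
The split-and-concatenate approach Heikki recommends, worked through as an added Python example (this is not Radiator code and not from the draft; it is illustration only). It encodes a long value as a run of RADIUS attributes of at most 253 value octets each, and on the receiving side walks the attribute list with the length check whose failure the quoted sshd log reports, then joins the pieces back in packet order. The attribute type number 62 is taken from that log line and is only a placeholder for whatever the local dictionary assigns; the sample assertion is the one from the quoted configuration, embedded as a constant.

```python
"""Splitting a long RADIUS attribute into several attributes and
concatenating them back on receive.  Added example, not Radiator code."""
import struct
from typing import List, Tuple

ATTR_HEADER_LEN = 2                          # Type octet + Length octet
MAX_ATTR_VALUE_LEN = 255 - ATTR_HEADER_LEN   # Length is 8-bit, so 253 value octets

# Assumption: the dictionary number for SAML-AAA-Assertion.  The sshd error
# quoted in the thread names attribute 62; it is used here only as a placeholder.
SAML_AAA_ASSERTION_TYPE = 62
USER_NAME_TYPE = 1                           # standard RADIUS User-Name

# The assertion from the quoted Radiator configuration, joined onto one line.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'IssueInstant="2011-03-19T08:30:00Z" ID="foo" Version="2.0">'
    '<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>'
    '<saml:AttributeStatement>'
    '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" '
    'Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">'
    '<saml:AttributeValue>cantor.2 at osu.edu</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" '
    'Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">'
    '<saml:AttributeValue>moonshot</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion>'
).encode()

# Constructed bad input: the Length octet claims 200 octets, only 10 follow.
TRUNCATED_PACKET = bytes([SAML_AAA_ASSERTION_TYPE, 200]) + b"0123456789"


def split_attribute(attr_type: int, value: bytes) -> List[bytes]:
    """Encode value as one or more attributes of attr_type, each carrying at
    most 253 octets.  Order matters: RFC 2865 requires attributes of the same
    type to keep their order, which is what makes concatenation well defined."""
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type must fit in one octet")
    if not value:
        raise ValueError("a RADIUS attribute must carry at least one value octet")
    chunks = [value[i:i + MAX_ATTR_VALUE_LEN]
              for i in range(0, len(value), MAX_ATTR_VALUE_LEN)]
    return [struct.pack("!BB", attr_type, ATTR_HEADER_LEN + len(c)) + c
            for c in chunks]


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list.  Every Length is checked against the
    octets that actually remain before any value is sliced, so a header that
    overstates its length is rejected instead of being read past the end."""
    attrs: List[Tuple[int, bytes]] = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < ATTR_HEADER_LEN:
            raise ValueError("truncated attribute header at offset %d" % offset)
        attr_type, length = struct.unpack_from("!BB", blob, offset)
        if length < ATTR_HEADER_LEN:
            raise ValueError("attribute %d has invalid length %d" % (attr_type, length))
        if offset + length > len(blob):
            raise ValueError("attribute %d data overflows the packet" % attr_type)
        attrs.append((attr_type, blob[offset + ATTR_HEADER_LEN:offset + length]))
        offset += length
    return attrs


def reassemble(attrs: List[Tuple[int, bytes]], attr_type: int) -> bytes:
    """Concatenate, in packet order, the values of all attributes of attr_type."""
    return b"".join(v for t, v in attrs if t == attr_type)


def decode_long_attribute(blob: bytes, attr_type: int) -> bytes:
    """Receiver side: parse with length checks, then join the pieces."""
    return reassemble(parse_attributes(blob), attr_type)


def parse_error(blob: bytes) -> str:
    """Return the parser's error message for blob, or '' if it parses cleanly."""
    try:
        parse_attributes(blob)
    except ValueError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    chunks = split_attribute(SAML_AAA_ASSERTION_TYPE, SAMPLE_ASSERTION)
    print(len(SAMPLE_ASSERTION), "octets ->", len(chunks), "attributes")
    packet = split_attribute(USER_NAME_TYPE, b"user")[0] + b"".join(chunks)
    print("round trip ok:",
          decode_long_attribute(packet, SAML_AAA_ASSERTION_TYPE) == SAMPLE_ASSERTION)
    print("bad packet:", parse_error(TRUNCATED_PACKET))
```

Splitting only removes the 253-octet limit on one attribute; the whole reply still has to fit the RADIUS packet maximum of 4096 octets (RFC 2865), and the receiver has to know that consecutive attributes of this type are pieces of one value, which is what the draft Heikki points to spells out.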
