Solved: max length for passing LDAP URL attribute content via Radius Reply-message

danhamil · ‎01-09-2017

I have a customer wanting to use ISE to authenticate their remote-access VPN connections to their head end.

As part of the access-accept message when it is sending radius attributes, they want to send the contents of the LDAP URL attribute to the head end via the Radius reply-message attribute.

The question they have is if there is a max length or number of characters that they can send via the Radius reply-message attribute to the head end?

The contents of the LDAP URL attribute can be quite large, so they want to make sure they do not run into any limitations.

Thanks,

Timothy Abbott · ‎01-11-2017

Hi,

Per the IETF standard, there is no max length. If there is any limitation, I would imagine it would be on the head end side. I recommend testing in a lab environment first to confirm functionality.

Regards,

-Tim

View solution in original post

Timothy Abbott · ‎01-11-2017

Hi,

Per the IETF standard, there is no max length. If there is any limitation, I would imagine it would be on the head end side. I recommend testing in a lab environment first to confirm functionality.

Regards,

-Tim

danhamil · ‎01-11-2017

Thanks Tim.

Customer is currently doing this with another Radius server that we are looking to replace with ISE. So their head end currently supports the large amount of data in their LDAP URL attribute via the radius reply-message. So I wanted to confirm that ISE would not restrict the amount of data being sent in the reply-message.

Thanks for confirming ISE would not place any restrictions on the reply-message length.