[RADIATOR] How to return multiple VSA efficiently

Michael Harlow Michael.Harlow at utas.edu.au
Sun Jan 3 10:51:15 CST 2010


Hi,

I'm trying to add support to my Radiator server to enable "AAA for Management" to my Cisco WCS server.

In a typical Cisco fashion, it's a bit odd. To gain full access to all menus and commands in the WCS software, the AAA server needs to return some VSA if the user is successfully authenticated. For complete access, it needs to return SEVENTY (70) VSA pairs. Yes, 70.

e.g. I need to return the following cisco-av-pairs for complete access.

Wireless-WCS:role0=SuperUsers
Wireless-WCS:task0=Users and Groups
Wireless-WCS:task1=Virtual Domain Management
Wireless-WCS:task2=Audit Trails
Wireless-WCS:task3=TACACS+ Servers
Wireless-WCS:task4=RADIUS Servers
[SNIP]
Wireless-WCS:task65=Report Launch Pad
Wireless-WCS:task66=Run Reports List
Wireless-WCS:task67=Saved Reports List
Wireless-WCS:task68=Report Run History


Cisco say this:
--------------------
The content of the VSA is as follows: 
-Type = 26 (IETF VSA number) 
-Vendor Id = 9 (Cisco vendor ID) 
-Vendor Type = 1 (Custom attributes) 
-Vendor Data = Contains the WCS task information
    (for example Wireless-WCS: task0 = Users and Group) 
Each line from the WCS RADIUS task list should be sent in its own RADIUS VSA. 
--------------------

My questions are:

Can RADIATOR handle putting 70 VSA in an Authentication Reply?

What is the most efficient way of putting it in the configuration? I suspect you can only have one AddToReply in each handler, so I'd need to put the 70 attributes into a single line? With lots of "\" perhaps?

Is there a neater way of doing this? Pull the attributes out of a DB table?

Your advice on this would be appreciated.

Regards,

Michael Harlow.
University of Tasmania.
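
The VSA layout quoted from Cisco above, written out as an added Python example (not part of the original post and not Radiator code): it encodes each line as its own Type 26 / Vendor 9 / Vendor Type 1 attribute and totals the reply against the 4096-byte RADIUS packet limit from RFC 2865. The `PLACEHOLDER` task names stand in for the snipped lines and are constructed, so the real total will differ.

```python
import struct

VSA_TYPE = 26          # IETF Vendor-Specific, per the Cisco text quoted above
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1       # vendor type 1
HEADER_LEN = 20        # RADIUS code, id, length, authenticator (RFC 2865)
MAX_PACKET = 4096      # RFC 2865 maximum packet length

def encode_avpair(value):
    """Wrap one 'Wireless-WCS:...' line in its own Cisco VSA."""
    data = value.encode("ascii")
    vendor_len = 2 + len(data)    # vendor type + vendor length + data
    attr_len = 6 + vendor_len     # type + length + 4-byte vendor id
    if attr_len > 255:            # attribute length is a single octet
        raise ValueError("value too long for one VSA: %r" % value)
    return struct.pack("!BBIBB", VSA_TYPE, attr_len, CISCO_VENDOR_ID,
                       CISCO_AVPAIR, vendor_len) + data

def decode_avpairs(attrs):
    """Walk an attribute blob and return the Cisco av-pair strings in order."""
    out, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2 or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_type == VSA_TYPE and a_len >= 8:
            vendor, v_type, _ = struct.unpack("!IBB", attrs[i + 2:i + 8])
            if vendor == CISCO_VENDOR_ID and v_type == CISCO_AVPAIR:
                out.append(attrs[i + 8:i + a_len].decode("ascii"))
        i += a_len
    return out

# Task names visible in the post; every other index is a constructed stand-in.
SHOWN = {0: "Users and Groups", 1: "Virtual Domain Management", 2: "Audit Trails",
         3: "TACACS+ Servers", 4: "RADIUS Servers", 65: "Report Launch Pad",
         66: "Run Reports List", 67: "Saved Reports List", 68: "Report Run History"}

def build_pairs():
    """role0 plus task0..task68: the 70 pairs the post describes."""
    return ["Wireless-WCS:role0=SuperUsers"] + [
        "Wireless-WCS:task%d=%s" % (n, SHOWN.get(n, "PLACEHOLDER")) for n in range(69)]

def reply_length(pairs):
    """Header plus one VSA per pair, with no other reply attributes."""
    return HEADER_LEN + sum(len(encode_avpair(p)) for p in pairs)

if __name__ == "__main__":
    pairs = build_pairs()
    print(len(pairs), "VSAs,", reply_length(pairs), "of", MAX_PACKET, "bytes")
```

Each VSA costs 8 bytes of framing on top of its string, and any other reply attributes count against the same limit.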



