[RADIATOR] How to return multiple VSA efficiently

Hugh Irvine hugh at open.com.au
Sun Jan 3 16:05:16 CST 2010 

Hello Michael -

The short answer is yes Radiator can handle 70 VSA's.

The longer answer is that you are bounded by the size of a UDP packet in your environment (which in this cas shouldn't be a problem).

The final answer is that it is probably easiest to do this in a file and use an AuthBy FILE, probably in conjunction with what you are already doing.

BTW - this is the "cisco-avpair" attribute as defined in the Radiator dictionary.

regards

Hugh


On 4 Jan 2010, at 03:51, Michael Harlow wrote:

> Hi,
> 
> I'm trying to add support to my Radiator server to enable "AAA for Management" to my Cisco WCS server.
> 
> In a typical Cisco fashion, it's a bit odd. To gain full access to all menus and commands in the WCS software, the AAA server needs to return some VSA if the user is successfully authenticated. For complete access, it needs to return SEVENTY (70) VSA pairs. Yes, 70.
> 
> e.g. I need to return the following cisco-av-pairs for complete access.
> 
> Wireless-WCS:role0=SuperUsers
> Wireless-WCS:task0=Users and Groups
> Wireless-WCS:task1=Virtual Domain Management
> Wireless-WCS:task2=Audit Trails
> Wireless-WCS:task3=TACACS+ Servers
> Wireless-WCS:task4=RADIUS Servers
> [
> SNIP
> ]
> Wireless-WCS:task65=Report Launch Pad
> Wireless-WCS:task66=Run Reports List
> Wireless-WCS:task67=Saved Reports List
> Wireless-WCS:task68=Report Run History
> 
> 
> Cisco say this:
> --------------------
> The content of the VSA is as follows: 
> -Type = 26 (IETF VSA number) 
> -Vendor Id = 9 (Cisco vendor ID) 
> -Vendor Type = 1 (Custom attributes) 
> -Vendor Data = Contains the WCS task information
>    (for example Wireless-WCS: task0 = Users and Group) 
> Each line from the WCS RADIUS task list should be sent in its own RADIUS VSA. 
> --------------------
> 
> My questions are:
> 
> Can RADIATOR handle putting 70 VSA in a Authentication Reply?
> 
> What is the most efficient way of putting it in the configuration? I suspect you can only have one AddToReply in each handler, so I'd need to put the 70 attributes into a single line? With lots of "\" perhaps?
> 
> Is there a neater way of doing this? Pull the attributes out of a DB table?
> 
> Your advice on this would be appreciated.
> 
> Regards,
> 
> Michael Harlow.
> University of Tasmania.
> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

More information about the radiator mailing list