[RADIATOR] AuthAttrDef for multi-value Radius attribute check

Heikki Vatiainen hvn at open.com.au
Wed Sep 18 08:33:06 CDT 2013


On 09/18/2013 02:51 PM, Garry Shtern wrote:

> I was under the impression that RquestOr is already supported if one
> lists values separated by a space. Are you proposing to change the
> separator character to pipe and offering explicit method?

I was thinking of the case below. Here the request has two OSC-AVPAIR
attributes. If you have a check item OSC-AVPAIR=attrname1=value1, it
will match since Radiator currently takes just the first named
attribute. However, if you need to check that
OSC-AVPAIR=attrname2=value2, then it fails since the check is once again
done against the first attribute.

For example, with flat user file syntax, this will match:

  mikem User-Password=fred, OSC-AVPAIR="attrname1=value1"

but this will not match:

  mikem User-Password=fred, OSC-AVPAIR="attrname2=value2"

I think this would be useful for customisation, such as private
attributes added for policy checks, cisco-avpair and other attributes
that may be present multiple times in a request.

Code:       Access-Request
Identifier: 103
Authentic:  P<136><15><223>\|K<30><184>?<30><201><212><20>|4
Attributes:
	User-Name = "mikem"
	Service-Type = Framed-User
	NAS-IP-Address = 203.63.154.1
	NAS-Identifier = "203.63.154.1"
	NAS-Port = 1234
	Called-Station-Id = "123456789"
	Calling-Station-Id = "987654321"
	NAS-Port-Type = Async
	User-Password = ~<152><183><5><253>~+Rc<25>+<137><196>><164>d
	OSC-AVPAIR = "attrname1=value1"
	OSC-AVPAIR = "attrname2=value2"



With pipe you can match a request like this:

Code:       Access-Request
Identifier: 103
Authentic:  P<136><15><223>\|K<30><184>?<30><201><212><20>|4
Attributes:
	User-Name = "mikem"
	Service-Type = Framed-User
	NAS-IP-Address = 203.63.154.1
	NAS-Identifier = "203.63.154.1"
	NAS-Port = 1234
	Called-Station-Id = "123456789"
	Calling-Station-Id = "987654321"
	NAS-Port-Type = Async
	User-Password = ~<152><183><5><253>~+Rc<25>+<137><196>><164>d
	OSC-AVPAIR = "attrname1=value1"

with a user file like this:

  mikem User-Password=fred, OSC-AVPAIR="attrname1=value1|attrname2=value2"

This will allow OSC-AVPAIR to be either attrname1=value1 or attrname2=value2.

If you still think space can be used, please provide an example. I'm
interested to see if I have missed something :)

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
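
A small model of the matching behaviour discussed in this message, added here as an example and not taken from Radiator's source. The function names, the parsing of the dump lines, and the assumption that pipe alternatives are still compared against the first instance only are all hypothetical; `check_any_instance` is not a Radiator feature, it only shows what a check over every instance would return.

```python
import re

# Constructed sample: attribute lines in the style of the request dump above.
SAMPLE_DUMP = '''
	User-Name = "mikem"
	NAS-Port = 1234
	OSC-AVPAIR = "attrname1=value1"
	OSC-AVPAIR = "attrname2=value2"
'''

ATTR_LINE = re.compile(r'^\s*([\w-]+) = "?(.*?)"?\s*$')

def parse_attributes(dump):
    """Return attributes as an ordered list of (name, value); duplicates are kept."""
    attrs = []
    for line in dump.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            attrs.append((m.group(1), m.group(2)))
    return attrs

def values_of(attrs, name):
    """All values carried by the named attribute, in request order."""
    return [v for n, v in attrs if n == name]

def check_first(attrs, name, expected):
    """Behaviour described in the message: only the first instance is compared."""
    vals = values_of(attrs, name)
    return bool(vals) and vals[0] == expected

def check_pipe(attrs, name, expected):
    """Pipe alternatives (assumed): first instance may equal any listed value."""
    vals = values_of(attrs, name)
    return bool(vals) and vals[0] in expected.split("|")

def check_any_instance(attrs, name, expected):
    """Hypothetical multi-value check: any instance may equal any listed value."""
    return any(v in expected.split("|") for v in values_of(attrs, name))
```

With a policy attribute that can appear more than once, a first-instance check makes the result depend on the order in which the NAS or proxy emitted the attributes, which is the failure the two-attribute request above illustrates.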
