[RADIATOR] Additional radius attributes for particular users on shared realm :: how to?!!

Hugh Irvine hugh at open.com.au
Thu Jan 29 15:19:43 CST 2015


Hi -

In that case I would use a separate AuthBy FILE something like this:

…..

<AuthBy FILE>
       Identifier prefixforciscoavpair
       Filename %D/PrefixForCiscoAVPair
</AuthBy>

<Handler Realm=/^(512|1024|2048)\.itc\.net\.sa$/>
       <AuthBy GROUP>
              AuthByPolicy ContinueWhileAccept
              <AuthBy GROUP>
                     AuthByPolicy ContinueWhileReject
                     AuthBy dpool
                     AuthBy flat
                     PostAuthHook file:"%D/FixedIP"
                     PacketTrace
              </AuthBy>
              AuthBy prefixforciscoavpair
       </AuthBy>
</Handler>

…..


The contents of the file PrefixForCiscoAVPair would look something like this:


# PrefixForCiscoAVPair
# Add reply attributes only for certain usernames

DEFAULT User-Name = /^pizza/
       AddToReply cisco-avpair = ip:sub-qos-policy-in=ISP_1024_UpStream,
       cisco-avpair = ip:sub-qos-policy-out=ISP_1024_DownStream,
       cisco-avpair = "lcp:interface-config=description *******> PizzaHut <*******",
       cisco-avpair = "lcp:interface-config=ip vrf forwarding PizzaHut",
       cisco-avpair = "lcp:interface-config=ip unnumbered loopback 99"

DEFAULT Auth-Type = Accept


hope that helps

regards

Hugh




> On 29 Jan 2015, at 23:42, Mohammed Alhaj Ali <m.alhaj at itc.sa> wrote:
> 
> Hi Hugh,
> 
> Thank you for your reply,
> 
> Please note that this user shares one realm with other subscribers, and also maybe other realms start with the same user name; what I need to do is to configure this parameter under the responding realm. Kindly check the realm configuration below and how we can add additional attributes for some subscribers whose accounts start with specific characters.
> 
> 
> I need to include this configuration under the below handler:
> 
> <Handler Realm=/^(512|1024|2048)\.itc\.net\.sa$/>
>        AuthByPolicy ContinueWhileReject
>        AuthBy dpool
>        AuthBy flat
>        PostAuthHook file:"%D/FixedIP"
>        PacketTrace
> </Handler>
> 
> 
> Suppose that the user name is 'pizzahut37 at 1024.itc.net.sa', which shares the same realm; whenever you find 'pizza*' in the user name, just add the other additional attributes to the reply.
> 
> AddToReply cisco-avpair = ip:sub-qos-policy-in=ISP_1024_UpStream, cisco-avpair = ip:sub-qos-policy-out=ISP_1024_DownStream, cisco-avpair = "lcp:interface-config=description *******> PizzaHut <*******", cisco-avpair = "lcp:interface-config=ip vrf forwarding PizzaHut", cisco-avpair = "lcp:interface-config=ip unnumbered loopback 99"
> 
> 
> 
> Thank you!
> 
> 
> Regards,
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Thursday, January 29, 2015 1:25 AM
> To: Mohammed Alhaj Ali
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] Additional radius attributes for particular users on shared realm :: how to?!!
> 
> 
> Hello -
> 
> The answer to this depends on what else you are doing in your configuration file.
> 
> The simplest way to do it is with Handlers (not Realms) like this:
> 
> 
> …….
> 
> <Handler User-Name = /^xyz/>
>        <AuthBy ….>
>                …..
>                AddToReply cisco-avpair = ip:sub-qos-policy-in=ISP_1024_UpStream,
>                        cisco-avpair = ip:sub-qos-policy-out=ISP_1024_DownStream,
>                        cisco-avpair = "lcp:interface-config=description *******> XYZ <*******",
>                        cisco-avpair = "lcp:interface-config=ip vrf forwarding xyz",
>                        cisco-avpair = "lcp:interface-config=ip unnumbered loopback 99",
>                        Framed-MTU = 1492,
>                        Framed-Protocol = PPP,
>                        Service-Type = Framed-User
>        </AuthBy>
> </Handler>
> 
> <Handler>
>        <AuthBy ….>
>                …..
>        </AuthBy>
> </Handler>
> 
> …..
> 
> 
> There are many other possibilities depending on your exact requirements.
> 
> regards
> 
> Hugh
> 
> 
>> On 29 Jan 2015, at 00:32, Mohammed Alhaj Ali <m.alhaj at itc.sa> wrote:
>> 
>> Hi,
>> 
>> I'm asking how to use AddToReply to add additional radius attributes
>> for particular users on a shared realm. For example, if I have a user name starting with 'xyz', then reply with additional radius attributes to the requesting NAS. We already have this configuration on Cisco AAA (CAR), and now we are trying to migrate to Radiator. The script below was applied on CAR; please let me know how to translate this to a Radiator configuration file.
>> 
>> 
>> (tcl script)...
>> if { [ string match "xyz*" $userName ] } {
>>                    $response addProfile "PPPoEProfile-XYZ-$realm"
>> 
>> } else {
>>                    $response addProfile "PPPoEProfile-$realm"
>> }
>> 
>> Attribute profile for any user start with 'xyz'
>> 
>> --> ls
>> 
>> [ //localhost/Radius/Profiles/PPPoEProfile-XYZ-1024.example.com/Attributes ]
>>   Cisco-AVPair = ip:sub-qos-policy-in=ISP_1024_UpStream
>>   Cisco-AVPair = ip:sub-qos-policy-out=ISP_1024_DownStream
>>   Cisco-AVPair = "lcp:interface-config=description *******> XYZ <*******"
>>   Cisco-AVPair = "lcp:interface-config=ip vrf forwarding xyz"
>>   Cisco-AVPair = "lcp:interface-config=ip unnumbered loopback 99"
>>   Framed-MTU = 1492
>>   Framed-Protocol = PPP
>>   Service-Type = Framed
>> 
>> 
>> 
>> 
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
> 
> 
> --
> 
> Hugh Irvine
> hugh at open.com.au
> 
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER, SIM, etc.
> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
> 


--

Hugh Irvine
hugh at open.com.au
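
The nesting in the Handler above matters because the PrefixForCiscoAVPair file ends with `DEFAULT Auth-Type = Accept` and never checks a password. The following is an added illustration, not part of the original message and not Radiator code: a simplified Python model of the two AuthBy GROUP policies (only Accept and Reject results, no PostAuthHook), with constructed credentials standing in for dpool and flat.

```python
import re

ACCEPT, REJECT = "ACCEPT", "REJECT"

# Constructed sample credentials; on the page dpool and flat are AuthBy
# clauses defined elsewhere, so their contents here are assumptions.
DPOOL = {"pizzahut37@1024.itc.net.sa": "s3cret"}
FLAT = {"alice@512.itc.net.sa": "hunter2"}

PIZZA_REPLY = [
    "ip:sub-qos-policy-in=ISP_1024_UpStream",
    "ip:sub-qos-policy-out=ISP_1024_DownStream",
    "lcp:interface-config=description *******> PizzaHut <*******",
    "lcp:interface-config=ip vrf forwarding PizzaHut",
    "lcp:interface-config=ip unnumbered loopback 99",
]

def store(db):
    """Leaf AuthBy that checks a password and adds no reply attributes."""
    return lambda user, pw, reply: ACCEPT if db.get(user) == pw else REJECT

def prefix_file(user, pw, reply):
    """Models PrefixForCiscoAVPair: it never looks at the password."""
    if re.match(r"^pizza", user):          # DEFAULT User-Name = /^pizza/
        reply.extend(PIZZA_REPLY)
    return ACCEPT                          # DEFAULT Auth-Type = Accept

def group(policy, members):
    """AuthBy GROUP: run members in order; the result is the last one run."""
    keep_going = {"ContinueWhileAccept": lambda r: r == ACCEPT,
                  "ContinueWhileReject": lambda r: r == REJECT}[policy]
    def run(user, pw, reply):
        result = REJECT
        for member in members:
            result = member(user, pw, reply)
            if not keep_going(result):
                break
        return result
    return run

def authenticate(user, pw, outer_policy="ContinueWhileAccept"):
    """Evaluate the Handler: inner group (dpool, flat), then the prefix file."""
    inner = group("ContinueWhileReject", [store(DPOOL), store(FLAT)])
    reply = []
    result = group(outer_policy, [inner, prefix_file])(user, pw, reply)
    return result, (reply if result == ACCEPT else [])
```

With the outer `ContinueWhileAccept`, the file is consulted only after dpool or flat has accepted; calling `authenticate(..., outer_policy="ContinueWhileReject")` models appending `AuthBy prefixforciscoavpair` to the original flat Handler, where a wrong password is accepted by the file's final DEFAULT entry.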



