[RADIATOR] matching based on one value of an attribute multiple times in request

Tuure Vartiainen vartiait at open.com.au
Thu Jul 13 12:19:28 UTC 2017


> On 13 Jul 2017, at 13.59, Hartmaier Alexander <alexander.hartmaier at t-systems.at> wrote:
> I'm trying to build a solution to authorize users to log into devices
> based on their group membership in our NMS.
> We use ClientListSQL to generate the Client config blocks and I've used
> the OSC-Authorize-Group attribute for add the group id's to the request
> attributes like:
> OSC-Authorize-Group-123,OSC-Authorize-Group=456

should the line above be "OSC-Authorize-Group=123,OSC-Authorize-Group=456"?

So OSC-Authorize-Group attributes define group ids which are allowed to login 
to that device?

> A Handler for example matches on OSC-Authorize-Group=123, which works as
> long as the device is only member of this single group but not if in
> multiple like in the above example.

How is mapping to user groups done within a handler?

One option could be DynamicCheck which can be used for implementing a group check?


> I haven't found an example how to match on the value of an attribute
> which occurs multiple times in the authentication request, is it possible?

Unfortunately not currently. I created a feature request for this.

> A workaround would be to make ClientListSQL add
> OSC-Authorize-Group=123,456 to the request and matching the value with a
> regex, which would be quite complicated but handle all cases without
> e.g. allowing access to a device in group 1234 when only 123 should be
> allowed.

Check items do allow also alternative values if it helps.

Specify multiple permitted values, separated by vertical bars (‘|’). 
The check item will pass if at least one of the permitted values is an exact match.


Calling-Station-Id = 121284|122882


Tuure Vartiainen <vartiait at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list