[RADIATOR] matching based on one value of an attribute multiple times in request

Tuure Vartiainen vartiait at open.com.au
Thu Jul 13 12:19:28 UTC 2017


Hi,

> On 13 Jul 2017, at 13.59, Hartmaier Alexander <alexander.hartmaier at t-systems.at> wrote:
> 
> I'm trying to build a solution to authorize users to log into devices
> based on their group membership in our NMS.
> 
> We use ClientListSQL to generate the Client config blocks and I've used
> the OSC-Authorize-Group attribute to add the group ids to the request
> attributes like:
> 
> OSC-Authorize-Group-123,OSC-Authorize-Group=456
> 

should the line above be "OSC-Authorize-Group=123,OSC-Authorize-Group=456"?

So OSC-Authorize-Group attributes define group ids which are allowed to login 
to that device?

> A Handler for example matches on OSC-Authorize-Group=123, which works as
> long as the device is only member of this single group but not if in
> multiple like in the above example.
> 

How is mapping to user groups done within a handler?

One option could be DynamicCheck which can be used for implementing a group check?

http://www.open.com.au/radiator/ref/DynamicCheck.html#DynamicCheck

> I haven't found an example how to match on the value of an attribute
> which occurs multiple times in the authentication request, is it possible?
> 

Unfortunately not currently. I created a feature request for this.

> A workaround would be to make ClientListSQL add
> OSC-Authorize-Group=123,456 to the request and matching the value with a
> regex, which would be quite complicated but handle all cases without
> e.g. allowing access to a device in group 1234 when only 123 should be
> allowed.
> 

Check items also allow alternative values, if that helps.

Specify multiple permitted values, separated by vertical bars (‘|’). 
The check item will pass if at least one of the permitted values is an exact match.

E.g.

Calling-Station-Id = 121284|122882

http://www.open.com.au/radiator/ref/OtherAttributes.html#OtherAttributes


BR
-- 
Tuure Vartiainen <vartiait at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
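The two matching strategies discussed in the thread, as an added illustration that is not Radiator code and not part of the original messages: the check-item semantics quoted from the Radiator docs (values separated by "|", pass only on an exact match), extended here to test every occurrence of a repeated attribute, beside the comma-joined workaround with a naive substring regex and with an anchored one. The request representation (a list of attribute/value pairs) and the group ids are assumptions made up for the example.

```python
import re
from typing import List, Tuple

# Assumption for this illustration: a RADIUS request is modelled as an
# ordered list of (attribute, value) pairs, so the same attribute can
# appear several times, as OSC-Authorize-Group does in the thread.
Request = List[Tuple[str, str]]

GROUP_ATTR = "OSC-Authorize-Group"

# Constructed sample requests (group ids are made up).
REQ_MULTI: Request = [          # attribute repeated once per group
    ("User-Name", "alex"),
    (GROUP_ATTR, "123"),
    (GROUP_ATTR, "456"),
]
REQ_JOINED: Request = [         # the ClientListSQL workaround: one joined value
    ("User-Name", "alex"),
    (GROUP_ATTR, "123,456"),
]
REQ_NEAR_MISS: Request = [      # device in group 1234, not 123
    ("User-Name", "alex"),
    (GROUP_ATTR, "1234"),
]


def values_of(req: Request, name: str) -> List[str]:
    """All values carried by attribute `name`, in request order."""
    return [v for n, v in req if n == name]


def check_alternatives(req: Request, name: str, permitted: str) -> bool:
    """Check-item semantics from the Radiator docs: `permitted` is a list of
    values separated by '|' and the check passes if at least one of them is an
    exact match. Extended here (assumption) to look at every occurrence of the
    attribute instead of only the first one."""
    allowed = set(permitted.split("|"))
    return any(v in allowed for v in values_of(req, name))


def check_joined_naive(req: Request, name: str, group: str) -> bool:
    """Unanchored substring regex over the joined value: the pitfall named in
    the thread, since '123' also matches '1234'."""
    pat = re.compile(re.escape(group))
    return any(pat.search(v) for v in values_of(req, name))


def check_joined_anchored(req: Request, name: str, group: str) -> bool:
    """Regex that only matches a whole comma-separated field: the group id must
    be preceded by start-of-string or a comma and followed by a comma or end."""
    pat = re.compile(r"(?:^|,)" + re.escape(group) + r"(?:,|$)")
    return any(pat.search(v) for v in values_of(req, name))


def check_joined_exact(req: Request, name: str, group: str) -> bool:
    """Same decision as the anchored regex, without a regex: split on commas
    and compare each field exactly."""
    return any(group in v.split(",") for v in values_of(req, name))


if __name__ == "__main__":
    for label, req in (("multi", REQ_MULTI), ("joined", REQ_JOINED),
                       ("near-miss", REQ_NEAR_MISS)):
        print(label,
              "alternatives:", check_alternatives(req, GROUP_ATTR, "123|789"),
              "naive:", check_joined_naive(req, GROUP_ATTR, "123"),
              "anchored:", check_joined_anchored(req, GROUP_ATTR, "123"),
              "exact:", check_joined_exact(req, GROUP_ATTR, "123"))
```

Run on the three constructed requests, the exact-match check accepts the repeated-attribute form but rejects the joined value "123,456" for group 123 (that is why the workaround needs a regex), the naive regex wrongly accepts the device in group 1234, and the anchored regex and the split-and-compare check agree on every case.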


