[RADIATOR] matching based on one value of an attribute multiple times in request

Hartmaier Alexander alexander.hartmaier at t-systems.at
Thu Jul 13 12:56:59 UTC 2017


On 2017-07-13 14:19, Tuure Vartiainen wrote:
> Hi,
>> On 13 Jul 2017, at 13.59, Hartmaier Alexander <alexander.hartmaier at t-systems.at> wrote:
>> I'm trying to build a solution to authorize users to log into devices
>> based on their group membership in our NMS.
>> We use ClientListSQL to generate the Client config blocks and I've used
>> the OSC-Authorize-Group attribute to add the group ids to the request
>> attributes like:
>> OSC-Authorize-Group-123,OSC-Authorize-Group=456
> should the line above be "OSC-Authorize-Group=123,OSC-Authorize-Group=456"?
Yes, sorry for the typo!
> So OSC-Authorize-Group attributes define group ids which are allowed to login
> to that device?
It's added metadata for the request which includes all groups the device
is member of.
>> A Handler for example matches on OSC-Authorize-Group=123, which works as
>> long as the device is only member of this single group but not if in
>> multiple like in the above example.
> How is mapping to user groups done within a handler?
> One option could be DynamicCheck which can be used for implementing a group check?
> http://www.open.com.au/radiator/ref/DynamicCheck.html#DynamicCheck
One handler per group, the AuthBy SQL only includes users authorized for
that group of devices.
The goal is to allow everybody in our team to modify the group
membership through our NMS without any knowledge of Radiator or config
change there.

<Handler Client-Identifier=radius-proxy-1, OSC-Authorize-Group=123>

>> I haven't found an example how to match on the value of an attribute
>> which occurs multiple times in the authentication request, is it possible?
> Unfortunately not currently. I created a feature request for this.
Thanks! Any idea how long that might take to implement?
>> A workaround would be to make ClientListSQL add
>> OSC-Authorize-Group=123,456 to the request and matching the value with a
>> regex, which would be quite complicated but handle all cases without
>> e.g. allowing access to a device in group 1234 when only 123 should be
>> allowed.
> Check items also allow alternative values, if that helps.
> Specify multiple permitted values, separated by vertical bars (‘|’).
> The check item will pass if at least one of the permitted values is an exact match.
> E.g.
> Calling-Station-Id = 121284|122882
> http://www.open.com.au/radiator/ref/OtherAttributes.html#OtherAttributes
I know, thanks, but I need the opposite: to match the request on one value
of a request attribute that occurs multiple times.
> BR
Cheers, Alex

T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
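The regex workaround discussed above, as an added illustration that is not part of the thread or of Radiator itself: it assumes, as in the proposed workaround, that ClientListSQL adds the groups as one comma-separated string (OSC-Authorize-Group=123,456), and shows why the pattern must be anchored to the separators so that group 123 does not match a device in group 1234. The Radiator check-item line in the comment is an assumed form of the pattern, not configuration from the thread.

```python
import re

# Constructed sample value: what the workaround would place in the request
# as a single OSC-Authorize-Group string (assumption, not from the thread).
SAMPLE_GROUPS = "123,456"


def naive_match(groups: str, group_id: str) -> bool:
    """Unanchored substring regex.

    This is the over-permissive check the thread warns about: '123' is found
    inside '1234', so a device in group 1234 would be authorised for group 123.
    """
    return re.search(re.escape(group_id), groups) is not None


def anchored_match(groups: str, group_id: str) -> bool:
    """Regex anchored to the list separators.

    The group id must be preceded by start-of-string or a comma and followed
    by a comma or end-of-string, so only a whole list element matches.
    A Radiator check item expressing the same idea would look like
        OSC-Authorize-Group = /(^|,)123(,|$)/
    (assumed syntax for illustration, not taken from the thread).
    """
    pattern = r"(?:^|,)" + re.escape(group_id) + r"(?:,|$)"
    return re.search(pattern, groups) is not None


def token_match(groups: str, group_id: str) -> bool:
    """Regex-free alternative: split on commas and compare whole tokens.

    Equivalent in effect to anchored_match and easier to audit; whitespace
    around ids is tolerated, empty tokens are ignored.
    """
    tokens = {g.strip() for g in groups.split(",") if g.strip()}
    return group_id in tokens


def compare_checks(groups: str, group_id: str) -> dict:
    """Run all three checks on one request value so the difference is visible."""
    return {
        "naive": naive_match(groups, group_id),
        "anchored": anchored_match(groups, group_id),
        "token": token_match(groups, group_id),
    }


if __name__ == "__main__":
    # Constructed request values: the second one is the 1234-vs-123 pitfall.
    for value in (SAMPLE_GROUPS, "1234,456", "456,123", ""):
        print(f"{value!r:>12} group 123 -> {compare_checks(value, '123')}")
```

The naive check is the only one that reports a match for "1234,456"; the anchored regex and the token comparison agree on every input, so either is a safe way to express the per-group Handler match once the attribute is delivered as one comma-separated value.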
