[RADIATOR] matching based on one value of an attribute multiple times in request

Thu Jul 13 13:05:59 UTC 2017

Hello,

Just throwing out an idea -

You could do a pre handler hook that combines all incoming OSC-Authorize-Group values into a single value sorted so you know how they will appear to the handler.
I'm not a fan of hooks but in this case it might be a working workaround :)

Regards,
Patrik Forsberg

> -----Original Message-----
> From: radiator [mailto:radiator-bounces at lists.open.com.au] On Behalf Of
> Hartmaier Alexander
> Sent: den 13 juli 2017 14:57
> To: radiator at lists.open.com.au
> Subject: Re: [RADIATOR] matching based on one value of an attribute
> multiple times in request
> 
> Hi,
> 
> 
> On 2017-07-13 14:19, Tuure Vartiainen wrote:
> > Hi,
> >
> >> On 13 Jul 2017, at 13.59, Hartmaier Alexander <alexander.hartmaier at t-
> systems.at> wrote:
> >>
> >> I'm trying to build a solution to authorize users to log into devices
> >> based on their group membership in our NMS.
> >>
> >> We use ClientListSQL to generate the Client config blocks and I've used
> >> the OSC-Authorize-Group attribute for add the group id's to the request
> >> attributes like:
> >>
> >> OSC-Authorize-Group-123,OSC-Authorize-Group=456
> >>
> > should the line above be "OSC-Authorize-Group=123,OSC-Authorize-
> Group=456"?
> Yes, sorry for the typo!
> >
> > So OSC-Authorize-Group attributes define group ids which are allowed to
> login
> > to that device?
> It's added metadata for the request which includes all groups the device
> is member of.
> >
> >> A Handler for example matches on OSC-Authorize-Group=123, which
> works as
> >> long as the device is only member of this single group but not if in
> >> multiple like in the above example.
> >>
> > How is mapping to user groups done within a handler?
> >
> > One option could be DynamicCheck which can be used for implementing a
> group check?
> >
> >
> http://www.open.com.au/radiator/ref/DynamicCheck.html#DynamicCheck
> One handler per group, the AuthBy SQL only includes users authorized for
> that group of devices.
> The goal is to allow everybody in our team to modify the group
> membership through our NMS without any knowledge of Radiator or config
> change there.
> 
> <Handler Client-Identifier=radius-proxy-1, OSC-Authorize-Group=123>
> 
> >
> >> I haven't found an example how to match on the value of an attribute
> >> which occurs multiple times in the authentication request, is it possible?
> >>
> > Unfortunately not currently. I created a feature request for this.
> Thanks! Any idea how long that might take to implement?
> >
> >> A workaround would be to make ClientListSQL add
> >> OSC-Authorize-Group=123,456 to the request and matching the value
> with a
> >> regex, which would be quite complicated but handle all cases without
> >> e.g. allowing access to a device in group 1234 when only 123 should be
> >> allowed.
> >>
> > Check items do allow also alternative values if it helps.
> >
> > Specify multiple permitted values, separated by vertical bars (‘|’).
> > The check item will pass if at least one of the permitted values is an exact
> match.
> >
> > E.g.
> >
> > Calling-Station-Id = 121284|122882
> >
> >
> http://www.open.com.au/radiator/ref/OtherAttributes.html#OtherAttribut
> es
> I know, thanks, but I need the opposite, match the request if one value
> of a request attribute occurring multiple times.
> >
> >
> > BR
> Cheers, Alex
> 
> 
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> "*"*"*"*"*
> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
> Handelsgericht Wien, FN 79340b
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> "*"*"*"*"*
> Notice: This e-mail contains information that is confidential and may be
> privileged.
> If you are not the intended recipient, please notify the sender and then
> delete this e-mail immediately.
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> "*"*"*"*"*
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> http://lists.open.com.au/mailman/listinfo/radiator