[RADIATOR] Multiple Users in a Flat File

Tuure Vartiainen vartiait at open.com.au
Wed Jan 31 08:45:29 UTC 2018


Hi,

> On 17 Jan 2018, at 1.00, Johnson, Neil M <neil-johnson at uiowa.edu> wrote:
> 
> The problem is I have 16 different types of equipment that require different RADIUS attribute values returned, depending on the user.
> 
> i.e A user may get read-only access to equipment type A, but need full-access to equipment type B.
> 
> Am I going to have to setup 16 different handlers, and 16 different flat files?
> 
> Any suggestions on a better way to do that? 
> 

One solution could be to use AuthBy SQL with an SQLite database file to select 
and return the wanted attributes.

E.g.

# Assume that users have been already authenticated by some previous AuthBy
# Return per user/device reply attributes
<AuthBy SQL>
    Identifier AuthBy-SQL-Local-SQLite

    # Do not authenticate users anymore
    NoCheckPassword

    # Ignore accounting
    IgnoreAccounting

    # SQLite db file location
    DBSource dbi:SQLite:dbname=/etc/radiator/reply_items.db

    # SQL select query to get reply attributes based on the <Client> stanza's Identifier and User-Name
    # REPLYATTRS column contains a list of reply attributes separated by a comma
    # E.g. Attribute1=100,Attribute2="some value",...
    # %0 is the quoted User-Name; %{Client:Identifier} is substituted as-is, so it needs SQL quotes
    AuthSelect select REPLYATTRS from USERS where CLIENT_ID='%{Client:Identifier}' and USERNAME=%0
    AuthColumnDef 0, GENERIC, reply
</AuthBy>


Example SQLite schema

create table USERS (
    CLIENT_ID    varchar(50),
    USERNAME     varchar(50),
    REPLYATTRS   varchar(200)
);

create index idx_client_id_username on USERS (CLIENT_ID, USERNAME);

-- example user mikem
insert into USERS (
    CLIENT_ID,
    USERNAME,
    REPLYATTRS
) values (
    'Cisco-routers',
    'mikem',
    'cisco-avpair= "shell:priv-lvl=15"'
);


Group memberships could be implemented by having multiple tables and joining them in AuthSelect query.


BR
-- 
Tuure Vartiainen <vartiait at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
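As an added illustration (not part of the mailing-list post or of Radiator itself), the following Python script builds the schema from the mail in an in-memory SQLite database, runs the AuthSelect lookup as a parameterised query keyed on client identifier plus user name, and parses the REPLYATTRS column into attribute/value pairs. The GROUPS and GROUP_MEMBERS tables, the `parse_generic` parser (an approximation of the comma-separated GENERIC format described in the mail, not Radiator's own parser) and all sample rows are constructed assumptions; they extend the mail's single-table case to the group-membership join it mentions.

```python
import sqlite3

# Constructed sample data (not from the mailing-list post): USERS mirrors the
# schema in the mail; GROUPS and GROUP_MEMBERS are hypothetical tables added
# to show the "multiple tables joined in AuthSelect" idea.
SCHEMA = """
create table USERS (CLIENT_ID varchar(50), USERNAME varchar(50), REPLYATTRS varchar(200));
create index idx_client_id_username on USERS (CLIENT_ID, USERNAME);
create table GROUPS (CLIENT_ID varchar(50), GROUPNAME varchar(50), REPLYATTRS varchar(200));
create table GROUP_MEMBERS (USERNAME varchar(50), GROUPNAME varchar(50));
"""

# Same user, two equipment types, two different privilege levels.
USERS_ROWS = [
    ("Cisco-routers", "mikem", 'cisco-avpair="shell:priv-lvl=15"'),
    ("Cisco-switches", "mikem",
     'cisco-avpair="shell:priv-lvl=1",Reply-Message="read-only, see helpdesk"'),
]
GROUPS_ROWS = [
    ("Cisco-routers", "netops", 'cisco-avpair="shell:priv-lvl=15"'),
    ("Cisco-routers", "helpdesk", 'cisco-avpair="shell:priv-lvl=1"'),
]
MEMBER_ROWS = [("alice", "helpdesk"), ("bob", "netops")]


def build_db():
    """Create an in-memory SQLite database with the schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("insert into USERS values (?, ?, ?)", USERS_ROWS)
    conn.executemany("insert into GROUPS values (?, ?, ?)", GROUPS_ROWS)
    conn.executemany("insert into GROUP_MEMBERS values (?, ?)", MEMBER_ROWS)
    return conn


CONN = build_db()


def parse_generic(reply_attrs):
    """Split 'Attr=value,Attr2="quoted, value"' into (name, value) pairs.
    Quoted values may contain commas and '=' (as in shell:priv-lvl=15).
    Assumption: this approximates the format described in the mail."""
    pairs = []
    s, i, n = reply_attrs, 0, len(reply_attrs)
    while i < n:
        eq = s.find("=", i)
        if eq < 0:
            raise ValueError("missing '=' in %r" % s[i:])
        name = s[i:eq].strip()
        j = eq + 1
        while j < n and s[j] == " ":          # tolerate 'attr= "value"'
            j += 1
        if j < n and s[j] == '"':             # quoted value: scan to closing quote
            end = s.find('"', j + 1)
            if end < 0:
                raise ValueError("unterminated quote in %r" % s)
            value = s[j + 1:end]
            j = end + 1
        else:                                 # bare value: up to the next comma
            end = s.find(",", j)
            if end < 0:
                end = n
            value = s[j:end].strip()
            j = end
        pairs.append((name, value))
        while j < n and s[j] in ", ":         # skip separator
            j += 1
        i = j
    return pairs


def reply_attributes(client_id, username, conn=CONN):
    """The mail's AuthSelect as a parameterised query: one row per
    (client identifier, user), so the same user gets different attributes
    on different equipment types. None means no reply items for this user."""
    row = conn.execute(
        "select REPLYATTRS from USERS where CLIENT_ID = ? and USERNAME = ?",
        (client_id, username)).fetchone()
    return None if row is None else parse_generic(row[0])


def reply_attributes_with_groups(client_id, username, conn=CONN):
    """Per-user row first; otherwise fall back to the user's group for that
    client via a join over the hypothetical GROUPS/GROUP_MEMBERS tables."""
    direct = reply_attributes(client_id, username, conn)
    if direct is not None:
        return direct
    row = conn.execute(
        "select G.REPLYATTRS from GROUPS G join GROUP_MEMBERS M "
        "on G.GROUPNAME = M.GROUPNAME "
        "where G.CLIENT_ID = ? and M.USERNAME = ?",
        (client_id, username)).fetchone()
    return None if row is None else parse_generic(row[0])
```

The script uses bind parameters, whereas Radiator builds the AuthSelect text by macro substitution, so in the real configuration string values such as `%{Client:Identifier}` carry their own SQL quotes in the query; `%0` is already supplied quoted. Keying the lookup on both the Client Identifier and the user name is what lets one database row grant mikem privilege level 15 on one equipment type and a read-only level on another without a separate Handler and flat file per device type.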
