Ah, I was a bit confused. That makes sense now. This begs a necessity for a method that retrieves all groups a user belongs to into a multi-value attribute that is checked against with %{RequestOr:<attribute>}="Group1|Group2". At least for LDAP.
Thanks.

-----Original Message-----
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
Sent: Wednesday, September 18, 2013 9:33 AM
To: 'radiator@open.com.au'
Subject: Re: [RADIATOR] AuthAttrDef for multi-value Radius attribute check

On 09/18/2013 02:51 PM, Garry Shtern wrote:

> I was under the impression that RequestOr is already supported if one
> lists values separated by a space. Are you proposing to change the
> separator character to pipe and offering explicit method?

I was thinking the case below. Here the request has two OSC-AVPAIR
attributes. If you have a check item OSC-AVPAIR=attrname1=value1, it
will match since Radiator currently takes just the first named
attribute. However, if you need to check that
OSC-AVPAIR=attrname2=value2, then it fails since the check is once again
done against the first attribute.

For example, with flat user file syntax, this will match:

mikem   User-Password=fred, OSC-AVPAIR="attrname1=value1"

but this will not match:

mikem   User-Password=fred, OSC-AVPAIR="attrname2=value2"

I think this would be useful for customisation, such as private
attributes added for policy checks, cisco-avpair and other attributes
that may be present multiple times in a request.
Code:       Access-Request
Identifier: 103
Authentic:  P<136><15><223>\|K<30><184>?<30><201><212><20>|4
Attributes:
        User-Name = "mikem"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Identifier = "203.63.154.1"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = ~<152><183><5><253>~+Rc<25>+<137><196>><164>d
        OSC-AVPAIR = "attrname1=value1"
        OSC-AVPAIR = "attrname2=value2"

With pipe you can match a request like this:

Code:       Access-Request
Identifier: 103
Authentic:  P<136><15><223>\|K<30><184>?<30><201><212><20>|4
Attributes:
        User-Name = "mikem"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Identifier = "203.63.154.1"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = ~<152><183><5><253>~+Rc<25>+<137><196>><164>d
        OSC-AVPAIR = "attrname1=value1"

with a user file like this:

mikem   User-Password=fred, OSC-AVPAIR="attrname1=value1|attrname2=value2"

This will allow OSC-AVPAIR to be either attrname1=value1 or
attrname2=value2

If you still think space can be used, please provide an example. I'm
interested to see if I have missed something :)

Thanks,
Heikki

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
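
Added example, not part of the original messages and not Radiator code: a small Python model of the matching behaviour discussed in this thread, comparing a first-instance check (with pipe alternatives) against a hypothetical check over every instance of a repeated attribute. The function names, the ordered-pair request layout and the "Group" attribute name are assumptions for illustration; the sample requests are constructed from the values quoted in the messages.

```python
# Model of the check-item matching discussed in this thread.
# Not Radiator code: names and data layout are assumptions for illustration.
# A request is an ordered list of (name, value) pairs, since RADIUS allows
# the same attribute to be present several times.

def values_of(request, name):
    """All values of the named attribute, in request order."""
    return [value for attr, value in request if attr == name]

def check_first_instance(request, name, check):
    """First-instance check: only the first attribute with this name is
    compared; `check` may list alternatives separated by '|'."""
    values = values_of(request, name)
    return bool(values) and values[0] in check.split("|")

def check_any_instance(request, name, check):
    """Hypothetical multi-value check: succeeds if any instance of the
    attribute equals any of the '|'-separated alternatives."""
    alternatives = set(check.split("|"))
    return any(value in alternatives for value in values_of(request, name))

# Constructed sample requests, reduced to the attributes that matter here.
TWO_AVPAIRS = [
    ("User-Name", "mikem"),
    ("OSC-AVPAIR", "attrname1=value1"),
    ("OSC-AVPAIR", "attrname2=value2"),
]
ONE_AVPAIR = [("User-Name", "mikem"), ("OSC-AVPAIR", "attrname1=value1")]
# Constructed group list; "Group" is a placeholder attribute name.
GROUPS = [("User-Name", "mikem"), ("Group", "Staff"), ("Group", "Group2")]

if __name__ == "__main__":
    cases = [
        (check_first_instance, TWO_AVPAIRS, "OSC-AVPAIR", "attrname1=value1"),
        (check_first_instance, TWO_AVPAIRS, "OSC-AVPAIR", "attrname2=value2"),
        (check_first_instance, ONE_AVPAIR, "OSC-AVPAIR",
         "attrname1=value1|attrname2=value2"),
        (check_first_instance, GROUPS, "Group", "Group1|Group2"),
        (check_any_instance, GROUPS, "Group", "Group1|Group2"),
    ]
    for check, request, name, item in cases:
        print(f"{check.__name__:22} {name}={item!r}: {check(request, name, item)}")
```

With the first-instance check the result for the group list depends on the order in which the values arrive in the request; the any-instance check gives the same result for any order.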