Hi,

> On 13 Jul 2017, at 13.59, Hartmaier Alexander <[email protected]> wrote:
>
> I'm trying to build a solution to authorize users to log into devices
> based on their group membership in our NMS.
>
> We use ClientListSQL to generate the Client config blocks and I've used
> the OSC-Authorize-Group attribute to add the group IDs to the request
> attributes like:
>
> OSC-Authorize-Group-123,OSC-Authorize-Group=456
>
Should the line above be "OSC-Authorize-Group=123,OSC-Authorize-Group=456"?

So OSC-Authorize-Group attributes define group IDs which are allowed to log in to that device?

> A Handler for example matches on OSC-Authorize-Group=123, which works as
> long as the device is only member of this single group but not if in
> multiple like in the above example.
>

How is mapping to user groups done within a handler? One option could be DynamicCheck, which can be used for implementing a group check?

http://www.open.com.au/radiator/ref/DynamicCheck.html#DynamicCheck

> I haven't found an example how to match on the value of an attribute
> which occurs multiple times in the authentication request, is it possible?
>

Unfortunately not currently. I created a feature request for this.

> A workaround would be to make ClientListSQL add
> OSC-Authorize-Group=123,456 to the request and matching the value with a
> regex, which would be quite complicated but handle all cases without
> e.g. allowing access to a device in group 1234 when only 123 should be
> allowed.
>

Check items also allow alternative values, if it helps.

Specify multiple permitted values, separated by vertical bars ('|'). The check item will pass if at least one of the permitted values is an exact match. E.g.

Calling-Station-Id = 121284|122882

http://www.open.com.au/radiator/ref/OtherAttributes.html#OtherAttributes

BR
-- 
Tuure Vartiainen <[email protected]>
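The regex workaround discussed in the thread, as an added example that is not part of the original messages and is not Radiator code: it compares a naive substring match with a boundary-anchored pattern over a comma-separated value such as `123,456`, so that group 123 does not also admit 1234. The function names, the sample values and the assumption that group IDs are purely numeric are hypothetical; the pattern uses only lookarounds that Perl regular expressions also support.

```python
import re

def group_pattern(group_id: str) -> re.Pattern:
    """Pattern matching group_id only as a whole element of a comma-separated list."""
    # Assumption: group IDs are decimal digits only, as in the thread (123, 456).
    # Rejecting anything else keeps regex metacharacters out of the pattern.
    if not re.fullmatch(r"[0-9]+", group_id):
        raise ValueError("group id must be numeric")
    # (?<![^,]) : the previous character is a comma, or there is none (start)
    # (?![^,])  : the next character is a comma, or there is none (end)
    return re.compile(r"(?<![^,])" + re.escape(group_id) + r"(?![^,])")

def naive_pattern(group_id: str) -> re.Pattern:
    """Unanchored substring match, shown only to illustrate the over-match."""
    return re.compile(re.escape(group_id))

def is_member(value: str, group_id: str) -> bool:
    """True if group_id is one of the comma-separated IDs in value."""
    return group_pattern(group_id).search(value) is not None

# Constructed sample attribute values (not taken from any real request).
SAMPLES = ["123", "123,456", "456,123", "1234", "456,1234", "0123,456", "4123", ""]

def compare(group_id: str = "123"):
    """Return (value, naive_result, anchored_result) for every sample."""
    naive = naive_pattern(group_id)
    return [(v, naive.search(v) is not None, is_member(v, group_id)) for v in SAMPLES]

if __name__ == "__main__":
    for value, naive_hit, anchored_hit in compare():
        flag = "  <-- naive match would over-authorize" if naive_hit != anchored_hit else ""
        print(f"{value!r:12} naive={naive_hit!s:5} anchored={anchored_hit!s:5}{flag}")
```
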
