On 2017-07-13 14:19, Tuure Vartiainen wrote:

On 13 Jul 2017, at 13.59, Hartmaier Alexander 
<alexander.hartma...@t-systems.at> wrote:

I'm trying to build a solution to authorize users to log into devices
based on their group membership in our NMS.

We use ClientListSQL to generate the Client config blocks and I've used
the OSC-Authorize-Group attribute for add the group id's to the request
attributes like:


should the line above be "OSC-Authorize-Group=123,OSC-Authorize-Group=456"?
Yes, sorry for the typo!

So OSC-Authorize-Group attributes define group ids which are allowed to login
to that device?
It's added metadata for the request which includes all groups the device
is member of.

A Handler for example matches on OSC-Authorize-Group=123, which works as
long as the device is only member of this single group but not if in
multiple like in the above example.

How is mapping to user groups done within a handler?

One option could be DynamicCheck which can be used for implementing a group 

One handler per group, the AuthBy SQL only includes users authorized for
that group of devices.
The goal is to allow everybody in our team to modify the group
membership through our NMS without any knowledge of Radiator or config
change there.

<Handler Client-Identifier=radius-proxy-1, OSC-Authorize-Group=123>

I haven't found an example how to match on the value of an attribute
which occurs multiple times in the authentication request, is it possible?

Unfortunately not currently. I created a feature request for this.
Thanks! Any idea how long that might take to implement?

A workaround would be to make ClientListSQL add
OSC-Authorize-Group=123,456 to the request and matching the value with a
regex, which would be quite complicated but handle all cases without
e.g. allowing access to a device in group 1234 when only 123 should be

Check items do allow also alternative values if it helps.

Specify multiple permitted values, separated by vertical bars (‘|’).
The check item will pass if at least one of the permitted values is an exact 


Calling-Station-Id = 121284|122882

I know, thanks, but I need the opposite, match the request if one value
of a request attribute occurring multiple times.

Cheers, Alex

T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
Notice: This e-mail contains information that is confidential and may be 
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
radiator mailing list

Reply via email to