Hello,
Just throwing out an idea -
You could do a pre handler hook that combines all incoming OSC-Authorize-Group values into a single value sorted so you know how they will appear to the handler. I'm not a fan of hooks but in this case it might be a working workaround :)

Regards,
Patrik Forsberg

> -----Original Message-----
> From: radiator [mailto:[email protected]] On Behalf Of Hartmaier Alexander
> Sent: 13 July 2017 14:57
> To: [email protected]
> Subject: Re: [RADIATOR] matching based on one value of an attribute multiple times in request
>
> Hi,
>
> On 2017-07-13 14:19, Tuure Vartiainen wrote:
> > Hi,
> >
> >> On 13 Jul 2017, at 13.59, Hartmaier Alexander <alexander.hartmaier@t-systems.at> wrote:
> >>
> >> I'm trying to build a solution to authorize users to log into devices
> >> based on their group membership in our NMS.
> >>
> >> We use ClientListSQL to generate the Client config blocks and I've used
> >> the OSC-Authorize-Group attribute to add the group ids to the request
> >> attributes like:
> >>
> >> OSC-Authorize-Group-123,OSC-Authorize-Group=456
> >>
> > should the line above be "OSC-Authorize-Group=123,OSC-Authorize-Group=456"?
> Yes, sorry for the typo!
> >
> > So OSC-Authorize-Group attributes define group ids which are allowed to log in
> > to that device?
> It's added metadata for the request which includes all groups the device
> is a member of.
> >
> >> A Handler for example matches on OSC-Authorize-Group=123, which works as
> >> long as the device is only a member of this single group but not if in
> >> multiple like in the above example.
> >>
> > How is mapping to user groups done within a handler?
> >
> > One option could be DynamicCheck which can be used for implementing a group check?
> >
> > http://www.open.com.au/radiator/ref/DynamicCheck.html#DynamicCheck
> One handler per group, the AuthBy SQL only includes users authorized for
> that group of devices.
> The goal is to allow everybody in our team to modify the group
> membership through our NMS without any knowledge of Radiator or config
> change there.
>
> <Handler Client-Identifier=radius-proxy-1, OSC-Authorize-Group=123>
>
> >
> >> I haven't found an example how to match on the value of an attribute
> >> which occurs multiple times in the authentication request, is it possible?
> >>
> > Unfortunately not currently. I created a feature request for this.
> Thanks! Any idea how long that might take to implement?
> >
> >> A workaround would be to make ClientListSQL add
> >> OSC-Authorize-Group=123,456 to the request and matching the value with a
> >> regex, which would be quite complicated but handle all cases without
> >> e.g. allowing access to a device in group 1234 when only 123 should be
> >> allowed.
> >>
> > Check items do allow also alternative values if it helps.
> >
> > Specify multiple permitted values, separated by vertical bars (‘|’).
> > The check item will pass if at least one of the permitted values is an exact match.
> >
> > E.g.
> >
> > Calling-Station-Id = 121284|122882
> >
> > http://www.open.com.au/radiator/ref/OtherAttributes.html#OtherAttributes
> I know, thanks, but I need the opposite, match the request if one value
> of a request attribute occurring multiple times.
> >
> >
> > BR
> Cheers, Alex
_______________________________________________
radiator mailing list
[email protected]
http://lists.open.com.au/mailman/listinfo/radiator
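
The two workarounds discussed in this thread (combining all OSC-Authorize-Group values into one sorted value, then matching it with a regex that must not let group 1234 pass as 123) can be illustrated as follows. This is an added example, not code from the thread or from Radiator: it is plain Python showing the matching logic rather than a Radiator hook, the function names are hypothetical, and it assumes group ids are positive decimal integers.

```python
import re

# Assumption: NMS group ids are positive decimal integers without leading zeros.
GROUP_ID = re.compile(r"[1-9][0-9]*")


def join_groups(values):
    """Combine every OSC-Authorize-Group value into one sorted, comma-joined string."""
    ids = set()
    for v in values:
        v = v.strip()
        # Reject anything that could smuggle a separator or regex text into the joined value.
        if not GROUP_ID.fullmatch(v):
            raise ValueError(f"unexpected group id: {v!r}")
        ids.add(int(v))
    return ",".join(str(i) for i in sorted(ids))


def group_pattern(group_id):
    """Regex that matches group_id only as a whole comma-delimited token."""
    return re.compile(r"(?:^|,)" + re.escape(str(int(group_id))) + r"(?:,|$)")


def device_in_group(joined, group_id):
    """True if the joined value lists exactly this group id."""
    return group_pattern(group_id).search(joined) is not None


# Constructed sample data: group ids attached to four hypothetical devices.
SAMPLES = {
    "device-a": ["456", "123"],
    "device-b": ["1234"],
    "device-c": ["9", "1234", "5123"],
    "device-d": ["123"],
}

if __name__ == "__main__":
    for name, groups in SAMPLES.items():
        joined = join_groups(groups)
        naive = "123" in joined  # unanchored substring test, shown for contrast
        anchored = device_in_group(joined, 123)
        print(f"{name}: {joined:<12} naive={naive!s:<5} anchored={anchored}")
```

The unanchored test accepts device-b and device-c, which are only in groups whose ids contain "123"; the anchored pattern accepts only device-a and device-d.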
