On 09/18/2013 02:51 PM, Garry Shtern wrote:
> I was under the impression that RquestOr is already supported if one
> lists values separated by a space. Are you proposing to change the
> separator character to pipe and offering explicit method?

I was thinking the case below. Here the request has two OSC-AVPAIR
attributes. If you have a check item OSC-AVPAIR=attrname1=value1, it
will match since Radiator currently takes just the first named
attribute. However, if you need to check that
OSC-AVPAIR=attrname2=value2, then it fails since the check is once again
done against the first attribute.

For example, with flat user file syntax, this will match:

    mikem User-Password=fred, OSC-AVPAIR="attrname1=value1"

but this will not match:

    mikem User-Password=fred, OSC-AVPAIR="attrname2=value2"

I think this would be useful for customisation, such as private
attributes added for policy checks, cisco-avpair and other attributes
that may be present multiple times in a request.

Code: Access-Request
Identifier: 103
Authentic: P<136><15><223>\|K<30><184>?<30><201><212><20>|4
Attributes:
    User-Name = "mikem"
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Identifier = "203.63.154.1"
    NAS-Port = 1234
    Called-Station-Id = "123456789"
    Calling-Station-Id = "987654321"
    NAS-Port-Type = Async
    User-Password = ~<152><183><5><253>~+Rc<25>+<137><196>><164>d
    OSC-AVPAIR = "attrname1=value1"
    OSC-AVPAIR = "attrname2=value2"

With pipe you can match a request like this:

Code: Access-Request
Identifier: 103
Authentic: P<136><15><223>\|K<30><184>?<30><201><212><20>|4
Attributes:
    User-Name = "mikem"
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Identifier = "203.63.154.1"
    NAS-Port = 1234
    Called-Station-Id = "123456789"
    Calling-Station-Id = "987654321"
    NAS-Port-Type = Async
    User-Password = ~<152><183><5><253>~+Rc<25>+<137><196>><164>d
    OSC-AVPAIR = "attrname1=value1"

with a user file like this:

    mikem User-Password=fred, OSC-AVPAIR="attrname1=value1|attrname2=value2"

This will allow OSC-AVPAIR to be either attrname1=value1 or attrname2=value2.

If you still think space can be used, please provide an example. I'm
interested to see if I have missed something :)

Thanks,
Heikki
--
Heikki Vatiainen <[email protected]>
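
Added example, not part of the original message and not Radiator code: a Python model of the matching rules discussed above, run against the two requests from the message plus a reordered one. The function names, the list-of-pairs request layout, the rule that pipe alternatives are compared to the first instance only, and the check_any variant are assumptions made for the illustration.

```python
# Model of the check-item semantics discussed in the thread.
# Illustration only: this is not Radiator source code.

# Constructed sample requests. Attributes are ordered pairs because RADIUS
# permits several instances of the same attribute in one packet.
TWO_PAIRS = [("User-Name", "mikem"),
             ("OSC-AVPAIR", "attrname1=value1"),
             ("OSC-AVPAIR", "attrname2=value2")]
ONE_PAIR = TWO_PAIRS[:2]
SWAPPED = [TWO_PAIRS[0], TWO_PAIRS[2], TWO_PAIRS[1]]


def instances(request, name):
    """Return every value of the named attribute, in packet order."""
    return [value for attr, value in request if attr == name]


def check_first(request, name, expected):
    """Exact match against the first instance only, as the post describes."""
    values = instances(request, name)
    return bool(values) and values[0] == expected


def check_pipe(request, name, expected):
    """Pipe-separated alternatives, compared to the first instance (assumed)."""
    values = instances(request, name)
    return bool(values) and values[0] in expected.split("|")


def check_any(request, name, expected):
    """Hypothetical rule: any instance may match any alternative."""
    alternatives = set(expected.split("|"))
    return any(value in alternatives for value in instances(request, name))


def compare(request, expected, name="OSC-AVPAIR"):
    """Run all three rules on one request so the differences are visible."""
    return {rule.__name__: rule(request, name, expected)
            for rule in (check_first, check_pipe, check_any)}


if __name__ == "__main__":
    for label, req in (("two", TWO_PAIRS), ("one", ONE_PAIR), ("swapped", SWAPPED)):
        print(label, compare(req, "attrname2=value2"))
```

In this model a first-instance check on a repeatable attribute gives a different result for TWO_PAIRS and SWAPPED, so the outcome of a policy check depends on the order in which the NAS sends the instances.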