Re: [RADIATOR] matching based on one value of an attribute multiple times in request

2017-07-13 Thread Tuure Vartiainen
Hi,

> On 13 Jul 2017, at 15.56, Hartmaier Alexander 
>  wrote:
> 
> On 2017-07-13 14:19, Tuure Vartiainen wrote:
>> 
>> 
>>> On 13 Jul 2017, at 13.59, Hartmaier Alexander 
>>>  wrote:
>>> 
>>> I'm trying to build a solution to authorize users to log into devices
>>> based on their group membership in our NMS.
>>> 
>>> We use ClientListSQL to generate the Client config blocks and I've used
>>> the OSC-Authorize-Group attribute to add the group ids to the request
>>> attributes like:
>>> 
>>> OSC-Authorize-Group-123,OSC-Authorize-Group=456
>>> 
>> should the line above be "OSC-Authorize-Group=123,OSC-Authorize-Group=456"?
> Yes, sorry for the typo!
>> 
>> So OSC-Authorize-Group attributes define group ids which are allowed to login
>> to that device?
> It's added metadata for the request which includes all groups the device
> is member of.
>> 
>>> A Handler for example matches on OSC-Authorize-Group=123, which works as
>>> long as the device is only member of this single group but not if in
>>> multiple like in the above example.
>>> 
>> How is mapping to user groups done within a handler?
>> 
>> One option could be DynamicCheck which can be used for implementing a group 
>> check?
>> 
>> http://www.open.com.au/radiator/ref/DynamicCheck.html#DynamicCheck
> One handler per group, the AuthBy SQL only includes users authorized for
> that group of devices.
> The goal is to allow everybody in our team to modify the group
> membership through our NMS without any knowledge of Radiator or config
> change there.
> 
> 
> 

here's a somewhat awkward way to configure a similar kind of setup, but
using only one Handler and DynamicCheck (the stanza tags below were lost
in the archive and have been restored; the Client name is a placeholder):

# 1. A pseudo attribute containing allowed groups is added in Client stanza
# 2. An extra AuthBy FILE with DEFAULT user is used to bind the pseudo
#    attribute to GroupList check item
# 3. Actual AuthBy SQL is used for a group membership query and authentication

# Some client (192.0.2.1 is a placeholder for the real client address)
<Client 192.0.2.1>
...
# Allow users belonging to groups 123 and 234
AddToRequest OSC-Authorize-Group="123 234"
</Client>

# AuthBy FILE for GroupList check item
<AuthBy FILE>
Identifier AuthBy-FILE-Group-Check
Filename %D/users-groups
</AuthBy>

# users-groups file contains the following line:
#
DEFAULT Auth-Type=AuthBy-SQL,GroupList=%{OSC-Authorize-Group}
#
# Auth-Type defines the next AuthBy to run, and the check items following
# it will be given as extra check items to that AuthBy

# AuthBy SQL doing group membership query and actual authentication
<AuthBy SQL>
Identifier AuthBy-SQL
...
DynamicCheck GroupList
NoDefault
# Define a group membership SQL query
GroupMembershipQuery SELECT id FROM usergroups WHERE group=? AND user=?
# group's name
GroupMembershipQueryParam %1
# username
GroupMembershipQueryParam %0
</AuthBy>

# a default Handler
<Handler>
Identifier Default-Handler
# Run the AuthBy FILE with Identifier 'AuthBy-FILE-Group-Check'
AuthBy AuthBy-FILE-Group-Check
...
</Handler>


BR
-- 
Tuure Vartiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] matching based on one value of an attribute multiple times in request

2017-07-13 Thread Tuure Vartiainen
Hi,

> On 13 Jul 2017, at 15.56, Hartmaier Alexander 
>  wrote:
> 
> On 2017-07-13 14:19, Tuure Vartiainen wrote:
>> 
>> 
>> So OSC-Authorize-Group attributes define group ids which are allowed to login
>> to that device?
> It's added metadata for the request which includes all groups the device
> is member of.
>> 
>>> A Handler for example matches on OSC-Authorize-Group=123, which works as
>>> long as the device is only member of this single group but not if in
>>> multiple like in the above example.
>>> 
>> How is mapping to user groups done within a handler?
>> 
>> One option could be DynamicCheck which can be used for implementing a group 
>> check?
>> 
>> http://www.open.com.au/radiator/ref/DynamicCheck.html#DynamicCheck
> One handler per group, the AuthBy SQL only includes users authorized for
> that group of devices.
> The goal is to allow everybody in our team to modify the group
> membership through our NMS without any knowledge of Radiator or config
> change there.
> 
> 
> 

Ok.

>> 
>>> I haven't found an example how to match on the value of an attribute
>>> which occurs multiple times in the authentication request, is it possible?
>>> 
>> Unfortunately not currently. I created a feature request for this.
> Thanks! Any idea how long that might take to implement?

I’ll send you a patch to test.


BR
-- 
Tuure Vartiainen 


Re: [RADIATOR] matching based on one value of an attribute multiple times in request

2017-07-13 Thread Patrik Forsberg
Hello,

Just throwing out an idea -

You could do a pre handler hook that combines all incoming OSC-Authorize-Group 
values into a single value sorted so you know how they will appear to the 
handler.
I'm not a fan of hooks but in this case it might be a working workaround :)

Regards,
Patrik Forsberg


> -Original Message-
> From: radiator [mailto:radiator-boun...@lists.open.com.au] On Behalf Of
> Hartmaier Alexander
> Sent: den 13 juli 2017 14:57
> To: radiator@lists.open.com.au
> Subject: Re: [RADIATOR] matching based on one value of an attribute
> multiple times in request
> 
> Hi,
> 
> 
> On 2017-07-13 14:19, Tuure Vartiainen wrote:
> > Hi,
> >
> >> On 13 Jul 2017, at 13.59, Hartmaier Alexander  systems.at> wrote:
> >>
> >> I'm trying to build a solution to authorize users to log into devices
> >> based on their group membership in our NMS.
> >>
> >> We use ClientListSQL to generate the Client config blocks and I've used
> >> the OSC-Authorize-Group attribute to add the group ids to the request
> >> attributes like:
> >>
> >> OSC-Authorize-Group-123,OSC-Authorize-Group=456
> >>
> > should the line above be "OSC-Authorize-Group=123,OSC-Authorize-
> Group=456"?
> Yes, sorry for the typo!
> >
> > So OSC-Authorize-Group attributes define group ids which are allowed to
> login
> > to that device?
> It's added metadata for the request which includes all groups the device
> is member of.
> >
> >> A Handler for example matches on OSC-Authorize-Group=123, which
> works as
> >> long as the device is only member of this single group but not if in
> >> multiple like in the above example.
> >>
> > How is mapping to user groups done within a handler?
> >
> > One option could be DynamicCheck which can be used for implementing a
> group check?
> >
> >
> http://www.open.com.au/radiator/ref/DynamicCheck.html#DynamicCheck
> One handler per group, the AuthBy SQL only includes users authorized for
> that group of devices.
> The goal is to allow everybody in our team to modify the group
> membership through our NMS without any knowledge of Radiator or config
> change there.
> 
> 
> 
> >
> >> I haven't found an example how to match on the value of an attribute
> >> which occurs multiple times in the authentication request, is it possible?
> >>
> > Unfortunately not currently. I created a feature request for this.
> Thanks! Any idea how long that might take to implement?
> >
> >> A workaround would be to make ClientListSQL add
> >> OSC-Authorize-Group=123,456 to the request and matching the value
> with a
> >> regex, which would be quite complicated but handle all cases without
> >> e.g. allowing access to a device in group 1234 when only 123 should be
> >> allowed.
> >>
> > Check items do allow also alternative values if it helps.
> >
> > Specify multiple permitted values, separated by vertical bars (‘|’).
> > The check item will pass if at least one of the permitted values is an exact
> match.
> >
> > E.g.
> >
> > Calling-Station-Id = 121284|122882
> >
> >
> http://www.open.com.au/radiator/ref/OtherAttributes.html#OtherAttribut
> es
> I know, thanks, but I need the opposite, match the request if one value
> of a request attribute occurring multiple times.
> >
> >
> > BR
> Cheers, Alex
> 
> 
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> "*"*"*"*"*
> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
> Handelsgericht Wien, FN 79340b
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> "*"*"*"*"*
> Notice: This e-mail contains information that is confidential and may be
> privileged.
> If you are not the intended recipient, please notify the sender and then
> delete this e-mail immediately.
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> "*"*"*"*"*
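Patrik's suggestion above, written out as an added example that is not from the thread and not from Radiator's own distribution: a PreHandlerHook that collapses every OSC-Authorize-Group value into one sorted, comma-delimited value with a leading and trailing comma, so a Handler can match a single group with `OSC-Authorize-Group=/,123,/` and 123 cannot match 1234. The hook calling convention (`${$_[0]}` is the request packet), the packet methods get_attr, delete_attr and add_attr, and the rule that the hook file's last expression becomes the hook are assumptions about Radiator's API to be checked against your version's reference manual.

```perl
# Added example (not from the thread or from Radiator): a PreHandlerHook
# that merges every OSC-Authorize-Group value into one delimited value.
use strict;
use warnings;

# Pure helper: drop empties and duplicates, sort numerically (string
# order if any id is non-numeric) and wrap in commas so each id is
# delimited on both sides, e.g. ('456', '123') -> ',123,456,'.
sub combine_groups {
    my %seen;
    my @ids = grep { defined($_) && length($_) && !$seen{$_}++ } @_;
    my $numeric = !grep { $_ !~ /^\d+$/ } @ids;
    @ids = $numeric ? sort { $a <=> $b } @ids : sort @ids;
    return @ids ? ',' . join(',', @ids) . ',' : '';
}

# Check item text for one group, to be used in a Handler as e.g.
#   <Handler OSC-Authorize-Group=/,123,/>
# The commas on both sides stop 123 from matching 1234.
sub group_check_item {
    my ($group) = @_;
    return '/,' . quotemeta($group) . ',/';
}

# The hook itself. Assumptions about Radiator's API: $_[0] is a
# reference to the request packet, and the packet provides get_attr
# (all values in list context), delete_attr and add_attr.
sub combine_groups_hook {
    my $p = ${$_[0]};
    my @groups = $p->get_attr('OSC-Authorize-Group');
    return unless @groups > 1;      # single value: leave the request alone
    $p->delete_attr('OSC-Authorize-Group');
    $p->add_attr('OSC-Authorize-Group', combine_groups(@groups));
    return;
}

# Stand-alone check with constructed input; skipped when Radiator loads
# the file (caller is then set).
unless (caller) {
    my $combined = combine_groups('456', '123', '1234', '123');
    my ($pat) = group_check_item('123') =~ m{^/(.*)/$};
    my $in_123  = ($combined =~ /$pat/) ? 'allowed' : 'denied';
    my $only_1234 = (',1234,' =~ /$pat/) ? 'BUG' : 'does not match 123';
    print "$combined\n";                 # ,123,456,1234,
    print "group 123: $in_123; a device only in 1234 $only_1234\n";
}

# Assumed: Radiator takes the value of the file's last expression as the
# hook code reference (PreHandlerHook file:"%D/combine-groups.pl").
my $hook = \&combine_groups_hook;
```

Run the file directly with perl to see the combined value and the two match results before installing it as a hook.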

Re: [RADIATOR] matching based on one value of an attribute multiple times in request

2017-07-13 Thread Hartmaier Alexander

Hi,

On 2017-07-13 14:19, Tuure Vartiainen wrote:
> Hi,
>
>> On 13 Jul 2017, at 13.59, Hartmaier Alexander
>>  wrote:
>>
>> I'm trying to build a solution to authorize users to log into devices
>> based on their group membership in our NMS.
>>
>> We use ClientListSQL to generate the Client config blocks and I've used
>> the OSC-Authorize-Group attribute to add the group ids to the request
>> attributes like:
>>
>> OSC-Authorize-Group-123,OSC-Authorize-Group=456
>>
> should the line above be "OSC-Authorize-Group=123,OSC-Authorize-Group=456"?
Yes, sorry for the typo!
>
> So OSC-Authorize-Group attributes define group ids which are allowed to login
> to that device?
It's added metadata for the request which includes all groups the device
is member of.
>
>> A Handler for example matches on OSC-Authorize-Group=123, which works as
>> long as the device is only member of this single group but not if in
>> multiple like in the above example.
>>
> How is mapping to user groups done within a handler?
>
> One option could be DynamicCheck which can be used for implementing a group
> check?
>
> http://www.open.com.au/radiator/ref/DynamicCheck.html#DynamicCheck
One handler per group, the AuthBy SQL only includes users authorized for
that group of devices.
The goal is to allow everybody in our team to modify the group
membership through our NMS without any knowledge of Radiator or config
change there.
>
>> I haven't found an example how to match on the value of an attribute
>> which occurs multiple times in the authentication request, is it possible?
>>
> Unfortunately not currently. I created a feature request for this.
Thanks! Any idea how long that might take to implement?
>
>> A workaround would be to make ClientListSQL add
>> OSC-Authorize-Group=123,456 to the request and matching the value with a
>> regex, which would be quite complicated but handle all cases without
>> e.g. allowing access to a device in group 1234 when only 123 should be
>> allowed.
>>
> Check items do allow also alternative values if it helps.
>
> Specify multiple permitted values, separated by vertical bars (‘|’).
> The check item will pass if at least one of the permitted values is an exact
> match.
>
> E.g.
>
> Calling-Station-Id = 121284|122882
>
> http://www.open.com.au/radiator/ref/OtherAttributes.html#OtherAttributes
I know, thanks, but I need the opposite, match the request if one value
of a request attribute occurring multiple times.
>
> BR
Cheers, Alex



Re: [RADIATOR] matching based on one value of an attribute multiple times in request

2017-07-13 Thread Tuure Vartiainen
Hi,

> On 13 Jul 2017, at 13.59, Hartmaier Alexander 
>  wrote:
> 
> I'm trying to build a solution to authorize users to log into devices
> based on their group membership in our NMS.
> 
> We use ClientListSQL to generate the Client config blocks and I've used
> the OSC-Authorize-Group attribute to add the group ids to the request
> attributes like:
> 
> OSC-Authorize-Group-123,OSC-Authorize-Group=456
> 

should the line above be "OSC-Authorize-Group=123,OSC-Authorize-Group=456"?

So OSC-Authorize-Group attributes define group ids which are allowed to login 
to that device?

> A Handler for example matches on OSC-Authorize-Group=123, which works as
> long as the device is only member of this single group but not if in
> multiple like in the above example.
> 

How is mapping to user groups done within a handler?

One option could be DynamicCheck which can be used for implementing a group 
check?

http://www.open.com.au/radiator/ref/DynamicCheck.html#DynamicCheck

> I haven't found an example how to match on the value of an attribute
> which occurs multiple times in the authentication request, is it possible?
> 

Unfortunately not currently. I created a feature request for this.

> A workaround would be to make ClientListSQL add
> OSC-Authorize-Group=123,456 to the request and matching the value with a
> regex, which would be quite complicated but handle all cases without
> e.g. allowing access to a device in group 1234 when only 123 should be
> allowed.
> 

Check items do allow also alternative values if it helps.

Specify multiple permitted values, separated by vertical bars (‘|’). 
The check item will pass if at least one of the permitted values is an exact 
match.

E.g.

Calling-Station-Id = 121284|122882

http://www.open.com.au/radiator/ref/OtherAttributes.html#OtherAttributes


BR
-- 
Tuure Vartiainen 


[RADIATOR] matching based on one value of an attribute multiple times in request

2017-07-13 Thread Hartmaier Alexander

Hi,

I'm trying to build a solution to authorize users to log into devices
based on their group membership in our NMS.

We use ClientListSQL to generate the Client config blocks and I've used
the OSC-Authorize-Group attribute to add the group ids to the request
attributes like:

OSC-Authorize-Group-123,OSC-Authorize-Group=456

A Handler for example matches on OSC-Authorize-Group=123, which works as
long as the device is only a member of this single group, but not if it is
in multiple groups like in the above example.

I haven't found an example of how to match on the value of an attribute
which occurs multiple times in the authentication request; is it possible?

A workaround would be to make ClientListSQL add
OSC-Authorize-Group=123,456 to the request and match the value with a
regex, which would be quite complicated but would handle all cases without
e.g. allowing access to a device in group 1234 when only 123 should be
allowed.

Any hints on how to solve this?
Thanks!

--
Best regards, Alexander Hartmaier

T-Systems Austria GesmbH
TSS Security Services
Network Security & Monitoring Engineer

phone: +43(0)676-8642-4320


