Versions Compared

Old Version 5

changes.mady.by.user Adam Darwin

Saved on

compared with

New Version 6

changes.mady.by.user Adam Darwin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

For the purpose of VPN access control, it is a common requirement that the VPN server asked the RADIUS server return some specific attributes in an Access-Accept request.to return a user's group memebership in a RADIUS attribute.

A user can belong to more than one group. You have to firstly decide if you want to return all of the group names in an attribute or you want to return only one specific group name.

Return All Groups

The example below demonstrate how to return all of the user's group names in the RADIUS attribute: called "Filter-Id"

First, create a RADIUS attribute (RADIUS > Radius Attribute > Create)

In the field "Maps To:", enter enter "groups?.name.join(',')". Also, check the box "Return Response".

To assign the Radius attribute to a user, navigate to the user's account, select "Radius Settings\Radius Attribute" from the context menu

To assign the Radius attribute to a group, navigate to the group, select "Radius Settings\Radius Attribute" from the context menu

Image Removed

The, select Then, select the Radius attribute, i.e. Filter-Id

Image Removed

Here we use NTRadPing as a radius client to do the test

Image Removed

As you can see the attribute in response Filter-Id=3. You can double confirm it with WireShark.

Image Removed

If you change the mapping as groups?.name.join(','), then the result will be Filter-Id=aaa.

What if this user belongs to two groups, for instance aaa and ccc? The result will be Filter-Id=aaa,ccc.

Furthermore, if you want to return only one group name, e.g 'aaa', then you must assign the attribute on the group 'aaa'  and map the attribute to:

Image Added


Return One Group

The example below demonstrate how to return one specifc group name in the RADIUS attribute: called "Filter-Id"

First, create a RADIUS attribute (RADIUS > Radius Attribute > Create)

Image Added

In the field "Maps To:", enter "nestedGroups?.find{it.radiusAttributes.any{ att-> att.name=='Filter-Id'}}.name". Also, check the box "Return Response".

Now, navigate to the user group from "Directory | Groups", select "Radius Settings\Radius Attribute" from the context menu

Image Added

Then, select the Radius attribute, i.e. Filter-Id

Image Added

Content by Label
showLabelsfalse
showSpacefalse
cqllabel = "radius-attribute"
labelsradius-attribute

...