For VPN access control, it is a common requirement that the RADIUS server sends back specific attributes in the Access-Accept packet. A common case is a VPN server asking the RADIUS server to return a user's group membership in a RADIUS attribute.

A user can belong to more than one group. You first have to decide whether you want to return all of the group names in an attribute or only one specific group name.

Return All Groups

The example below demonstrates how to return all of the user's group IDs or names in the RADIUS attribute called "Filter-Id".

First, create a RADIUS attribute (RADIUS > Radius Attribute > Create)

In the field "Maps To:", write groups.id.join(','). If you prefer names, enter the following expression instead. Also, check the box "Return Response".

groups?.name.join(',')

...

Now, add the RADIUS attribute to a specific group (or user).

For example, we use (check) the one we just created.

Here we use NTRadPing as a RADIUS client to run the test.

As you can see, the response contains the attribute Filter-Id=3. You can confirm this with Wireshark.

If you change the mapping to groups.name.join(','), then the result will be Filter-Id=aaa.

What if this user belongs to two groups, for instance aaa and ccc? The result will be Filter-Id=aaa,ccc.
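
The response check described above can also be scripted. The following is an added example, not part of the original page or the product: it parses an Access-Accept packet in the RFC 2865 layout and extracts the Filter-Id values. The sample packet is constructed, and the function names are assumptions of this example.

```python
import struct

FILTER_ID = 11       # RADIUS attribute type for Filter-Id (RFC 2865)
ACCESS_ACCEPT = 2    # RADIUS packet code for Access-Accept


def build_accept(values, ident=1):
    """Build a constructed Access-Accept for testing (zeroed authenticator)."""
    attrs = b""
    for value in values:
        data = value.encode("utf-8")
        attrs += bytes([FILTER_ID, len(data) + 2]) + data
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + bytes(16) + attrs


def filter_ids(packet):
    """Return the values of all Filter-Id attributes in an Access-Accept.

    Only the layout is checked; the Response Authenticator is not verified,
    because that requires the shared secret.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept (code %d)" % code)
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    values, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        if attr_type == FILTER_ID:
            values.append(packet[pos + 2:pos + attr_len].decode("utf-8"))
        pos += attr_len
    return values


def groups_from(packet):
    """Split each Filter-Id on ',' as produced by the join(',') mapping."""
    return [g for value in filter_ids(packet) for g in value.split(",") if g]


if __name__ == "__main__":
    sample = build_accept(["aaa,ccc"])   # constructed packet
    print(filter_ids(sample), groups_from(sample))
```

Because the mapping joins names with a comma, a group name that itself contains a comma cannot be told apart from two groups on the receiving side.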

Furthermore, if you add the attribute only to group aaa (not to ccc) and want to return only the group name aaa, then use the following syntax.

...

To assign the RADIUS attribute to a user, navigate to the user's account and select "Radius Settings\Radius Attribute" from the context menu.

Then, select the Radius attribute, i.e. Filter-Id

Return One Group

The example below demonstrates how to return one specific group name in the RADIUS attribute called "Filter-Id".

First, create a RADIUS attribute (RADIUS > Radius Attribute > Create)

In the field "Maps To:", enter the following expression. Also, check the box "Return Response".

nestedGroups?.find{it.radiusAttributes.any{ att-> att.name=='Filter-Id'}}?.name

...

Now, navigate to the user group from "Directory | Groups" and select "Radius Settings\Radius Attribute" from the context menu.

Then, select the Radius attribute, i.e. Filter-Id
