Matching multiple LDAP-groups during post-auth

Chris Wopat me at falz.net
Thu Mar 25 14:00:40 CET 2021


We use LDAP-groups (from AD, if that matters) to map
radius-reply-items for general network access on switches, routers,
optical gear, etc. Each vendor is its own special flower, so it needs
its own thing.

The way we're handling this currently is in post-auth where we specify
reply-items per group using if/elseif/else per
https://networkradius.com/doc/3.0.10/unlang/keywords.html.

This works great if things are simple - you're a member of one group
or another. However, we've not yet gotten it to work if one is a
member of multiple groups, and to have each group match and get
reply-items from each.

Example of now:

# Post-auth if/elsif chain: the first group that matches wins and the
# remaining branches are skipped.
if (LDAP-Group == "network-administrators") {
        update reply {
                # "=" only adds an attribute that is not already in the reply
                # Cisco IOS: privilege level 15
                cisco-avpair = "shell:priv-lvl=15",
                # Service-Type 6 = Administrative-User
                Service-Type = "6",
                Juniper-Local-User-Name = "superuser",
                PaloAlto-Admin-Role = "superuser",
        }
}
elsif (LDAP-Group == "network-users") {
        update reply {
                # Cisco IOS: privilege level 1 (read-only)
                cisco-avpair = "shell:priv-lvl=1",
                Juniper-Local-User-Name = "op",
                PaloAlto-Admin-Role = "devicereader",
        }
}
else {
        # not in any known group
        reject
}

Note that this will do a single match and bail out of the if
statement. What we'd like to do is to keep matching accumulatively.
The use case is per above it's layer2/3 devices, we'd like to add some
other types of gear to the list where someone in the above groups
shouldn't have access to, but someone in network-administrators AND
$othergroup should have access to.

Per Unlang, it looks like there is a case/switch statement but I
believe we'd be hitting the same limitation there.

tl;dr: how can we match multiple LDAP-groups and get reply-items from
all that match?

Cheers,
Chris
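One way to accumulate reply-items across several groups, added here as a worked example (this is not code from the original post, nor FreeRADIUS's own documentation): use a sequence of independent `if` blocks in post-auth instead of an `if/elsif` chain, record in the control list that at least one group matched, and `reject` only at the end if nothing did. The extra-gear block shows the "must be in both groups" case. The group name `optical-admins`, the NAS address `192.0.2.10` and the choice of `Tmp-String-0` as the match flag are assumptions for illustration; the rest uses the attributes already named above.

```unlang
# Drop-in replacement for the if/elsif/else chain in the post-auth
# section of the virtual server (e.g. sites-enabled/default).
#
# Every "if" below is evaluated on its own, so a user who is a member of
# several groups picks up the reply-items of each. Inside "update reply",
# "=" adds an attribute only if the reply does not already carry it, so
# the first block to set a given attribute wins: list the most privileged
# group first, or use ":=" where a later group must override.

if (&LDAP-Group == "network-administrators") {
        update reply {
                &Cisco-AVPair = "shell:priv-lvl=15"
                &Service-Type = Administrative-User
                &Juniper-Local-User-Name = "superuser"
                &PaloAlto-Admin-Role = "superuser"
        }
        update control {
                # Tmp-String-0 is a stock scratch attribute; used here as
                # the "at least one group matched" flag (assumption).
                &Tmp-String-0 := "matched"
        }
}

if (&LDAP-Group == "network-users") {
        update reply {
                &Cisco-AVPair = "shell:priv-lvl=1"
                &Juniper-Local-User-Name = "op"
                &PaloAlto-Admin-Role = "devicereader"
        }
        update control {
                &Tmp-String-0 := "matched"
        }
}

# Extra gear that only people in BOTH groups may reach. The NAS address
# and the "optical-admins" group are placeholders; gate on whatever
# identifies that gear in your setup (NAS-IP-Address, NAS-Identifier,
# or a huntgroup).
if (&NAS-IP-Address == 192.0.2.10) {
        if ((&LDAP-Group == "network-administrators") && (&LDAP-Group == "optical-admins")) {
                update reply {
                        &Service-Type = Administrative-User
                }
                update control {
                        &Tmp-String-0 := "matched"
                }
        }
        else {
                # In network-administrators or network-users alone is not
                # enough for this device: refuse even if a block above matched.
                reject
        }
}

# None of the groups matched: same outcome as the old "else { reject }".
if (!&control:Tmp-String-0) {
        reject
}
```

Two practical notes. Each `&LDAP-Group == "..."` comparison is answered by the ldap module, so a long list of checks can mean several directory lookups per request; the `group { cacheable_name = yes }` setting in mods-available/ldap caches a user's memberships in the control list during authorize so the post-auth comparisons are served locally. And the `reject` in the extra-gear branch is deliberate: checking it after the group blocks means a user who matched a general group still gets turned away from that device unless both memberships hold.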
