How to configure freeradius server to authenticate VSA attribute
Matthew Newton
mcn at freeradius.org
Mon Mar 12 12:07:39 CET 2018

On Mon, 2018-03-12 at 00:38 +0000, Jibin Han via Freeradius-Users
wrote:
>         Type   Length     Vendor-Id   Vendor-type   Vendor-length   Value
> Attr1   26     <length>   3456        100           <len>           foo
> Attr2   26     <length>   3456        200           <len>           bar
> 
> The goal is we can configure Freeradius server so that in addition to
> user/password check:
> - server reads all the VSA;
> - for any VSA whose Vendor-Id is 3456,
> - when Vendor-type is "100", the value must be "foo"; "200", "bar".
> - If all above checks are good, sends back accept message; otherwise
> reject message.
> 
> Our RADIUS client inserts the above to the access request message,
> currently freeradius debug output does not mention these attributes.
> I need to somehow configure the server and hence ask the question.

Add your vendor attributes to the dictionary in raddb/dictionary, like

    VENDOR  MyCompany  3456
    BEGIN-VENDOR MyCompany
    ATTRIBUTE   MyCompany-AttribA  100  string
    ATTRIBUTE   MyCompany-AttribB  200  string
    END-VENDOR MyCompany

Then just add logic using unlang to check MyCompany-AttribA etc
attributes as usual to make sure they have the correct values, such as

    if (MyCompany-AttribA != "foo") {
        reject
    }
    if (MyCompany-AttribB != "bar") {
        reject
    }

-- 
Matthew
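
Added example, not part of the original post and not FreeRADIUS code: the same check expressed in Python over the raw attribute bytes, showing how the Type 26 layout in the question's table maps onto the dictionary entries (vendor 3456, types 100 and 200). It assumes the 1-octet Vendor-type / 1-octet Vendor-length layout from that table and that `attrs` is the attribute section after the 20-byte RADIUS header; the function names and the `require_present` option are hypothetical.

```python
import struct

VENDOR_ID = 3456                        # Vendor-Id from the post
EXPECTED = {100: b"foo", 200: b"bar"}   # Vendor-type -> required value, from the post

def _tlvs(buf, what):
    """Yield (type, value) for each 1-byte-type, 1-byte-length TLV in buf."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError(f"truncated {what} header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad {what} length {length}")
        yield t, buf[i + 2:i + length]
        i += length

def iter_vsas(attrs):
    """Yield (vendor_id, vendor_type, value) from every Type 26 attribute."""
    for atype, body in _tlvs(attrs, "attribute"):
        if atype != 26:
            continue
        if len(body) < 4:
            raise ValueError("VSA too short to hold a Vendor-Id")
        (vendor_id,) = struct.unpack("!I", body[:4])
        for vtype, value in _tlvs(body[4:], "vendor sub-attribute"):
            yield vendor_id, vtype, value

def check_request(attrs, require_present=False):
    """True if every 3456/100 and 3456/200 value matches; malformed input fails."""
    seen = set()
    try:
        for vendor_id, vtype, value in iter_vsas(attrs):
            if vendor_id != VENDOR_ID or vtype not in EXPECTED:
                continue
            if value != EXPECTED[vtype]:
                return False
            seen.add(vtype)
    except ValueError:
        return False
    # require_present (added assumption): also fail when a checked attribute is absent.
    return not require_present or seen == set(EXPECTED)

def vsa(vendor_id, vtype, value):  # builds one Type 26 attribute for the samples
    sub = bytes([vtype, len(value) + 2]) + value
    return bytes([26, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub

# Constructed sample: User-Name "alice" followed by both vendor attributes.
GOOD = bytes([1, 7]) + b"alice" + vsa(3456, 100, b"foo") + vsa(3456, 200, b"bar")
```

With `require_present` left at its default, a request that carries neither attribute passes the value check, so decide explicitly whether absence should also be a reject.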
    
    