On Mon, 2018-03-12 at 00:38 +0000, Jibin Han via Freeradius-Users wrote:
Type Length Vendor-Id Vendor- type Vendor-length Value Attr1 26 <length> 3456 100 <len> foo Attr2 26 <length> 3456 200 <len> bar
The goal is we can configure Freeradius server so that in addition to user/password check: - server reads all the VSA; - for any VSA whose Vendor-Id is 3456, - when Vendor-type is "100", the value must be "foo"; "200", "bar". - If all above checks are good, sends back accept message; otherwise reject message.
Our RADIUS client inserts the above to the access request message, currently freeradius debug output does not mention these attributes. I need to somehow configure the server and hence ask the question.
Add your vendor attributes to the dictionary in raddb/dictionary, like VENDOR MyCompany 3456 BEGIN-VENDOR MyCompany ATTRIBUTE MyCompany-AttribA 100 string ATTRIBUTE MyCompany-AttribB 200 string END-VENDOR MyCompany Then just add logic using unlang to check MyCompany-AttribA etc attributes as usual to make sure they have the correct values, such as if (MyCompany-AttribA != "foo") { reject } if (MyCompany-AttribB != "bar") { reject } -- Matthew