"policy":[]

This section is optional. It allows the conditional addition of attributes to the Access-Accept response packet from the IBM RADIUS server to RADIUS clients (NAS). It also allows the conditional immediate acceptance or rejection of an Access-Request authorization request. The policies are evaluated in the order that they are defined.

Format

"policy":[
  {
    "name":"policy1",
    "match":{
      "client-ip":"???",
      "attr":{
        "compare":"??",
        "name":"???",
        …
      },
      "user-group":{
        "compare":"??",
        "name":"???"
      },
      "apply-before-authenticate":????
    },
    "return-attrs":[
      {
        "name":"???",
        "value":"???",
        …
      },
      …
    ],
    "action":"???"
  },
  {
    "name":"policy2",
    …
  },
  …
]

Values

"match":{}
This subsection is optional; if it is not present, the policy matches all Access-Request packets.

Under this section are the following subitems:

"client-ip":"192.168.0.129"
Matches the address of the RADIUS client (NAS) that sent the packet.
"apply-before-authenticate":"false"
Deprecated. Defaults to false. If true, the policy is matched and applied before the user password or OTP is validated. This is equivalent to "apply": "before-mfa".
"apply": "before-mfa" | "after-mfa-success" | "after-pwd-success" | "before-each-response"
This option is preferred over the deprecated "apply-before-authenticate" configuration option.
"before-mfa"
The policy is matched before the 1FA (password) or 2FA is validated.
"after-mfa-success"
The policy is matched after 2FA is validated successfully.
"after-pwd-success"
The policy is matched after a successful 1FA (password) validation, before 2FA.
"before-each-response"
The policy is matched before each response is sent.
Examples of using "apply" in a policy might be:
  1. To bypass 2FA for any user in a group named "risky":
     {
       "name": "risk_policy",
       "match": {
         "apply": "after-pwd-success",
         "user-group": { "compare": "=", "name": "risky" }
       },
       "return-attrs": [
         {
           "name": "Reply-Message",
           "value": "Success: Bypassed 2FA"
         }
       ],
       "action": "accept"
     },
  2. To support a RADIUS proxy between the client/NAS and the RADIUS server, where the incoming Proxy-State attribute received by the RADIUS server must be returned to the RADIUS proxy:
     {
       "name": "proxy_policy",
       "match": {
         "apply": "before-each-response"
       },
       "return-attrs": [
         {
           "name": "Proxy-State",
           "value": "{{reflect}}",
           "value-type": "text"
         }
       ],
       "action": "continue"
     }
"attr":{}

This section allows matching a single attribute's value in the Access-Request. Under this section are the following subitems:

"compare":"="
Defaults to "=". This item must be either "=" or "!=".
"case-ignore":false
Defaults to false. By default the "value" is compared byte by byte against the RADIUS attribute value. When "case-ignore" is set to true, a UTF-8 case-insensitive character string comparison is done instead, which is useful for comparing the "User-Name" attribute value.
"regex":false
Defaults to false. When set to true, the "value" is interpreted as an extended regular expression that is matched against the attribute value. For example,
"value": ".*ibm\\.com"
matches any value that ends with ibm.com, such as testibm.com. For a definition of extended regular expressions, see https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html.
"name":"User-Name"

The attribute in the Access-Request to compare against. This value can be either a string naming the RADIUS attribute or the attribute number. For example, User-Name has the number 1. See the output of the IbmRadius.exe -attributes command for a list of RADIUS attributes.

"value":"Administrator"
The attribute value to compare with. See the following "value-type" table for the JSON format of the value. The default value type of the attribute depends on the attribute itself. The output of the command "IbmRadius.exe -attributes" shows the value-type of each RADIUS attribute.
"value-type":"text"
Overrides how the "value" is converted into a RADIUS attribute value. The default depends on the RADIUS attribute, as each has its own default value-type. See the output of the IbmRadius.exe -attributes command to see the value-type of each RADIUS attribute. This parameter allows overriding of the type for ease of input. For example, a text string can be placed in a binary string attribute.
Table 1. Value mapping

Name: integer
  JSON value format:
    • number: for example, 1234.
    • string: hex number, for example "0xa2b3ff".
  RADIUS value: 4 bytes, MSB first

Name: enum
  JSON value format:
    • string: enum name string appropriate for the attribute. For example, "Login" for the "Service-Type" attribute. See the output of the IbmRadius.exe -attributes command for a list of acceptable enum value strings.
    • number: for example, 5.
  RADIUS value: 4 bytes, MSB first

Name: time
  JSON value format:
    • number: number of seconds since 1970-01-01 00:00:00 UTC.
    • string: "YYYYMMDDHHMMSS" in UTC.
  RADIUS value: 4 bytes, MSB first

Name: text
  JSON value format:
    • string: UTF-8 characters.
  RADIUS value: UTF-8 bytes, not terminated by 0x00

Name: integer64
  JSON value format:
    • number: for example, 12345.
    • string: hex number, for example "0xdeadbeaf".
  RADIUS value: 8 bytes, MSB first

Name: ipv4addr
  JSON value format:
    • string: IPv4 formatted string, for example "192.168.0.1".
  RADIUS value: 4 bytes, network order, MSB first

Name: ipv6addr
  JSON value format:
    • string: IPv6 formatted string, for example "fe80::df3c:99dd:8a4a:16f1".
  RADIUS value: 8 bytes, network order, MSB first

Name: string, ifid, ipv6prefix, ipv4prefix, tlv, vsa, extended, long_extended, evs
  JSON value format:
    • string: Base64 encoded binary data.
  RADIUS value: Bytes.
Note: The format for each type varies; see the RADIUS RFCs.
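The conversions in Table 1, as an added example that is not IBM's code: to_radius_bytes() takes a JSON "value" and a "value-type" and returns the attribute bytes. The enum lookup table ENUM_NAMES is a constructed stand-in for the IbmRadius.exe -attributes output.

```python
import base64
import ipaddress
from datetime import datetime, timezone

# Added example, not IBM's code: turns a JSON "value" into the RADIUS
# attribute bytes that Table 1 describes. Enum names are resolved through a
# constructed table standing in for the IbmRadius.exe -attributes output.
ENUM_NAMES = {"Login": 1, "Framed": 2}  # constructed sample for Service-Type

def to_radius_bytes(value, value_type):
    if value_type in ("integer", "integer64", "enum", "time"):
        width = 8 if value_type == "integer64" else 4
        if not isinstance(value, str):
            n = int(value)  # JSON number
        elif value_type == "enum":
            n = ENUM_NAMES[value]  # enum name string
        elif value_type == "time":
            n = int(datetime.strptime(value, "%Y%m%d%H%M%S")  # "YYYYMMDDHHMMSS" UTC
                    .replace(tzinfo=timezone.utc).timestamp())
        else:
            n = int(value, 16)  # hex string such as "0xa2b3ff"
        return n.to_bytes(width, "big")  # MSB first
    if value_type == "text":
        return value.encode("utf-8")  # no trailing 0x00
    if value_type == "ipv4addr":
        return ipaddress.IPv4Address(value).packed  # network order
    if value_type == "ipv6addr":
        return ipaddress.IPv6Address(value).packed  # network order
    # string, ifid, ipv6prefix, ipv4prefix, tlv, vsa, extended,
    # long_extended, evs: Base64 text carrying the raw attribute bytes
    return base64.b64decode(value, validate=True)
```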
"user-group":{}
This section allows matching a single group to the list of groups that a user belongs to. This parameter can only be used when "apply-before-authenticate" == false. Under this section are the following subitems:
"compare":"="
Defaults to "=". This item must be either "=" or "!=".

"name":"{{group-name}}"
The group that is named "{{group-name}}" is checked against the user's group memberships.
"return-attrs":[]
If this is not present, no attributes are added to the returned RADIUS packet. The "return-attrs" are only added if the policy match is true.
Each element of the "return-attrs" array is formatted:
{
  "name":"xxxx",
  "value":"xxxx",
  "value-type":"xxxx"
},
The descriptions of "name", "value", and "value-type" are defined in the previous "match":{} > "attr":{} section. One exception is that "value" can also be one of the following special strings:
  • "{{group-name}}" : insert the attribute multiple times once for each group that the user belongs to.
  • "{{group-list}}" : insert the attribute once with all groups that the user belongs to, separated by commas.
In both exceptions, the "value-type" is forced to "text".
A "value" of "{{group-name:vsa:<vendorid>:<vendortype>}}" can be used to add each group as a Vendor-Specific Attribute (VSA). The default VSA value-type of binary must be overridden so that the formatting string is interpreted as text. Replace <vendorid> with the vendor's ID as a decimal number and <vendortype> with the vendor's attribute type as a decimal number. For example,
     "return-attrs": [
       {
         "name": "Vendor-Specific",
         "value": "{{group-name:vsa:12356:1}}",
         "value-type": "text"
       }
     ],

A "value" of "{{reflect}}" copies the request value of the same name into the response. Typically, it is used to return the Proxy-State value that was received. Also, specify the "value-type": "text" setting for this attribute.

"action":"continue"
Defaults to "continue". The "action" applies only if the policy match is true. The "action" item can be one of three values:
  • "continue": Add any "return-attrs" and continue on with processing.
  • "reject": Add any "return-attrs", send back a RADIUS Access-Reject packet, and end the processing of this RADIUS client (NAS) request.
  • "accept": Add any "return-attrs", send back a RADIUS Access-Accept packet, and end the processing of this RADIUS client (NAS) request.
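A model of the policy evaluation described in this section, as an added example that is not IBM's code: policies are walked in order, "match" is tested on client-ip, attr (with "compare", "case-ignore" and "regex") and user-group, "return-attrs" are collected with the {{group-name}}, {{group-list}} and {{reflect}} expansions, and "accept" or "reject" ends processing. It assumes all policies are evaluated at one "apply" stage, that a regex must match the whole attribute value, and uses a constructed sample request REQUEST.

```python
import re
# Added example, not IBM's code: a model of the policy semantics documented
# above. "apply" timing is not modelled; all policies run at one stage, in order.
REQUEST = {"client-ip": "192.168.0.129", "groups": ["staff", "risky"],  # constructed
           "attrs": {"User-Name": "alice@ibm.com", "Proxy-State": "p1"}}  # sample

def attr_matches(rule, request):
    actual, want = request["attrs"].get(rule["name"]), rule["value"]
    if actual is None:
        hit = False
    elif rule.get("regex", False):  # assumption: the whole value must match
        hit = re.fullmatch(want, actual) is not None
    elif rule.get("case-ignore", False):
        hit = actual.casefold() == want.casefold()
    else:  # default: byte-by-byte comparison
        hit = actual.encode("utf-8") == want.encode("utf-8")
    return hit if rule.get("compare", "=") == "=" else not hit

def policy_matches(policy, request):
    m = policy.get("match", {})  # no "match" means every request matches
    if m.get("client-ip", request["client-ip"]) != request["client-ip"]:
        return False
    if "attr" in m and not attr_matches(m["attr"], request):
        return False
    g = m.get("user-group")
    if g and (g["name"] in request["groups"]) != (g.get("compare", "=") == "="):
        return False
    return True

def expand(ra, request):
    name, v = ra["name"], ra["value"]
    if v == "{{group-name}}":  # one attribute per group
        return [(name, g) for g in request["groups"]]
    if v == "{{group-list}}":  # one attribute, groups comma-separated
        return [(name, ",".join(request["groups"]))]
    if v == "{{reflect}}":  # copy the request attribute of the same name
        src = request["attrs"].get(name)
        return [] if src is None else [(name, src)]
    return [(name, v)]

def evaluate(policies, request):
    reply = []  # walk the policies in order; return (final action, reply attrs)
    for p in policies:
        if not policy_matches(p, request):
            continue
        for ra in p.get("return-attrs", []):
            reply.extend(expand(ra, request))
        if p.get("action", "continue") != "continue":
            return p["action"], reply  # accept/reject end processing here
    return "continue", reply
```

Feeding the two "apply" examples from this page to evaluate() with REQUEST reflects Proxy-State first and then accepts on the "risky" group membership.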