"policy":[]
This section is optional. It allows the conditional addition of attributes to the Access-Accept response packet from the IBM RADIUS server to RADIUS clients (NAS). It also allows the conditional immediate acceptance or rejection of an Access-Request authorization request. The policies are evaluated in the order that they are defined.
Format
    "policy":[
        {
            "name":"policy1",
            "match":{
                "client-ip":"???",
                "attr":{
                    "compare":"??",
                    "name":"???",
                    ...
                },
                "user-group":{
                    "compare":"??",
                    "name":"???"
                },
                "apply-before-authenticate":????
            },
            "return-attrs":[
                {
                    "name":"???",
                    "value":"???",
                    ...
                },
                ...
            ],
            "action":"???"
        },
        {
            "name":"policy2",
            ...
        },
        ...
    ]
Values
"match":{}
- This subsection is optional. If it is not present, the policy matches all Access-Request packets. Under this section are the following subitems:

"client-ip":"192.168.0.129"
- Matches the address of the RADIUS client (NAS) that sent the packet.

"apply-before-authenticate":"false"
- Deprecated. Defaults to false. If true, the policy is matched and applied before the user password or OTP is validated. This is equivalent to "apply": "before-mfa".

"apply": "before-mfa" | "after-mfa-success" | "after-pwd-success" | "before-each-response"
- This option is preferred over the deprecated "apply-before-authenticate" configuration option. The values are:
  "before-mfa": The policy is matched before the 1FA (password) or 2FA is validated.
  "after-mfa-success": The policy is matched after 2FA is validated successfully.
  "after-pwd-success": The policy is matched after a successful 1FA (password) validation, before 2FA.
  "before-each-response": The policy is matched before each response is sent.
"attr":{}
- This section allows matching a single attribute's value in the Access-Request. Under this section are the following subitems:

"compare":"="
- Defaults to "=". This item must be either "=" or "!=".

"case-ignore":false
- Defaults to false. Values are compared byte-by-byte against the RADIUS attribute value. The exception is when "case-ignore" is set to true; in that case a UTF-8 case-insensitive character string comparison is done, which can be useful for comparing the "User-Name" attribute value.

"regex":false
- Defaults to false. When set to true, the "value" is interpreted as an extended regular expression when it is matched against the attribute value. For example, "value": ".*ibm\\.com" matches any value that ends with ibm.com, such as testibm.com. For a definition of extended regular expressions, see https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html.

"name":"User-Name"
- The attribute in the Access-Request to compare against. This value can be either a string, such as the name of the RADIUS attribute, or the attribute number. For example, User-Name has the number 1. See the output of the IbmRadius.exe -attributes command for a list of RADIUS attributes.

"value":"Administrator"
- The attribute value to compare with. See the following "value-type" table for the JSON format of the value. The default value type depends on the attribute itself. The output of the IbmRadius.exe -attributes command shows the value-type of each RADIUS attribute.

"value-type":"text"
- Overrides how the "value" is converted into a RADIUS attribute value. The default depends on the RADIUS attribute, as each has its own default value-type. See the output of the IbmRadius.exe -attributes command to see the value-type of each RADIUS attribute. This parameter allows the type to be overridden for ease of input. For example, a text string can be placed in a binary string attribute.

Table 1. Value mapping

Name           JSON value format                                                      RADIUS value
-------------  ---------------------------------------------------------------------  ------------------------------------
integer        - number: for example, 1234                                            4 bytes, MSB first
               - string: hex number, for example "0xa2b3ff"
enum           - string: enum name string appropriate for the attribute. For          4 bytes, MSB first
                 example, "Login" for the "Service-Type" attribute. See the output
                 of the IbmRadius.exe -attributes command for a list of acceptable
                 enum value strings.
               - number: for example, 5
time           - number: number of seconds since 1970-01-01 00:00:00 UTC              4 bytes, MSB first
               - string: "YYYYMMDDHHMMSS" UTC
text           - string: UTF-8 characters                                              UTF-8 bytes, not terminated by 0x00
integer64      - number: for example, 12345                                            8 bytes, MSB first
               - string: hex number, for example "0xdeadbeaf"
ipv4addr       - string: IPv4 formatted string, for example "192.168.0.1"              4 bytes, network order, MSB first
ipv6addr       - string: IPv6 formatted string, for example                            8 bytes, network order, MSB first
                 "192.168.0.fe80::df3c:99dd:8a4a:16f1"
string         - string: Base64 encoded binary data                                    Bytes. Note: The format for each
ifid                                                                                   type varies; see the RADIUS RFCs.
ipv6prefix
ipv4prefix
tlv
vsa
extended
long_extended
evs
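The following Python function is an added illustration of the conversions in Table 1 and is not IBM's code. It turns a JSON "value" plus its effective value-type (the attribute's default, or the "value-type" override) into the RADIUS attribute bytes described in the table. The enum table and the sample inputs are constructed for the example; the real server resolves enum names from its attribute dictionary (IbmRadius.exe -attributes). ipv6addr and the per-type layout of the Base64 types are not modelled beyond what the table states.

```python
import base64
import ipaddress
from datetime import datetime, timezone

# Constructed enum table for this example only. The real server takes enum
# names from its attribute dictionary. Service-Type 1 = Login per RFC 2865.
ENUMS = {"Service-Type": {"Login": 1, "Framed": 2, "Administrative": 6}}

# Types that Table 1 says are supplied as Base64 encoded binary data.
BASE64_TYPES = {"string", "ifid", "ipv6prefix", "ipv4prefix", "tlv",
                "vsa", "extended", "long_extended", "evs"}


def _fixed_int(value, width):
    """JSON number, or "0x..." hex string, to `width` bytes, MSB first."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise TypeError(f"expected number or hex string, got {type(value).__name__}")
    if isinstance(value, str):
        if not value.lower().startswith("0x"):
            raise ValueError(f"string form must be a hex number: {value!r}")
        value = int(value, 16)
    if not 0 <= value < (1 << (8 * width)):
        raise ValueError(f"{value} does not fit in {width} bytes")
    return value.to_bytes(width, "big")


def encode_value(value_type, value, attr_name=None):
    """Convert a JSON "value" to RADIUS attribute bytes per Table 1.

    value_type is the effective type (attribute default or the "value-type"
    override). attr_name is only needed to resolve enum names.
    """
    if value_type == "integer":
        return _fixed_int(value, 4)
    if value_type == "integer64":
        return _fixed_int(value, 8)
    if value_type == "enum":
        if isinstance(value, str):
            try:
                value = ENUMS[attr_name][value]
            except KeyError:
                raise ValueError(f"unknown enum {value!r} for {attr_name}") from None
        return _fixed_int(value, 4)
    if value_type == "time":
        if isinstance(value, str):
            # "YYYYMMDDHHMMSS", interpreted as UTC, to seconds since the epoch
            dt = datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            value = int(dt.timestamp())
        return _fixed_int(value, 4)
    if value_type == "text":
        return str(value).encode("utf-8")          # no 0x00 terminator
    if value_type == "ipv4addr":
        return ipaddress.IPv4Address(value).packed  # 4 bytes, network order
    if value_type in BASE64_TYPES:
        return base64.b64decode(value, validate=True)
    raise ValueError(f"unsupported value-type {value_type!r}")


if __name__ == "__main__":
    # Constructed sample values, one per conversion in the table
    samples = [
        ("integer", 1234, None), ("integer", "0xa2b3ff", None),
        ("enum", "Login", "Service-Type"), ("time", "19700101000001", None),
        ("text", "Administrator", None), ("ipv4addr", "192.168.0.1", None),
        ("integer64", "0xdeadbeaf", None),
        # "value-type": "text" override: plain text into a binary-string attribute
        ("text", "site-42", "Class"),
    ]
    for vtype, val, name in samples:
        print(f"{vtype:10} {val!r:22} -> {encode_value(vtype, val, name).hex()}")
```

The range check in _fixed_int is the part worth copying into any configuration linter: a JSON number that does not fit the 4- or 8-byte field is rejected at load time rather than silently truncated on the wire.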
"user-group":{}
- This section allows matching a single group against the list of groups that the user belongs to. This parameter can only be used when "apply-before-authenticate" == false. Under this section are the following subitems:

"compare":"="
- Defaults to "=". This item must be either "=" or "!=".

"name":"{{group-name}}"
- The group named "{{group-name}}" is checked against the user's group memberships.
"return-attrs":[]
- If this is not present, no attributes are added to the returned RADIUS packet. The "return-attrs" are only added if the policy match is true. Each element of the "return-attrs" array is formatted:

    { "name":"xxxx", "value":"xxxx", "value-type":"xxxx" },

The descriptions of "name", "value", and "value-type" are defined in the previous section. One exception is that "value" can be one of the following templates:

"{{group-name}}": Insert the attribute multiple times, once for each group that the user belongs to.
"{{group-list}}": Insert the attribute once with all groups that the user belongs to, separated by commas. "value-type" is forced to "text".
"{{group-name:vsa:<vendorid>:<vendortype>}}": Add each group as a Vendor-Specific Attribute (VSA). The default VSA value-type of binary must be overridden so that the formatting string is interpreted as text. Replace <vendorid> with the vendor's ID as a decimal number and replace <vendortype> with the vendor's value type as a decimal number. For example:

    "return-attrs":[ { "name": "Vendor-Specific", "value": "{{group-name:vsa:12356:1}}", "value-type": "text" } ],

"{{reflect}}": Copy the request value of the same name into the response. Typically, it is used to return the Proxy-State value that was received. Also specify the "value-type": "text" setting for this attribute.

"action":"continue"
- Defaults to "continue". The "action" applies only if the policy match is true. The "action" item can be one of three values:

"continue": Add any "return-attrs" and continue with processing.
"reject": Add any "return-attrs", send back a RADIUS Access-Reject packet, and end the processing of this RADIUS client (NAS) request.
"accept": Add any "return-attrs", send back a RADIUS Access-Accept packet, and end the processing of this RADIUS client (NAS) request.
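The following Python evaluator is an added example, not IBM's code, that walks a "policy" list in the format described on this page (match, attr, user-group, return-attrs, action) against constructed Access-Request data, so that a policy set can be dry-run before it is deployed. It assumes the following where the page is silent: Python's re module stands in for POSIX extended regular expressions and the regex is anchored to the whole value; the "apply" stage is not modelled (the caller is assumed to have already resolved the user's groups); and a "{{group-name:vsa:...}}" value is rendered as a labelled string rather than as VSA wire bytes. The policy list and the three requests are constructed sample data.

```python
import json
import re

# Constructed sample policy list in this page's "policy" format.
# Raw string so that the JSON escape "\\." reaches the regex as "\.".
SAMPLE_POLICY_JSON = r"""
[
  { "name": "admins-via-vpn-gateway",
    "match": {
      "client-ip": "192.168.0.129",
      "attr": { "name": "User-Name", "value": "Administrator", "case-ignore": true },
      "user-group": { "name": "vpn-admins" } },
    "return-attrs": [
      { "name": "Vendor-Specific", "value": "{{group-name:vsa:12356:1}}", "value-type": "text" },
      { "name": "Proxy-State", "value": "{{reflect}}", "value-type": "text" } ],
    "action": "accept" },
  { "name": "reject-non-ibm-users",
    "match": { "attr": { "name": "User-Name", "compare": "!=", "regex": true, "value": ".*ibm\\.com" } },
    "action": "reject" },
  { "name": "add-group-list",
    "return-attrs": [ { "name": "Class", "value": "{{group-list}}" } ] }
]
"""
SAMPLE_POLICIES = json.loads(SAMPLE_POLICY_JSON)

GROUP_VSA = re.compile(r"^\{\{group-name:vsa:(\d+):(\d+)\}\}$")


def attr_matches(rule, request):
    """"attr" subsection: compare one request attribute with "value"."""
    actual = request["attrs"].get(rule["name"])
    expected = str(rule.get("value", ""))
    ignore_case = rule.get("case-ignore", False)
    if actual is None:
        equal = False
    elif rule.get("regex", False):
        # Assumption: anchored match, Python re standing in for POSIX ERE
        flags = re.IGNORECASE if ignore_case else 0
        equal = re.fullmatch(expected, str(actual), flags) is not None
    elif ignore_case:
        equal = str(actual).casefold() == expected.casefold()
    else:
        equal = str(actual) == expected
    return equal if rule.get("compare", "=") == "=" else not equal


def group_matches(rule, groups):
    """"user-group" subsection: is the named group among the user's groups?"""
    member = rule["name"] in groups
    return member if rule.get("compare", "=") == "=" else not member


def policy_matches(policy, request):
    match = policy.get("match")
    if not match:                      # no "match": matches every request
        return True
    if "client-ip" in match and match["client-ip"] != request["client-ip"]:
        return False
    if "attr" in match and not attr_matches(match["attr"], request):
        return False
    if "user-group" in match and not group_matches(match["user-group"], request["groups"]):
        return False
    return True


def expand_return_attrs(specs, request):
    """Turn "return-attrs" entries into (name, value) pairs, expanding the templates."""
    out = []
    for spec in specs:
        name, value = spec["name"], str(spec.get("value", ""))
        vsa = GROUP_VSA.match(value)
        if value == "{{group-name}}":
            out += [(name, g) for g in request["groups"]]
        elif value == "{{group-list}}":
            out.append((name, ",".join(request["groups"])))
        elif value == "{{reflect}}":
            if name in request["attrs"]:
                out.append((name, request["attrs"][name]))
        elif vsa:
            # Labelled string for readability; the server would emit VSA bytes
            vendor_id, vendor_type = vsa.groups()
            out += [(name, f"vsa:{vendor_id}:{vendor_type}:{g}") for g in request["groups"]]
        else:
            out.append((name, value))
    return out


def evaluate(policies, request):
    """Walk policies in order; stop at the first matching accept/reject.

    Returns (decision, attrs). "continue" means every policy fell through and
    normal authentication decides the outcome.
    """
    attrs = []
    for policy in policies:
        if not policy_matches(policy, request):
            continue
        attrs += expand_return_attrs(policy.get("return-attrs", []), request)
        action = policy.get("action", "continue")
        if action in ("accept", "reject"):
            return action, attrs
    return "continue", attrs


# Constructed requests: NAS address, request attributes, resolved group list
REQ_ADMIN = {"client-ip": "192.168.0.129", "groups": ["vpn-admins", "staff"],
             "attrs": {"User-Name": "administrator", "Proxy-State": "0x1a2b"}}
REQ_OUTSIDER = {"client-ip": "10.0.0.5", "groups": [],
                "attrs": {"User-Name": "mallory@example.org"}}
REQ_STAFF = {"client-ip": "10.0.0.5", "groups": ["staff", "dev"],
             "attrs": {"User-Name": "bob@ibm.com"}}

if __name__ == "__main__":
    for label, req in [("admin", REQ_ADMIN), ("outsider", REQ_OUTSIDER), ("staff", REQ_STAFF)]:
        print(label, evaluate(SAMPLE_POLICIES, req))
```

Two behaviours of the page's rules show up in the sample run: a "compare": "!=" rule counts a missing attribute as not equal and therefore matches, so a reject policy written that way also rejects requests that carry no User-Name at all; and because evaluation stops at the first accept or reject, any return-attrs from later policies are never added for that request, so ordering changes the response and not only the decision.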