Table of Contents Table of contents: Radiator® AAA Server <AuthBy CDB> 3.37 - <AuthBy CDB> <AuthBy UNIX> 3.39 - <AuthBy UNIX>

3.38. <AuthBy GROUP>

<AuthBy GROUP> allows you to conveniently define and group multiple AuthBy clauses. It is implemented in AuthGROUP.pm. This is most useful where you need to be able to have multiple sets of authentication clauses, perhaps with different AuthByPolicy settings for each group. You can use an <AuthBy GROUP> (containing any number of AuthBy clauses) anywhere that a single AuthBy clause is permitted. <AuthBy GROUP> can be nested to any depth.
<AuthBy GROUP> will try each AuthBy method in turn until one of them either Accepts or Rejects the request. You can change this using AuthByPolicy. For more information, see Section 3.38.1. AuthByPolicy.
<AuthBy GROUP>
      AuthByPolicy ContinueUntilReject
      <AuthBy SQL>
            ...
      </AuthBy>
      <AuthBy DBM>
            ...
      </AuthBy>
      <AuthBy GROUP>
            AuthByPolicy ContinueUntilAccept
            RewriteUsername s/^(.+)$/cyb-$1/
            <AuthBy FILE>
                  ...
            </AuthBy> 
            <AuthBy FILE>
                  ... 
            </AuthBy>
      </AuthBy>
</AuthBy>
<AuthBy GROUP> understands also the same parameters as <AuthBy xxxxxx>. For more information, see Section 3.32. <AuthBy xxxxxx>.

3.38.1. AuthByPolicy

This parameter allows you to control the behaviour of multiple AuthBy clauses inside this <AuthBy GROUP>. This parameter is always available in <Handler ...> and <Realm ...> clauses. In particular, it allows you to specify under what conditions Radiator tries the next AuthBy clause. If you only have one AuthBy clause, AuthByPolicy is not relevant and is ignored.
You can specify more than one AuthBy clause for a single Realm, Handler, or <AuthBy GROUP>. The normal behaviour of Radiator is to try to authenticate with the first one. If that authentication method either Accepts or Rejects the request, then Radiator immediately sends a reply to the NAS. If the AuthBy ignores the request, then the next one is tried. That is the default behaviour, you can change it using AuthByPolicy. The permissible values of AuthByPolicy are:
  • ContinueWhileIgnore
    This is the default. Continue trying to authenticate until either Accept, Challenge, or Reject.
  • ContinueUntilIgnore
    Continue trying to authenticate until Ignore.
  • ContinueWhileAccept
    Continue trying to authenticate as long as it is Accepted.
  • ContinueUntilAccept
    Continue trying to authenticate until it is Accepted.
  • ContinueWhileChallenge
    Continue trying to authenticate as long as it is Challenged.
  • ContinueUntilChallenge
    Continue trying to authenticate until it is Challenged.
  • ContinueWhileReject
    Continue trying to authenticate as long as it is Rejected.
  • ContinueUntilReject
    Continue trying to authenticate until it is Rejected.
  • ContinueWhileAcceptOrChallenge
    Continue trying to authenticate as long as it is either Accepted or Challenged.
  • ContinueUntilAcceptOrChallenge
    Continue trying to authenticate until it is either Accepted or Challenged.
  • ContinueUntilRejectOrChallenge
    Continue trying to authenticate until it is either Reject or Challenged.
  • ContinueAlways Note: this is the same as any other value
    Always do every authentication method. Returns the result of the last one.
Here is an example of using AuthByPolicy:
# Authenticate with SQL, but if they are rejected 
# fall back to a flat file
AuthByPolicy ContinueWhileReject
<AuthBy SQL>
      ....
</AuthBy>
<AuthBy FILE>
      ....
</AuthBy>
You can only have one AuthByPolicy parameter and it applies to all the AuthBy clauses. You cannot change it between AuthBy clauses.
Tip
ContinueUntilAcceptOrChallenge is the most useful one when using EAP requests in an <AuthBy GROUP> with multiple internal AuthBys.

3.38.2. RewriteUsername

This is an optional parameter. It enables you to alter the username in authentication and accounting requests. For more details and examples, see Section 8. Rewriting user names.

3.38.3. StripFromRequest

Strips the named attributes from the request before passing it to any lower authentication modules. The value is a comma separated list of attribute names. StripFromRequest removes attributes from the request before AddToRequest adds any to the request. There is no default.
# Remove any NAS-IP-Address,NAS-Port attributes
StripFromRequest NAS-IP-Address,NAS-Port

3.38.4. AddToRequest

Adds attributes to the request before passing it to any lower authentication modules. Value is a list of comma separated attribute value pairs all on one line, exactly as for any reply item. StripFromRequest removes attributes from the request before AddToRequest and AddToRequestIfNotExist adds any to the request. You can use any of the special % formats in the attribute values. There is no default.
# Append a Filter-ID and host name
AddToRequest Calling-Station-Id=1,Login-IP-Host=%h

3.38.5. AddToRequestIfNotExist

Adds attributes to the request before passing it to any lower authentication modules. Unlike AddToRequest, an attribute will only be added if it does not already exist in the request. Value is a list of comma separated attribute value pairs all on one line, exactly as for any reply item. StripFromRequest removes attributes from the request before AddToRequest and AddToRequestIfNotExist adds any to the request. You can use any of the special % formats in the attribute values. There is no default.
# Append a Filter-ID and host name if they are not there already
AddToRequestIfNotExist Calling-Station-Id=1,Login-IP-Host=%h

3.38.6. HandleAcctStatusTypes

This optional parameter specifies a list of Acct-Status-Type attribute values that will be processed in Accounting requests. The value is a comma-separated list of valid Acct-Status-Type attribute values including, Start, Stop, Alive, Modem-Start, Modem-Stop, Cancel, Accounting-On and Accounting-Off. See your dictionary for a full list.
If HandleAcctStatusTypes is specified and an Accounting request has an Acct-Status-Type not mentioned in HandleAcctStatusTypes, then the request will be ACCEPTed but not otherwise processed by the enclosing clause. The default is to handle all Acct-Status-Type values.
# Only process Start and Stop requests, ACCEPT and acknowledge everything else
HandleAcctStatusTypes Start,Stop
Table of Contents Table of contents: Radiator® AAA Server <AuthBy CDB> 3.37 - <AuthBy CDB> <AuthBy UNIX> 3.39 - <AuthBy UNIX>