OR-logic patch for IC-Radius documentation
-------------------------------------------

For the most comprehensive "documentation", look at my diary on
http://www.hazard.maks.net.

-- Vladimir Ivaschenko

1. Theory of operation

OR logic for group membership: if a group has a "Fall-Through = Yes" check
item and the group's check items are not satisfied, the group's reply items
are removed and authentication does not fail.

OR logic for group check items: if a group's name contains "__OR__", all of
the group's check items are ORed with each other. That means that if one of
the check items succeeds, group membership succeeds as well, and the group's
reply items are added to the request's reply list. Useful for phone number
blacklists.

AND logic for groups: if a group has an "Auth-Type: Accept" check item and
the group's check items are satisfied, all "Auth-Type: Reject" items are
removed from the check item lists. This allows for AND logic, where at least
one group membership is required to succeed, or authentication fails. Please
note that groups are scanned in ALPHABETICAL order, so a good idea is to add
a special deny group, like "_ACCESS_CHECK", which has "Auth-Type: Reject".

NOT logic for groups: if a group has an "Auth-Type: Reject" check item and
the group's check items are satisfied, the authentication request fails
immediately.

Please note that the various types of logic can be combined (where it makes
sense). For example, you can combine OR logic for group membership with OR
logic for group check items, OR logic for group check items with AND logic
for groups, and so on.

2. Some examples

OR groups should now have "__OR__" anywhere in their name (instead of "OR_"
at the beginning). This way you can control their check order (all groups
are checked in alphabetical order).
And here is an example of using the patch.

------------------------------

Group =BLACKLIST_CHECK__OR__:
  check items:
    Caller-Station-Id : 1234
    Caller-Station-Id : 2345
    ...
    Auth-Type         : Reject
    Fall-Through      : Yes

WHAT IT DOES: This group rejects all users whose phone number is in the
blacklist. Because its name starts with "=", it will be the first group to
be checked.

------------------------------

Group DIALUP_USER_NAS1:
  check items:
    NAS-IP-Address : 1.2.3.4
    Auth-Type      : Accept
    Fall-Through   : Yes
  reply items:
    Framed-Protocol : PPP
    Service-Type    : Framed-User

WHAT IT DOES: Checks that the user is coming from NAS 1.2.3.4 and sets the
service type to Framed-User. It also has Auth-Type: Accept, which removes all
Auth-Type: Reject items in the groups that follow.

------------------------------

Group DIALUP_USER_NAS2:
  check items:
    NAS-IP-Address : 1.2.3.5
    Auth-Type      : Accept
    Fall-Through   : Yes
  reply items:
    Framed-Protocol : PPP
    Service-Type    : Framed-User

WHAT IT DOES: Same as above, but for a different access server.

------------------------------

Group _ACCESS_CHECK:
  check items:
    Auth-Type : Reject

WHAT IT DOES: Default catch-all deny rule. Its name starts with "_", so it
will be parsed last. Authentication is rejected if no group succeeded before
it. This is necessary, for example, if you have users who may dial in only to
a specific NAS (otherwise all group checks are done and, if the user's
personal check items are satisfied, authentication succeeds). It is a good
idea to have it just in case you didn't think about some possible way for a
user to get in.

Please note that if the user has Auth-Type: Reject in the personal check
items, authentication fails immediately (same behaviour as in unpatched
IC-Radius).
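The evaluation rules from section 1 and the four groups from section 2, modelled as an added Python example. This is written for this page to make the alphabetical scan and the OR/AND/NOT interactions concrete; it is not code from the patch or from IC-Radius. Assumptions, beyond what the notes state: a group whose ordinary check items fail and which lacks "Fall-Through: Yes" rejects the request (the pre-patch behaviour the Fall-Through rule is contrasted with); a group whose Auth-Type: Reject was removed by an earlier Accept still contributes its reply items; the request is a plain attribute-to-value map, and password verification and the user's personal check items are left out.

```python
"""Model of the IC-Radius OR-logic patch's group evaluation (illustrative).

Not the patch's code: a re-implementation of the documented rules so that the
ordering and the interaction of the rules can be tried on sample requests.
"""

# Check items that steer evaluation and are never compared against the request.
SPECIAL = {"Auth-Type", "Fall-Through"}


def special(check_items, attr):
    """Return the value of a special check item (Auth-Type / Fall-Through), or None."""
    for name, value in check_items:
        if name == attr:
            return value
    return None


def group_matches(group_name, check_items, request):
    """Evaluate the ordinary check items of one group against the request.

    A group whose name contains "__OR__" is satisfied if ANY ordinary item
    matches (OR logic for group check items); every other group needs ALL of
    them to match (the original AND behaviour). A group with no ordinary
    check items, such as _ACCESS_CHECK, is always satisfied.
    """
    ordinary = [(a, v) for a, v in check_items if a not in SPECIAL]
    if not ordinary:
        return True
    results = [request.get(a) == v for a, v in ordinary]
    return any(results) if "__OR__" in group_name else all(results)


def authorize(groups, request):
    """Scan groups in alphabetical order and return (decision, reason, reply_items).

    Plain string ordering puts "=" before "A".."Z" and "_" after them, which is
    what the notes rely on for "=BLACKLIST..." first and "_ACCESS_CHECK" last
    (this holds for upper-case group names; lower-case names sort after "_").
    """
    reply = []
    accept_seen = False  # set once a satisfied group carries Auth-Type: Accept
    for name in sorted(groups):
        group = groups[name]
        check = group.get("check", [])
        if not group_matches(name, check, request):
            if special(check, "Fall-Through") == "Yes":
                # OR logic for membership: drop this group's reply items, carry on.
                continue
            # Assumption: without Fall-Through a failed group is mandatory (pre-patch).
            return ("Reject", f"group {name} check items not satisfied", [])
        auth_type = special(check, "Auth-Type")
        if auth_type == "Reject" and not accept_seen:
            # NOT logic: a satisfied Reject group fails the request at once.
            return ("Reject", f"group {name} has Auth-Type: Reject", [])
        # AND logic: an earlier Auth-Type: Accept removed this group's Reject.
        if auth_type == "Accept":
            accept_seen = True
        reply.extend(group.get("reply", []))
    return ("Accept", "no group rejected the request", reply)


# The page's four example groups, transcribed into the model's data format.
GROUPS = {
    "=BLACKLIST_CHECK__OR__": {
        "check": [("Caller-Station-Id", "1234"), ("Caller-Station-Id", "2345"),
                  ("Auth-Type", "Reject"), ("Fall-Through", "Yes")],
        "reply": [],
    },
    "DIALUP_USER_NAS1": {
        "check": [("NAS-IP-Address", "1.2.3.4"), ("Auth-Type", "Accept"),
                  ("Fall-Through", "Yes")],
        "reply": [("Framed-Protocol", "PPP"), ("Service-Type", "Framed-User")],
    },
    "DIALUP_USER_NAS2": {
        "check": [("NAS-IP-Address", "1.2.3.5"), ("Auth-Type", "Accept"),
                  ("Fall-Through", "Yes")],
        "reply": [("Framed-Protocol", "PPP"), ("Service-Type", "Framed-User")],
    },
    "_ACCESS_CHECK": {"check": [("Auth-Type", "Reject")], "reply": []},
}

# Constructed sample requests (attribute values are made up for this example).
SAMPLE_REQUESTS = {
    "blacklisted caller on NAS1": {"Caller-Station-Id": "1234", "NAS-IP-Address": "1.2.3.4"},
    "clean caller on NAS1": {"Caller-Station-Id": "5555", "NAS-IP-Address": "1.2.3.4"},
    "clean caller on unknown NAS": {"Caller-Station-Id": "5555", "NAS-IP-Address": "9.9.9.9"},
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        decision, reason, items = authorize(GROUPS, req)
        print(f"{label}: {decision} ({reason}) reply={items}")
```

Running the block shows the three outcomes the notes describe: the blacklisted number is rejected by the first group before any Accept can neutralise the Reject, the clean caller on a known NAS is accepted with the PPP/Framed-User reply items and passes _ACCESS_CHECK because DIALUP_USER_NAS1 set Accept, and the clean caller on an unknown NAS falls through every dial-up group and is stopped by _ACCESS_CHECK.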