 |
» |
|
|
|
A decision file contains group entries that
define conditions based on combinations of A-V pairs and
associates each condition with a set of returned A-V pairs.
These files are only used when the radius.fsm file has been modified to call a specific decision file.
Decision files can be used for complex policy decisions, for logging,
and for other custom server configurations. (See Chapter 22 “The
Finite State Machine (FSM) ” for more information about
radius.fsm modifications). If a decision file is being used, the
AAA server will evaluate each condition according to A-V
pairs in RADIUS messages, like the Access-Request, and
other values generated by the server. When a condition evaluates
to true, the server will return the associated attribute values
as reply items and can return an event value to the FSM. There are sample decision files in the /etc/opt/aaa directory that provide a template for implementing Dialed
Number Identification Service (DNIS) routing and Dynamic Access
Control (DAC) decisions. You can also create your own decision files,
but they must be stored in the same directory that contains the
server's other configuration files. There are no required naming
conventions for a decision file, but the file name must match its
reference in radius.fsm. | | | |  | IMPORTANT: Decision files are read from beginning to end.
When the first match occurs, the server ignores the remaining entries. | | | | |
Below is the syntax of a decision file: Group Name {
Condition {
expression
}
Reply {
reply-items
. . .
} |
- Group Name
Begins the group entry by
specifying a Name for the group. - Condition
Block that contains an expression
of A-V pairs. They will evaluate to true or false to determine
if the user belongs to the group. If condition is not defined in
the group entry, the group will match all requests. - Reply
Block that contains a list
of one or more reply items that will be added to the request if
condition evaluates to true.
Expressions | |
The simplest expression is a comparison of two A-V
pairs with one relative operator. You can use relative and Boolean
operators to create an expression with various combinations of A-V
pairs and comparisons. Table 23-3 “A-V Pair Expression Operators” lists
the operators that you can use. Table 23-3 A-V Pair Expression Operators Operator | Description |
|---|
| = | Equal to | | != | Not equal to | | > | Greater than | | < | Less than | | >= | Greater than or equal to | | <= | Less than or equal to | | && | Logical AND | | || | Logical OR | | ! | Logical NOT |
You can also use parentheses to nest expressions. Line breaks
are not significant. Table 23-4 “A-V Pair Expression Examples” illustrates some
possible expressions that you can use if you want to control access
according to the dial-in phone number and time called. Table 23-4 A-V Pair Expression Examples Expression Example | Description |
|---|
Calling-Station-Id = 123456789 ||
Called-Station-Id = 8005551212 | Allows access if either the calling number
or the called number match the specified values. | Day-Of-Week => Monday &&
Day-Of-Week <= Friday | Allows access if the day of the week is between
Monday and Friday. | ((Calling-Station-Id = 123456789 ||
Calling-Station-Id = 987654321) &&
Called-Station-Id = 8005551212) ||
!(Day-Of-Week => Monday &&
Day-Of-Week <= Friday) | Allows access when one of the following
is true: The
calling number matches either specified value, and the called number matches
the specified number The day of the week is not
between Monday and Friday
|
Your expressions can be as short or as long as you like. Since
only one group match can be made for each request, you choose to
use shorter expressions, and manage each distinct decision (DNIS
routing, dynamic access control, membership in groups, and so on)
in a separate file. You can also create a single file with longer
expressions that cover a wide range of decision criteria. Specifying
Attributes in Group Entries | |
You can create decision groups for provisioning
with the A-V pairs that may be used in a user profile for
session logging with accounting attributes, refer to Chapter 11 “Logging
and Monitoring ”. In addition, you can use
the following attributes to define a group condition or reply. Day-Of-Week A string, representing the day of the week (spelled
out or three letter abbreviation), or a number from 0 to 6, where
0 represents Sunday and 6 represents Saturday. This attribute is
compared to the current system clock of the machine hosting the
AAA server that is making the comparison. Date-Time 24 hour clock in yyyy:mm:dd:hh:mm format. This
attribute is compared to the current system clock of the machine
hosting the AAA server that is making the comparison. Time-of-Day 24 hour clock in hh:mm format. This attribute
is compared to the current system clock of the machine hosting the
AAA server that is making the comparison. Hours must be two digits,
for example, 08:00, not 8:00. Decision You assign a value to this attribute that corresponds
to a predefined or custom event that will
be returned to the finite state machine
when the group entry's condition has evaluated to true. Interlink-Packet-Code An integer value that indicates what type of RADIUS
message has been received: either 1 (Access-Request) or
4 (Accounting-Request). Interlink-Proxy-Action A string determined by information in an Access-Request
or Accounting-Request. This indicates the name of the starting
event in the FSM when the AAA server receives a RADIUS message.
You can preempt this value by beginning radius.fsm with an *.*.ACK
event that invokes the POLICY action, which could then determine
the start event based on a policy decision. User-Id After the AAA server parses the NAI, it assigns
the user name to this attribute. User-Realm After the AAA server parses the NAI, it assigns
the realm to this attribute. Using
Indirection | |
You can also use indirection
to compare or assign attribute values to each other. Follow a Test
Operator $Value$Pos$Len syntax, where Test is the attribute to check
or assign a value to, and Value is the attribute with the value
to check against or assign to the Test attribute; Operator is the relative
or Boolean operator to use. $Pos and $Len are optional parameters
that allow you to test or assign a substring of the specified Value
attribute. Pos indicates the index position in the attribute's value to
begin the substring and if specified Len determines the length. When used in the condition section of a group entry, indirection
checks values. When used in the reply section, it assigns a value.
For example, in an expression Port-Id <= $Port-Limit
would only allow access to users who access the server through ports
that don't exceed the limit set in their profile. As a reply item
Decision = $Interlink-Proxy-Action would assign
the current FSM event to the Decision attribute. | | | |  | NOTE: Test = $Value$Pos$Len will add a new A-V pair
to the request. It will not update an existing pair. For example,
when the request includes a Test = “String” A-V
pair, the expression Test = $Test$2$3 will append Test = “rin” to
the request, which results in both Test = “String” and
Test = “rin” in the request. Because the left-side attribute is handled
differently than the right-side attribute value, multiple
attributes in a request can cause some unexpected indirection results.
Each instance of the left-side attribute is AND'd, but
only the value of the right-side attribute's last instance
is used. For example, the expression Test < $Test would
evaluate to FALSE as (Test1 < 1) && (Test2 < 1)
when the request contains the A-V pairs Test1 = 1 and Test2
= 2. | | | | |
Example
Group Entries | |
The HP-UX AAA server includes two sample decision
files: /opt/aaa/examples/config/DNIS.grp for DNIS routing /opt/aaa/examples/config/DAC.grp for dynamic access control
DNIS.grp
for DNIS RoutingThis example shows a simple DNIS routing scheme. Refer to Chapter 11 “Logging
and Monitoring ” for an example of
a modified radius.fsm file that will work with this decision file. 1 Group Controlled-Access {
2 Condition {
3 (Calling-Station-Id = 1234567890) ||
4 (Called-Station-Id = 8005551212)
5 }
6 Reply {
7 Authentication-Type = radius
8 Server-Name = flatland.com
9 Server-Port = 1812
10 Decision = Forward
11 }
12 }
13 Group Denied-Access {
14 Condition {
15 Called-Station-Id = 8001234567
16 }
17 Reply {
18 Authentication-Type = blackhole
19 Decision = Abandon
20 }
21 }
22 Group NORMAL {
23 Reply {
24 Decision = $Interlink-Proxy-Action
25 }
26 } |
|
- Line 1
Names the first group entry
Controlled-Access. - Lines 2 to 5
If the user calls from 1234567890,
or calls into 8005551212, the user belongs to this group. - Lines 7 to 9
The Authentication-Type
attribute indicates that requests from members of this group should
be proxied. The Server-Name and Server-Port attributes
specify flatland.com:1812 as the remote server that should receive
the proxied request. - Line 10
The Decision attribute returns
the Forward value to the FSM as an event. The radius.fsm file must be modified to recognize this event and to
call the RADIUS module when it occurs, refer to Chapter 11 “Logging
and Monitoring ”. - Line 13
Names the second group entry
Denied-Access. - Lines 14 to 16
If the user calls into 8001234567,
the user belongs to this group. - Lines 18
The Authentication-Type
attribute indicates that the request should be ignored. - Line 19
The Decision attribute returns
the Abandon value to the FSM as an event. The radius.fsm file must
be modified to recognize this event to end the request when it occurs,
refer to Chapter 11 “Logging
and Monitoring ”. - Line 22
Names the third group Normal.
Since this group entry does not include a condition section, all
requests that have not been matched to the previous two groups will be
matched to this group. - Line 24
This line uses indirection
to pass the current event ($Interlink-Proxy-Action)
to the FSM, so the server will handle the request as if DNIS routing
did not occur.
DAC.grp for Dynamic Access ControlThis example shows a simple DAC decision scheme based on the
value of an Access-Group attribute. Allow access
to users in the weekday group during a weekday Allow access to users in
the daytime group during the day Allow access to users in
the nighttime group during the night Otherwise, deny access to
users
Refer to Chapter 11 “Logging
and Monitoring ” for
an example of a modified radius.fsm file that will work with this
decision file. In addition, this decision file would only work if
the Access-Group attribute were added to the dictionary
and added to user profiles as a configuration item, refer to “The
dictionary File ”. |
1 Group Weekday-Access {
2 Condition {
3 (Access-Group = weekday) &&
4 ((Day-Of-Week >= Monday) && (Day-Of-Week <= Friday))
5 }
6 Reply {
7 Decision = ACK
8 Reply-Message = "Weekday access allowed"
9 }
10 }
11 Group Daytime-Access {
12 Condition {
13 (Access-Group = daytime) &&
14 ((Time-Of-Day >= 06:00) && (Time-Of-Day <= 20:00))
15 }
16 Reply {
17 Decision = ACK
18 Reply-Message = "Daytime access allowed"
19 }
20 }
21 Group Nighttime-Access {
22 Condition {
23 (Access-Group = nighttime) &&
24 ((Time-Of-Day < 06:00) || (Time-Of-Day > 20:00))
25 }
26 Reply {
27 Decision = ACK
28 Reply-Message = "Nighttime access allowed"
29 }
30 }
31 Group Denied-by-timed-access {
32 Reply {
33 Decision = NAK
34 Reply-Message = "Time-Based access denied"
35 }
36 } |
|
- Line 1
Names the first group entry
Weekday-Access. - Lines 2 to 5
If the user belongs to the
weekday access group and calls on a weekday they belong to this
group. - Line 7
The Decision attribute returns
the ACK value to the FSM as an event, which will accept the request. - Line 8
Specifies a message that
will be sent back to the user. - Lines 11 to 30
Define the second and third
groups with a structure similar to the first group entry. - Line 31
Names the fourth group Denied-by-time-access.
Since this group entry does not include a condition section, all
requests that have not been matched to the previous two groups will
be matched to this group. - Line 33
The Decision attribute returns
the NAK value to the FSM as an event, which will reject the request. - Line 34
Specifies a message that
will be sent back to the user.
|
Printable version
