privacyidea / FreeRADIUS

Add two factor authentication to FreeRADIUS via privacyIDEA
GNU General Public License v2.0

Allow multiple same reply attributes #41

Closed cornelinux closed 4 years ago

cornelinux commented 4 years ago

We can now do attribute matching to allow multiple RADIUS attributes in the response, like several Class attributes, which are usually used for putting users into groups.

rlm_perl expects multiple attributes to be returned in an array.

Closes #40

cornelinux commented 4 years ago

In the PR I get such a response:

Sent Access-Request Id 2 from 0.0.0.0:40178 to 127.0.0.1:1812 length 44
    User-Name = "hans"
    User-Password = "hans"
    Cleartext-Password = "hans"
Received Access-Accept Id 2 from 127.0.0.1:1812 to 0.0.0.0:0 length 98
    Filter-Id = "matching 1 tokens"
    Filter-Id = "otplen=6"
    Class = 0x504953503030303145393838
    Class = 0x7370617373
    Reply-Message = "privacyIDEA access granted"

from an rlm_perl.ini configuration like this:

[Default]
URL = https://localhost/validate/check
SSL_CHECK = false

[Mapping]
serial = Class
type = Class

[Attribute Filter-Id]
radiusAttribute = Filter-Id
userAttribute = message
regex = (.*)

[Attribute 2]
radiusAttribute = Filter-Id
userAttribute = otplen
regex = (.*)
prefix = otplen=

and an HTTP response like this:

detail |  
    message | "matching 1 tokens"
    otplen | 6
    serial | "PISP0001E988"
    threadid | 140401754359552
    type | "spass"

(I think this is rather cool ;-)
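
A sketch of the mapping described above, added here as an example and not the plugin's own code: it turns the detail values from the HTTP response into a reply hash in which a repeated attribute becomes an array reference, the form in which rlm_perl takes several values for one attribute. The names build_reply and add_reply are hypothetical, and the handling of regex (first capture group) and prefix is an assumption inferred from the output shown in the comment.

```perl
use strict;
use warnings;

# Constructed sample: the "detail" values from the HTTP response above.
my %detail = (message => 'matching 1 tokens', otplen => 6,
              serial  => 'PISP0001E988',      type   => 'spass');

# [Mapping] and [Attribute ...] sections of the rlm_perl.ini above, kept as
# ordered lists so the reply order is deterministic.
my @mapping = ([ serial => 'Class' ], [ type => 'Class' ]);
my @rules = (
    { radiusAttribute => 'Filter-Id', userAttribute => 'message', regex => '(.*)' },
    { radiusAttribute => 'Filter-Id', userAttribute => 'otplen',  regex => '(.*)', prefix => 'otplen=' },
);

# A second value for the same attribute promotes the scalar to an array
# reference instead of overwriting the first value.
sub add_reply {
    my ($reply, $attr, $value) = @_;
    if    (!exists $reply->{$attr})        { $reply->{$attr} = $value }
    elsif (ref $reply->{$attr} eq 'ARRAY') { push @{ $reply->{$attr} }, $value }
    else                                   { $reply->{$attr} = [ $reply->{$attr}, $value ] }
}

sub build_reply {
    my ($detail) = @_;
    my %reply;
    for my $m (@mapping) {
        my ($key, $attr) = @$m;
        add_reply(\%reply, $attr, $detail->{$key}) if defined $detail->{$key};
    }
    for my $rule (@rules) {
        my ($value, $re) = ($detail->{ $rule->{userAttribute} }, $rule->{regex});
        next unless defined($value) && $value =~ /$re/;
        add_reply(\%reply, $rule->{radiusAttribute}, ($rule->{prefix} // '') . $1);
    }
    return \%reply;
}

# Print in radclient style; Class is an octets attribute, so it is shown as hex.
my $reply = build_reply(\%detail);
for my $attr (sort keys %$reply) {
    my $v = $reply->{$attr};
    for my $one (ref $v ? @$v : $v) {
        my $shown = $attr eq 'Class' ? '0x' . unpack('H*', $one) : qq("$one");
        print "$attr = $shown\n";
    }
}
```

The hex Class values in the Access-Accept are the serial and the token type from the response, byte for byte, which is what a NAS or policy matching on Class for group assignment will see.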