help-gnu-radius

Re: [Help-gnu-radius] Cisco-AVPair


From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] Cisco-AVPair
Date: Sat, 24 May 2003 12:16:43 +0300

Hello Macram,

> I am receiving from the Cisco more than one Cisco-AV-Pair during client
> authentication.
> 
> How should I modify my users profile to send to my external program the
> whole array of AV-Pairs and not just the first AV-Pair?

It can't be done directly; you will have to create the new attribute
first. Here's the suggested approach:

1) In your dictionary create the special attribute for passing AV-Pairs,
e.g.:

ATTRIBUTE       My-Concat-Avpair       3000 string

(The exact numeric value is up to you. The only requirement is that it
may not coincide with any existing attribute).

2) To your raddb/rewrite add the following function:

integer
concat_avpair()
{
        integer i;
        %[My-Concat-Avpair] = "";
        i = 0;
        while (*%[Cisco-AVPair](i)) {
                %[My-Concat-Avpair] = %[My-Concat-Avpair] +
                                      %[Cisco-AVPair](i) + ";" ;
                i = i + 1;
        }
        return 0;
}

3) To your raddb/hints (or huntgroups, depending on the exact
configuration) add the invocation of this function, e.g.:

#raddb/hints:
DEFAULT Rewrite-Function = "concat_avpair"      NULL

4) Now, change your users profile as follows:


DEFAULT Auth-Type = Local,
                Password-Location = SQL,
                Service-Type = Login
                Exec-Program-Wait = "/usr/local/sbin/telauth  \
                             %C{User-Name} \
                             %C{Called-Station-Id} \
                             %C{Calling-Station-Id} \
                             %C{My-Concat-Avpair}"

This way the last argument to the telauth program will be a string
containing the values of all Cisco-AVPair attributes delimited by
semicolons. It would be trivial to split them again in the
program.

Regards,
Sergey
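
The splitting step on the receiving side, as an added example that is not part of the original message or of GNU Radius. The function name, the sample string and the assumed "protocol:attribute=value" shape of each pair are illustrative assumptions, as is the string arriving as one argument. Because the rewrite function joins values with ";" without escaping, a ";" inside a value cannot be told apart from a delimiter, so the parser rejects fragments that do not look like a pair rather than guessing.

```python
import re
import sys

# Constructed sample of the fourth argument; note the trailing ";" that
# concat_avpair() appends after every value.
SAMPLE_ARG = "shell:priv-lvl=15;ip:addr-pool=first;h323-conf-id=1 2 3;"

# Assumed shape of one AV-pair: optional "protocol:" prefix, attribute name,
# "=" (mandatory) or "*" (optional) separator, then the value.
_PAIR = re.compile(r"^(?:([A-Za-z0-9_-]+):)?([A-Za-z0-9_.#-]+)([=*])(.*)$")


def split_avpairs(arg):
    """Split the ';'-joined string into (protocol, attribute, sep, value) tuples.

    Raises ValueError on control characters or on any fragment that is not
    a well-formed pair, which is what a stray ';' inside a value produces.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in arg):
        raise ValueError("control character in AV-pair argument")
    pairs = []
    for item in arg.split(";"):
        if not item:
            # Empty element: the trailing delimiter, or no AV-pairs at all.
            continue
        m = _PAIR.match(item)
        if m is None:
            raise ValueError("malformed AV-pair: %r" % item)
        proto, attr, sep, value = m.groups()
        pairs.append((proto or "", attr, sep, value))
    return pairs


if __name__ == "__main__":
    # Assumption: the concatenated string is argument 4, as in the profile above.
    raw = sys.argv[4] if len(sys.argv) > 4 else SAMPLE_ARG
    try:
        for pair in split_avpairs(raw):
            print(pair)
    except ValueError as exc:
        # Fail closed: refuse the request instead of acting on partial data.
        print("rejecting request: %s" % exc, file=sys.stderr)
        sys.exit(1)
```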



