Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Extracting realm from User-Name as a role

  • 1.  Extracting realm from User-Name as a role

    Posted Feb 26, 2014 08:58 AM

    Is it possible to use the realm that is sent in the request as part of role mapping or attribute mapping?

    We have a legacy RADIUS configuration that uses a format of:

        username@role

    to determine the role that the user is requesting. This allows an end user to specify the desired role as part of the request (e.g. user@guest, user@staff). I could create a separate service/role mapping for every role, but we have about 140 roles that need to be mapped. Ideally I would like to use a single service/policy that does the equivalent of:

    1. User authenticates with: $user@$role
    2. Authenticate $user
    3. If $role is in the user's "Groups" attributes, grant access AND return "Class=$role"; else Deny

    Any ideas of how to implement this in a single service? Thanks.



  • 2.  RE: Extracting realm from User-Name as a role

    EMPLOYEE
    Posted Feb 26, 2014 09:01 AM

    Try something like this:

    [image: enf-domain-map.PNG]

    OR THIS

    [image: rolemap-domain-map.PNG]

    Make sure that you strip the realm in your service, otherwise authentication to LDAP or AD will fail.

    [image: strip-domain-at.PNG]



  • 3.  RE: Extracting realm from User-Name as a role

    Posted Feb 26, 2014 09:26 AM

    Tim, that is definitely getting me closer to what I'm looking for. The other part I need is adding an "AND" clause to the mapping to ensure that the user is also in the group (to prevent student@student from entering student@faculty and getting @faculty access).

    The new mapping looks something like:

        (Authorization:ActiveDirectory:Groups EQUALS staff)
        AND (Authentication:Full-Username ENDS_WITH @staff)

    It would be nice if I could replace "staff" with %{realm}, but this is a massive improvement over my initial idea of creating separate services for every role.
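
The flow asked for in post 1 (authenticate $user, then require $role to be one of the user's groups) and the two-condition rule from post 3, modelled offline as an added Python example. This is not ClearPass code and not from any of the posts: it only reproduces the shape of the role-mapping rule, one rule per role as post 4 says is required, on top of the "strip domain at @" step from post 2. The directory, user names, passwords and group names are constructed for the example.

```python
"""Model of the realm-as-role check discussed in this thread.

Added example, not ClearPass code. It reproduces the shape of the
role-mapping rule from post 3,

    (Authorization:ActiveDirectory:Groups EQUALS <role>)
    AND (Authentication:Full-Username ENDS_WITH @<role>)

one rule per role (post 4), after the "strip domain at @" step from
post 2. DIRECTORY and every name, password and group in it are constructed.
"""
from dataclasses import dataclass

# Constructed stand-in for the AD/LDAP directory that ClearPass would query.
DIRECTORY = {
    "alice": {"password": "correct horse", "groups": {"staff", "faculty"}},
    "bob":   {"password": "battery staple", "groups": {"student"}},
}


@dataclass(frozen=True)
class RoleMapRule:
    group: str   # Authorization:ActiveDirectory:Groups EQUALS group
    suffix: str  # Authentication:Full-Username ENDS_WITH suffix
    role: str    # role assigned when both conditions hold


def build_rules(roles):
    """One rule per role: the 'rule for each variation' from post 4.

    The suffix keeps the '@' so that a role name that is a suffix of
    another (e.g. 'staff' vs 'ustaff') cannot match the wrong rule.
    """
    return [RoleMapRule(group=r, suffix="@" + r, role=r) for r in sorted(roles)]


def strip_realm(full_username):
    """'Strip domain at @': split 'user@realm' into (user, realm).

    A name with no '@' yields an empty realm. A name with several '@'
    signs is split at the last one, so 'bob@student@faculty' becomes
    ('bob@student', 'faculty') and then fails the directory lookup.
    """
    user, sep, realm = full_username.rpartition("@")
    return (full_username, "") if not sep else (user, realm)


def authenticate(full_username, password):
    """Authenticate the bare username (realm stripped) against the directory."""
    user, _ = strip_realm(full_username)
    entry = DIRECTORY.get(user)
    return entry is not None and entry["password"] == password


def first_matching_role(rules, full_username, groups):
    """Evaluate the rules against the attributes held after authentication."""
    for rule in rules:
        if rule.group in groups and full_username.endswith(rule.suffix):
            return rule.role
    return None


def authorize(full_username, password, rules):
    """Full flow from post 1: authenticate $user, then require $role in groups.

    Returns (accepted, reply_attribute): 'Class=<role>' on success, as the
    legacy RADIUS setup expected, and None on denial.
    """
    if not authenticate(full_username, password):
        return (False, None)
    user, _ = strip_realm(full_username)
    role = first_matching_role(rules, full_username, DIRECTORY[user]["groups"])
    if role is None:
        return (False, None)          # asked for a role the user is not in
    return (True, "Class=" + role)


if __name__ == "__main__":
    rules = build_rules(["staff", "faculty", "student"])
    for name, pw in [("alice@staff", "correct horse"),
                     ("bob@student", "battery staple"),
                     ("bob@faculty", "battery staple"),   # not in 'faculty'
                     ("bob", "battery staple")]:          # no realm at all
        print(name, "->", authorize(name, pw, rules))
```

The loop in build_rules is the offline analogue of adding 140 rules by hand: because the ENDS_WITH value is fixed text in each rule rather than a %{realm} substitution, a user can only obtain a role whose rule exists and whose AD group they are already a member of, and a name with no realm or with a realm that matches no rule is denied rather than falling through to a default.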

     

     



  • 4.  RE: Extracting realm from User-Name as a role

    EMPLOYEE
    Posted Feb 26, 2014 09:31 AM

    Unfortunately you'd need to create a role map rule for each variation. You still only need one service though.