On 29.4.2021 10.31, Patrik Forsberg wrote:
I used AddToReplyIfNotExist and that seems to only use the first OSC-Authorize-Group option it reaches and just ignores the rest.. an AddToReply fixed that ..
AddToReplyIfNotExist \
    Service-Type = "Administrative-User",\
    OSC-Group-Identifier = "%N",\
    OSC-Authorize-Group = "permit service=shell cmd=show cmd-arg=running-config",\
    OSC-Authorize-Group = "deny service=shell cmd=*",\
    OSC-Authorize-Group = "permit .* {priv-lvl=15}"
Good to hear it works now. However, I'd say it would make more sense that AddToReplyIfNotExist didn't work like that. What happens with multi-instance attributes is exactly what you say: it adds the first and then determines for the second instance that NotExists no longer holds :(
This is fine with typical single-instance attributes but I think the expectation is that all of the above would have been added.
Thanks for letting us know about this,
Heikki

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory, EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
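A configuration check for the behaviour discussed in this thread, as an added example that is not part of the original messages and is not Radiator code: it scans configuration text for AddToReplyIfNotExist lists that repeat an attribute name and reports the instances that would never reach the reply. The function names, the simplified attribute-list parsing and the model of the add-if-not-exists check (taken from the description in the thread, starting from an empty reply) are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the reply list quoted in the thread, laid out with
# backslash line continuations.
SAMPLE_CONFIG = r'''
AddToReplyIfNotExist \
    Service-Type = "Administrative-User",\
    OSC-Group-Identifier = "%N",\
    OSC-Authorize-Group = "permit service=shell cmd=show cmd-arg=running-config",\
    OSC-Authorize-Group = "deny service=shell cmd=*",\
    OSC-Authorize-Group = "permit .* {priv-lvl=15}"
'''

# name = "quoted value" or name = bare-value, separated by commas
PAIR = re.compile(r'([A-Za-z0-9_.-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')

def parse_pairs(arg):
    """Return [(name, value)] from a comma-separated attribute list."""
    return [(n, v.strip('"')) for n, v in PAIR.findall(arg)]

def add_if_not_exist(reply, pairs):
    """Model of the behaviour described in the thread: each instance is
    checked against the reply as it stands, so repeats are skipped."""
    dropped = []
    for name, value in pairs:
        if any(n == name for n, _ in reply):
            dropped.append((name, value))
        else:
            reply.append((name, value))
    return dropped

def lint(config_text):
    """Find AddToReplyIfNotExist lists that repeat an attribute name and
    report the instances that would never reach the reply."""
    joined = re.sub(r'\\\s*\n', ' ', config_text)   # undo continuations
    findings = []
    for line in joined.splitlines():
        m = re.match(r'\s*AddToReplyIfNotExist\s+(.*)', line)
        if not m:
            continue
        pairs = parse_pairs(m.group(1))
        repeated = [n for n, c in Counter(n for n, _ in pairs).items() if c > 1]
        if repeated:
            findings.append((repeated, add_if_not_exist([], pairs)))
    return findings
```

For the sample, `lint(SAMPLE_CONFIG)` reports OSC-Authorize-Group as repeated and lists the `deny` and `permit .*` rules as the instances that are skipped, so only the first rule would be returned to the device.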