Steel-Belted Radius Carrier supports several types of scripts, each linked to a functional module:
LDAP Authentication—Scripts that control the execution of searches and the processing of attributes by the LDAP authentication plug-in. The LDAP authentication scripts are executed only by the LDAP authentication plug-in.
Realm Selection—Scripts used to determine the name of a proxy or directed realm to which a RADIUS request is directed for processing. Realm selection scripts are executed during normal request processing by the Steel-Belted Radius Carrier server core and during inner authentication by the tunneled authentication plug-ins (PEAP and TTLS).
Attribute Filter—Scripts used to manipulate the values of attributes in the RADIUS request or response packets. Attribute filter scripts are executed any time a server core component or plug-in module invokes an attribute filter that is configured for scripting.
Steel-Belted Radius Carrier uses the LDAP authentication plug-in to authenticate users and retrieve attributes from external LDAP repositories. LDAP connection parameters and search specifications are defined in the ldapauth.aut file.
You can configure the LDAP authentication plug-in to perform scripted or unscripted searches. With unscripted searches, selected attributes can be transferred directly from the RADIUS request into the LDAP search string, and from the LDAP search result into the RADIUS response. You can create a simple search tree to execute a sequence of LDAP searches each time Steel-Belted Radius Carrier processes an authentication request.
With LDAP authentication scripts, you have even greater control over the execution of LDAP searches and the processing of attribute values and search results. You can combine, manipulate, and test attribute values, and define conditional logic to select which searches to execute.
Uses for LDAP authentication scripts include:
Modifying the username and retrying the LDAP search if the initial search returns no result from the repository.
Selecting a RADIUS response profile for the user based on attributes returned from the LDAP server.
Reformatting the LDAP result data before assigning values to the RADIUS response.
Using the results from prior LDAP searches to select subsequent LDAP searches to execute.
For more details, see Creating LDAP Scripts.
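The first two uses listed above (retrying the search with a modified username, then choosing a profile from the returned attributes), sketched as an added example that is not taken from the product documentation. It is plain JavaScript over a constructed in-memory directory, not the Steel-Belted Radius Carrier script API, and every function name in it is hypothetical. The username is escaped per RFC 4515 before it is placed in the search filter, so a request value such as * is matched literally rather than as a wildcard.

```javascript
// Added example in plain JavaScript; this is not the Steel-Belted Radius Carrier script API.
// DIRECTORY and searchDirectory() are constructed stand-ins for an LDAP repository.
const DIRECTORY = [
  { uid: "alice", radiusProfile: "gold" },
  { uid: "bob", radiusProfile: "standard" },
];

// Escape a value for use inside an LDAP search filter (RFC 4515):
// backslash, '*', '(', ')' and NUL become \5c, \2a, \28, \29, \00.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) =>
    "\\" + ch.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Stand-in search for "(uid=VALUE)": an unescaped '*' is a wildcard, \xx is a literal character.
function searchDirectory(filter) {
  const m = /^\(uid=([^()]*)\)$/.exec(filter);
  if (!m) return [];
  const pattern = m[1].split("*").map((part) =>
    part.replace(/\\([0-9a-f]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)))
        .replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join(".*");
  return DIRECTORY.filter((entry) => new RegExp("^" + pattern + "$", "i").test(entry.uid));
}

// Names to try, in order: the name as received, then with a trailing @realm
// or a leading DOMAIN\ prefix removed.
function candidateNames(userName) {
  const name = String(userName).trim();
  const names = [name];
  const at = name.lastIndexOf("@");
  if (at > 0) names.push(name.slice(0, at));
  const backslash = name.indexOf("\\");
  if (backslash >= 0 && backslash < name.length - 1) names.push(name.slice(backslash + 1));
  return [...new Set(names)];
}

// Retry the search with each candidate name; accept only a single, unambiguous entry
// and take the response profile from the attribute that entry returns.
function lookupUser(userName) {
  for (const candidate of candidateNames(userName)) {
    const hits = searchDirectory("(uid=" + escapeFilterValue(candidate) + ")");
    if (hits.length === 1) return { matchedAs: candidate, profile: hits[0].radiusProfile };
    if (hits.length > 1) return null; // ambiguous result: do not guess
  }
  return null;
}
```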
A realm is a collection of authentication methods that Steel-Belted Radius Carrier invokes to process a RADIUS request. When an authentication request is received, Steel-Belted Radius Carrier uses the username, selected RADIUS attributes, or other properties of the request to determine which realm handles the request. The selected realm can be a proxy realm, a directed realm, or the default realm (if no explicit realm is selected).
Realm selection is performed both by the Steel-Belted Radius Carrier server core and during inner authentication by tunneled authentication plug-ins. Five built-in realm selection methods, plus the scripted method, are supported. Using realm selection scripts, you can define programmed logic to select the realm for processing each RADIUS request. Realm selection scripts may retrieve RADIUS request attributes, query external SQL or LDAP servers, or invoke any of the built-in realm selection methods.
Uses for realm selection scripts include:
Querying multiple LDAP servers to look up the realm name for a specific user.
Combining multiple RADIUS request attributes to form a SQL database key for retrieving the realm name.
Changing the authentication username.
Setting a profile to be applied to the RADIUS response once the user is authenticated.
For more details, see Creating Realm Selection Scripts.
Steel-Belted Radius Carrier uses attribute filters to allow, exclude, add, or modify attribute values in the RADIUS response and request packets. Attribute filters are also used to transfer attribute values in and out of the inner methods of tunneled authentication plug-ins. Attribute filters are defined by name using the Web GUI and are referred to throughout the server configuration.
Unscripted or static attribute filters use simple, fixed rules for manipulating RADIUS attributes. In contrast, scripted attribute filters enable you to specify detailed algorithms to read, write, modify, and delete request and response attribute values. You can query external SQL or LDAP servers and execute static attribute filters by name from your attribute filter scripts.
Uses for attribute filter scripts include:
Using an LDAP query to select a static attribute filter to execute.
Adding or removing selected values from a multi-valued attribute.
Editing the values of string attributes.
Accepting or rejecting requests based on mathematical calculations on numeric attribute values.
For more details, see Creating Attribute Filter Scripts.