keycloak-radius-plugin
keycloak-radius-plugin copied to clipboard
vzakharchenko
Default Reject, Accept if member of group
Is your feature request related to a problem? Please describe. I have multiple groups. For this, I only worry about "WiFi" and "VPN". In my domain, there are some accounts that shouldn't have access to any networking, some that should have WiFi but not VPN, and some that have both.
Describe the solution you'd like I would like to have groups like so:
| User's Group Membership | Effect |
|---|---|
| None | REJECT all requests (optionally excluding requests missing the Connect-Info attribute) |
| WiFi | REJECT all except Connect-Info == "WiFi" |
| VPN | REJECT all except Connect-Info == "VPN" |
| WiFi, VPN | REJECT all except Connect-Info == "WiFi" or "VPN" |
Describe alternatives you've considered
I have tried every combination of REJECT_RADIUS, REJECT_Connect-Info, and ACCEPT_Connect-Info that I can think of, but I cannot get this behavior working. I cannot seem to handle the case of users who have no membership (users who do not have access to anything).
If someone could just point me to the part of the code where the group membership check happens, I'm sure I can do this myself. If there is also a place where I could put a checkbox to enable or disable my modification, I can add that too.
@clstrickland I wonder did you find workaround for it? we are having same exact issue.
@clstrickland I wonder did you find workaround for it? we are having same exact issue.
I found where the default decision is made in the source code. I need to look into adding a gui option to change it. If someone could help with that I'd appreciate it.
It is line 111 in keycloak-plugins\radius-plugin\src\main\java\com\github\vzakharchenko\radius\radius\handlers\attributes\AbstractKeycloakAttributes.java
Thank you for reply, unfortunately not capable enough to help on this.