Comparison Operators

Reference guide for comparison operators used in policy and handler conditions and condition clauses.

Comparison operators are used in condition rules (for policies and handlers) and if clauses. A condition rule consists of a namespace attribute, comparison operator, and one or more values to compare.

If you are looking for the assignment operators used in modify blocks, see the modify action documentation.

Supported Operators

Equality Operators

Operator	Alias	Description
`==`	`eq`	Equal
`!=`	`ne`	Not equal

Relational Operators

Operator	Alias	Description
`>`	`gt`	Greater than
`>=`	`ge`	Greater than or equal
`<`	`lt`	Less than
`<=`	`le`	Less than or equal

String Matching Operators

Operator	Description
`starts`	Text representation starts with
`!starts`	Text representation does not start with
`contains`	Text representation contains
`!contains`	Text representation does not contain
`ends`	Text representation ends with
`!ends`	Text representation does not end with

Regular Expression Matching

Regular expressions are specified using /pattern/ literal syntax with the == or != operators:

Syntax	Description
`== /pattern/`	Value matches the regular expression pattern
`== /pattern/i`	Case-insensitive regular expression match
`!= /pattern/`	Value does not match the regular expression

Operator Details

Equal (`==` or `eq`)

Matches values that are exactly equal. Works with all data types including strings, numbers, booleans, and IP addresses.

Examples:

if all {
    radius.request.code == radius.ACCESS_REQUEST;
    radius.request.attr.User-Name == "admin";
    radius.request.attr.NAS-Port == 1234;
} then {
    # Actions when conditions match
}

Not Equal (`!=` or `ne`)

Matches values that are not equal. The inverse of the equal operator.

Examples:

conditions any {
    aaa.method != "eap";
    radius.request.attr.NAS-IP-Address != "10.0.0.1";
    radius.request.attr.Service-Type != 1;
}

Greater Than (`>` or `gt`)

Matches values that are numerically or lexicographically greater than the specified value. Works with numbers and strings.

Examples:

if all {
    radius.request.attr.Session-Timeout > 3600;
    vars.priority > 5;
} then {
    # Actions when conditions match
}

Greater Than or Equal (`>=` or `ge`)

Matches values that are greater than or equal to the specified value.

Examples:

conditions any {
    radius.request.attr.Acct-Session-Time >= 300;
    vars.user_level >= 10;
}

Less Than (`<` or `lt`)

Matches values that are numerically or lexicographically less than the specified value.

Examples:

if all {
    radius.request.attr.Idle-Timeout < 600;
    vars.retry_count < 3;
} then {
    # Actions when conditions match
}

Less Than or Equal (`<=` or `le`)

Matches values that are less than or equal to the specified value.

Examples:

conditions any {
    radius.request.attr.Acct-Input-Octets <= 1000000;
    vars.connection_limit <= 100;
}

Starts With (`starts`)

Matches string values where the text representation starts with the specified substring. Case-sensitive.

Examples:

if all {
    radius.request.attr.User-Name starts "admin";
    radius.request.attr.Called-Station-Id starts "00:11:22";
} then {
    # Actions when conditions match
}

Contains (`contains`)

Matches string values where the text representation contains the specified substring. Case-sensitive.

Examples:

if all {
    radius.request.attr.User-Name contains "@example.com";
    radius.request.attr.NAS-Identifier contains "switch";
} then {
    # Actions when conditions match
}

Ends With (`ends`)

Matches string values where the text representation ends with the specified substring. Case-sensitive.

Examples:

if all {
    radius.request.attr.User-Name ends "@domain.com";
    radius.request.attr.Called-Station-Id ends ":SSID";
} then {
    # Actions when conditions match
}

Does Not Start With (`!starts`)

Matches string values where the text representation does not start with the specified substring. Case-sensitive.

Examples:

if all {
    # Reject test accounts
    radius.request.attr.User-Name !starts "test_";
    # Skip devices with specific OUI
    radius.request.attr.Called-Station-Id !starts "00:11:22";
} then {
    # Actions when conditions match
}

Does Not Contain (`!contains`)

Matches string values where the text representation does not contain the specified substring. Case-sensitive.

Examples:

if all {
    # Exclude guest accounts
    radius.request.attr.User-Name !contains "guest";
    # Skip certain NAS identifiers
    radius.request.attr.NAS-Identifier !contains "legacy";
} then {
    # Actions when conditions match
}

Does Not End With (`!ends`)

Matches string values where the text representation does not end with the specified substring. Case-sensitive.

Examples:

if all {
    # Exclude external domains
    radius.request.attr.User-Name !ends "@external.com";
    # Skip certain SSID types
    radius.request.attr.Called-Station-Id !ends ":GUEST";
} then {
    # Actions when conditions match
}

Regular Expression Match (`== /pattern/`)

Matches string values against a regular expression pattern using /pattern/ literal syntax. Uses Rust regex syntax.

Examples:

if all {
    # Match usernames starting with lowercase letters followed by @
    radius.request.attr.User-Name == /^[a-z]+@/;
    # Match MAC address format
    radius.request.attr.Called-Station-Id == /^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$/;
} then {
    # Actions when conditions match
}

Case-Insensitive Match (`== /pattern/i`)

Add the i flag after the closing slash for case-insensitive matching:

if all {
    # Case-insensitive match
    radius.request.attr.User-Name == /admin.*/i;
} then {
    # Matches "admin", "ADMIN", "Admin", etc.
}

Does Not Match (`!= /pattern/`)

Use != with a regex literal to reject values that match the pattern:

conditions any {
    # Reject usernames that look like test accounts
    radius.request.attr.User-Name != /^test[0-9]*@/;
}

Special Values

In addition to literal values, conditions support special keyword values:

Value	Description
`any`	Matches any existing value (variable/attribute is set)
`none`	Matches only when the value does not exist (not set)
`true`	Boolean true
`false`	Boolean false
`now`	Current timestamp (for time-based comparisons)

Presence Checks with `any` and `none`

Use any and none to check whether a variable or attribute exists, regardless of its value:

Examples:

# Check if variable is set (has any value)
if all {
    vars.load_limit_reason == any;
} then {
    discard;
}

# Check if variable is NOT set
if all {
    vars.session_key == none;
} then {
    reject;
}

# Check if optional RADIUS attribute exists
if all {
    radius.request.attr.Framed-IP-Address == any;
} then {
    # Attribute is present
}

These are especially useful when:

A Lua script conditionally sets a variable
A backend query may or may not return a value
Checking for optional RADIUS attributes

Note: Comparing with empty string (vars.foo != "") only works when the variable is set. Use == any or == none for reliable presence checks.

Multiple Values

Operators can compare against multiple values using array syntax. The condition matches if the comparison is true for any of the provided values.

Example:

conditions any {
    # Match if NAS-Port-Type is any of these values
    radius.request.attr.NAS-Port-Type == [15, 19, 20];

    # Match if User-Name starts with any of these prefixes
    radius.request.attr.User-Name starts ["admin", "root", "system"];
}

Logical Condition Blocks: `all`, `any`, and `none`

Logical specifiers all, any, and none group one or more condition expressions. They control how multiple individual condition lines are combined into a single boolean result.

They are used in two primary places:

conditions blocks that act as accept/reject gates on handlers and pipelines.
if clauses for inline conditional execution within pipelines.

Semantics

Block	Result is true when...	Empty block
`all`	Every contained condition is true	true (vacuous truth)
`any`	At least one contained condition is true	false (no expression satisfied)
`none`	No contained condition is true	true (vacuous truth)

Evaluation typically short-circuits:

all - fails fast on the first false condition
any - succeeds fast on the first true condition
none - fails fast on the first true condition

Syntax

conditions all {
    <condition-1>;
    <condition-2>;
    ...
}

conditions any {
    <condition-A>;
    <condition-B>;
    ...
}

if all {
    <condition>;
    <condition>;
} then {
    # actions when all conditions are true
}

Each condition line must end with a semicolon and must be a valid expression supported by the condition grammar (attribute comparisons, regex matches, presence checks, etc.).

Handler Selection

policy "example" {
    handler "wireless" {
        conditions all {
            aaa.authentication == true;
            radius.request.attr.NAS-Port-Type == 19;  # Wireless-802.11
            radius.request.attr.User-Name !starts "guest-";
        }

        @execute {
            backend "ldap";
            pap;
        }
    }
}

Multiple Possible Realms (any)

conditions any {
    aaa.realm == "engineering.example.com";
    aaa.realm == "research.example.com";
}

Inline Authorization Decision

@execute {
    if all {
        user.group == "admin";
        radius.nas-ip-address == 192.168.10.10;
    } then {
        set response.session-timeout = 28800;
        accept;
    }

    if any {
        user.group == "guest";
        user.role == "temporary";
    } then {
        set response.session-timeout = 3600;
    }

    accept;
}

Early Reject with `any`

@execute {
    if any {
        user.account_disabled == true;
        user.locked == true;
    } then {
        reject;
    }
}

conditions Action - Accept/reject gate based on conditions
if Clause - Conditional execution with then and else blocks
Handler Conditions
Policy Conditions
Execution Context
Data Types