Execution Context
Variables available during request processing
Execution context in Radiator Server defines the set of variables and their structure that are available during the processing of a request. It provides access to various attributes related to the request, user, session, and environment, allowing for dynamic handling and customisation of request processing. Execution context is created at the beginning of request processing and is passed through the execution pipelines.
Supported namespaces
Below, '*' denotes any namespace, attribute name, or data type.
Various utility namespaces
| Variable | Type | Access | Description |
|---|---|---|---|
| id | number | read | Request identifier |
| env.* | string | read | Process environment variables |
| vars.* | * | read/write | Custom variables |
| util.rand.X | bytes | read | Reads X bytes of random data |
| datetime.timestamp | timestamp | read | Current time |
Namespace aaa
| Variable | Type | Access | Description |
|---|---|---|---|
| aaa.identity | string | read/write | Protocol-agnostic username/identity of the request |
| aaa.identity.name | string | read | Name part of current username/identity |
| aaa.identity.realm | string | read/write | Realm part of current username/identity |
| aaa.identity.realm.tld | string | read | TLD part of the realm |
| aaa.protocol | enum | read | Protocol of the request |
| aaa.trace | boolean | read | Is tracing enabled for the request? |
| aaa.accounting | boolean | read | Is the request an accounting request? |
| aaa.policy | string | read | Name of AAA policy handling the request |
| aaa.handler | string | read | Name of AAA policy handler handling the request |
| aaa.method | enum | read | Authentication protocol/method |
| aaa.message | string | read/write | Reply message for Accept/Reject responses |
| aaa.challenge-message | string | read/write | Challenge prompt message for Challenge responses |
| aaa.result | enum | read | AAA result |
| aaa.reason | string | read | Error or reason |
| aaa.errors | string array | read | All errors that occurred during request processing |
| aaa.caught_error | string | read/write | Most recent error caught by a try action |
| aaa.caught_error.code | string | read | Machine-readable error code of the most recent caught error (see errors namespace) |
| aaa.caught_errors | string array | read/write | All errors caught by try actions during request processing |
Namespace user
| Variable | Type | Access | Description |
|---|---|---|---|
| user.username | string | read/write | User entry's name |
| user.password | string | read/write | User's password |
| user.group | string array | read/write | User's groups |
| user.role | string array | read/write | User's roles |
| user.backend | string | read | Name of the backend from which the user was fetched |
Namespace acct
| Variable | Type | Access | Description |
|---|---|---|---|
| acct.status | enum | read | Accounting request status |
| acct.timestamp | timestamp | read | Accounting request timestamp |
| acct.duration | number | read | Accounting session duration in seconds |
| acct.input.packets | number | read | Accounting session packets in |
| acct.input.bytes | number | read | Accounting session bytes in |
| acct.output.packets | number | read | Accounting session packets out |
| acct.output.bytes | number | read | Accounting session bytes out |
Namespace auth
| Variable | Type | Access | Description |
|---|---|---|---|
| auth.protocol | enum | read/write | Authentication protocol |
| auth.challenge | string | read/write | Authentication challenge |
| auth.response | bytes | read/write | Authentication response |
| auth.result | string | read/write | Authentication result |
Namespace tls
| Variable | Type | Access | Description |
|---|---|---|---|
| tls.version | enum | read | Negotiated TLS protocol version |
| tls.cipher | enum | read | Negotiated TLS cipher |
Namespace cert
| Variable | Type | Access | Description |
|---|---|---|---|
| cert.valid | boolean | read | Did basic certificate validation succeed? |
| cert.error | string | read | Verification error |
| cert.server | string | read | In TLS client context, server's name or IP address |
| cert.issuer | string | read | Certificate's issuer's name |
| cert.subject | string | read | Certificate's subject's name |
| cert.serial | number | read | Certificate's serial number |
| cert.issued | timestamp | read | Certificate's issue timestamp |
| cert.expires | timestamp | read | Certificate's expiry timestamp |
| cert.policy | string array | read | Certificate's Policy OIDs |
| cert.sha256 | bytes | read | SHA256 hash of the certificate |
| cert.issuer.* | string array | read | Issuer name's individual components (dc, c, st, l, o, ou, cn, emailaddress) |
| cert.subject.* | string array | read | Subject name's individual components (dc, c, st, l, o, ou, cn, emailaddress) |
| cert.subject_alt.* | string array | read | Subject's alternative names (email, dns, dn, uri, ip, oid, upn, other) |
| cert.ca.* | * | read | Certificate's first CA certificate |
| cert.ca[N].* | * | read | Certificate's Nth CA certificate |
A CA certificate has the same attributes as cert.
Namespace radius
| Variable | Type | Access | Description |
|---|---|---|---|
| radius.client | string | read | Name of the client from which the request was received |
| radius.client.ip | ip | read | IP address from which the request was received |
| radius.server | string | read | Name of the server that received the request |
| radius.server.tls | boolean | read | Was request received over TLS? |
| radius.request.code | unsigned | read/write | RADIUS request packet type code |
| radius.reply.code | unsigned | read/write | RADIUS reply packet type code. When set explicitly, overrides the default code from accept/reject/challenge results. |
| radius.request.identifier | unsigned | read/write | RADIUS request packet identifier (0-255) |
| radius.reply.identifier | unsigned | read | RADIUS reply packet identifier (0-255) |
| radius.request.attrs | json | read | All RADIUS request attributes as a JSON array |
| radius.request.attr.* | * | read | RADIUS request attributes |
| radius.reply.attr | json | read/write | All RADIUS reply attributes as a JSON array (read) or spread JSON object to reply attributes (write) |
| radius.reply.attr.* | * | read/write | RADIUS reply attributes |
Attribute's data type is defined by the RADIUS dictionary used. Examples:
| Example | Description |
|---|---|
| radius.request.attr.user-name | User-Name attribute |
| radius.request.attr.tunnel-type:1 | Tunnel-Type attribute with a tag value 1 |
| radius.request.attr.framed-route[0] | First Framed-Route attribute |
| radius.request.attr.framed-route[n] | Last Framed-Route attribute |
| radius.request.attr.framed-route[*] | All Framed-Route attributes |
| radius.request.attr.cisco.avpair | Cisco AV-pair attribute |
| radius.request.attrs | All request attributes as a JSON array |
| radius.reply.attrs | All reply attributes as a JSON array |
| radius.reply.attrs = vars.json_attrs | Spread JSON object keys as reply attribute names |
When radius.request.attr or radius.reply.attr is read without a specific
attribute name, it returns all dictionary attributes as a JSON array of objects
with name and value fields. Enum-typed attribute values are resolved to
their dictionary names. This is useful for logging all attributes in a single
field:
```
log "AUTHENTICATION" {
    json {
        "request_attrs" radius.request.attr;
        "reply_attrs" radius.reply.attr;
    }
}
```
The resulting JSON array looks like:
```
[
  { "name": "user-name", "value": "mikem" },
  { "name": "service-type", "value": "framed-user" }
]
```
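An added example, not part of the Radiator documentation: a Python consumer for log records written by the log block above. It folds the name/value array into a per-name lookup that keeps repeated attributes in order, and masks password-type attributes before the record is stored. The record layout beyond the two field names, the sensitive-name list, and the sample values are assumptions made for this example.

```python
import json
from collections import defaultdict

# Attribute names whose values should not reach log storage in clear.
# This list is an assumption for the example; extend it for your dictionary.
SENSITIVE = {"user-password", "chap-password"}
MASK = "***"


def index_attrs(attrs):
    """Fold a [{name, value}, ...] array into {name: [values...]}.

    Repeated attributes (for example several framed-route entries) keep
    their order, so index 0 is the first occurrence and -1 the last.
    """
    if not isinstance(attrs, list):
        raise ValueError("attribute field is not a JSON array")
    out = defaultdict(list)
    for i, item in enumerate(attrs):
        if not isinstance(item, dict) or "name" not in item or "value" not in item:
            raise ValueError(f"entry {i} lacks name/value fields")
        out[str(item["name"]).lower()].append(item["value"])
    return dict(out)


def redact_attrs(attrs, sensitive=SENSITIVE):
    """Return a copy of the array with sensitive values masked."""
    index_attrs(attrs)  # validates the shape, raises on malformed input
    return [
        {"name": a["name"],
         "value": MASK if str(a["name"]).lower() in sensitive else a["value"]}
        for a in attrs
    ]


def sanitize_record(line, fields=("request_attrs", "reply_attrs")):
    """Parse one JSON log line and mask sensitive attributes in each field."""
    record = json.loads(line)
    for field in fields:
        if field in record:
            record[field] = redact_attrs(record[field])
    return record


# Constructed sample record; the field names follow the log block above.
SAMPLE = json.dumps({
    "request_attrs": [
        {"name": "user-name", "value": "mikem"},
        {"name": "user-password", "value": "constructed-secret"},
        {"name": "service-type", "value": "framed-user"},
        {"name": "framed-route", "value": "192.0.2.0/24 198.51.100.1"},
        {"name": "framed-route", "value": "203.0.113.0/24 198.51.100.1"},
    ],
    "reply_attrs": [{"name": "service-type", "value": "framed-user"}],
})

if __name__ == "__main__":
    clean = sanitize_record(SAMPLE)
    by_name = index_attrs(clean["request_attrs"])
    print(by_name["user-password"], by_name["framed-route"][-1])
```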
Constants
The radius namespace provides named constants for RADIUS packet type codes.
Use these instead of magic numbers for clearer configuration.
Packet Type Codes:
| Constant | Value | Description |
|---|---|---|
| radius.ACCESS_REQUEST | 1 | Access-Request packet |
| radius.ACCESS_ACCEPT | 2 | Access-Accept packet |
| radius.ACCESS_REJECT | 3 | Access-Reject packet |
| radius.ACCOUNTING_REQUEST | 4 | Accounting-Request packet |
| radius.ACCOUNTING_RESPONSE | 5 | Accounting-Response packet |
| radius.ACCESS_CHALLENGE | 11 | Access-Challenge packet |
| radius.STATUS_SERVER | 12 | Status-Server packet |
| radius.DISCONNECT_REQUEST | 40 | Disconnect-Request packet |
| radius.DISCONNECT_ACK | 41 | Disconnect-ACK packet |
| radius.DISCONNECT_NAK | 42 | Disconnect-NAK packet |
| radius.COA_REQUEST | 43 | CoA-Request packet |
| radius.COA_ACK | 44 | CoA-ACK packet |
| radius.COA_NAK | 45 | CoA-NAK packet |
Attribute Enum Values:
For attribute enum values (like Acct-Status-Type or Service-Type), use the
radius.dict.<Attribute>.<Value> syntax to access dictionary-defined values:
```
# Acct-Status-Type values
radius.dict.Acct-Status-Type.Start    # 1
radius.dict.Acct-Status-Type.Stop     # 2
radius.dict.Acct-Status-Type.Alive    # 3

# Service-Type values
radius.dict.Service-Type.Login-User   # 1
radius.dict.Service-Type.Framed-User  # 2
```
Example usage:
```
if all {
    radius.request.code == radius.ACCESS_REQUEST;
} then {
    # Handle Access-Request
}

if all {
    radius.request.attr.acct-status-type == radius.dict.Acct-Status-Type.Start;
} then {
    # Handle Accounting Start
}
```
Namespace radiusproxy
| Variable | Type | Access | Description |
|---|---|---|---|
| radiusproxy.server | string | read | Name of the RADIUS proxy server to which the request is sent |
| radiusproxy.server.tls | boolean | read | Is the RADIUS proxy server using a TLS connection? |
| radiusproxy.request.attrs | json | read | All proxy request attributes as a JSON array |
| radiusproxy.request.attr | json | write | Spread JSON object to proxy request attributes |
| radiusproxy.request.attr.* | * | read/write | RADIUS proxy request attributes |
| radiusproxy.reply.attrs | json | read | All proxy reply attributes as a JSON array |
| radiusproxy.reply.attr.* | * | read/write | RADIUS proxy reply attributes |
Attribute's data type is defined by the RADIUS dictionary used. Examples:
| Example | Description |
|---|---|
| radiusproxy.request.attr.user-name | User-Name attribute |
| radiusproxy.request.attr.operator-name | Operator-Name attribute |
| radiusproxy.request.attr.tunnel-type:1 | Tunnel-Type attribute with a tag value 1 |
| radiusproxy.request.attr.cisco.avpair[0] | First Cisco AV-pair attribute |
| radiusproxy.request.attr.cisco.avpair[n] | Last Cisco AV-pair attribute |
| radiusproxy.request.attr.cisco.avpair[*] | All Cisco AV-pair attributes |
| radiusproxy.request.attr = vars.json_attrs | Spread JSON object keys as proxy request attribute names |
Namespace eap
| Variable | Type | Access | Description |
|---|---|---|---|
| eap.identity | string | read | EAP identity |
| eap.method | enum | read | EAP method |
Namespace eap-ttls
| Variable | Type | Access | Description |
|---|---|---|---|
| eap-ttls.request.attr.* | * | read/write | EAP-TTLS request attributes |
| eap-ttls.reply.attr.* | * | read/write | EAP-TTLS reply attributes |
Attribute's data type is defined by the RADIUS dictionary used. Examples:
| Example | Description |
|---|---|
| eap-ttls.request.attr.user-name | User-Name attribute |
| eap-ttls.request.attr.user-password | User-Password attribute |
| eap-ttls.request.attr.chap-password | CHAP-Password attribute |
| eap-ttls.request.attr.eap-message | EAP-Message attribute |
Namespace eap-teap
| Variable | Type | Access | Description |
|---|---|---|---|
| eap-teap.username | string | read | EAP-TEAP basic password authentication response username |
| eap-teap.identity-type | enum | read | EAP-TEAP Identity-Type TLV (user/machine) |
Namespace parent
| Variable | Type | Access | Description |
|---|---|---|---|
| parent.* | * | read/write | Parent context namespace |
Examples:
| Example | Description |
|---|---|
| parent.aaa.identity | AAA identity from parent context |
| parent.radius.client | RADIUS client from parent context |
Namespace tacacsplus
| Variable | Type | Access | Description |
|---|---|---|---|
| tacacsplus.type | number | read | TACACS+ packet type |
| tacacsplus.authentication | boolean | read | Is the request an authentication request? |
| tacacsplus.authorization | boolean | read | Is the request an authorization request? |
| tacacsplus.accounting | boolean | read | Is the request an accounting request? |
| tacacsplus.unencrypted | boolean | read | Is the packet unencrypted? |
| tacacsplus.session | number | read | TACACS+ session ID |
| tacacsplus.request.action | number | read | Request action |
| tacacsplus.request.privilege | number | read | Request privilege level |
| tacacsplus.request.authentication.method | number | read | Authentication method |
| tacacsplus.request.authentication.type | number | read | Authentication type |
| tacacsplus.request.authentication.service | number | read | Authentication service |
| tacacsplus.request.user | string | read | Request username |
| tacacsplus.request.port | string | read | Request port |
| tacacsplus.request.address | string | read | Request remote address |
| tacacsplus.request.data | bytes | read | Request data |
| tacacsplus.request.message | string | read | Request message |
| tacacsplus.request.arg[N] | string | read | Nth request argument |
| tacacsplus.request.args | string array | read | All request arguments |
| tacacsplus.reply.status | string | read/write | Reply status |
| tacacsplus.reply.noecho | boolean | read/write | Reply no-echo flag |
| tacacsplus.reply.message | string | read/write | Reply message |
| tacacsplus.reply.data | bytes | read/write | Reply data |
| tacacsplus.reply.arg[N] | string | write | Nth reply argument |
| tacacsplus.reply.args | string array | read/write | All reply arguments |
| tacacsplus.client | string | read/write | TACACS+ client name |
| tacacsplus.client.ip | ip | read | TACACS+ client IP address |
| tacacsplus.client.secret | bytes | write | TACACS+ client secret |
| tacacsplus.client.timeout | number | read/write | TACACS+ client timeout in milliseconds |
| tacacsplus.server | string | read | TACACS+ server name |
Namespace http
| Variable | Type | Access | Description |
|---|---|---|---|
| http.management | boolean | read | Is the request a management API request? |
| http.method | string | read | HTTP request method (GET, POST, etc.) |
| http.path | string | read | HTTP request path |
| http.path.N | string | read | Nth part of the HTTP path (0-based) |
| http.query | map | read | All HTTP query parameters |
| http.query.KEY | string | read | Specific HTTP query parameter value |
| http.body | bytes | read | HTTP request body |
| http.body.PATH | * | read | JSON path access to request body |
| http.header.NAME | string | read | HTTP request header value |
| http.headers.NAME | string | read | HTTP request header value (alias) |
| http.response | bytes | read/write | HTTP response body |
| http.response_header.NAME | string | read/write | HTTP response header value |
| http.status | string | read/write | HTTP response status code |
| http.json | boolean | read/write | Should response be JSON formatted? |
| http.authorization.username | string | read | Username from Authorization header |
| http.authorization.password | string | read | Password from Authorization header |
| http.authorization.bearer | string | read | Bearer token from Authorization header |
| http.client | string | read | HTTP client name |
| http.client.ip | ip | read | HTTP client IP address |
| http.server | string | read | HTTP server name |
| http.server.ip | ip | read | HTTP server IP address |
| http.server.tls | boolean | read | Is the HTTP connection using TLS? |
Constants
The http namespace provides named constants for standard HTTP status codes.
Use these instead of raw numbers for clearer configuration. Constants are
read-only and resolve to their numeric values at runtime.
1xx Informational:
| Constant | Value | Description |
|---|---|---|
| http.CONTINUE | 100 | Continue |
| http.SWITCHING_PROTOCOLS | 101 | Switching Protocols |
| http.PROCESSING | 102 | Processing |
2xx Success:
| Constant | Value | Description |
|---|---|---|
| http.OK | 200 | OK |
| http.CREATED | 201 | Created |
| http.ACCEPTED | 202 | Accepted |
| http.NON_AUTHORITATIVE_INFORMATION | 203 | Non-Authoritative Information |
| http.NO_CONTENT | 204 | No Content |
| http.RESET_CONTENT | 205 | Reset Content |
| http.PARTIAL_CONTENT | 206 | Partial Content |
| http.MULTI_STATUS | 207 | Multi-Status |
| http.ALREADY_REPORTED | 208 | Already Reported |
| http.IM_USED | 226 | IM Used |
3xx Redirection:
| Constant | Value | Description |
|---|---|---|
| http.MULTIPLE_CHOICES | 300 | Multiple Choices |
| http.MOVED_PERMANENTLY | 301 | Moved Permanently |
| http.FOUND | 302 | Found |
| http.SEE_OTHER | 303 | See Other |
| http.NOT_MODIFIED | 304 | Not Modified |
| http.USE_PROXY | 305 | Use Proxy |
| http.TEMPORARY_REDIRECT | 307 | Temporary Redirect |
| http.PERMANENT_REDIRECT | 308 | Permanent Redirect |
4xx Client Errors:
| Constant | Value | Description |
|---|---|---|
| http.BAD_REQUEST | 400 | Bad Request |
| http.UNAUTHORIZED | 401 | Unauthorized |
| http.PAYMENT_REQUIRED | 402 | Payment Required |
| http.FORBIDDEN | 403 | Forbidden |
| http.NOT_FOUND | 404 | Not Found |
| http.METHOD_NOT_ALLOWED | 405 | Method Not Allowed |
| http.NOT_ACCEPTABLE | 406 | Not Acceptable |
| http.PROXY_AUTHENTICATION_REQUIRED | 407 | Proxy Authentication Required |
| http.REQUEST_TIMEOUT | 408 | Request Timeout |
| http.CONFLICT | 409 | Conflict |
| http.GONE | 410 | Gone |
| http.LENGTH_REQUIRED | 411 | Length Required |
| http.PRECONDITION_FAILED | 412 | Precondition Failed |
| http.PAYLOAD_TOO_LARGE | 413 | Payload Too Large |
| http.URI_TOO_LONG | 414 | URI Too Long |
| http.UNSUPPORTED_MEDIA_TYPE | 415 | Unsupported Media Type |
| http.RANGE_NOT_SATISFIABLE | 416 | Range Not Satisfiable |
| http.EXPECTATION_FAILED | 417 | Expectation Failed |
| http.IM_A_TEAPOT | 418 | I'm a Teapot |
| http.MISDIRECTED_REQUEST | 421 | Misdirected Request |
| http.UNPROCESSABLE_ENTITY | 422 | Unprocessable Entity |
| http.LOCKED | 423 | Locked |
| http.FAILED_DEPENDENCY | 424 | Failed Dependency |
| http.TOO_EARLY | 425 | Too Early |
| http.UPGRADE_REQUIRED | 426 | Upgrade Required |
| http.PRECONDITION_REQUIRED | 428 | Precondition Required |
| http.TOO_MANY_REQUESTS | 429 | Too Many Requests |
| http.REQUEST_HEADER_FIELDS_TOO_LARGE | 431 | Request Header Fields Too Large |
| http.UNAVAILABLE_FOR_LEGAL_REASONS | 451 | Unavailable For Legal Reasons |
5xx Server Errors:
| Constant | Value | Description |
|---|---|---|
| http.INTERNAL_SERVER_ERROR | 500 | Internal Server Error |
| http.NOT_IMPLEMENTED | 501 | Not Implemented |
| http.BAD_GATEWAY | 502 | Bad Gateway |
| http.SERVICE_UNAVAILABLE | 503 | Service Unavailable |
| http.GATEWAY_TIMEOUT | 504 | Gateway Timeout |
| http.HTTP_VERSION_NOT_SUPPORTED | 505 | HTTP Version Not Supported |
| http.VARIANT_ALSO_NEGOTIATES | 506 | Variant Also Negotiates |
| http.INSUFFICIENT_STORAGE | 507 | Insufficient Storage |
| http.LOOP_DETECTED | 508 | Loop Detected |
| http.NOT_EXTENDED | 510 | Not Extended |
| http.NETWORK_AUTHENTICATION_REQUIRED | 511 | Network Authentication Required |
Example usage:
```
modify http.status = http.TOO_MANY_REQUESTS;
modify http.status = http.INTERNAL_SERVER_ERROR;
```
Namespace root
| Variable | Type | Access | Description |
|---|---|---|---|
| root.* | * | read/write | Root context namespace |
Examples:
| Example | Description |
|---|---|
| root.aaa.identity | AAA identity from root context |
| root.radius.client | RADIUS client from root context |
Namespace server
| Variable | Type | Access | Description |
|---|---|---|---|
| server.instance_id | string | read | Server instance's ID |
| server.cluster_id | string | read | Server's cluster ID |
| server.hostname | string | read | Hostname of server |
| server.version | string | read | Software version information |
Namespace errors
The errors namespace provides compile-time-validated constants for
machine-readable error codes. Use these constants when comparing against
aaa.caught_error.code to branch on specific error conditions caught by the
try action. The namespace is read-only.
Constants
| Constant | Description |
|---|---|
| errors.RADIUS_IDENTIFIERS_EXHAUSTED | All 256 RADIUS packet identifiers are in use |
See the try action documentation for usage examples.