Documentation

handler directives

Handler directives define specific actions that the RADIUS server should take when processing a request.

The following directives are supported:

Request handling directives

These directives determine how the server should respond to the request:

  • accept: The policy explicitly allows the request. When this directive is used, the server unconditionally accepts the request and typically sends an “Access-Accept” response back to the client.
  • reject: This directive unconditionally denies the request. The server responds with an “Access-Reject” message.
  • challenge: Instead of simply accepting or rejecting, the server responds with a challenge. This is used in multi-factor authentication scenarios where the client must provide additional credentials or perform extra steps before access is granted.
  • message: Adds additional information to the response.
  • reason: Also adds information to the response, giving additional context. For example, the reason might explain why a request was rejected.

Backend authentication and forwarding

These directives control authentication methods and backend queries:

  • backend: Directs the policy handler to forward the request to an external backend for further processing or to look up additional attributes.
  • pap: Try to authenticate the request with PAP (plaintext password).
  • chap: Try to authenticate the request with CHAP.
  • mschap: Try to authenticate the request with MSCHAP.
  • mschapv2: Try to authenticate the request with MSCHAPv2.

Logging

These directives allow logging for debugging or auditing:

  • log: Logs the transaction with an AAA logger.

Context attribute manipulation

These directives allow modifying context attributes:

  • modify: Modifies context attributes.
  • set: Assigns a value to an attribute.
  • replace: Replaces an existing attribute with a new value.
  • rewrite: Modifies the value of an attribute based on its current value.
  • append: Appends a new value to an attribute.

The copy and filter directives can only be used in backend RADIUS pre-proxying and post-proxying handlers.

  • copy: Copies wanted attributes into a RADIUS request that is about to be proxied, or from a received RADIUS proxy response.
  • filter: Filters unwanted attributes from a RADIUS request that is about to be proxied, or from a received RADIUS proxy response.