handler
This is the start of a handler clause. A handler specifies how incoming requests are processed: it can, for example, define authentication methods, authorization rules, post-AA actions and logging. Multiple handlers can be defined within a policy.
A handler configuration consists of one or more blocks, each of which returns one of the values none, accept, or reject.
By default, the directives and statement clauses within a clause are executed in order. The first reject ends the evaluation and becomes the clause's return value; otherwise the clause returns whatever its last directive or statement clause returned. Note that this means a clause whose last directive returns none returns none, not accept, which is why the authorization clause in the example below ends with an explicit accept for users whose role matched no map entry. This default can be changed by specifying an inner statement clause with a different strategy.
Example configuration of a handler clause inside a default policy:
policy "default" {
  # Policy handler named "default"
  handler "default" {
    # Try to authenticate requests
    authentication {
      # Search for the username in backend "users"
      backend "users";
      # Try to authenticate the user with PAP
      pap;
    }
    # Authorize authenticated requests
    authorization {
      # Set a reply message based on the user's role
      map user.role {
        "admin" => {
          message "Welcome admin!";
        }
        "guest" => {
          message "Welcome guest!";
        }
      }
      # Explicitly accept, in case the user's role didn't match any entry above
      accept;
    }
    # Log authentication requests
    post-authentication {
      # Log with AAA logger "auth"
      log "auth" {
        format "%{datetime.timestamp} method=%{aaa.method} username=\"%{aaa.identity}\" result=%{aaa.result} reason=\"%{aaa.reason}\"";
      }
    }
    # Explicitly just accept any accounting requests
    accounting {
      accept;
    }
  }
}
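The following Python model is an added example, not the server's own code, written to make the evaluation order described above concrete. It models the authorization clause of the configuration above as a list of directive functions and runs them under the documented default strategy (stop at the first reject, otherwise the last value wins). Everything in it is an assumption made for illustration: the directive and strategy names (`run_default`, `run_first_decision`, `reject_locked`) are hypothetical, `run_first_decision` is not a documented strategy keyword, and the model assumes that a `map` whose branches only set a reply message returns none rather than a decision. The `locked` flag and the role values are constructed sample input.

```python
"""Model of the documented clause evaluation order (added example, not the server's code)."""
from enum import Enum
from typing import Any, Callable, Dict, List

Ctx = Dict[str, Any]


class Result(Enum):
    NONE = "none"
    ACCEPT = "accept"
    REJECT = "reject"


Directive = Callable[[Ctx], Result]


def run_default(directives: List[Directive], ctx: Ctx) -> Result:
    """Default strategy from the text: run in order, stop at the first reject,
    otherwise the clause's value is whatever the last directive returned."""
    outcome = Result.NONE
    for directive in directives:
        outcome = directive(ctx)
        ctx.setdefault("trace", []).append((directive.__name__, outcome.value))
        if outcome is Result.REJECT:
            break
    return outcome


def run_first_decision(directives: List[Directive], ctx: Ctx) -> Result:
    """Hypothetical alternative strategy (assumed, not a documented keyword):
    the first accept or reject ends evaluation; none lets the next directive run."""
    for directive in directives:
        outcome = directive(ctx)
        ctx.setdefault("trace", []).append((directive.__name__, outcome.value))
        if outcome is not Result.NONE:
            return outcome
    return Result.NONE


# Directives modelling the authorization clause of the example configuration.
ROLE_MESSAGES = {"admin": "Welcome admin!", "guest": "Welcome guest!"}


def map_role(ctx: Ctx) -> Result:
    """Model of `map user.role { ... }`: sets the reply message for a matching role.
    Assumption: setting a message is not a decision, so the map returns none."""
    message = ROLE_MESSAGES.get(ctx.get("role"))
    if message is not None:
        ctx["message"] = message
    return Result.NONE


def accept(ctx: Ctx) -> Result:
    """Model of the explicit `accept;` directive."""
    return Result.ACCEPT


def reject_locked(ctx: Ctx) -> Result:
    """Constructed directive (not from the page): reject accounts flagged as locked."""
    return Result.REJECT if ctx.get("locked") else Result.NONE


def authorize(ctx: Ctx, explicit_accept: bool = True) -> Result:
    """Run the modelled authorization clause, with or without the trailing accept."""
    directives: List[Directive] = [reject_locked, map_role]
    if explicit_accept:
        directives.append(accept)
    return run_default(directives, ctx)


if __name__ == "__main__":
    for role, locked, explicit in [("admin", False, True), ("operator", False, True),
                                   ("admin", False, False), ("admin", True, True)]:
        ctx: Ctx = {"role": role, "locked": locked}
        result = authorize(ctx, explicit)
        print(f"role={role} locked={locked} explicit_accept={explicit} -> "
              f"{result.value} message={ctx.get('message')!r} trace={ctx['trace']}")
```

Running it shows the two points the text makes: dropping the trailing `accept` turns the clause's result into none even for a matching admin role, because the last directive (the map) returned none, and a reject from the first directive stops evaluation so the later `accept` never runs.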