Comparison Operators

Reference guide for comparison operators used in policy and handler conditions and condition clauses.

Comparison operators are used in condition rules (for policies and handlers) and if clauses. A condition rule consists of a namespace attribute, comparison operator, and one or more values to compare.

If you are looking for the assignment operators used in modify blocks, see the modify action documentation.

Supported Operators

Equality Operators

Operator	Alias	Description
`==`	`eq`	Equal
`!=`	`ne`	Not equal

Relational Operators

Operator	Alias	Description
`>`	`gt`	Greater than
`>=`	`ge`	Greater than or equal
`<`	`lt`	Less than
`<=`	`le`	Less than or equal

String Matching Operators

Operator	Description
`starts`	Text representation starts with
`!starts`	Text representation does not start with
`contains`	Text representation contains
`!contains`	Text representation does not contain
`ends`	Text representation ends with
`!ends`	Text representation does not end with

Operator Details

Equal (`==` or `eq`)

Matches values that are exactly equal. Works with all data types including strings, numbers, booleans, and IP addresses.

Examples:

if all {
    aaa.accounting == false;
    radius.request.attr.User-Name == "admin";
    radius.request.attr.NAS-Port == 1234;
} then {
    # Actions when conditions match
}

Not Equal (`!=` or `ne`)

Matches values that are not equal. The inverse of the equal operator.

Examples:

conditions any {
    aaa.method != "eap";
    radius.request.attr.NAS-IP-Address != "10.0.0.1";
    radius.request.attr.Service-Type != 1;
}

Greater Than (`>` or `gt`)

Matches values that are numerically or lexicographically greater than the specified value. Works with numbers and strings.

Examples:

if all {
    radius.request.attr.Session-Timeout > 3600;
    vars.priority > 5;
} then {
    # Actions when conditions match
}

Greater Than or Equal (`>=` or `ge`)

Matches values that are greater than or equal to the specified value.

Examples:

conditions any {
    radius.request.attr.Acct-Session-Time >= 300;
    vars.user_level >= 10;
}

Less Than (`<` or `lt`)

Matches values that are numerically or lexicographically less than the specified value.

Examples:

if all {
    radius.request.attr.Idle-Timeout < 600;
    vars.retry_count < 3;
} then {
    # Actions when conditions match
}

Less Than or Equal (`<=` or `le`)

Matches values that are less than or equal to the specified value.

Examples:

conditions any {
    radius.request.attr.Acct-Input-Octets <= 1000000;
    vars.connection_limit <= 100;
}

Starts With (`starts`)

Matches string values where the text representation starts with the specified substring. Case-sensitive.

Examples:

if all {
    radius.request.attr.User-Name starts "admin";
    radius.request.attr.Called-Station-Id starts "00:11:22";
} then {
    # Actions when conditions match
}

Does Not Start With (`!starts`)

Matches string values where the text representation does not start with the specified substring.

Examples:

conditions any {
    radius.request.attr.User-Name !starts "guest";
    radius.request.attr.Calling-Station-Id !starts "FF:FF:FF";
}

Contains (`contains`)

Matches string values where the text representation contains the specified substring. Case-sensitive.

Examples:

if all {
    radius.request.attr.User-Name contains "@example.com";
    radius.request.attr.NAS-Identifier contains "switch";
} then {
    # Actions when conditions match
}

Does Not Contain (`!contains`)

Matches string values where the text representation does not contain the specified substring.

Examples:

conditions any {
    radius.request.attr.User-Name !contains "test";
    radius.request.attr.Filter-Id !contains "deny";
}

Ends With (`ends`)

Matches string values where the text representation ends with the specified substring. Case-sensitive.

Examples:

if all {
    radius.request.attr.User-Name ends "@domain.com";
    radius.request.attr.Called-Station-Id ends ":SSID";
} then {
    # Actions when conditions match
}

Does Not End With (`!ends`)

Matches string values where the text representation does not end with the specified substring.

Examples:

conditions any {
    radius.request.attr.User-Name !ends ".guest";
    radius.request.attr.NAS-Identifier !ends "-backup";
}

Multiple Values

Operators can compare against multiple values using array syntax. The condition matches if the comparison is true for any of the provided values.

Example:

conditions any {
    # Match if NAS-Port-Type is any of these values
    radius.request.attr.NAS-Port-Type == [15, 19, 20];

    # Match if User-Name starts with any of these prefixes
    radius.request.attr.User-Name starts ["admin", "root", "system"];
}

Usage in Conditions

Comparison operators are used in condition blocks with matching strategies:

all: All condition rules must match
any: Any condition rule must match
none: None of the condition rules must match

Example:

policy "example" {
    handler "wireless" {
        conditions all {
            aaa.authentication == true;
            radius.request.attr.NAS-Port-Type == 19;  # Wireless-802.11
            radius.request.attr.User-Name !starts "guest-";
        }

        authentication {
            backend "ldap";
            pap;
        }
    }
}