Execution Context

Variables available during request processing

Execution context in Radiator Server defines the set of variables and their structure that are available during the processing of a request. It provides access to various attributes related to the request, user, session, and environment, allowing for dynamic handling and customisation of request processing. Execution context is created at the beginning of request processing and is passed through the execution pipelines.

Supported namespaces

Below, '*' denotes any namespace, attribute name, or data type.

Various utility namespaces

VariableTypeAccessDescription
idnumberreadRequest identifier
env.*stringreadProcess environment variables
vars.**read/writeCustom variables
util.rand.XbytesreadReads X bytes of random
datetime.timestamptimestampreadCurrent time

Namespace aaa

VariableTypeAccessDescription
aaa.identitystringread/writeProtocol-agnostic username/identity of the request
aaa.identity.namestringreadName part of current username/identity
aaa.identity.realmstringread/writeRealm part of current username/identity
aaa.identity.realm.tldstringreadTLD part of the realm
aaa.protocolenumreadProtocol of the request
aaa.tracebooleanreadIs tracing enabled for the request?
aaa.accountingbooleanreadIs the request an accounting request?
aaa.policystringreadName of AAA policy handling the request
aaa.handlerstringreadName of AAA policy handler handling the request
aaa.methodenumreadAuthentication protocol/method
aaa.messagestringread/writeReply message for Accept/Reject responses
aaa.challenge-messagestringread/writeChallenge prompt message for Challenge responses
aaa.resultenumreadAAA result
aaa.reasonstringreadError or reason
aaa.errorsstring arrayreadAll errors that occurred during request processing
aaa.caught_errorstringread/writeMost recent error caught by a try action
aaa.caught_errorsstring arrayread/writeAll errors caught by try actions during request processing

Namespace user

VariableTypeAccessDescription
user.usernamestringread/writeUser entry's name
user.passwordstringread/writeUser's password
user.groupstring arrayread/writeUser's groups
user.rolestring arrayread/writeUser's roles
user.backendstringreadBackend's name from which user was fetched

Namespace acct

VariableTypeAccessDescription
acct.statusenumreadAccounting request status
acct.timestamptimestampreadAccounting request timestamp
acct.durationnumberreadAccounting session duration in seconds
acct.input.packetsnumberreadAccounting session packets in
acct.input.bytesnumberreadAccounting session bytes in
acct.output.packetsnumberreadAccounting session packets out
acct.output.bytesnumberreadAccounting session bytes out

Namespace auth

VariableTypeAccessDescription
auth.protocolenumread/writeAuthentication protocol
auth.challengestringread/writeAuthentication challenge
auth.responsebytesread/writeAuthentication response
auth.resultstringread/writeAuthentication result

Namespace tls

VariableTypeAccessDescription
tls.versionenumreadNegotiated TLS protocol version
tls.cipherenumreadNegotiated TLS cipher

Namespace cert

VariableTypeAccessDescription
cert.validbooleanreadDid basic certificate validation succeed?
cert.errorstringreadVerification error
cert.serverstringreadIn TLS client context, server's name or IP address
cert.issuerstringreadCertificate's issuer's name
cert.subjectstringreadCertificate's subject's name
cert.serialnumberreadCertificate's serial number
cert.issuedtimestampreadCertificate's issue timestamp
cert.expirestimestampreadCertificate's expiry timestamp
cert.policystring arrayreadCertificate's Policy OIDs
cert.sha256bytesreadSHA256 hash of the certificate
cert.issuer.*string arrayreadIssuer name's individual components (dc, c, st, l, o, ou, cn, emailaddress)
cert.subject.*string arrayreadSubject name's individual components (dc, c, st, l, o, ou, cn, emailaddress)
cert.subject_alt.*string arrayreadSubject's alternative names (email, dns, dn, uri, ip, oid, upn, other)
cert.ca.**readCertificate's first CA certificate
cert.ca[N].**readCertificate's Nth CA certificate

CA certificate has the same attributes as the cert.

Namespace radius

VariableTypeAccessDescription
radius.clientstringreadClient's name from which the request was received
radius.client.ipipreadIP address from which the request was received
radius.serverstringreadServer's name which received the request
radius.server.tlsbooleanreadWas request received over TLS?
radius.request.attr.**read/writeRadius request attributes
radius.reply.attrjsonwriteSpread JSON object to reply attributes
radius.reply.attr.**read/writeRadius reply attributes

Attribute's data type is defined by the RADIUS dictionary used. Examples:

ExampleDescription
radius.request.attr.user-nameUser-Name attribute
radius.request.attr.tunnel-type:1Tunnel-Type attribute with a tag value 1
radius.request.attr.framed-route[0]First Framed-Route attribute
radius.request.attr.framed-route[n]Last Framed-Route attribute
radius.request.attr.framed-route[*]All Framed-Route attributes
radius.request.attr.cisco.avpairCisco AV-pair attribute
radius.reply.attr = vars.json_attrsSpread JSON object keys as reply attribute names

Constants

The radius namespace provides named constants for RADIUS packet type codes. Use these instead of magic numbers for clearer configuration.

Packet Type Codes:

ConstantValueDescription
radius.ACCESS_REQUEST1Access-Request packet
radius.ACCESS_ACCEPT2Access-Accept packet
radius.ACCESS_REJECT3Access-Reject packet
radius.ACCOUNTING_REQUEST4Accounting-Request packet
radius.ACCOUNTING_RESPONSE5Accounting-Response packet
radius.ACCESS_CHALLENGE11Access-Challenge packet
radius.STATUS_SERVER12Status-Server packet
radius.DISCONNECT_REQUEST40Disconnect-Request packet
radius.DISCONNECT_ACK41Disconnect-ACK packet
radius.DISCONNECT_NAK42Disconnect-NAK packet
radius.COA_REQUEST43CoA-Request packet
radius.COA_ACK44CoA-ACK packet
radius.COA_NAK45CoA-NAK packet

Attribute Enum Values:

For attribute enum values (like Acct-Status-Type or Service-Type), use the radius.dict.<Attribute>.<Value> syntax to access dictionary-defined values:

# Acct-Status-Type values
radius.dict.Acct-Status-Type.Start       # 1
radius.dict.Acct-Status-Type.Stop        # 2
radius.dict.Acct-Status-Type.Alive       # 3

# Service-Type values
radius.dict.Service-Type.Login-User      # 1
radius.dict.Service-Type.Framed-User     # 2

Example usage:

if all {
    radius.request.code == radius.ACCESS_REQUEST;
} then {
    # Handle Access-Request
}

if all {
    radius.request.attr.acct-status-type == radius.dict.Acct-Status-Type.Start;
} then {
    # Handle Accounting Start
}

Namespace radiusproxy

VariableTypeAccessDescription
radiusproxy.serverstringreadRadius proxy server's name to which send the request
radiusproxy.server.tlsbooleanreadIs Radius proxy server using TLS connection?
radiusproxy.request.attrjsonwriteSpread JSON object to proxy request attributes
radiusproxy.request.attr.**read/writeRadius proxy request attributes
radiusproxy.reply.attr.**read/writeRadius proxy reply attributes

Attribute's data type is defined by the RADIUS dictionary used. Examples:

ExampleDescription
radiusproxy.request.attr.user-nameUser-Name attribute
radiusproxy.request.attr.operator-nameOperator-Name attribute
radiusproxy.request.attr.tunnel-type:1Tunnel-Type attribute with a tag value 1
radiusproxy.request.attr.cisco.avpair[0]First Cisco AV-pair attribute
radiusproxy.request.attr.cisco.avpair[n]Last Cisco AV-pair attribute
radiusproxy.request.attr.cisco.avpair[*]All Cisco AV-pair attributes
radiusproxy.request.attr = vars.json_attrsSpread JSON object keys as proxy request attribute names

Namespace eap

VariableTypeAccessDescription
eap.identitystringreadEAP identity
eap.methodenumreadEAP method

Namespace eap-ttls

VariableTypeAccessDescription
eap-ttls.request.attr.**read/writeEAP-TTLS request attributes
eap-ttls.reply.attr.**read/writeEAP-TTLS request attributes

Attribute's data type is defined by the RADIUS dictionary used. Examples:

ExampleDescription
eap-ttls.request.attr.user-nameUser-Name attribute
eap-ttls.request.attr.user-passwordUser-Password attribute
eap-ttls.request.attr.chap-passwordCHAP-Password attribute
eap-ttls.request.attr.eap-messageEAP-Message attribute

Namespace eap-teap

VariableTypeAccessDescription
eap-teap.usernamestringreadEAP-TEAP basic password authentication response username
eap-teap.identity-typeenumreadEAP-TEAP Identity-Type TLV (user/machine)

Namespace parent

VariableTypeAccessDescription
parent.**read/writeParent context namespace

Examples:

ExampleDescription
parent.aaa.identityAAA identity from parent context
parent.radius.clientRADIUS client from parent context

Namespace tacacsplus

VariableTypeAccessDescription
tacacsplus.typenumberreadTACACS+ packet type
tacacsplus.authenticationbooleanreadIs the request an authentication request?
tacacsplus.authorizationbooleanreadIs the request an authorization request?
tacacsplus.accountingbooleanreadIs the request an accounting request?
tacacsplus.unencryptedbooleanreadIs the packet unencrypted?
tacacsplus.sessionnumberreadTACACS+ session ID
tacacsplus.request.actionnumberreadRequest action
tacacsplus.request.privilegenumberreadRequest privilege level
tacacsplus.request.authentication.methodnumberreadAuthentication method
tacacsplus.request.authentication.typenumberreadAuthentication type
tacacsplus.request.authentication.servicenumberreadAuthentication service
tacacsplus.request.userstringreadRequest username
tacacsplus.request.portstringreadRequest port
tacacsplus.request.addressstringreadRequest remote address
tacacsplus.request.databytesreadRequest data
tacacsplus.request.messagestringreadRequest message
tacacsplus.request.arg[N]stringreadNth request argument
tacacsplus.request.argsstring arrayreadAll request arguments
tacacsplus.reply.statusstringread/writeReply status
tacacsplus.reply.noechobooleanread/writeReply no-echo flag
tacacsplus.reply.messagestringread/writeReply message
tacacsplus.reply.databytesread/writeReply data
tacacsplus.reply.arg[N]stringwriteNth reply argument
tacacsplus.reply.argsstring arrayread/writeAll reply arguments
tacacsplus.clientstringread/writeTACACS+ client name
tacacsplus.client.ipipreadTACACS+ client IP address
tacacsplus.client.secretbyteswriteTACACS+ client secret
tacacsplus.client.timeoutnumberread/writeTACACS+ client timeout in milliseconds
tacacsplus.serverstringreadTACACS+ server name

Namespace http

VariableTypeAccessDescription
http.managementbooleanreadIs the request a management API request?
http.methodstringreadHTTP request method (GET, POST, etc.)
http.pathstringreadHTTP request path
http.path.NstringreadNth part of the HTTP path (0-based)
http.querymapreadAll HTTP query parameters
http.query.KEYstringreadSpecific HTTP query parameter value
http.bodybytesreadHTTP request body
http.body.PATH*readJSON path access to request body
http.header.NAMEstringreadHTTP request header value
http.headers.NAMEstringreadHTTP request header value (alias)
http.responsebytesread/writeHTTP response body
http.response_header.NAMEstringread/writeHTTP response header value
http.statusstringread/writeHTTP response status code
http.jsonbooleanread/writeShould response be JSON formatted?
http.authorization.usernamestringreadUsername from Authorization header
http.authorization.passwordstringreadPassword from Authorization header
http.authorization.bearerstringreadBearer token from Authorization header
http.clientstringreadHTTP client name
http.client.ipipreadHTTP client IP address
http.serverstringreadHTTP server name
http.server.ipipreadHTTP server IP address
http.server.tlsbooleanreadIs the HTTP connection using TLS?

Namespace root

VariableTypeAccessDescription
root.**read/writeRoot context namespace

Examples:

ExampleDescription
root.aaa.identityAAA identity from root context
root.radius.clientRADIUS client from root context

Namespace server

VariableTypeAccessDescription
server.instance_idstringreadServer instance's ID
server.cluster_idstringreadServer's cluster ID
server.hostnamestringreadHostname of server
server.versionstringreadSoftware version information
Navigation
Home