Logical Condition Blocks: all and any
Logical specifiers all and any group one or more condition expressions inside
a conditions or if construct. They control how multiple individual condition
lines are combined into a single boolean result.
They are used in two primary places:
conditions <logic> { ... }blocks attached to handlers/policies.if <logic> { ... } then { ... }style inline decision expressions (orif <logic> { ... }when no explicitthenform is used).
Semantics
| Block | Result is true when… | Empty Block |
|---|---|---|
all | every contained condition is true | true (vacuous truth) |
any | at least one contained condition is true | false (no expression satisfied) |
Implementations typically short‑circuit:
all: fails fast on first falseany: succeeds fast on first true
Syntax
conditions all {
<condition-1>;
<condition-2>;
...
}
conditions any {
<condition-A>;
<condition-B>;
...
}
if all {
<condition>;
<condition>;
} then {
# actions when all conditions are true
}
Each inner condition line should end with a semicolon and must be a valid
expression supported by the condition grammar (attribute comparisons, regex
matches, presence checks, etc.). See Comparison Operators
for the full list of operators and special values like any and none for presence checks.
Examples
Handler Selection
handler "WIRELESS_USERS" {
conditions all {
aaa.accounting == false;
radius.called-station-id =~ /^SSID-CORP/;
}
authentication {
backend "USERS";
pap;
}
}
Multiple Possible Realms (any)
conditions any {
aaa.realm == "engineering.example.com";
aaa.realm == "research.example.com";
}
Inline Authorization Decision
authorization {
if all {
user.group == "admin";
radius.nas-ip-address == "192.168.10.10";
} then {
set response.session-timeout = 28800;
accept;
}
if any {
user.group == "guest";
user.role == "temporary";
} then {
set response.session-timeout = 3600;
}
accept;
}
Early Reject with any
pre-authorization {
if any {
user.account_disabled == true;
user.locked == true;
} then {
reject;
}
}