Conditional Comparisons

lhs OP rhs

The most common use-case for conditions is to perform comparisons. The comparisons are composed of three pieces. First, the lhs is the left-hand side of the comparison. This can be an &Attribute-Name or data. Second, the OP is an operator, commonly == or <=. It is used to control how the two other portions of the condition are compared. Finally, the rhs is the right-hand side of the comparison. It can be an &Attribute-Name, data, or (depending on OP) a regular expression.

The Left Side of a Comparison

The left side of a comparison can be an &Attribute-Name or data. The data type of the left side determines how the OP operator performs its comparison.


In some situations, it is useful to force the left side to be interpreted as a particular data type.

The data types used by the cast must be a type taken from the RADIUS dictionaries, e.g., ipaddr, integer, etc. These types are not the same as the data types used in the configuration files.
lhs OP rhs

The cast text can be any one of the standard RADIUS dictionary data types, as with the following example:

&Class ==

In this example, the Class attribute is treated as if it was an IPv4 address and is compared to the address

Casting is most useful when the left side of a comparison is a dynamically expanded string. The cast ensures that the comparison is done in a type-safe manner, instead of performing a string comparison.

`/bin/echo 00` == 0

In this example, the output of the echo program is interpreted as an integer. It is then compared to the right side via integer comparisons. Since the integer 00 is equivalent to the integer 0, the comparison will match. If the comparison had been performed via string equality checks, then because the strings 00 and 0 are different, the comparison would not match.

A cast can only appear on the left side of a comparison expression. Casts cannot be used on the right side of comparison expressions.

The Comparison Operators

The comparison operators are given below.

Operator Description


less than


less than or equals




not equals


greater than or equals


greater than


regular expression matches


regular expression does not match

The comparison operators perform type-specific comparisons. The only exceptions are the regular expression operators, which interpret the left side as a printable string.

The type-specific comparisons operate as expected for most data types. The only exception is data types that are IP addresses or IP address prefixes. For those data types, the comparisons are done via the following rules:

  • Any unqualified IP address is assumed to have a /32 prefix (IPv4) or a /128 prefix (IPv6).

  • If the prefixes of the left and right sides are equal, then the comparisons are performed on the IP address portion.

  • If the prefixes of the left and right sides are not equal, then the comparisons are performed as set membership checks.

These rules allow conditions such as < 192.0.2/24. This condition will return true, as the IP address' is within the network `192.0.2/24.

The Right Side of a Comparison

The right side of a comparison can be an &Attribute-Name or data.