rlm_attr_filter(5)             FreeRADIUS Module            rlm_attr_filter(5)

NAME

       rlm_attr_filter - FreeRADIUS Module

DESCRIPTION

       The rlm_attr_filter module exists for filtering certain attributes and
       values in received (or transmitted) RADIUS packets.  It gives the
       server a flexible framework to filter the attributes we send to or
       receive from home servers or NASes.  This makes sense, for example, in
       an out-sourced dialup situation, to enforce various policy decisions,
       such as restricting a client to certain ranges of Idle-Timeout or
       Session-Timeout.

       Filter rules are normally defined and applied on a per-realm basis,
       where the realm is anything that is defined and matched based on the
       configuration of the rlm_realm module.  Filter rules can optionally be
       applied using another attribute, by editing the key configuration
       item for this module.

       In 2.0.1 and earlier versions, the "accounting" section filtered the
       Accounting-Request, even though it was documented as filtering the
       response.  This issue has been fixed in version 2.0.2 and later
       versions.  The "preacct" section may now be used to filter
       Accounting-Request packets.  The "accounting" section now filters
       Accounting-Response packets.  Administrators using "attr_filter" in
       the "accounting" section SHOULD move the reference to "attr_filter"
       from "accounting" to "preacct".

       The file that defines the attribute filtering rules follows a similar
       syntax to the users file.  There are a few differences, however:

           There are no check-items allowed other than the name of the key.

           There can only be a single DEFAULT entry.

       The rules for each entry are parsed from top to bottom, and an
       attribute must pass *all* the rules which affect it in order to make
       it past the filter.  Order of the rules is important.  The operators
       and their purpose in defining the rules are as follows:

       =      THIS OPERATOR IS NOT ALLOWED.  If used, a warning message is
              printed and it is treated as ==

       :=     Set, this attribute and value will always be placed in the
              output A/V Pairs.  If the attribute exists, it is overwritten.

       ==     Equal, value must match exactly.

       =*     Always Equal, allow all values for the specified attribute.

       !*     Never Equal, disallow all values for the specified attribute.
              (This is redundant, as any A/V Pair not explicitly permitted
              will be dropped.)

       !=     Not Equal, value must not match.

       >=     Greater Than or Equal

       <=     Less Than or Equal

       >      Greater Than

       <      Less Than

       If regular expressions are enabled the following operators are also
       possible.  (Regular expressions are included by default unless your
       system doesn't support them, which should be rare.)  The value field
       uses standard regular expression syntax.

       =~     Regular Expression Equal

       !~     Regular Expression Not Equal

       See the default /etc/raddb/attrs for working examples of sample rule
       ordering and how to use the different operators.

       The configuration items are:

       attrsfile
              This specifies the location of the file used to load the
              filter rules.  This file is used to filter the accounting
              response, the packet before it is proxied, the proxy response
              from the home server, or our response to the NAS.

       key    Usually %{Realm} (the default).  Can also be %{User-Name}, or
              any other attribute that exists in the request.  Note that the
              module always keys off of attributes in the request, and NOT
              in any other packet.

       relaxed
              If set to 'yes', then attributes which do not explicitly match
              any filter rules will also be allowed.  This behaviour may be
              overridden for an individual filter block using the
              Relax-Filter check item.  The default for this configuration
              item is 'no'.

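       The following Python, added here as an illustration and not part of
       FreeRADIUS or this module, models how an entry's rules are applied to
       a packet: an attribute is kept only if it passes every rule that names
       it, attributes no rule names are dropped unless relaxed is set, and :=
       values are placed in the output afterwards, overwriting any input
       value.  The rule set and home-server reply are constructed samples;
       Fall-Through and the Relax-Filter check item are not modelled.

```python
import re
# Simplified model of rlm_attr_filter rule evaluation (added example, not FreeRADIUS code).  Longest
# operators first, so ":=", "=*" and "==" match before the bare "=", which FreeRADIUS treats as "==".
OPS = (":=", "==", "=*", "!*", "!=", ">=", "<=", "=~", "!~", ">", "<", "=")
RULE_RE = re.compile(r"^\s*([\w-]+)\s*(%s)\s*(.+?)\s*,?\s*$" % "|".join(map(re.escape, OPS)))

def parse_attrs(text):
    # attrs-file text -> {entry_name: [(attr, op, value), ...]}, entries kept in file order
    entries, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():                  # unindented line: entry name (a key value or DEFAULT)
            current = line.split()[0]
            entries[current] = []
        else:                                      # indented line: one rule, optionally comma-terminated
            attr, op, value = RULE_RE.match(line).groups()
            entries[current].append((attr, "==" if op == "=" else op, value.strip('"')))
    return entries

def rule_passes(op, pv, rv):
    # Does packet value pv satisfy one rule?  Unsigned integers compare numerically, all else as strings.
    if op in ("=*", "!*"):
        return op == "=*"
    if op in ("=~", "!~"):                         # unanchored search, as regexec() on the rule value would
        return (re.search(rv, str(pv)) is not None) == (op == "=~")
    nums = str(pv).isdigit() and str(rv).isdigit()
    a, b = (int(pv), int(rv)) if nums else (str(pv), str(rv))
    c = (a > b) - (a < b)
    return {"==": c == 0, "!=": c != 0, ">": c > 0, "<": c < 0, ">=": c >= 0, "<=": c <= 0}[op]

def filter_pairs(entries, key, pairs, relaxed=False):
    # Apply the first entry named `key` or DEFAULT; Fall-Through and Relax-Filter are not modelled.
    rules = next((r for name, r in entries.items() if name in (key, "DEFAULT")), [])
    kept = []
    for attr, value in pairs:
        votes = [rule_passes(op, value, rv) for a, op, rv in rules if a == attr and op != ":="]
        if all(votes) and (votes or relaxed):      # must pass every rule naming it; unnamed need relaxed
            kept.append((attr, value))
    for attr, op, rv in rules:                     # ':=' always lands in the output, overwriting any input value
        if op == ":=":
            kept = [p for p in kept if p[0] != attr] + [(attr, rv)]
    return kept

# Constructed sample rules (attrs-file syntax) and a constructed home-server reply, as filtered in post-proxy.
SAMPLE_ATTRS = """DEFAULT
\tService-Type == Framed-User,
\tFramed-IP-Address =* ANY,
\tIdle-Timeout <= 600,
\tFilter-Id =~ "^(gold|silver)$",
\tAcct-Interim-Interval := 300
"""
HOME_SERVER_REPLY = [("Service-Type", "Framed-User"), ("Framed-IP-Address", "192.0.2.10"), ("Idle-Timeout", "900"),
                     ("Filter-Id", "gold"), ("Acct-Interim-Interval", "60"), ("Reply-Message", "hello")]
ENTRIES = parse_attrs(SAMPLE_ATTRS)
```

       Running filter_pairs(ENTRIES, "other.example", HOME_SERVER_REPLY)
       drops the over-limit Idle-Timeout and the unfiltered Reply-Message,
       and replaces the home server's Acct-Interim-Interval with 300.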

SECTIONS

       preacct
              Filters Accounting-Request packets.

       accounting
              Filters Accounting-Response packets.

       pre-proxy
              Filters Accounting-Request or Access-Request packets prior to
              proxying them.

       post-proxy
              Filters Accounting-Response, Access-Accept, Access-Reject, or
              Access-Challenge responses from a home server.

       authorize
              Filters Access-Request packets.

       post-auth
              Filters Access-Accept or Access-Reject packets.


FILES

       /etc/raddb/radiusd.conf /etc/raddb/attrs


SEE ALSO

       radiusd(8), radiusd.conf(5)


AUTHOR

       Chris Parker, cparker@segv.org



                               12 February 2008             rlm_attr_filter(5)