rlm_attr_filter(5)             FreeRADIUS Module            rlm_attr_filter(5)

NAME

       rlm_attr_filter - FreeRADIUS Module

DESCRIPTION

       The rlm_attr_filter module exists for filtering certain attributes and
       values in received (or transmitted) RADIUS packets from (or to) remote
       proxy servers.  It gives the proxier (us) a flexible framework to
       filter the attributes we send to or receive from these remote proxies.
       This is useful, for example, in an out-sourced dialup situation for
       enforcing various policy decisions, such as restricting a client to
       certain ranges of Idle-Timeout or Session-Timeout.

       Filter rules are defined and applied on a per-realm basis, where the
       realm is anything that is defined and matched based on the
       configuration of the rlm_realm module.

       The file that defines the attribute filtering rules follows a similar
       syntax to the users file.  There are a few differences, however:

           There are no check-items allowed other than the realm.

           There can only be a single DEFAULT entry.

       The rules for each entry are parsed from top to bottom, and an
       attribute must pass *all* the rules which affect it in order to make it
       past the filter.  Order of the rules is important.  The operators and
       their purpose in defining the rules are as follows:

       =      THIS OPERATOR IS NOT ALLOWED.  If used, a warning message is
              printed and it is treated as ==

       :=     Set, this attribute and value will always be placed in the
              output A/V Pairs.  If the attribute exists, it is overwritten.

       ==     Equal, value must match exactly.

       =*     Always Equal, allow all values for the specified attribute.

       !*     Never Equal, disallow all values for the specified attribute.
              (This is redundant, as any A/V Pair not explicitly permitted
              will be dropped.)

       !=     Not Equal, value must not match.

       >=     Greater Than or Equal

       <=     Less Than or Equal

       >      Greater Than

       <      Less Than

       If regular expressions are enabled, the following operators are also
       possible.  (Regular expressions are included by default unless your
       system doesn't support them, which should be rare.)  The value field
       uses standard regular expression syntax.

       =~     Regular Expression Equal

       !~     Regular Expression Not Equal

       See the default /etc/raddb/attrs for working examples of sample rule
       ordering and how to use the different operators.

       The main configuration item is:

       attrsfile
              This specifies the location of the file used to load the filter
              rules.
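
       The rule evaluation described above, modelled in Python as an added
       example (not FreeRADIUS code and not part of the original page).  The
       rule set, the sample A/V pairs and the filter_pairs name are
       constructed for illustration, and the model follows only the semantics
       this page states.

```python
import re

# Operator semantics as listed on this page (':=' is handled in filter_pairs).
OPS = {
    "=": lambda v, ref: v == ref,    # not allowed; treated as '=='
    "==": lambda v, ref: v == ref,
    "!=": lambda v, ref: v != ref,
    ">=": lambda v, ref: v >= ref,
    "<=": lambda v, ref: v <= ref,
    ">": lambda v, ref: v > ref,
    "<": lambda v, ref: v < ref,
    "=*": lambda v, ref: True,       # allow all values
    "!*": lambda v, ref: False,      # disallow all values
    "=~": lambda v, ref: re.search(ref, str(v)) is not None,
    "!~": lambda v, ref: re.search(ref, str(v)) is None,
}

# Constructed rules for one hypothetical realm entry: (attribute, operator, value).
RULES = [
    ("Service-Type", "==", "Framed-User"),
    ("Idle-Timeout", ">=", 60),
    ("Idle-Timeout", "<=", 600),
    ("Session-Timeout", "<=", 28800),
    ("Reply-Message", "=*", None),
    ("Framed-Filter-Id", "!~", r"^admin"),
    ("Port-Limit", ":=", 1),
]

# Constructed A/V pairs, as if received from a remote proxy.
REPLY = [
    ("Service-Type", "Framed-User"),
    ("Idle-Timeout", 3600),              # fails '<= 600'
    ("Session-Timeout", 14400),
    ("Reply-Message", "Welcome"),
    ("Framed-Filter-Id", "admin-acl"),   # fails '!~ ^admin'
    ("Framed-IP-Address", "10.0.0.5"),   # no rule permits it
    ("Port-Limit", 8),                   # replaced by ':='
]

def filter_pairs(pairs, rules):
    """Keep a pair only if some rule names it and it passes all rules affecting it."""
    out = []
    for attr, value in pairs:
        affecting = [(op, ref) for a, op, ref in rules if a == attr and op != ":="]
        if affecting and all(OPS[op](value, ref) for op, ref in affecting):
            out.append((attr, value))
    for attr, op, ref in rules:
        if op == ":=":  # always placed in the output, overwriting any existing value
            out = [(a, v) for a, v in out if a != attr] + [(attr, ref)]
    return out
```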

SECTIONS

       authorization, accounting, preproxy, postproxy

FILES

       /etc/raddb/radiusd.conf /etc/raddb/attrs

SEE ALSO

       radiusd(8), radiusd.conf(5)

AUTHOR

       Chris Parker, cparker@segv.org

                                3 February 2004             rlm_attr_filter(5)