rlm_attr_filter(5)             FreeRADIUS Module            rlm_attr_filter(5)

NAME

       rlm_attr_filter - FreeRADIUS Module

DESCRIPTION

       The rlm_attr_filter module exists for filtering certain attributes and
       values in received (or transmitted) RADIUS packets.  It gives the
       server a flexible framework to filter the attributes we send to or
       receive from home servers or NASes.  This is useful, for example, in
       an out-sourced dialup situation for enforcing various policy decisions,
       such as restricting a client to certain ranges of Idle-Timeout or
       Session-Timeout.

       Filter rules are normally defined and applied on a per-realm basis,
       where the realm is anything that is defined and matched based on the
       configuration of the rlm_realm module.  Filter rules can optionally be
       applied using another attribute, by editing the key configuration for
       this module.

       In 2.0.1 and earlier versions, the "accounting" section filtered the
       Accounting-Request, even though it was documented as filtering the
       response.  This issue has been fixed in version 2.0.2 and later
       versions.  The "preacct" section may now be used to filter
       Accounting-Request packets.  The "accounting" section now filters
       Accounting-Response packets.  Administrators using "attr_filter" in the
       "accounting" section SHOULD move the reference to "attr_filter" from
       "accounting" to "preacct".

       The file that defines the attribute filtering rules follows a similar
       syntax to the users file.  There are a few differences however:

           There are no check-items allowed other than the name of the key.

           There can only be a single DEFAULT entry.

       The rules for each entry are parsed from top to bottom, and an
       attribute must pass *all* the rules which affect it in order to make it
       past the filter.  Order of the rules is important.  The operators and
       their purpose in defining the rules are as follows:

       =      THIS OPERATOR IS NOT ALLOWED.  If used, a warning message is
              printed and it is treated as ==

       :=     Set, this attribute and value will always be placed in the
              output A/V Pairs.  If the attribute exists, it is overwritten.

       ==     Equal, value must match exactly.

       =*     Always Equal, allow all values for the specified attribute.

       !*     Never Equal, disallow all values for the specified attribute.
              (This is redundant, as any A/V Pair not explicitly permitted
              will be dropped.)

       !=     Not Equal, value must not match.

       >=     Greater Than or Equal

       <=     Less Than or Equal

       >      Greater Than

       <      Less Than

       If regular expressions are enabled the following operators are also
       possible.  (Regular Expressions are included by default unless your
       system doesn't support them, which should be rare.)  The value field
       uses standard regular expression syntax.

       =~     Regular Expression Equal

       !~     Regular Expression Not Equal

       See the default /etc/raddb/mods-config/attr_filter/ for working
       examples of sample rule ordering and how to use the different
       operators.

       The configuration items are:

       file   This specifies the location of the file used to load the filter
              rules.  This file is used to filter the accounting response,
              the packet before it is proxied, the proxy response from the
              home server, or our response to the NAS.

       key    Usually %{Realm} (the default).  Can also be %{User-Name}, or
              another attribute that exists in the request.  Note that the
              module always keys off of attributes in the request, and NOT in
              any other packet.

       relaxed
              If set to 'yes', then attributes which do not explicitly match
              any filter rules will also be allowed.  This behaviour may be
              overridden for an individual filter block using the Relax-Filter
              check item.  The default for this configuration item is 'no'.

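       The following Python sketch is an added example, not part of the
       FreeRADIUS distribution or of the module's own code.  It models the
       filtering semantics described above (every rule for an attribute must
       pass, := always sets, unlisted attributes are dropped unless relaxed)
       on a constructed entry.  The realm name example.org, the limits and
       the function names are assumptions, and the ordering operators compare
       integers only.

```python
import re

# Constructed sample entry in the rule-file syntax described above; the realm
# name and the limits are assumptions chosen for illustration.
SAMPLE = """\
example.org
    Service-Type == Framed-User,
    Idle-Timeout >= 60,
    Idle-Timeout <= 600,
    Session-Timeout <= 28800,
    Reply-Message =* ANY,
    Port-Limit := 1
"""
OPS = {"=", ":=", "==", "=*", "!*", "!=", ">=", "<=", ">", "<", "=~", "!~"}

def parse_entry(text):
    """Return (key, [(attr, op, value), ...]) for a single entry."""
    lines = [l for l in text.splitlines() if l.strip()]
    rules = []
    for line in lines[1:]:
        attr, op, value = line.strip().rstrip(",").split(None, 2)
        if op not in OPS:
            raise ValueError(f"unknown operator {op!r}")
        rules.append((attr, "==" if op == "=" else op, value))  # "=" is treated as "=="
    return lines[0].strip(), rules

def passes(op, want, got):
    """Evaluate one rule against one attribute value (both strings)."""
    if op in ("=*", "!*"):
        return op == "=*"
    if op in ("=~", "!~"):
        return (re.search(want, got) is not None) == (op == "=~")
    if op in ("==", "!="):
        return (got == want) == (op == "==")
    a, b = int(got), int(want)  # this model orders integer values only
    return {">=": a >= b, "<=": a <= b, ">": a > b, "<": a < b}[op]

def apply_filter(rules, pairs, relaxed=False):
    """Filter (attr, value) pairs following the semantics the page describes."""
    out = [(a, v) for a, op, v in rules if op == ":="]  # := always lands in the output
    forced = {a for a, _ in out}
    for attr, value in pairs:
        if attr in forced:
            continue  # an existing value is overwritten by the := rule
        checks = [(op, v) for a, op, v in rules if a == attr]
        if checks and all(passes(op, v, value) for op, v in checks):
            out.append((attr, value))  # passed every rule that affects it
        elif not checks and relaxed:
            out.append((attr, value))  # no rule mentions it; kept only when relaxed
    return out
```

       With the default relaxed = no, an Idle-Timeout of 86400 fails the
       <= 600 rule and is dropped, as is any attribute the entry never
       mentions.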

SECTIONS

       preacct
              Filters Accounting-Request packets.

       accounting
              Filters Accounting-Response packets.

       pre-proxy
              Filters Accounting-Request or Access-Request packets prior to
              proxying them.

       post-proxy
              Filters Accounting-Response, Access-Accept, Access-Reject, or
              Access-Challenge responses from a home server.

       authorize
              Filters Access-Request packets.

       post-auth
              Filters Access-Accept or Access-Reject packets.

FILES

       /etc/raddb/radiusd.conf /etc/raddb/mods-config/attr_filter/*

SEE ALSO

       radiusd(8), radiusd.conf(5)

AUTHOR

       Chris Parker, cparker@segv.org

                                 27 June 2013               rlm_attr_filter(5)