Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
rlm_attr_filter(5)	       FreeRADIUS Module	    rlm_attr_filter(5)

       rlm_attr_filter - FreeRADIUS Module

       The  rlm_attr_filter module exists for filtering	certain	attributes and
       values in received ( or transmitted ) radius  packets.	It  gives  the
       server  a flexible framework to filter the attributes we	send to	or re-
       ceive from home servers or NASes.  This makes sense, for	example, in an
       out-sourced  dialup  situation to various policy	decisions, such	as re-
       stricting a client to certain ranges of Idle-Timeout  or	 Session-Time-

       Filter  rules  are  normally  defined and applied on a per-realm	basis,
       where the realm is anything that	is defined and matched	based  on  the
       configuration  of the rlm_realm module.	Filter rules can optionally be
       applied using another attribute,	by editing the key  configuration  for
       this module.

       In  2.0.1  and  earlier versions, the "accounting" section filtered the
       Accounting-Request, even	though it was documented as filtering the  re-
       sponse.	This issue has been fixed in version 2.0.2 and later versions.
       The "preacct" section may now  be  used	to  filter  Accounting-Request
       packets.	  The  "accounting"  section  now  filters Accounting-Response
       packets.	 Administrators	using "attr_filter" in the  "accounting"  sec-
       tion  SHOULD  move  the reference to "attr_filter" from "accounting" to

       The file	that defines the attribute filtering rules follows  a  similar
       syntax to the users file.  There	are a few differences however:

	   There are no	check-items allowed other than the name	of the key.

	   There can only be a single DEFAULT entry.

       The  rules for each entry are parsed to top to bottom, and an attribute
       must pass *all* the rules which affect it in order to make it past  the
       filter.	Order of the rules is important.  The operators	and their pur-
       pose in defining	the rules are as follows:

       =      THIS OPERATOR IS NOT ALLOWED.  If	used, and warning  message  is
	      printed and it is	treated	as ==

       :=     Set,  this attribute and value will always be placed in the out-
	      put A/V Pairs.  If the attribute exists, it is overwritten.

       ==     Equal, value must	match exactly.

       =*     Always Equal, allow all values for the specified attribute.

       !*     Never Equal, disallow all	values for the specified attribute.  (
	      This is redundant, as any	A/V Pair not explicitly	permitted will
	      be dropped ).

       !=     Not Equal, value must not	match.

       >=     Greater Than or Equal

       <=     Less Than	or Equal

       >      Greater Than

       <      Less Than

       If regular expressions are enabled the  following  operators  are  also
       possible.   (  Regular  Expressions are included	by default unless your
       system doesn't support them, which should be rare ).  The  value	 field
       uses standard regular expression	syntax.

       =~     Regular Expression Equal

       !~     Regular Expression Not Equal

       See  the	 default  /usr/local/share/examples/freeradius/raddb/mods-con-
       fig/attr_filter/	for working examples of	sample rule ordering  and  how
       to use the different operators.

       The configuration items are:

       file   This  specifies the location of the file used to load the	filter
	      rules.  This file	is used	to  filter  the	 accounting  response,
	      packet  before  it  is  proxied,	proxy  response	 from the home
	      server, or our response to the NAS.

       key    Usually %{Realm} (the default).  Can also	 be  %{User-Name},  or
	      other  attribute that exists in the request.  Note that the mod-
	      ule always keys off of attributes	in the request,	and NOT	in any
	      other packet.

	      If  set  to 'yes', then attributes which do not match any	filter
	      rules explicitly,	will also be allowed. This  behaviour  may  be
	      overridden for an	individual filter block	using the Relax-Filter
	      check item.  The default for this	configuration item is 'no'.

	      Filters Accounting-Request packets.

	      Filters Accounting-Response packets.

	      Filters Accounting-Request or Access-Request  packets  prior  to
	      proxying them.

	      Filters  Accounting-Response,  Access-Accept,  Access-Reject, or
	      Access-Challenge responses from a	home server.

	      Filters Access-Request packets.

	      Filters Access-Accept or Access-Reject packets.

       /usr/local/share/examples/freeradius/raddb/radiusd.conf	      /usr/lo-

       radiusd(8), radiusd.conf(5)

       Chris Parker,

				 27 June 2013		    rlm_attr_filter(5)


Want to link to this manual page? Use this URL:

home | help