Man Linux: Main Page and Category List

NAME

       rlm_attr_filter - FreeRADIUS Module

DESCRIPTION

       The  rlm_attr_filter module exists for filtering certain attributes and
       values in received ( or transmitted ) radius  packets.   It  gives  the
       server  a  flexible  framework  to  filter the attributes we send to or
       receive from home servers or NASes.  This makes sense, for example,  in
       an  out-sourced  dialup  situation to various policy decisions, such as
       restricting a client to certain  ranges  of  Idle-Timeout  or  Session-
       Timeout.

       Filter  rules  are  normally  defined and applied on a per-realm basis,
       where the realm is anything that is defined and matched  based  on  the
       configuration  of the rlm_realm module.  Filter rules can optionally be
       applied using another attribute, by editing the key  configuration  for
       this module.

       In  2.0.1  and  earlier versions, the "accounting" section filtered the
       Accounting-Request, even though it  was  documented  as  filtering  the
       response.   This  issue  has  been  fixed  in  version  2.0.2 and later
       versions.  The "preacct" section may now be used to filter  Accounting-
       Request  packets.   The  "accounting"  section  now filters Accounting-
       Response  packets.    Administrators   using   "attr_filter"   in   the
       "accounting"  section  SHOULD  move the reference to "attr_filter" from
       "accounting" to "preacct".

       The file that defines the attribute filtering rules follows  a  similar
       syntax to the users file.  There are a few differences however:

                  There are no check-items allowed other than the name of the key.

                  There can only be a single DEFAULT entry.

              The rules for each entry are parsed to top to bottom, and an
              attribute must pass *all* the rules which affect it in order to
              make it past the filter.  Order of the rules is important.
              The operators and their purpose in defining the rules are as
              follows:

              =      THIS OPERATOR IS NOT ALLOWED.  If used, and warning message is
                     printed and it is treated as ==

              :=     Set, this attribute and value will always be placed in the
                     output A/V Pairs.  If the attribute exists, it is overwritten.

              ==     Equal, value must match exactly.

              =*     Always Equal, allow all values for the specified attribute.

              !*     Never Equal, disallow all values for the specified attribute.
                     ( This is redundant, as any A/V Pair not explicitly permitted
                     will be dropped ).

              !=     Not Equal, value must not match.

              >=     Greater Than or Equal

              <=     Less Than or Equal

              >      Greater Than

              <      Less Than

              If regular expressions are enabled the following operators are
              also possible.  ( Regular Expressions are included by default
              unless your system doesn’t support them, which should be rare ).
              The value field uses standard regular expression syntax.

              =~     Regular Expression Equal

              !~     Regular Expression Not Equal

              See the default /etc/raddb/attrs for working examples of
              sample rule ordering and how to use the different operators.

       The configuration items are:

       attrsfile
              This  specifies the location of the file used to load the filter
              rules.  This file is used to  filter  the  accounting  response,
              packet  before  it  is  proxied,  proxy  response  from the home
              server, or our response to the NAS.

       key    Usually %{Realm} (the default).  Can also  be  %{User-Name},  or
              other  attribute  that  exists  in  the  request.  Note that the
              module always keys off of attributes in the request, and NOT  in
              any other packet.

SECTIONS

       preacct
              Filters Accounting-Request packets.

       accounting
              Filters Accounting-Response packets.

       pre-proxy
              Filters  Accounting-Request  or  Access-Request packets prior to
              proxying them.

       post-proxy
              Filters Accounting-Response,  Access-Accept,  Access-Reject,  or
              Access-Challenge responses from a home server.

       authorize
              Filters Access-Request packets.

       post-auth
              Filters Access-Accept or Access-Reject packets.

FILES

       /etc/raddb/radiusd.conf /etc/raddb/attrs

SEE ALSO

       radiusd(8), radiusd.conf(5)

AUTHOR

       Chris Parker, cparker@segv.org

                               12 February 2008             rlm_attr_filter(5)