Provided by: freeradius-common_2.1.12+dfsg-1.2ubuntu8.2_all

NAME

       rlm_attr_filter - FreeRADIUS Module

DESCRIPTION

       The rlm_attr_filter module exists for filtering certain attributes and values in received
       (or transmitted) RADIUS packets.  It gives the server a flexible framework to filter the
       attributes we send to or receive from home servers or NASes.  This makes sense, for
       example, in an out-sourced dialup situation, to enforce various policy decisions, such as
       restricting a client to certain ranges of Idle-Timeout or Session-Timeout.

       Filter  rules  are  normally  defined and applied on a per-realm basis, where the realm is
       anything that is defined and matched based on the configuration of the  rlm_realm  module.
       Filter  rules  can  optionally  be  applied  using  another  attribute, by editing the key
       configuration for this module.

       In 2.0.1 and earlier versions, the "accounting" section filtered  the  Accounting-Request,
       even  though  it  was  documented as filtering the response.  This issue has been fixed in
       version 2.0.2 and later versions.  The  "preacct"  section  may  now  be  used  to  filter
       Accounting-Request  packets.   The  "accounting"  section  now filters Accounting-Response
       packets.  Administrators using "attr_filter" in the "accounting" section SHOULD  move  the
       reference to "attr_filter" from "accounting" to "preacct".

       The file that defines the attribute filtering rules follows a syntax similar to that of
       the users file.  There are a few differences, however:

           There are no check-items allowed other than the name of the key.

           There can only be a single DEFAULT entry.

       The rules for each entry are parsed from top to bottom, and an attribute must pass *all*
       the rules which affect it in order to make it past the filter.  The order of the rules is
       important.  The operators and their purpose in defining the rules are as follows:

       =      THIS OPERATOR IS NOT ALLOWED.  If used, a warning message is printed and it is
              treated as ==

       :=     Set,  this  attribute  and value will always be placed in the output A/V Pairs.  If
              the attribute exists, it is overwritten.

       ==     Equal, value must match exactly.

       =*     Always Equal, allow all values for the specified attribute.

       !*     Never Equal, disallow all values for the specified attribute.  (This is redundant,
              as any A/V Pair not explicitly permitted will be dropped.)

       !=     Not Equal, value must not match.

       >=     Greater Than or Equal

       <=     Less Than or Equal

       >      Greater Than

       <      Less Than

       If regular expressions are enabled, the following operators are also possible.  (Regular
       expressions are included by default unless your system doesn't support them, which should
       be rare.)  The value field uses standard regular expression syntax.

       =~     Regular Expression Equal

       !~     Regular Expression Not Equal

       See  the  default /etc/raddb/attrs for working examples of sample rule ordering and how to
       use the different operators.

       The configuration items are:

       attrsfile
              This specifies the location of the file used to load the filter rules.  This file
              is used to filter the accounting response, the packet before it is proxied, the
              proxy response from the home server, or our response to the NAS.

       key    Usually %{Realm} (the default).  Can also be %{User-Name}, or another attribute
              that exists in the request.  Note that the module always keys off of attributes in
              the request, and NOT in any other packet.

       relaxed
              If set to 'yes', then attributes which do not explicitly match any filter rule
              will also be allowed.  This behaviour may be overridden for an individual filter
              block using the Relax-Filter check item.  The default for this configuration item
              is 'no'.
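
       The rule semantics described above (every rule affecting an attribute must pass,
       attributes with no rule are dropped unless relaxed is set, and := always sets the value),
       modelled in Python as an added example.  It is not part of the original manual page or of
       FreeRADIUS; the realm example.org, the sample reply, and the simplified value comparison
       (integers for ordering, strings otherwise) are assumptions.

```python
import re

# Constructed sample data; the realm name example.org is hypothetical.
SAMPLE_ENTRY = """\
example.org
    Service-Type == Framed-User,
    Session-Timeout <= 28800,
    Idle-Timeout >= 60,
    Idle-Timeout <= 600,
    Framed-MTU := 1400
"""
REPLY = [("Service-Type", "Framed-User"), ("Session-Timeout", "86400"),
         ("Idle-Timeout", "300"), ("Framed-MTU", "9000"), ("Class", "staff")]

RULE = re.compile(r"^\s+([\w-]+)\s*(:=|==|=\*|=~|!\*|!=|!~|>=|<=|=|>|<)\s*(.*?),?\s*$")

def parse_entry(text):
    """Parse one entry into (key, [(attribute, operator, value), ...])."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    rules = []
    for line in lines[1:]:
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unparseable rule: {line!r}")
        attr, op, value = m.groups()
        rules.append((attr, "==" if op == "=" else op, value))  # "=" is treated as ==
    return lines[0].strip(), rules

def passes(op, rule_value, value):
    """Check one value against one rule (integer ordering, string equality)."""
    if op in ("=*", "!*"):
        return op == "=*"
    if op in ("=~", "!~"):
        return (re.search(rule_value, value) is not None) == (op == "=~")
    if op in ("==", "!="):
        return (value == rule_value) == (op == "==")
    a, b = int(value), int(rule_value)
    return {">=": a >= b, "<=": a <= b, ">": a > b, "<": a < b}[op]

def apply_filter(rules, pairs, relaxed=False):
    """Return the A/V pairs that make it past the filter."""
    forced = {a: v for a, op, v in rules if op == ":="}
    out = []
    for attr, value in pairs:
        checks = [(op, rv) for a, op, rv in rules if a == attr and op != ":="]
        ok = all(passes(op, rv, value) for op, rv in checks) if checks else relaxed
        if ok and attr not in forced:
            out.append((attr, value))
    return out + list(forced.items())
```

       With the default relaxed = no, the over-long Session-Timeout and the unlisted Class
       attribute are both dropped; with relaxed = yes, only the Session-Timeout is dropped.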

SECTIONS

       preacct
              Filters Accounting-Request packets.

       accounting
              Filters Accounting-Response packets.

       pre-proxy
              Filters Accounting-Request or Access-Request packets prior to proxying them.

       post-proxy
              Filters  Accounting-Response,  Access-Accept,  Access-Reject,  or  Access-Challenge
              responses from a home server.

       authorize
              Filters Access-Request packets.

       post-auth
              Filters Access-Accept or Access-Reject packets.

FILES

       /etc/raddb/radiusd.conf /etc/raddb/attrs

SEE ALSO

       radiusd(8), radiusd.conf(5)

AUTHOR

       Chris Parker, cparker@segv.org

                                         12 February 2008                      rlm_attr_filter(5)