bionic (5) rlm_attr_filter.5.gz

Provided by: freeradius-common_3.0.16+dfsg-1ubuntu3.2_all bug

NAME

       rlm_attr_filter - FreeRADIUS Module

DESCRIPTION

       The  rlm_attr_filter  module  exists  for  filtering  certain  attributes  and  values  in  received ( or
       transmitted ) radius packets.  It gives the server a flexible framework to filter the attributes we  send
       to  or  receive  from  home  servers  or  NASes.  This makes sense, for example, in an out-sourced dialup
       situation to various policy decisions, such as restricting a client to certain ranges of Idle-Timeout  or
       Session-Timeout.

       Filter  rules  are normally defined and applied on a per-realm basis, where the realm is anything that is
       defined and matched based on the configuration of the rlm_realm module.  Filter rules can  optionally  be
       applied using another attribute, by editing the key configuration for this module.

       In  2.0.1  and earlier versions, the "accounting" section filtered the Accounting-Request, even though it
       was documented as filtering the response.  This issue has been fixed in version 2.0.2 and later versions.
       The "preacct" section may now be used to filter Accounting-Request packets.  The "accounting" section now
       filters Accounting-Response packets.  Administrators using  "attr_filter"  in  the  "accounting"  section
       SHOULD move the reference to "attr_filter" from "accounting" to "preacct".

       The  file  that  defines the attribute filtering rules follows a similar syntax to the users file.  There
       are a few differences however:

           There are no check-items allowed other than the name of the key.

           There can only be a single DEFAULT entry.

       The rules for each entry are parsed to top to bottom, and an attribute must pass *all*  the  rules  which
       affect it in order to make it past the filter.  Order of the rules is important.  The operators and their
       purpose in defining the rules are as follows:

       =      THIS OPERATOR IS NOT ALLOWED.  If used, and warning message is printed and it is treated as ==

       :=     Set, this attribute and value will always be placed in the output A/V  Pairs.   If  the  attribute
              exists, it is overwritten.

       ==     Equal, value must match exactly.

       =*     Always Equal, allow all values for the specified attribute.

       !*     Never  Equal,  disallow  all  values for the specified attribute.  ( This is redundant, as any A/V
              Pair not explicitly permitted will be dropped ).

       !=     Not Equal, value must not match.

       >=     Greater Than or Equal

       <=     Less Than or Equal

       >      Greater Than

       <      Less Than

       If regular expressions are enabled the following operators are also possible.  ( Regular Expressions  are
       included  by  default  unless  your system doesn't support them, which should be rare ).  The value field
       uses standard regular expression syntax.

       =~     Regular Expression Equal

       !~     Regular Expression Not Equal

       See the default /etc/freeradius/3.0/mods-config/attr_filter/ for working examples of sample rule ordering
       and how to use the different operators.

       The configuration items are:

       file   This  specifies  the  location  of  the  file used to load the filter rules.  This file is used to
              filter the accounting response, packet before it is proxied, proxy response from the home  server,
              or our response to the NAS.

       key    Usually  %{Realm}  (the default).  Can also be %{User-Name}, or other attribute that exists in the
              request.  Note that the module always keys off of attributes in the request, and NOT in any  other
              packet.

       relaxed
              If  set  to  'yes',  then  attributes which do not match any filter rules explicitly, will also be
              allowed. This behaviour may be overridden for an individual filter block  using  the  Relax-Filter
              check item.  The default for this configuration item is 'no'.

SECTIONS

       preacct
              Filters Accounting-Request packets.

       accounting
              Filters Accounting-Response packets.

       pre-proxy
              Filters Accounting-Request or Access-Request packets prior to proxying them.

       post-proxy
              Filters  Accounting-Response,  Access-Accept,  Access-Reject, or Access-Challenge responses from a
              home server.

       authorize
              Filters Access-Request packets.

       post-auth
              Filters Access-Accept or Access-Reject packets.

FILES

       /etc/freeradius/3.0/radiusd.conf /etc/freeradius/3.0/mods-config/attr_filter/*

SEE ALSO

       radiusd(8), radiusd.conf(5)

AUTHOR

       Chris Parker, cparker@segv.org

                                                  27 June 2013                                rlm_attr_filter(5)