Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   44335 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

rlm_attr_filter(5)	       FreeRADIUS Module	    rlm_attr_filter(5)

NAME
       rlm_attr_filter - FreeRADIUS Module

DESCRIPTION
       The  rlm_attr_filter module exists for filtering certain attributes and
       values in received ( or transmitted ) radius  packets.	It  gives  the
       server  a  flexible  framework  to  filter the attributes we send to or
       receive from home servers or NASes.  This makes sense, for example,  in
       an  out-sourced	dialup	situation to various policy decisions, such as
       restricting a client to certain ranges of Idle-Timeout or Session-Time‐
       out.

       Filter  rules  are  normally  defined and applied on a per-realm basis,
       where the realm is anything that is defined and matched	based  on  the
       configuration  of the rlm_realm module.	Filter rules can optionally be
       applied using another attribute, by editing the key  configuration  for
       this module.

       In  2.0.1  and  earlier versions, the "accounting" section filtered the
       Accounting-Request, even though it  was	documented  as	filtering  the
       response.   This	 issue	has been fixed in version 2.0.2 and later ver‐
       sions.  The "preacct" section may now be	 used  to  filter  Accounting-
       Request	packets.   The	"accounting"  section  now filters Accounting-
       Response packets.  Administrators using "attr_filter" in the  "account‐
       ing"  section SHOULD move the reference to "attr_filter" from "account‐
       ing" to "preacct".

       The file that defines the attribute filtering rules follows  a  similar
       syntax to the users file.  There are a few differences however:

	   There are no check-items allowed other than the name of the key.

	   There can only be a single DEFAULT entry.

       The  rules for each entry are parsed to top to bottom, and an attribute
       must pass *all* the rules which affect it in order to make it past  the
       filter.	Order of the rules is important.  The operators and their pur‐
       pose in defining the rules are as follows:

       =      THIS OPERATOR IS NOT ALLOWED.  If used, and warning  message  is
	      printed and it is treated as ==

       :=     Set,  this attribute and value will always be placed in the out‐
	      put A/V Pairs.  If the attribute exists, it is overwritten.

       ==     Equal, value must match exactly.

       =*     Always Equal, allow all values for the specified attribute.

       !*     Never Equal, disallow all values for the specified attribute.  (
	      This is redundant, as any A/V Pair not explicitly permitted will
	      be dropped ).

       !=     Not Equal, value must not match.

       >=     Greater Than or Equal

       <=     Less Than or Equal

       >      Greater Than

       <      Less Than

       If regular expressions are enabled the  following  operators  are  also
       possible.   (  Regular  Expressions are included by default unless your
       system doesn't support them, which should be rare ).  The  value	 field
       uses standard regular expression syntax.

       =~     Regular Expression Equal

       !~     Regular Expression Not Equal

       See  the	 default  /etc/raddb/attrs for working examples of sample rule
       ordering and how to use the different operators.

       The configuration items are:

       attrsfile
	      This specifies the location of the file used to load the	filter
	      rules.   This  file  is  used to filter the accounting response,
	      packet before it	is  proxied,  proxy  response  from  the  home
	      server, or our response to the NAS.

       key    Usually  %{Realm}	 (the  default).  Can also be %{User-Name}, or
	      other attribute that exists in the request.  Note that the  mod‐
	      ule always keys off of attributes in the request, and NOT in any
	      other packet.

       relaxed
	      If set to 'yes', then attributes which do not match  any	filter
	      rules  explicitly,  will	also be allowed. This behaviour may be
	      overridden for an individual filter block using the Relax-Filter
	      check item.  The default for this configuration item is 'no'.

SECTIONS
       preacct
	      Filters Accounting-Request packets.

       accounting
	      Filters Accounting-Response packets.

       pre-proxy
	      Filters  Accounting-Request  or  Access-Request packets prior to
	      proxying them.

       post-proxy
	      Filters Accounting-Response,  Access-Accept,  Access-Reject,  or
	      Access-Challenge responses from a home server.

       authorize
	      Filters Access-Request packets.

       post-auth
	      Filters Access-Accept or Access-Reject packets.

FILES
       /etc/raddb/radiusd.conf /etc/raddb/attrs

SEE ALSO
       radiusd(8), radiusd.conf(5)

AUTHOR
       Chris Parker, cparker@segv.org

			       12 February 2008		    rlm_attr_filter(5)

Vote for polarhome