rlm_attr_filter (5) - Linux Manuals
rlm_attr_filter: FreeRADIUS Module
NAME
rlm_attr_filter - FreeRADIUS ModuleDESCRIPTION
The rlm_attr_filter module exists for filtering certain attributes and values in received ( or transmitted ) radius packets. It gives the server a flexible framework to filter the attributes we send to or receive from home servers or NASes. This makes sense, for example, in an out-sourced dialup situation to various policy decisions, such as restricting a client to certain ranges of Idle-Timeout or Session-Timeout.Filter rules are normally defined and applied on a per-realm basis, where the realm is anything that is defined and matched based on the configuration of the rlm_realm module. Filter rules can optionally be applied using another attribute, by editing the key configuration for this module.
In 2.0.1 and earlier versions, the "accounting" section filtered the Accounting-Request, even though it was documented as filtering the response. This issue has been fixed in version 2.0.2 and later versions. The "preacct" section may now be used to filter Accounting-Request packets. The "accounting" section now filters Accounting-Response packets. Administrators using "attr_filter" in the "accounting" section SHOULD move the reference to "attr_filter" from "accounting" to "preacct".
The file that defines the attribute filtering rules follows a similar syntax to the users file. There are a few differences however:
-
There are no check-items allowed other than the name of the key. There can only be a single DEFAULT entry. The rules for each entry are parsed to top to bottom, and an attribute must pass *all* the rules which affect it in order to make it past the filter. Order of the rules is important. The operators and their purpose in defining the rules are as follows:
- =
- THIS OPERATOR IS NOT ALLOWED. If used, and warning message is printed and it is treated as ==
- :=
- Set, this attribute and value will always be placed in the output A/V Pairs. If the attribute exists, it is overwritten.
- ==
- Equal, value must match exactly.
- =*
- Always Equal, allow all values for the specified attribute.
- !*
- Never Equal, disallow all values for the specified attribute. ( This is redundant, as any A/V Pair not explicitly permitted will be dropped ).
- !=
- Not Equal, value must not match.
- >=
- Greater Than or Equal
- <=
- Less Than or Equal
- >
- Greater Than
- <
- Less Than
- =~
- Regular Expression Equal
- !~
- Regular Expression Not Equal
The configuration items are:
- file
- This specifies the location of the file used to load the filter rules. This file is used to filter the accounting response, packet before it is proxied, proxy response from the home server, or our response to the NAS.
- key
- Usually %{Realm} (the default). Can also be %{User-Name}, or other attribute that exists in the request. Note that the module always keys off of attributes in the request, and NOT in any other packet.
- relaxed
- If set to 'yes', then attributes which do not match any filter rules explicitly, will also be allowed. This behaviour may be overridden for an individual filter block using the Relax-Filter check item. The default for this configuration item is 'no'.
SECTIONS
- preacct
- Filters Accounting-Request packets.
- accounting
- Filters Accounting-Response packets.
- pre-proxy
- Filters Accounting-Request or Access-Request packets prior to proxying them.
- post-proxy
- Filters Accounting-Response, Access-Accept, Access-Reject, or Access-Challenge responses from a home server.
- authorize
- Filters Access-Request packets.
- post-auth
- Filters Access-Accept or Access-Reject packets.
FILES
/etc/raddb/radiusd.conf /etc/raddb/filter/*AUTHOR
Chris Parker, cparker [at] segv.org