1
0
forked from infra/ansible
infra/roles/radius/files/raddb/attrs

130 lines
4.2 KiB
Plaintext
Raw Normal View History

2017-02-21 20:20:04 +01:00
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 76c644b100656f8bd45e768b13cbcf140ce5a770 $
#
# This file contains security and configuration information
# for each realm. The first field is the realm name and
# can be up to 253 characters in length. This is followed (on
# the next line) with the list of filter rules to be used to
# decide what attributes and/or values we allow proxy servers
# to pass to the NAS for this realm.
#
# When a proxy-reply packet is received from a home server,
# these attributes and values are tested. Only the first match
# is used unless the "Fall-Through" variable is set to "Yes".
# In that case the rules defined in the DEFAULT case are
# processed as well.
#
# A special realm named "DEFAULT" matches on all realm names.
# You can have only one DEFAULT entry. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# Indented (with the tab character) lines following the first
# line indicate the filter rules.
#
# You can include another `attrs' file with `$INCLUDE attrs.other'
#
#
# This is a complete entry for realm "fisp". Note that there is no
# Fall-Through entry so that no DEFAULT entry will be used, and the
# server will NOT allow any other a/v pairs other than the ones
# listed here.
#
# These rules allow:
# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear )
# o PPP sessions ( no SLIP, CSLIP, etc. )
# o dynamic ip assignment ( can't assign a static ip )
# o an idle timeout value set to 600 seconds (10 min) or less
# o a max session time set to 28800 seconds (8 hours) or less
#
#fisp
# Service-Type == Framed-User,
# Framed-Protocol == PPP,
# Framed-IP-Address == 255.255.255.254,
# Idle-Timeout <= 600,
# Session-Timeout <= 28800
#
# This is a complete entry for realm "tisp". Note that there is no
# Fall-Through entry so that no DEFAULT entry will be used, and the
# server will NOT allow any other a/v pairs other than the ones
# listed here.
#
# These rules allow:
# o Only Login-User Service-Type ( no framed/ppp sessions )
# o Telnet sessions only ( no rlogin, tcp-clear )
# o Login hosts of either 192.168.1.1 or 192.168.1.2
#
#tisp
# Service-Type == Login-User,
# Login-Service == Telnet,
# Login-TCP-Port == 23,
# Login-IP-Host == 192.168.1.1,
# Login-IP-Host == 192.168.1.2
#
# The following example can be used for a home server which is only
# allowed to supply a Reply-Message, a Session-Timeout attribute of
# maximum 86400, a Idle-Timeout attribute of maximum 600 and a
# Acct-Interim-Interval attribute between 300 and 3600.
# All other attributes sent back will be filtered out.
#
#strictrealm
# Reply-Message =* ANY,
# Session-Timeout <= 86400,
# Idle-Timeout <= 600,
# Acct-Interim-Interval >= 300,
# Acct-Interim-Interval <= 3600
#
# This is a complete entry for realm "spamrealm". Fall-Through is used,
# so that the DEFAULT filter rules are used in addition to these.
#
# These rules allow:
# o Force the application of Filter-ID attribute to be returned
# in the proxy reply, whether the proxy sent it or not.
# o The standard DEFAULT rules as defined below
#
#spamrealm
# Framed-Filter-Id := "nosmtp.in",
# Fall-Through = Yes
#
# The rest of this file contains the DEFAULT entry.
# DEFAULT matches with all realm names. (except if the realm previously
# matched an entry with no Fall-Through)
#
DEFAULT
Service-Type == Framed-User,
Service-Type == Login-User,
Login-Service == Telnet,
Login-Service == Rlogin,
Login-Service == TCP-Clear,
Login-TCP-Port <= 65536,
Framed-IP-Address == 255.255.255.254,
Framed-IP-Netmask == 255.255.255.255,
Framed-Protocol == PPP,
Framed-Protocol == SLIP,
Framed-Compression == Van-Jacobson-TCP-IP,
Framed-MTU >= 576,
Framed-Filter-ID =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
EAP-Message =* ANY,
Message-Authenticator =* ANY,
MS-MPPE-Recv-Key =* ANY,
MS-MPPE-Send-Key =* ANY,
MS-CHAP-MPPE-Keys =* ANY,
State =* ANY,
Session-Timeout <= 28800,
Idle-Timeout <= 600,
Calling-Station-Id =* ANY,
Operator-Name =* ANY,
Port-Limit <= 2