#
-# Please read the documentation file ../doc/rlm_attr_filter
-# for more information.
+# Configuration file for the rlm_attr_filter module.
+# Please see rlm_attr_filter(5) manpage for more information.
+#
+# $Id$
#
# This file contains security and configuration information
-# for each realm. The first field is the realm name and
-# can be up to 253 characters in length. This is followed (on
+# for each realm. The first field is the realm name and
+# can be up to 253 characters in length. This is followed (on
# the next line) with the list of filter rules to be used to
-# decide what attributes we allow proxy servers to return to us
-# for this realm.
+# decide what attributes and/or values we allow proxy servers
+# to pass to the NAS for this realm.
#
-# When a proxy-reply request is received from a proxy server,
-# these values are tested. Only the first match is used unless the
-# "Fall-Through" variable is set to "Yes". In that case the rules
-# defined in the DEFAULT case are processed as well.
+# When a proxy-reply packet is received from a home server,
+# these attributes and values are tested. Only the first match
+# is used unless the "Fall-Through" variable is set to "Yes".
+# In that case the rules defined in the DEFAULT case are
+# processed as well.
#
-# A special user named "DEFAULT" matches on all realm names.
+# A special realm named "DEFAULT" matches on all realm names.
# You can have only one DEFAULT entry. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# Indented (with the tab character) lines following the first
-# line indicate the filter rules to be used by the server to
+# line indicate the filter rules.
#
# You can include another `attrs' file with `$INCLUDE attrs.other'
#
#
-# This is a complete entry for "fisp". Note that there is no Fall-Through
-# entry so that no DEFAULT entry will be used, and the server will NOT
-# allow any other a/v pairs other than the ones listed here.
+# This is a complete entry for realm "fisp". Note that there is no
+# Fall-Through entry so that no DEFAULT entry will be used, and the
+# server will NOT allow any other a/v pairs other than the ones
+# listed here.
#
# These rules allow:
# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear )
# Idle-Timeout <= 600,
# Session-Timeout <= 28800
-
#
-# This is a complete entry for "tisp". Note that there is no Fall-Through
-# entry so that no DEFAULT entry will be used, and the server will NOT
-# allow any other a/v pairs other than the ones listed here.
+# This is a complete entry for realm "tisp". Note that there is no
+# Fall-Through entry so that no DEFAULT entry will be used, and the
+# server will NOT allow any other a/v pairs other than the ones
+# listed here.
#
# These rules allow:
# o Only Login-User Service-Type ( no framed/ppp sessions )
# Service-Type == Login-User,
# Login-Service == Telnet,
# Login-TCP-Port == 23,
-# Login-IP-Host == 192.168.1.1
-# Login-IP-Host == 192.168.1.2
+# Login-IP-Host == 192.168.1.1,
+# Login-IP-Host == 192.168.1.2
+
+#
+# The following example can be used for a home server which is only
+# allowed to supply a Reply-Message, a Session-Timeout attribute of
+# maximum 86400, a Idle-Timeout attribute of maximum 600 and a
+# Acct-Interim-Interval attribute between 300 and 3600.
+# All other attributes sent back will be filtered out.
+#
+#strictrealm
+# Reply-Message =* ANY,
+# Session-Timeout <= 86400,
+# Idle-Timeout <= 600,
+# Acct-Interim-Interval >= 300,
+# Acct-Interim-Interval <= 3600
#
-# This is a complete entry for "spamrealm". Fall-Through is used, so
-# that the DEFAULT filter rules are used in addition to these.
+# This is a complete entry for realm "spamrealm". Fall-Through is used,
+# so that the DEFAULT filter rules are used in addition to these.
#
# These rules allow:
# o Force the application of Filter-ID attribute to be returned
#
# The rest of this file contains the DEFAULT entry.
-# DEFAULT matches with all realm names.
+# DEFAULT matches with all realm names. (except if the realm previously
+# matched an entry with no Fall-Through)
#
-DEFAULT
+DEFAULT
Service-Type == Framed-User,
Service-Type == Login-User,
Login-Service == Telnet,
Framed-Filter-ID =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
+ EAP-Message =* ANY,
+ Message-Authenticator =* ANY,
+ MS-MPPE-Recv-Key =* ANY,
+ MS-MPPE-Send-Key =* ANY,
+ MS-CHAP-MPPE-Keys =* ANY,
+ State =* ANY,
Session-Timeout <= 28800,
Idle-Timeout <= 600,
Port-Limit <= 2
-
-
-
-