Overview

A filter is a collection of rules for adding, modifying, or removing attributes or attribute values in RADIUS requests and responses. You define filters and their rules using the Web GUI. You enable filters by referring to them by name in the Web GUI or when editing certain .ini file sections.

A filter consists of one or more rules, which are processed in sequential order.

  • Add rules specify that an attribute-value pair (AVP) is added to a RADIUS packet during processing. The AVP is added after all other rules are processed. An attribute is added to a packet only if it is legal to do so.

    Some attributes can appear only once in a RADIUS packet; others can appear multiple times. If an attribute that is the subject of an Add rule is already present in the packet (after processing Allow and Exclude rules) and the attribute can only appear once, the Add rule is not processed and the second instance of the attribute is not added.

  • Allow rules specify whether an attribute or AVP is allowed in a RADIUS packet.
    • If an Allow rule specifies an attribute name and an attribute value, then only attributes of the specified type and value are allowed in the RADIUS packet.
    • If an Allow rule specifies an attribute name without an attribute value, then all attributes of the specified type, regardless of value, are allowed in the RADIUS packet.
    • If an Allow rule does not specify an attribute name, then all attributes, regardless of value, are allowed in the RADIUS packet.
    • The Allow Unknown rule specifies that all attributes, regardless of whether they are included in the dictionary of the sending NAS, are included when proxying the message to the target (outbound filters) or before returning the proxy response (inbound filters). Optionally, a vendor ID may accompany the directive. When used with a global Exclude Unknown, this rule overrides the exclusion of attributes from the specified vendor ID.
  • Exclude rules specify an attribute or AVP to be excluded from a RADIUS packet.
    • If an Exclude rule specifies an attribute name and an attribute value, then only attributes of the specified type and value are excluded from the RADIUS packet.
    • If an Exclude rule specifies an attribute name without an attribute value, then all attributes of the specified type, regardless of value, are excluded from the RADIUS packet.
    • If an Exclude rule does not specify an attribute name, then all attributes, regardless of value, are excluded from the RADIUS packet.
    • The Exclude Unknown rule specifies that all attributes that are not included in the dictionary of the sending NAD are deleted before proxying the message to the target (outbound filters) or before returning the proxy response (inbound filters). Optionally, a vendor ID may accompany the directive. If included, only attributes from the specified vendor are excluded.
  • Replace rules specify the conditions whereby one attribute (or attribute value) is replaced with another.
    • If a Replace rule specifies replacement of one named attribute of a specified value (attr1 v1) to be replaced with a different attribute of a specified value (attr2 v2), then any occurrence of the first AVP is replaced with the second AVP. Result: attr2 v2.
    • If a Replace rule specifies replacement of a named attribute without a specified value (attr1) to be replaced with a different attribute of a specified value (attr2 v2), then any occurrence of the first attribute (regardless of value) is replaced with the second AVP. Result: attr2 v2.
    • If a Replace rule specifies replacement of one named attribute of a specified value (attr1 v1) to be replaced with a different attribute without a specified value (attr2), then any occurrence of the first attribute is replaced with the second attribute, which retains the value of the original attribute. Result: attr2 v1.
    • If a Replace rule specifies replacement of one named attribute (without a specified value) with a different attribute without a specified value, then any occurrence of the first attribute is replaced with the second attribute, which retains the value of the original attribute. Result: attr2 v1.

      Note: You cannot replace a subattribute with a parent attribute, or vice versa.

  • Script rules specify when to run attribute filter scripts. For information about attribute filter scripts, refer to Creating Attribute Filter Scripts.

The SBR Carrier dictionary file radius.dct provides string aliases for certain integer values defined in the RADIUS standard. You can use these strings in attribute filter rules.

Note: Filter rules provide you with tremendous flexibility. However, SBR Carrier does not prevent you from creating an invalid RADIUS packet. Some attributes are not appropriate for certain types of requests. For example, adding a pooled Framed-Ip-Address attribute to an accounting request can cause a loss of available IP addresses.

Note: You can specify structured attributes in attribute filters. Throughout this chapter, the term attributes refers to both standard RADIUS attributes and structured attributes. For information about specifying structured attributes, see the SBR Carrier Reference Guide.

Note: You can use a separately licensed add-on module to use JavaScript to select and create filters. For more information about the JavaScript module, refer to Optional Scripting Module.

Order of Filter Rules

The order of rules within a filter is important. General default rules that take no parameters, such as Allow (allow all attributes unless otherwise specified) or Exclude (exclude all attributes unless otherwise specified) must appear as the first rule in the filter. Later rules supersede earlier rules; the last applicable rule takes precedence. Add and Replace rules are applied after the Allow and Exclude rules.

More specific rules with more parameters (Add attribute value) act as exceptions to less specific rules with fewer parameters (Allow attribute, EXCLUDE). For example, you might want to allow a certain attribute and exclude one or more specific values for that attribute. Or you might exclude all attributes, allow specific attributes, and add specific attribute/value pairs.

Note: Script rules are not subject to rule ordering.

You can use two basic approaches to designing a filter:

  • Start the rule list with a default Exclude rule (no parameters) and add Allow rules for any attributes or attribute/value pairs that you want to insert into the packet. Add and Replace rules may be used.
  • Start the rule list with a default Allow rule (no parameters) and add Exclude rules for any attributes or attribute/value pairs that you want to remove from the packet. Add and Replace rules may be used.

The default action for SBR Carrier is Exclude. If a filter does not contain any rules, the filter removes all attributes from a packet when the filter is applied.
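The following Python model is an added illustration, not SBR Carrier code and not a description of its internals. It applies the rule semantics described above to a constructed packet: the default action is Exclude, the last applicable Allow or Exclude rule wins, Replace rules then rewrite the surviving AVPs, and Add rules run last and skip an attribute that may appear only once and is already present. The SINGLE_INSTANCE set, the sample packet and the two filters are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# An attribute-value pair as it appears in a RADIUS packet (constructed model).
AVP = Tuple[str, str]


@dataclass(frozen=True)
class Rule:
    """One filter rule. attr/value of None mean 'any' (the parameterless default rules)."""
    action: str                       # "allow", "exclude", "replace" or "add"
    attr: Optional[str] = None
    value: Optional[str] = None
    new_attr: Optional[str] = None    # replace rules only: the attribute written
    new_value: Optional[str] = None   # replace rules only: None keeps the original value


# Constructed sample set; a real dictionary defines which attributes may appear only once.
SINGLE_INSTANCE = {"User-Name", "Framed-IP-Address", "Session-Timeout"}


def _matches(rule: Rule, avp: AVP) -> bool:
    """Allow/Exclude matching: no attr = any AVP; attr only = any value of that attr."""
    name, value = avp
    if rule.attr is None:
        return True
    return rule.attr == name and (rule.value is None or rule.value == value)


def _keep(rules: List[Rule], avp: AVP) -> bool:
    """Default action is Exclude; the last applicable Allow/Exclude rule wins."""
    keep = False
    for rule in rules:
        if rule.action in ("allow", "exclude") and _matches(rule, avp):
            keep = rule.action == "allow"
    return keep


def apply_filter(rules: List[Rule], packet: List[AVP]) -> List[AVP]:
    # Phase 1: Allow/Exclude rules decide which incoming AVPs survive.
    kept = [avp for avp in packet if _keep(rules, avp)]

    # Phase 2: Replace rules rewrite surviving AVPs; an unset new_value keeps the old value.
    for rule in rules:
        if rule.action != "replace":
            continue
        rewritten = []
        for name, value in kept:
            if name == rule.attr and (rule.value is None or rule.value == value):
                new_value = value if rule.new_value is None else rule.new_value
                rewritten.append((rule.new_attr, new_value))
            else:
                rewritten.append((name, value))
        kept = rewritten

    # Phase 3: Add rules run last; a single-instance attribute already present is not duplicated.
    for rule in rules:
        if rule.action != "add":
            continue
        if rule.attr in SINGLE_INSTANCE and any(name == rule.attr for name, _ in kept):
            continue
        kept.append((rule.attr, rule.value))
    return kept


# Constructed sample Access-Accept contents.
SAMPLE_PACKET: List[AVP] = [
    ("User-Name", "alice"),
    ("Framed-IP-Address", "10.0.0.5"),
    ("Reply-Message", "hi"),
    ("Vendor-Foo", "x"),
]

# Approach 1: default Exclude, Allow the attributes we want, then Add.
EXCLUDE_FIRST = [
    Rule("exclude"),
    Rule("allow", "User-Name"),
    Rule("allow", "Framed-IP-Address"),
    Rule("add", "Framed-IP-Address", "10.0.0.99"),   # skipped: single instance, already present
    Rule("add", "Reply-Message", "Session limit is one hour"),
]

# Approach 2: default Allow, Exclude one specific value, then Replace attr1 -> attr2 v1.
ALLOW_FIRST = [
    Rule("allow"),
    Rule("exclude", "Reply-Message", "hi"),
    Rule("replace", "Vendor-Foo", None, "Vendor-Bar", None),
]

if __name__ == "__main__":
    print(apply_filter(EXCLUDE_FIRST, SAMPLE_PACKET))
    print(apply_filter(ALLOW_FIRST, SAMPLE_PACKET))
    print(apply_filter([], SAMPLE_PACKET))   # an empty filter strips every attribute
```

Reordering the rules in either list changes the result, which is the point of the "last applicable rule takes precedence" sentence above: an Allow for a specific value placed after a general Exclude acts as an exception, and the same Allow placed before it is overridden.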

Values in Filter Rules

The value of an attribute is interpreted based on the type of the attribute in its attribute dictionary. Table 31 lists the meaning of each attribute type.

Table 31: Filter Rule Values

Attribute Type    Function

hexadecimal

A hexadecimal value is specified as a string. Special characters may be included using escape codes.

int1, int4, integer

1- or 4-byte unsigned decimal number (integer is equivalent to int4).

Note: The SBR Carrier dictionary file radius.dct provides string aliases for certain integer values defined in the RADIUS standard. You can use these strings in attribute filter rules.

ipaddr, ipaddr-pool

An IP address in dotted notation; for example:

    EXCLUDE NAS-IP-Address 127.0.0.1

string

String attribute (includes null terminator). A string is specified as text. The text may be enclosed in double quotes ("). The text is interpreted as a regular expression. Backslash (\) is the escape character. Escape codes are interpreted as follows:

Code    Meaning (decimal byte value)

\a      7
\b      8
\f      12
\n      10
\r      13
\t      9
\v      11
\nnn    nnn is a decimal value between 0 and 255
\xnn    nn is a hexadecimal value between 00 and FF
\c      c is a single character, interpreted literally

Prefix literal backslashes (\) within a string and double quotes (") within quoted strings with an escape character. For example:

   ADD Reply-Message Session limit is one hour

   ADD Reply-Message "Session limit is one hour"

   ADD Reply-Message "Your username is \"George\" \"George\""

time

A time value is specified with a string indicating date and time:

yyyy/mm/dd hh:mm:ss

The date portion is mandatory; the time portion may be specified to whatever degree of precision is required, or may be omitted entirely. For example:

   2009/01/20 14:00:00

and

   2009/01/20 14

both refer to January 20, 2009 at 2:00 p.m.

For example:

   ADD Ascend-PW-Expiration 2009/01/20
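The following Python parser is added here as an example and is not part of SBR Carrier. It interprets rule values by the Table 31 attribute types: string escapes including \nnn and \xnn, int1/int4 range checks with a constructed alias table standing in for radius.dct, dotted IP addresses, and time values whose time portion is truncated or absent. The decoded string is returned as text so that it can serve as the regular expression the table says string values are interpreted as. The assumption that \nnn may be written with one to three digits, the alias names, and the whitespace splitting in parse_rule_line are the example's own, not documented behaviour.

```python
import ipaddress
import re
from datetime import datetime
from typing import Optional, Tuple, Union

# Single-character escapes from Table 31 mapped to the byte value they produce.
ESCAPES = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11}

# Illustrative aliases only (constructed); the real names and values come from radius.dct.
INTEGER_ALIASES = {"Framed-User": 2, "PPP": 1}


def unescape_string(text: str) -> str:
    """Decode a string-typed rule value: optional surrounding double quotes, backslash escapes."""
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        text = text[1:-1]
    out = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(text):
            raise ValueError("dangling backslash at end of value")
        nxt = text[i + 1]
        if nxt in ESCAPES:                       # \a \b \f \n \r \t \v
            out.append(chr(ESCAPES[nxt]))
            i += 2
        elif nxt == "x":                         # \xnn: exactly two hex digits
            m = re.match(r"[0-9A-Fa-f]{2}", text[i + 2:])
            if not m:
                raise ValueError("bad \\x escape at offset %d" % i)
            out.append(chr(int(m.group(), 16)))
            i += 4
        elif nxt.isdigit():                      # \nnn: decimal 0..255 (1-3 digits assumed)
            m = re.match(r"[0-9]{1,3}", text[i + 1:])
            code = int(m.group())
            if code > 255:
                raise ValueError("decimal escape out of range at offset %d" % i)
            out.append(chr(code))
            i += 1 + len(m.group())
        else:                                    # \c: the character itself (covers \\ and \")
            out.append(nxt)
            i += 2
    return "".join(out)


def parse_int(text: str, bits: int) -> int:
    """int1/int4/integer: unsigned decimal, or a string alias for a known integer value."""
    if text in INTEGER_ALIASES:
        value = INTEGER_ALIASES[text]
    elif re.fullmatch(r"[0-9]+", text):
        value = int(text)
    else:
        raise ValueError("not an unsigned integer or known alias: %r" % text)
    if value >= 1 << bits:
        raise ValueError("%d does not fit in %d bits" % (value, bits))
    return value


# yyyy/mm/dd, then optionally hh, hh:mm or hh:mm:ss.
TIME_RE = re.compile(r"(\d{4})/(\d{2})/(\d{2})(?: (\d{1,2})(?::(\d{2})(?::(\d{2}))?)?)?")


def parse_time(text: str) -> datetime:
    """The date is mandatory; the time may be truncated to any precision or omitted."""
    m = TIME_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("bad time value: %r" % text)
    fields = [int(f) if f is not None else 0 for f in m.groups()]
    return datetime(*fields)


def parse_value(attr_type: str, text: str) -> Union[str, bytes, int, datetime, ipaddress.IPv4Address]:
    """Interpret the textual value of a rule according to the attribute's dictionary type."""
    if attr_type == "string":
        return unescape_string(text)
    if attr_type == "hexadecimal":                # raw octets written as an escaped string
        return unescape_string(text).encode("latin-1")
    if attr_type == "int1":
        return parse_int(text, 8)
    if attr_type in ("int4", "integer"):
        return parse_int(text, 32)
    if attr_type in ("ipaddr", "ipaddr-pool"):
        return ipaddress.IPv4Address(text)
    if attr_type == "time":
        return parse_time(text)
    raise ValueError("unknown attribute type: %r" % attr_type)


def parse_rule_line(line: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'ACTION Attribute value with spaces' into its parts; attr and value may be absent."""
    parts = line.strip().split(None, 2)
    action = parts[0].upper()
    attr = parts[1] if len(parts) > 1 else None
    value = parts[2] if len(parts) > 2 else None
    return action, attr, value


if __name__ == "__main__":
    for attr_type, raw in [("string", r'"Your username is \"George\""'),
                           ("time", "2009/01/20 14"), ("ipaddr", "127.0.0.1")]:
        print(attr_type, repr(parse_value(attr_type, raw)))
```

Feeding a rule line through parse_rule_line and then parse_value with the attribute's dictionary type reproduces the examples in the table: the unquoted and quoted forms of the Reply-Message value decode to the same text, and "2009/01/20 14" and "2009/01/20 14:00:00" decode to the same instant.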

Referencing Attribute Filters

SBR Carrier attribute filtering provides flexibility in packet processing. You reference filters by name in Web GUI dialogs, in various .ini and .aut configuration files, and in the FilterOut and FilterIn sections of your .pro and .dir files. You can use the same filter for all packets in all realms. You can apply filtering to some realms, and not others.

To disable filtering for a realm, omit filtering parameters from the *.pro or *.dir files and from the EAP-PEAP/EAP-TTLS configurations. Filtering is often used only for packets that are routed out to realms (the FilterOut parameter).

To reference filtering rules in proxy or directed realm configurations, you must use the FilterOut and FilterIn parameters in the [Auth] and [Acct] sections of a realm configuration file. For more information, refer to the SBR Carrier Reference Guide.

Note: Do not allocate IP addresses from SBR Carrier IP address pools in accounting filters. These addresses are allocated but never released.

Modified: 2017-03-07