On Thu, Mar 28, 2002 at 09:42:48AM -0600, Chris Parker wrote:
> At 06:18 PM 3/28/2002 +0300, Fduch the Pravking wrote:
> >By the way, how can I say "Any number of such attribute"
> >for rlm_attr_filter?
>
> It should already do that. It doesn't track state, so if you permit
> 'Ascend-Data-Filter ~= ".*"' then it will allow through all attributes
> that match that rule.

It doesn't do that.

raddb/attrs:

DEFAULT
        Service-Type == Framed-User,
        Service-Type == Login-User,
        Login-Service == Telnet,
        Login-Service == Rlogin,
        Login-Service == TCP-Clear,
        Login-TCP-Port <= 65536,
        Framed-IP-Address =~ ".*",
        Framed-IP-Netmask == 255.255.255.255,
        Framed-Protocol == PPP,
        Framed-Protocol == SLIP,
        Framed-Compression == Van-Jacobson-TCP-IP,
        Framed-MTU >= 576,
        Framed-Filter-ID =~ ".*",
        Reply-Message =~ ".*",
        Session-Timeout <= 28800,
        Idle-Timeout <= 600,
        Port-Limit <= 2,
        Cisco-AVPair =~ ".*",
        Fall-Through = Yes

And here are logs:

rad_recv: Access-Request packet from host <client>:2893, id=244, length=64
Thread 1 assigned request 35
--- Walking the entire request list ---
Waking up in 4 seconds...
Thread 1 handling request 35, (5 handled so far)
        User-Name = "stricted-user@realm"
        User-Password = "<crypted password>"
        NAS-IP-Address = "<NAS>"
        NAS-Port-Id = "3"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "attr_filter" returns noop
modcall[authorize]: module "files" returns notfound
rlm_realm: Proxying request from user register to realm realm
modcall[authorize]: module "suffix" returns updated
modcall: group authorize returns updated
Sending Access-Request of id 13 to <remote server>
        User-Name = "stricted-user@realm"
        User-Password = "<crypted-password>"
        NAS-IP-Address = "<NAS>"
        NAS-Port-Id = "3"
        Proxy-State = "244"
Thread 1 waiting to be assigned a request
rad_recv: Access-Accept packet from host <remote server>, id=13, length=1241
Thread 2 assigned request 35
Waking up in 4 seconds...
Thread 2 handling request 35, (5 handled so far)
        User-Name = "stricted-user@realm"
        User-Password = "<crypted password>"
        NAS-IP-Address = "<NAS>"
        Proxy-State = 0x323434
        NAS-Identifier = "<NAS id>"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Cisco-AVPair = "ip:inacl#1=permit udp..."
        Cisco-AVPair = "ip:inacl#2=permit udp..."
        Cisco-AVPair = "ip:inacl#3=permit udp..."
        Cisco-AVPair = "ip:inacl#4=permit udp..."
        Cisco-AVPair = "ip:inacl#5=permit udp..."
        Cisco-AVPair = "ip:inacl#6=permit udp..."
        Cisco-AVPair = "ip:inacl#7=permit udp..."
        Cisco-AVPair = "ip:inacl#8=permit tcp..."
        Cisco-AVPair = "ip:inacl#9=permit tcp..."
        Cisco-AVPair = "ip:inacl#10=deny ip any any"
        Cisco-AVPair = "ip:outacl#1=permit udp..."
        Cisco-AVPair = "ip:outacl#2=permit udp..."
        Cisco-AVPair = "ip:outacl#3=permit udp..."
        Cisco-AVPair = "ip:outacl#4=permit udp..."
        Cisco-AVPair = "ip:outacl#5=permit udp..."
        Cisco-AVPair = "ip:outacl#6=permit udp..."
        Cisco-AVPair = "ip:outacl#7=permit udp..."
        Cisco-AVPair = "ip:outacl#8=permit tcp..."
        Cisco-AVPair = "ip:outacl#9=permit tcp..."
        Cisco-AVPair = "ip:outacl#10=deny ip any any"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
attr_filter: Matched entry DEFAULT at line 84
modcall[authorize]: module "attr_filter" returns updated
modcall[authorize]: module "files" returns notfound
modcall[authorize]: module "suffix" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [stricted-user@realm] (from nas <client> port 0)
Sending Access-Accept of id 244 to <client>:2893
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Cisco-AVPair = "ip:inacl#1=permit udp..."
Finished request 35
Going to the next request

So, only the first Cisco-AVPair attribute is sent back to the NAS.

The only way I see is to add as many 'Cisco-AVPair =~ ".*"' lines
to raddb/attrs as it seems to be possible :(

Any comments or suggestions?

--
Fduch M. Pravking

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
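
Added example, not part of the original message and not FreeRADIUS code: a Python check that reads radiusd debug output in the format shown above and reports reply attributes that came back from the home server more often than they were forwarded to the NAS, which is the symptom described in the message (an ACL delivered with only its first rule). The sample log is constructed from lines in the message; the function name, and the assumption that each proxied Access-Accept is followed in the log by the Access-Accept sent to the NAS, are assumptions of this example.

```python
import re
from collections import Counter

ATTR = re.compile(r"^\s*([A-Za-z0-9-]+) = ")   # "Name = value" attribute line
RECV = "rad_recv: Access-Accept packet from host"
SENT = "Sending Access-Accept of id"

def truncated_attributes(log_text):
    """For each proxied Access-Accept, return {attribute: (received, sent)}
    for attributes forwarded at least once but fewer times than received."""
    exchanges = []                 # one [received, sent] Counter pair per Accept
    target, started = None, False
    for line in log_text.splitlines():
        if line.startswith(RECV):
            exchanges.append([Counter(), Counter()])
            target, started = exchanges[-1][0], False
        elif line.startswith(SENT) and exchanges:
            target, started = exchanges[-1][1], False
        elif target is not None:
            m = ATTR.match(line)
            if m:
                target[m.group(1)] += 1
                started = True
            elif started:
                target = None      # first non-attribute line ends the list
    return [{n: (r[n], s[n]) for n in r if 0 < s[n] < r[n]}
            for r, s in exchanges]

# Constructed sample, shortened from the debug output in the message.
SAMPLE_LOG = '''\
rad_recv: Access-Accept packet from host <remote server>, id=13, length=1241
Thread 2 handling request 35, (5 handled so far)
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Cisco-AVPair = "ip:inacl#1=permit udp..."
    Cisco-AVPair = "ip:inacl#2=permit udp..."
    Cisco-AVPair = "ip:inacl#10=deny ip any any"
modcall: entering group authorize
attr_filter: Matched entry DEFAULT at line 84
rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 244 to <client>:2893
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Cisco-AVPair = "ip:inacl#1=permit udp..."
Finished request 35
'''

if __name__ == "__main__":
    print(truncated_attributes(SAMPLE_LOG))
```

Attributes that the filter removes entirely are not reported, since stripping unlisted attributes is what the attrs file is for; only partially forwarded multi-valued attributes are flagged.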