23
23
The goal of the language is to allow simple policies to be written
24
24
with minimal effort. Those policies are then applied when a request
25
is being processed. Requests are processed through virtual servers
26
(including the default one), in the sections titled "authorize",
27
"authenticate", "post-auth", "preacct", "accounting", "pre-proxy",
28
"post-proxy", and "session".
30
These policies cannot be used in any other part of the configuration
31
files, such as module or client configuration.
27
33
The keywords for the language are a combination of pre-defined
28
34
keywords, and references to loadable module names. We document only
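Review bot: the added sentence that enumerates where policies run ("authorize", "authenticate", "post-auth", "preacct", "accounting", "pre-proxy", "post-proxy", and "session") reads as an exhaustive list, but a later hunk in this same change says policies are also evaluated when the server receives a CoA-Request or Disconnect-Request packet, and none of the listed sections is named as handling those. Either add the sections used for those packet types here or qualify the list (for example "for Access-Request and Accounting-Request packets, the sections titled ...") so the two passages do not contradict each other.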
146
152
The <list> can be one of "request", "reply", "proxy-request",
147
"proxy-reply", or "control". The "control" list is the list of
148
attributes maintainted internally by the server that controls how the
149
server processes the request. Any attribute that does not go in a
150
packet on the network will generally be placed in the "control" list.
153
"proxy-reply", "coa", "disconnect", or "control". The "control" list
154
is the list of attributes maintainted internally by the server that
155
controls how the server processes the request. Any attribute that
156
does not go in a packet on the network will generally be placed in the
152
159
For backwards compatibility with older versions, "check" is accepted
153
160
as a synonym for "control". The use of "check" is deprecated, and
158
165
"outer.request", "outer.reply", and "outer.control". Those references
159
166
allow you to address the relevant list in the outer tunnel session.
168
The "coa" and "disconnect" sections can only be used when the server
169
receives an Access-Request or Accounting-Request. Use "request" and
170
"reply" instead of "coa" when the server receives a CoA-Request or
171
Disconnect-Request packet.
173
Adding one or more attributes to either of the "coa" or "disconnect"
174
list causes server to originate a CoA-Request or Disconnect-Request
175
packet. That packet is sent when the current Access-Request or
176
Accounting-Request has been finished, and a reply sent to the NAS.
177
See raddb/sites-available/originate-coa for additional information.
161
179
The only contents permitted in an "update" section are attributes and
162
180
values. The contents of the "update" section are described in the
163
181
ATTRIBUTES section below.
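Review bot: the rewritten list description carries the old typo "maintainted" into the new line and keeps the agreement error "attributes ... that controls how the server processes the request"; suggest "attributes maintained internally by the server that control how the server processes the request". The same hunk also introduces "coa" and "disconnect" as entries of <list>, but the added paragraph then calls them 'The "coa" and "disconnect" sections'; use "lists" throughout, since the surrounding text reserves "section" for "update", "authorize" and the like. Two smaller fixes in the added CoA paragraph: "either of the "coa" or "disconnect" list causes server to originate" should read "either of the "coa" or "disconnect" lists causes the server to originate".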
304
322
in "Simple conditions", above. They can also appear (with some
305
323
exceptions noted below) on the left-hand or on the right-hand side of
308
326
Numbers are composed of decimal digits. Floating point, hex, and
309
327
octal numbers are not supported. The maximum value for a number is
310
328
machine-dependent, but is usually 32-bits, including one bit for a
333
351
if (Service-Type == Login-User) {
338
356
Double-quoted strings are expanded by inserting the value of any
339
357
variables (see VARIABLES, below) before being evaluated. If
340
358
the result is a number it is evaluated in a numerical context.
342
360
String length is limited by line-length, usually about 8000
343
characters. A double quote character (") can be used in a string via
361
characters. A double quote character can be used in a string via
344
362
the normal back-slash escaping method. ("like \\"this\\" !")
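Review bot: the only edit in this hunk removes the parenthetical (") that showed the literal character being described, so the sentence now names "a double quote character" without displaying it and relies entirely on the example ("like \\"this\\" !") on the following line. If the parenthetical was dropped because an unpaired quote upsets the formatter, consider keeping it with the formatter's escape rather than deleting it. Also worth confirming on that example line: the text says the escape is "the normal back-slash escaping method", i.e. a single backslash before the quote, while the example shows a doubled backslash; if the doubled form is only the source-level escape that renders as one backslash, fine, otherwise the example will teach the wrong syntax.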
532
550
Add the attribute to the list, if and only if an attribute of the same
533
name is already present in that list.
551
name is not already present in that list.
535
553
Add the attribute to the list. If any attribute of the same name is
536
554
already present in that list, its value is replaced with the value of
550
568
and value have to match in order for the attribute to be removed from
553
Remove all non-matching attributes from the list. Both the attribute
554
name and value have to match in order for the attribute to remain in
571
Keep all matching attributes. Both the attribute name and value have
572
to match in order for the attribute to remain in the list.
557
574
Note that this operator is very different than the '=' operator listed
560
Enforce that the integer value of the attribute is less than or equal
561
to the value given here. If there is no attribute of the same name in
562
the list, the attribute is added with the given value, is with "+=".
563
If an attribute in the list exists, and has value less than given
564
here, it's value is unchanged. If an attribute in the list exists,
565
and has a value greater than given here, then that value is replaced
566
with the one given here.
577
Keep all attributes having values less than, or equal to, the value
578
given here. Any larger value is replaced by the value given here. If
579
no attribute exists, it is added with the value given here, as with
568
582
This operator is valid only for attributes of integer type.
570
Enforce that the integer value of the attribute is greater than or
571
equal to the value given here. If there is no attribute of the same
572
name in the list, the attribute is added with the given value, is with
573
"+=". If an attribute in the list exists, and has value greater than
574
given here, it's value is unchanged. If an attribute in the list
575
exists, and has value less than given here, then that value is
576
replaced with the one given here.
584
Keep all attributes having values greater than, or equal to, the value
585
given here. Any larger value is replaced by the value given here. If
586
no attribute exists, it is added with the value given here, as with
578
589
This operator is valid only for attributes of integer type.
591
Delete all occurances of the named attribute, no matter what the
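Review bot: the rewritten description of the greater-than-or-equal operator is wrong in the new text: "Keep all attributes having values greater than, or equal to, the value given here. Any larger value is replaced by the value given here." The second sentence is copied from the less-than-or-equal operator above it; for this operator the old lines correctly said that a value less than the one given is replaced, so the new sentence should read "Any smaller value is replaced by the value given here." As written, the two operators would be documented as doing the same thing, which a policy author cannot detect until a limit is silently applied the wrong way. Minor: the new final line has "occurances"; suggest "occurrences".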