Name
Filter-ID
Synopsis
Attribute Number | 11
Length | 3 or more octets
Value | STRING
Allowed in | Access-Accept
Prohibited in | Access-Request, Access-Reject, Access-Challenge
Presence in Packet | Not required
Maximum Iterations | Unlimited
Filter-ID is arguably one of the most pragmatic, useful attributes in the RADIUS specification. Filter-ID is based upon the common practice of packet filtering, the use of which is most often found in firewalls and intrusion detection systems. The premise behind packet filtering is to inspect each and every packet in a transaction or data stream in order to determine, based on rules that an administrator configures, whether those packets should be allowed to pass through.
In RADIUS, however, that use is not as distinct. The closest parallel to packet inspection as a security device is to view the RADIUS client gear as a gateway. Indeed, the RADIUS client is the first hop on the packet’s path to the Internet, and the client can filter based on rules to decide whether to allow the packet to pass. But in RADIUS, packet filtering examines rules that an administrator configures, known as “filter profiles,” which act as guides to which packets can perform which actions on which network. Let’s take a closer look.
Let’s assume that a certain RADIUS implementation has three filter profiles configured: a “Mailonly” profile, a “FullInet” profile, and a “LocalSurf” profile. These profiles correspond to several account types that ...
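An added example (not from the book): a Python check that pulls Filter-ID attributes out of a raw RADIUS packet and enforces the synopsis above, that is, attribute 11, 3 or more octets, Access-Accept only, any number of occurrences. The header layout and packet codes follow RFC 2865; the function names, the constructed sample packet, and treating the three profile names as the client's complete configured set are assumptions for illustration.

```python
import struct

# RADIUS packet codes (RFC 2865) and the Filter-ID attribute number from the synopsis.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
FILTER_ID = 11
# Profile names from the text; assuming they are the full configured set is illustrative.
KNOWN_PROFILES = {"Mailonly", "FullInet", "LocalSurf"}

def build_packet(code, attrs, ident=1):
    """Build a constructed test packet; the zeroed authenticator is a placeholder."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def filter_ids(packet):
    """Return (code, [Filter-ID strings]); raise ValueError on a malformed or non-compliant packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == FILTER_ID:
            if alen < 3:
                raise ValueError("Filter-ID must be 3 or more octets")
            if code != ACCESS_ACCEPT:
                raise ValueError("Filter-ID is only allowed in Access-Accept")
            found.append(packet[pos + 2:pos + alen].decode("utf-8"))
        pos += alen
    return code, found

def unknown_profiles(names):
    """Names with no matching configured profile; failing closed on these is the assumed policy."""
    return [n for n in names if n not in KNOWN_PROFILES]

if __name__ == "__main__":
    # Constructed sample: an Access-Accept carrying two Filter-ID attributes.
    pkt = build_packet(ACCESS_ACCEPT, [(FILTER_ID, b"Mailonly"), (FILTER_ID, b"Guest")])
    code, names = filter_ids(pkt)
    print(code, names, unknown_profiles(names))
```

A RADIUS client that receives a Filter-ID naming a profile it does not have should be configured to reject the session rather than admit it unfiltered; the `unknown_profiles` result is the signal to act on.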