NAS-Filter-Rule incorrectly encoded as string

Pablo Nogueira pnogueira at
Tue Feb 16 12:23:30 CET 2021

first post here.
I'm trying to implement dynamic access lists for 802.1X authenticated
users. To do so, I'm using attribute NAS-Filter-Rule, as defined in
RFC 4849 and FreeRADIUS Version 3.0.21 as the RADIUS server.

To do so, I've modified users file with the following entry
user1      Cleartext-Password := "pass1"
               Service-Type = Framed-User,
               Nas-filter-Rule = "permit in tcp from any to",
               Nas-filter-Rule += 0x00,
               Nas-filter-Rule += "permit in ip from
               Nas-filter-Rule += 0x00,
               Nas-filter-Rule += "deny in ip from any to any",
               Nas-filter-Rule += 0x00

According to RFC 4849
"The String field is one or more octets.  It contains filter rules
      in the IPFilterRule syntax defined in [RFC3588], Section 4.3, with
      individual filter rules separated by a NUL (0x00).  A NAS-Filter-
      Rule attribute may contain a partial rule, one rule, or more than
      one rule.  Filter rules may be continued across attribute
      boundaries, so implementations cannot assume that individual
      filter rules begin or end on attribute boundaries.

      The set of NAS-Filter-Rule attributes SHOULD be created by
      concatenating the individual filter rules, separated by a NUL
      (0x00) octet.  The resulting data should be split on 253-octet
      boundaries to obtain a set of NAS-Filter-Rule attributes.  On
      reception, the individual filter rules are determined by
      concatenating the contents of all NAS-Filter-Rule attributes, and
      then splitting individual filter rules with the NUL octet (0x00)
      as a delimiter.

In my example above, RADIUS server is sending NAS-Filter-Rule as a
string, thus converting 0x00 into strings "0x00".
If I remove the 0x00, then rules are not NUL separated which goes
against the RFC,

share/dictionary/radius/dictionary.rfc4849 defines NAS-Filter-Rule as
ATTRIBUTE    NAS-Filter-Rule                92    string

I've been able to make it work as I think it should adding the
following line to my dictionary
# override NAS-Filter-Rule to convey NUL character between rules
ATTRIBUTE       NAS-Filter-Rule                         92      octets

My question is, is there any other way to force freeradius to send the
entry rules as strings with NUL terminated character? Should I report
this as an issue (bug) to freeradius developers so that they change
the dictionary.rfc4849 entry?

I hope my question is clear. Best regards

More information about the Freeradius-Users mailing list