Attribute Number:
Length: 3 or more octets
Allowed in:
Prohibited in: Access-Request, Access-Reject, Access-Challenge
Presence in Packet: Not required
Maximum Iterations:

Filter-ID is arguably one of the most pragmatic, useful attributes in the RADIUS specification. It is based on the common practice of packet filtering, which is most often found in firewalls and intrusion detection systems. The premise behind packet filtering is to inspect every packet in a transaction or data stream and determine, based on rules that an administrator configures, whether that packet should be allowed to pass through.

In RADIUS, however, that use is not as distinct. The closest parallel to packet inspection as a security device comes when you view the RADIUS client gear as a gateway. Indeed, the RADIUS client is the first hop on the packet’s path to the Internet, and the client can filter based on rules to decide whether to allow the packet to pass. But in RADIUS, packet filtering relies on rules that an administrator configures, known as “filter profiles,” which act as guides to which packets can perform which actions on which network. Let’s take a closer look.

Let’s assume that a certain RADIUS implementation has three filter profiles configured: a “Mailonly” profile, a “FullInet” profile, and a “LocalSurf” profile. These profiles correspond to several account types that ...
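
A client-side check of the rules in the attribute summary at the top of this section, as an added example that is not from the book: it parses a raw RADIUS packet, rejects Filter-ID where the summary prohibits it, and fails closed on a profile name the client does not know. The attribute type (11) and packet codes come from RFC 2865, not from this page; the function names are hypothetical, and the sample packets are constructed with a zeroed authenticator that this code does not verify.

```python
import struct

# RFC 2865 values (not stated on this page): packet codes and the Filter-ID type.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
FILTER_ID = 11
PROHIBITED_IN = {ACCESS_REQUEST, ACCESS_REJECT, ACCESS_CHALLENGE}
# Profile names from the text; a client would bind each to locally configured rules.
KNOWN_PROFILES = {"Mailonly", "FullInet", "LocalSurf"}

def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]) for a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def filter_profiles(packet: bytes):
    """Return the filter profile names to apply; raise instead of failing open."""
    code, attrs = parse_attributes(packet)
    names = []
    for a_type, value in attrs:
        if a_type != FILTER_ID:
            continue
        if code in PROHIBITED_IN:
            raise ValueError(f"Filter-ID not allowed in packet code {code}")
        if len(value) < 1:  # whole attribute must be 3 or more octets
            raise ValueError("Filter-ID shorter than 3 octets")
        name = value.decode("utf-8", errors="strict")
        if name not in KNOWN_PROFILES:
            raise ValueError(f"unknown filter profile {name!r}")
        names.append(name)
    return names

def build(code: int, attrs) -> bytes:
    """Build a constructed sample packet (zeroed authenticator, for testing only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body
```

Rejecting an unrecognized profile name, rather than ignoring it, keeps a misspelled or unprovisioned Filter-ID from silently leaving a session unfiltered.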
