not logged in | [Login]

Also see the related list of run-time variables.

Provided by the server core

name description
attr attribute name of an attribute reference
attr_num attribute number of an attribute reference
debug_attr print to debug output all instances of current attribute, or all attributes in a list; expands to a zero-length string
debug dynamically change the debug level for the current request
hex convert to hex
integer convert to integer
length size of the given attributes in bytes
map processes data as a map string and applies to the current request
module returns current module processing the request
regex return named subcapture value from previous regex
string convert data to a string if possible
strlen length of given string "%{strlen:Hello}" == 5
tag tag of an attribute reference
vendor_num vendor number of an attribute reference
vendor vendor of an attribute reference
xlat xlat expand given string value

Provided by modules

The following xlats are provided by particular modules, so the module will need to be instantiated before the xlat will be available to use.

xlat names marked with an asterisk (*) take the name of the module instantiation, so may change from that listed here if different instantiations are used.


name description
cache* retrieve single attribute values from the cache


name description
date* convert dates between different formats


name description
exec* execute external program


name description
base64 encode string as base64: "%{base64:foo}" == "Zm9v"
base64tohex convert base64 to hex: "%{base64tohex:Zm9v}" == "666f6f"
escape escape string similar to rlm_sql 'safe_characters': "%{escape:<img>foo.jpg</img>}" == "=60img=62foo.jpg=60/img=62"
explode split an attribute into multiple new attributes based on a delimiter: "%{explode:&ref <delim>}"
hmacmd5 generate HMAC-MD5 of string: "%{hmacmd5:foo bar}" == "31b6db9e5eb4addb42f1a6ca07367adc"
hmacsha1 generate HMAC-SHA1 of string: "%{hmacsha1:foo bar}" == "85d155c55ed286a300bd1cf124de08d87e914f3a"
lpad left-pad a string: if User-Name is "foo": "%{lpad:&User-Name 6 x}" == "xxxfoo"
md5 get md5sum hash: "%{md5:foo}" == "acbd18db4cc2f85cedef654fccc4a4d8"
nexttime calculate number of seconds until next n hour(s), day(s), week(s), year(s), e.g. if it were 16:18, %{nexttime:1h} would expand to 2520
pairs serialize attributes as comma-delimited string: "%{pairs:request:}" == "User-Name = 'foo', User-Password = 'bar', ..."
rand get random number from 0 to n-1 "%{rand:10}" == "9"
randstr get random string built from character classes (see below)
rpad right-pad a string: if User-Name is "foo": "%{rpad:&User-Name 5 -}" == "foo--"
sha1 get sha1 hash: "%{sha1:foo}" == "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33"
sha256 get sha256 hash: "%{sha256:foo}" == "2c26b46b68ffc68ff99b453c1d30413413422d706..."
sha512 get sha512 hash: "%{sha512:foo}" == "f7fbba6e0636f890e56fbbf3283e524c6fa3204ae29838..."
tolower convert to lowercase: "%{tolower:Bar}" == "bar"
toupper convert to uppercase: "%{toupper:Foo}" == "FOO"
unescape reverse of escape: "%{unescape:=60img=62foo.jpg=60/img=62}" == "<img>foo.jpg</img>"
urlquote quote special characters in URI: "%{urlquote:}" == ""
urlunquote unquote URL special characters: "%{}" == ""

Characters that can be used in randstr are:

character class
c lowercase letters
C uppercase letters
n numbers
a alphanumeric
! punctuation
. alphanumeric + punctuation
s alphanumeric + "./"
o characters suitable for OTP (easily confused removed)
h binary data as lowercase hex
H binary data as uppercase hex


"%{randstr:CCCC!!cccnnn}" == "IPFL>{saf874"
"%{randstr:oooooooo}" == "rfVzyA4y"
"%{randstr:hhhh}" == "68d60de3"


name description
idn* convert idn to ascii


name description
ldap* do an LDAP query
ldapquote safely quote string for use in ldap query


name description
mschap* extract ms-chap data from the request, e.g. "%{mschap:User-Name}" or "%{mschap:Challenge}"


name description
perl* call perl xlat function defined in func_xlat


name description
redis* run a redis query: "%{redis:GET mykey}"


name description
rest* retrieve text data from a URL
jsonquote quote data for use in JSON


name description
soh* translate SoH data, currently just "%{soh:OS}"


name description
sql* execute an SQL query, e.g. `"%{sql:SELECT user FROM users WHERE field = '%{Attribute-Name}';}%"


name description
unbound*-a lookup an A record in the DNS
unbound*-aaaa lookup an AAAA record in the DNS
unbound*-ptr lookup a PTR record in the DNS


name description
unpack unpack attribute data, e.g. "%{unpack:&Class 0 integer}" expands 4 octets at position 0 as an integer


name description
modhextohex convert Yubikey modhex to standard hex, e.g. "%{modhextohex:vvrbuctetdhc}" == "ffc1e0d3d260"

Other xlat expansions

These are provided by proto_dhcp:

name description
client provides per-client config options i.e. %{client:ipaddr} or %{client:mymadeupoption}