Removing reply attributes
Alan DeKok
aland at deployingradius.com
Mon Oct 7 19:22:58 CEST 2019
On Oct 7, 2019, at 12:46 PM, Paul Thornton <paul at prt.org> wrote:
>
> A quick unlang question - is there a way to remove all reply attributes and start again from scratch?
Unfortunately, no.
> I have some logic similar to the following in the post-auth section (I've simplified it somewhat for this post) - we've authenticated a user, but we also know that this is actually a session steering request from an upstream provider. They don't need or care about the end user's reply attributes (IP address, service type, etc) - all they want is a handful of tunnel attributes to deliver it back to us for a second authentication (from our own router this time, which does care about such niceties as IP addresses).
>
> if ( (&request:Client-IP-Address =~ /^192\.168\.1\.5/) ) {
>     update reply {
>         # Remove existing reply attributes - they don't care about them.
>         Framed-IP-Address !* ANY
>         Framed-MTU !* ANY
>         Framed-Protocol !* ANY
>         Framed-Compression !* ANY
>         Cisco-AVPair !* ANY
>
>         # Tunnel information
>         Tunnel-Type:0 = L2TP
>         Tunnel-Medium-Type:0 = IPv4
>         Tunnel-Server-Endpoint:0 = 192.168.2.2
>         Tunnel-Client-Auth-Id:0 = 'something'
>         Tunnel-Password:0 = 'something-else'
>     }
> }
>
> Is there a more elegant way to remove the reply attributes?
Don't add them in the first place. :)
Alan DeKok.