Removing reply attributes

Paul Thornton paul at
Mon Oct 7 18:46:09 CEST 2019

Hi folks,

A quick unlang question - is there a way to remove all reply attributes 
and start again from scratch?

I have some logic similar to the following in the post-auth section 
(I've simplified it somewhat for this post) - we've authenticated a 
user, but we also know that this is actually a session steering request 
from an upstream provider.  They don't need or care about the end user's 
reply attributes (IP address, service type, etc) - all they want is a 
handful of tunnel attributes to deliver it back to us for a second 
authentication (from our own router this time, which does care about 
such niceties as IP addresses).

                 if ( (&request:Client-IP-Address =~ /^192\.168\.1\.5/) ) {
                         update reply {
                                 # Remove existing reply attributes - they don't care about them.
                                 Framed-IP-Address !* ANY
                                 Framed-MTU !* ANY
                                 Framed-Protocol !* ANY
                                 Framed-Compression !* ANY
                                 Cisco-AVPair !* ANY

                                 # Tunnel information
                                 Tunnel-Type:0 = L2TP
                                 Tunnel-Medium-Type:0 = IPv4
                                 Tunnel-Server-Endpoint:0 =
                                 Tunnel-Client-Auth-Id:0 = 'something'
                                 Tunnel-Password:0 = 'something-else'
                         }
                 }

Is there a more elegant way to remove the reply attributes?


