[RADIATOR] strip attributes from access-reject

Mueller, Jason C jason-mueller at uiowa.edu
Mon Dec 15 11:59:07 CST 2014


Thanks. I will take a look.

On Dec 15, 2014, at 10:00 AM, Robert Fisher <robert at sitestar.net> wrote:

> You can do this with a PostAuthHook.
> 
> Check out the goodies/hooks.txt file -- The first four examples cover
> this, in fact -- the fourth example is specifically removing specific
> reply items based on the Client Identifier.
> 
> Robert Fisher
> Systems Administrator
> Sitestar Internet Services
> 
> On 12/15/2014 9:47 AM, Mueller, Jason C wrote:
>> Is there a way to not include radius attributes, when sending a RADIUS access-reject?
>> 
>> I have AddToReply attributes in the client stanza. I need to send different attributes based on the device type that is being authenticated against, which is why the AddToReply config is in the client stanza.
>> 
>> 
>> Here is a sanitized version of the client stanza:
>> <Client 192.168.1.1/32>
>> 	IdenticalClients 192.168.2.1/32
>> 	Secret	areallygoodsecret
>> 	DupInterval 0
>> 	AddToReply Session-Timeout=0,Juniper-Local-User-Name=some_name
>> </Client>
>> 
>> 
>> However, some devices don’t like getting attributes in an access-reject, including Juniper MX’s.
>> 
>> Is there a way to strip out all the defined AddToReply attributes, as well as the RADIUS reply-message (attribute 18), when sending an access-reject?
>> 
>> Thanks.
>> 
>> -Jason
>> 
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



More information about the radiator mailing list