Removing reply attributes

Paul Thornton-2
Hi folks,

A quick unlang question - is there a way to remove all reply attributes
and start again from scratch?

I have some logic similar to the following in the post-auth section
(I've simplified it somewhat for this post) - we've authenticated a
user, but we also know that this is actually a session steering request
from an upstream provider.  They don't need or care about the end user's
reply attributes (IP address, service type, etc) - all they want is a
handful of tunnel attributes to deliver it back to us for a second
authentication (from our own router this time, which does care about
such niceties as IP addresses).

    if ( (&request:Client-IP-Address =~ /^192\.168\.1\.5/) ) {
        update reply {
            # Remove existing reply attributes - they don't care about them.
            Framed-IP-Address !* ANY
            Framed-MTU !* ANY
            Framed-Protocol !* ANY
            Framed-Compression !* ANY
            Cisco-AVPair !* ANY

            # Tunnel information
            Tunnel-Type:0 = L2TP
            Tunnel-Medium-Type:0 = IPv4
            Tunnel-Server-Endpoint:0 = 192.168.2.2
            Tunnel-Client-Auth-Id:0 = 'something'
            Tunnel-Password:0 = 'something-else'
        }
    }

Is there a more elegant way to remove the reply attributes?

Thanks,

Paul.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Removing reply attributes

Alan DeKok-2
On Oct 7, 2019, at 12:46 PM, Paul Thornton <[hidden email]> wrote:
>
> A quick unlang question - is there a way to remove all reply attributes and start again from scratch?

  Unfortunately, no.

> I have some logic similar to the following in the post-auth section (I've simplified it somewhat for this post) - we've authenticated a user, but we also know that this is actually a session steering request from an upstream provider.  They don't need or care about the end user's reply attributes (IP address, service type, etc) - all they want is a handful of tunnel attributes to deliver it back to us for a second authentication (from our own router this time, which does care about such niceties as IP addresses).
>
>                if ( (&request:Client-IP-Address =~ /^192\.168\.1\.5/) ) {
>                        update reply {
>                                # Remove existing reply attributes - they don't care about them.
>                                Framed-IP-Address !* ANY
>                                Framed-MTU !* ANY
>                                Framed-Protocol !* ANY
>                                Framed-Compression !* ANY
>                                Cisco-AVPair !* ANY
>
>                                # Tunnel information
>                                Tunnel-Type:0 = L2TP
>                                Tunnel-Medium-Type:0 = IPv4
>                                Tunnel-Server-Endpoint:0 = 192.168.2.2
>                                Tunnel-Client-Auth-Id:0 = 'something'
>                                Tunnel-Password:0 = 'something-else'
>                        }
>                }
>
> Is there a more elegant way to remove the reply attributes?

  Don't add them in the first place. :)

  Alan DeKok.



Re: Removing reply attributes

Paul Thornton-2
Hi Alan


On 07/10/2019 18:22, Alan DeKok wrote:
>
>    Don't add them in the first place. :)
>
>    Alan DeKok.
>

I thought that might be the case.  I'll have to add "re-working this
logic" to my long list of things to do!

Paul.