You can do this with a PostAuthHook. Check out the goodies/hooks.txt file -- The first four examples cover this, in fact -- the fourth example is specifically removing specific reply items based on the Client Identifier.
Robert Fisher Systems Administrator Sitestar Internet Services On 12/15/2014 9:47 AM, Mueller, Jason C wrote: > Is there a way to not include radius attributes, when sending a RADIUS > access-reject? > > I have AddToReply attributes in the client stanza. I need to send different > attributes based on the device type that is being authenticated against, > which is why the AddToReply config is in the client stanza. > > > Here is a sanitized version of the client stanza: > <Client 192.168.1.1/32> > IdenticalClients 192.168.2.1/32 > Secret areallygoodsecret > DupInterval 0 > AddToReply Session-Timeout=0,Juniper-Local-User-Name=some_name > </Client> > > > However, some devices don’t like getting attributes in an access-reject, > including Juniper MX’s. > > Is there a way to strip out all the defined AddToReply attributes, as well as > the RADIUS reply-message (attribute 18), when sending an access-reject? > > Thanks. > > -Jason > > _______________________________________________ > radiator mailing list > [email protected] > http://www.open.com.au/mailman/listinfo/radiator _______________________________________________ radiator mailing list [email protected] http://www.open.com.au/mailman/listinfo/radiator
