
Filter Access-Challenge packets, too

1 parent 632daac commit 4a5b18a653c5a35786f8a9dcfab8b4ebc0671101 @alandekok alandekok committed Jun 9, 2009
Showing with 29 additions and 0 deletions.
  1. +19 −0 raddb/attrs.access_challenge
  2. +10 −0 raddb/modules/attr_filter
19 raddb/attrs.access_challenge
@@ -0,0 +1,19 @@
+#
+# Configuration file for the rlm_attr_filter module.
+# Please see rlm_attr_filter(5) manpage for more information.
+#
+# $Id$
+#
+# This configuration file is used to remove almost all of the
+# attributes From an Access-Challenge message. The RFC's say
+# that an Access-Challenge packet can contain only a few
+# attributes. We enforce that here.
+#
+DEFAULT
+ EAP-Message =* ANY,
+ State =* ANY,
+ Message-Authenticator =* ANY,
+ Reply-Message =* ANY,
+ Proxy-State =* ANY,
+ Session-Timeout =* ANY,
+ Idle-Timeout =* ANY
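Review bot: The header comment says "The RFC's say" without naming the RFC or section the allow-list under DEFAULT is derived from, so the seven entries cannot be checked against a reference. Cite it in the comment (RFC 2865 section 4.4 covers Access-Challenge contents) and state whether omissions are deliberate: the list has no Vendor-Specific entry, which that section permits, so any VSA on a challenge would be stripped once this filter is in use. Minor wording in the same comment: "From" should be lowercase and "RFC's" should be "RFCs".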
10 raddb/modules/attr_filter
@@ -28,6 +28,16 @@ attr_filter attr_filter.access_reject {
attrsfile = ${confdir}/attrs.access_reject
}
+# Enforce RFC requirements on the contents of Access-Reject
+# packets. See the comments at the top of the file for
+# more details.
+#
+attr_filter attr_filter_access_challenge {
+ key = %{User-Name}
+ attrsfile = ${confdir}/attrs.access_challenge
+}
+
+
# Enforce RFC requirements on the contents of the
# Accounting-Response packets. See the comments at the
# top of the file for more details.
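Review bot: The new instance is declared as `attr_filter_access_challenge`, with an underscore after `attr_filter`, while the instance in the context line directly above is `attr_filter.access_reject`; anyone following the existing pattern and referencing `attr_filter.access_challenge` will not match this block, so the name should use the dot form. The comment above the block also says "Access-Reject" where it should say "Access-Challenge", which looks like a copy from the preceding block. The commit touches only these two files, so nothing visible here calls the new instance; a note on where it is meant to be listed would help, and one of the two trailing blank lines can go.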
