Filter Access-Challenge packets, too

diff --git a/raddb/attrs.access_challenge b/raddb/attrs.access_challenge
new file mode 100644 (file)
index 0000000..78ea54e
--- /dev/null
+++ b/raddb/attrs.access_challenge
@@ -0,0 +1,19 @@
+#
+#      Configuration file for the rlm_attr_filter module.
+#      Please see rlm_attr_filter(5) manpage for more information.
+#
+#      $Id$
+#
+#      This configuration file is used to remove almost all of the
+#      attributes From an Access-Challenge message.  The RFC's say
+#      that an Access-Challenge packet can contain only a few
+#      attributes.  We enforce that here.
+#
+DEFAULT
+       EAP-Message =* ANY,
+       State =* ANY,
+       Message-Authenticator =* ANY,
+       Reply-Message =* ANY,
+       Proxy-State =* ANY,
+       Session-Timeout =* ANY,
+       Idle-Timeout =* ANY

diff --git a/raddb/modules/attr_filter b/raddb/modules/attr_filter
index 535e2a0..0660d57 100644 (file)
--- a/raddb/modules/attr_filter
+++ b/raddb/modules/attr_filter
@@ -28,6 +28,16 @@ attr_filter attr_filter.access_reject {
        attrsfile = ${confdir}/attrs.access_reject
 }
 
+# Enforce RFC requirements on the contents of Access-Reject
+# packets.  See the comments at the top of the file for
+# more details.
+#
+attr_filter attr_filter_access_challenge {
+       key = %{User-Name}
+       attrsfile = ${confdir}/attrs.access_challenge
+}
+
+
 #  Enforce RFC requirements on the contents of the
 #  Accounting-Response packets.  See the comments at the
 #  top of the file for more details.