>>>>> "Stefan" == Stefan Paetow <[log in to unmask]> writes:
Stefan> That's not how the attr_filter module works. The filter
Stefan> works on a realm-basis only, i.e. if it is from this realm
Stefan> (and if the realm does not exist in the filter, the DEFAULT
Stefan> section matches), let the attribute pass, if not, strip it
Stefan> from the request/reply. If you want to do more advanced
Stefan> processing, you let the attribute pass, and then write
Stefan> unlang statements to either remove it or leave it in the
Stefan> reply (or request), or don't use attr_filter at all.
Yeah, when I talked about a sample policy I meant an unlang policy.
So, I'd expect the attr_filter rule to permit the attribute, but to be
commented out, and to include in a comment instructions on where to
enable the unlang policy.
Stefan> So yeah, for apc.moonshot.ja.net I would say the least we
Stefan> should do is provide this as standard, since Adam has
Stefan> pointed out that *any* RADIUS request/reply to/from the APC
Stefan> must be left alone.
*blink*
I don't follow that.
|