3.31.3. DynamicReply Previous topic Parent topic Child topic Next topic

This optional parameter specifies a reply item that will be eligible for run-time variable substitution. That means that you can use any of the % substitutions in Section 3.3 in that reply item. You can specify any number of DynamicReply lines, one for each reply item you want to do replacements on. Any packet-specific replacement values will come from the Access-Accept message being constructed, and not from the incoming Access-Request. That means that special characters like %n will not be replaced by the received User-Name, because User-Name is in the request, but not the reply.
In the following example, substitution is enabled for USR-IP-Input-Filter in an AuthBy clause. When a user authenticates, the %a in the filter will be replaced by the users IP Address, which makes the filter an anti-spoof filter.
<AuthBy whatever>
      DynamicReply USR-IP-Input-Filter
In the users file:
DEFAULT User-Password = "UNIX"
      Framed-IP-Address =,
      Framed-Routing = None,
      Framed-IP-Netmask =,
      USR-IP-Input-Filter = "1 REJECT src-addr != %a;",
      Service-Type = Framed-User
This parameter used to be called Dynamic. That name is still recognised as a synonym for DynamicReply.