{
        #  Remove reply message if the response contains an EAP-Message
}        remove_reply_message_if_eap
{
        #
        #  Access-Reject packets are sent through the REJECT sub-section of the
        #  post-auth section.
        #
        #  Add the ldap module name (or instance) if you have set
        #  'edir_account_policy_check = yes' in the ldap module configuration
        #
}        Post-Auth-Type REJECT \{
                # log failed authentications in SQL, too.
                #-sql
                attr_filter.access_reject

                # Insert EAP-Failure message if the request was
                # rejected by policy instead of because of an
                # authentication failure
                eap

                #  Remove reply message if the response contains an EAP-Message
                remove_reply_message_if_eap
        \}
\}

