3 ## policy.conf -- FreeRADIUS server configuration file.
5 ## http://www.freeradius.org/
10 # Policies are virtual modules, similar to those defined in the
11 # "instantiate" section of radiusd.conf.
13 # Defining a policy here means that it can be referenced in multiple
14 # places as a *name*, rather than as a series of conditions to match,
15 # and actions to take.
17 # Policies are something like subroutines in a normal language, but
18 # they cannot be called recursively. They MUST be defined in order.
19 # If policy A calls policy B, then B MUST be defined before A.
23 # Forbid all EAP types.
32 # Forbid all non-EAP types outside of an EAP tunnel.
36 # We MAY be inside of a TTLS tunnel.
37 # PEAP and EAP-FAST require EAP inside of
38 # the tunnel, so this check is OK.
39 # If so, then there MUST be an outer EAP message.
40 if (!"%{outer.request:EAP-Message}") {
47 # Forbid all attempts to login via realms.
50 if (User-Name =~ /@|\\/) {
56 # If you want the server to pretend that it is dead,
57 # then use the "do_not_respond" policy.
61 Response-Packet-Type := Do-Not-Respond
68 # Force some sanity on User-Name. This helps to avoid
69 # issues where the back-end database is "forgiving" about
70 # what constitutes a user name.
78 #if (User-Name != "%{tolower:%{User-Name}}") {
83 # reject all whitespace
84 # e.g. "user@ site.com", or "us er", or " user", or "user "
86 if (User-Name =~ / /) {
88 Reply-Message += "Rejected: Username contains whitespace"
95 # e.g. "user@site.com@site.com"
97 if(User-Name =~ /@.*@/ ) {
99 Reply-Message += "Rejected: Multiple @ in username"
106 # e.g. "user@site..com"
108 if (User-Name =~ /\\.\\./ ) {
110 Reply-Message += "Rejected: Username comtains ..s"
116 # must have at least 1 string-dot-string after @
117 # e.g. "user@site.com"
119 if (User-Name !~ /@(.+)\\.(.+)$/) {
121 Reply-Message += "Rejected: Realm does not have at least one dot seperator"
127 # Realm ends with a dot
128 # e.g. "user@site.com."
130 if (User-Name =~ /\\.$/) {
132 Reply-Message += "Rejected: Realm ends with a dot"
138 # Realm begins with a dot
139 # e.g. "user@.site.com"
141 if (User-Name =~ /@\\./) {
143 Reply-Message += "Rejected: Realm begins with a dot"
150 # The following policies are for the Chargeable-User-Identity
151 # (CUI) configuration.
155 # The client indicates it can do CUI by sending a CUI attribute
156 # containing one zero byte
160 Chargeable-User-Identity:='\\000'
165 # Add a CUI attribute based on the User-Name, and a secret key
166 # known only to this server.
169 if (FreeRadius-Proxied-To == 127.0.0.1) {
170 if (outer.request:Chargeable-User-Identity) {
172 Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
177 if (Chargeable-User-Identity) {
179 Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
186 # If there is a CUI attribute in the reply, add it to the DB.
189 if (reply:Chargeable-User-Identity) {
195 # If we had stored a CUI for the User, add it to the request.
199 # If the CUI isn't in the packet, see if we can find it
202 if (!Chargeable-User-Identity) {
204 Chargeable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
209 # If it exists now, then write out when we last saw
212 if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
218 # Normalize the MAC Addresses in the Calling/Called-Station-Id
220 mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})
222 # Add "rewrite.called_station_id" in the "authorize" and "preacct"
224 rewrite.called_station_id {
225 if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
227 Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
233 Called-Station-Id := "%{Called-Station-Id}:%{8}"
243 # Add "rewrite.calling_station_id" in the "authorize" and "preacct"
245 rewrite.calling_station_id {
246 if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
248 Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
257 # Assign compatibility data to request for sqlippool
258 dhcp_sqlippool.post-auth {
261 # Do some minor hacks to the request so that it looks
262 # like a RADIUS request to the SQL IP Pool module.
264 User-Name = "DHCP-%{DHCP-Client-Hardware-Address}"
265 Calling-Station-Id = "%{DHCP-Client-Hardware-Address}"
266 NAS-IP-Address = "%{%{DHCP-Gateway-IP-Address}:-127.0.0.1}"
267 Acct-Status-Type = Start
270 # Call the actual module
272 # Uncomment this in order to really call it!
276 # Convert Framed-IP-Address to DHCP, but only if we
277 # actually allocated an address.
280 DHCP-Your-IP-Address = "%{reply:Framed-IP-Address}"