3 ## policy.conf -- FreeRADIUS server configuration file.
5 ## http://www.freeradius.org/
10 # Policies are virtual modules, similar to those defined in the
11 # "instantiate" section of radiusd.conf.
13 # Defining a policy here means that it can be referenced in multiple
14 # places as a *name*, rather than as a series of conditions to match,
15 # and actions to take.
17 # Policies are something like subroutines in a normal language, but
18 # they cannot be called recursively. They MUST be defined in order.
19 # If policy A calls policy B, then B MUST be defined before A.
23 # Forbid all EAP types.
32 # Forbid all non-EAP types outside of an EAP tunnel.
36 # We MAY be inside of a TTLS tunnel.
37 # PEAP and EAP-FAST require EAP inside of
38 # the tunnel, so this check is OK.
39 # If so, then there MUST be an outer EAP message.
40 if (!"%{outer.request:EAP-Message}") {
47 # Forbid all attempts to login via realms.
50 if (User-Name =~ /@|\\/) {
56 # If you want the server to pretend that it is dead,
57 # then use the "do_not_respond" policy.
61 Response-Packet-Type := Do-Not-Respond
68 # The following policies are for the Chargeable-User-Identity
69 # (CUI) configuration.
73 # The client indicates it can do CUI by sending a CUI attribute
74 # containing one zero byte
78 Chargeable-User-Identity:='\\000'
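83 # Add a CUI attribute based on the User-Name, and a secret key
84 # known only to this server. The CUI is only as opaque as that key: set cui_hash_key to a long random value and keep it private, because anyone who learns it can match a CUI back to a User-Name by hashing candidate names.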
87 if (FreeRadius-Proxied-To == 127.0.0.1) {
88 if (outer.request:Chargeable-User-Identity) {
90 Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
95 if (Chargeable-User-Identity) {
97 Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
104 # If there is a CUI attribute in the reply, add it to the DB.
107 if (reply:Chargeable-User-Identity) {
113 # If we had stored a CUI for the User, add it to the request.
117 # If the CUI isn't in the packet, see if we can find it
120 if (!Chargeable-User-Identity) {
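# Look up a previously stored CUI for this client / station / user and
# place it in the request. The attribute is spelled
# Chargeable-User-Identity, matching the checks around this statement.
# NOTE(review): User-Name and Calling-Station-Id are taken from the
# request and expanded into the query text, so this relies on the "cui"
# SQL instance escaping expansions -- confirm its safe-characters
# setting before deploying.
122 Chargeable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"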
127 # If it exists now, then write out when we last saw
130 if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {