2 # The following policies are for the Chargeable-User-Identity
5 # The policies below can be called as just 'cui' (not
6 # cui.authorize etc..) from the various config sections.
10 # cui_hash_key definition
11 # This key protects the hashed CUI values (MD5 of this key, the User-Name
12 # and the Operator-Name) against dictionary attacks; it must therefore be
13 # a long random string, kept secret, and the default below must be replaced.
15 cui_hash_key = "changeme"
18 # cui_require_operator_name switch
19 # If this is set to "yes" (the value the checks below compare against) then a CUI
20 # will only be added when a non-empty Operator-Name value is present in the request.
22 cui_require_operator_name = "no"
25 # The client indicates it can do CUI by sending a CUI attribute
26 # containing one zero byte.
27 # A non-empty value in Operator-Name can be an additional requirement.
28 # Normally CUI support is turned on only for such requests.
29 # CUI support can also be used for local clients which do not
30 # support CUI themselves: the server can simulate a CUI request by
31 # adding the missing NUL CUI value and the Operator-Name attribute.
32 # Clients which are supposed to get this treatment should
33 # be marked by add-cui flag in clients.conf
34 # We assume that local clients are marked in the client.conf with
42 if ("%{client:add-cui}" == 'yes') {
44 Chargeable-User-Identity := '\\000'
50 # Before proxying an Access-Request to a remote server, a NUL CUI
51 # attribute should be added, unless one is already present in the request.
54 if (("%{request:Packet-Type}" == 'Access-Request') && ("%{client:add-cui}" == 'yes')) {
55 update proxy-request {
56 Chargeable-User-Identity = '\\000'
63 # Add a CUI attribute based on the User-Name, and a secret key
64 # known only to this server.
65 # For the EAP-TTLS and EAP-PEAP methods the
66 # use_tunneled_reply parameter MUST be set to yes.
69 if (outer.request:EAP-Message) {
70 if (outer.request:Chargeable-User-Identity && \
71 (outer.request:Operator-Name || ('${policy.cui_require_operator_name}' != 'yes'))) {
73 Chargeable-User-Identity := "%{md5:${policy.cui_hash_key}%{User-Name}%{%{outer.request:Operator-Name}:-}}"
78 if (!control:Proxy-To-Realm && \
79 Chargeable-User-Identity && \
80 !reply:Chargeable-User-Identity && \
81 (Operator-Name || ('${policy.cui_require_operator_name}' != 'yes')) ) {
83 Chargeable-User-Identity = "%{md5:${policy.cui_hash_key}%{User-Name}%{%{Operator-Name}:-}}"
87 User-Name -= "%{reply:User-Name}"
90 # The section below stores a CUI for the user in the database.
91 # You need to configure the cuisql module and your database for this to work.
92 # If your NASes can do CUI-based accounting themselves,
93 # or you do not care about accounting, comment out the three lines below.
95 if (reply:Chargeable-User-Identity) {
102 # If your NAS-es can do CUI based accounting or you do not care about
103 # accounting then just comment out the call to cui in ......
105 # If we had stored a CUI for the User, add it to the request.
109 # If the CUI isn't in the packet, see if we can find it in the database (via cuisql)
112 if (!Chargeable-User-Identity) {
114 Chargeable-User-Identity := "%{cuisql:SELECT cui FROM cui WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
119 # If it exists now, then write out when we last saw
122 if (Chargeable-User-Identity && (Chargeable-User-Identity != '')) {