1 #
2 #       Response caching to handle proxy failovers
3 #
eap.authorize {
        #
        #  Try the cache first.  The "if (ok)" below tests the return
        #  code of this cache_eap call (presumably "ok" means a cached
        #  response for this request was found - confirm against the
        #  cache_eap module definition).
        #
        cache_eap
        if (ok) {
                #
                #       Expire previous cache entry
                #
                #  A State attribute in the control list means there is
                #  an earlier entry to retire: set its TTL to zero, run
                #  cache_eap again so the zero TTL takes effect, then
                #  strip both control attributes so they do not leak
                #  into later processing.
                #
                if (control:State) {
                        update control {
                                Cache-TTL := 0
                        }
                        cache_eap

                        update control {
                                Cache-TTL !* ANY
                                State !* ANY
                        }
                }

                #
                #  Stop here; the reply has already been populated
                #  (from the cache, per the header of this file).
                #
                handled
        }
        else {
                #
                #  No cached response: run the eap module's own
                #  authorize method (this refers to the module, not
                #  back to this policy).
                #
                eap.authorize
        }
}
28
29 #
30 #       Populate cache with responses from the EAP module
31 #
eap.authenticate {
        #
        #  Run the eap module.  "handled = 1" gives the "handled"
        #  return code the lowest priority, so the section keeps
        #  running instead of returning as soon as eap says handled.
        #  Other codes keep their default actions, so e.g. a reject
        #  from eap still leaves this policy before the final
        #  cache_eap below.
        #
        eap {
                handled = 1
        }
        #
        #  eap returned handled (an in-progress EAP conversation,
        #  presumably an Access-Challenge): cache this response and
        #  return handled ourselves so the challenge is sent as-is.
        #
        if (handled) {
                cache_eap

                handled
        }

        #
        #  eap finished (ok/updated): cache the final response.
        #
        cache_eap
}
44
45 #
46 #       Forbid all EAP types.  Enable this by putting "forbid_eap"
47 #       into the "authorize" section.
48 #
forbid_eap {
        #
        #  Any request carrying an EAP-Message is rejected outright,
        #  regardless of EAP type.  Requests without EAP-Message are
        #  left untouched.
        #
        if (EAP-Message) {
                reject
        }
}
54
55 #
56 #       Forbid all non-EAP types outside of an EAP tunnel.
57 #
permit_only_eap {
        #
        #  Reject requests that contain no EAP-Message, unless the
        #  request is the inner part of an EAP tunnel (in which case
        #  the outer request carries the EAP-Message instead).
        #
        if (!EAP-Message) {
                #  We MAY be inside of a TTLS tunnel.
                #  PEAP and EAP-FAST require EAP inside of
                #  the tunnel, so this check is OK.
                #  If so, then there MUST be an outer EAP message.
                #
                #  The quoted expansion is false when the outer
                #  request has no EAP-Message (empty string), i.e.
                #  this is not a tunneled request either.
                if (!"%{outer.request:EAP-Message}") {
                        reject
                }
        }
}
69
70 #
71 #       Remove Reply-Message from the response if we're doing EAP
72 #
73 #  Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should
74 #  not be present in the same response.
75 #
remove_reply_message_if_eap {
        #
        #  Only act when the reply carries BOTH attributes; "!* ANY"
        #  removes every instance of Reply-Message from the reply.
        #
        if(reply:EAP-Message && reply:Reply-Message) {
                update reply {
                        Reply-Message !* ANY
                }
        }
        else {
                #
                #  Nothing to strip: return noop explicitly so the
                #  policy's return code does not depend on what ran
                #  before it.
                #
                noop
        }
}
86