2 # Forbid all EAP types. Enable this by putting "forbid_eap"
3 # into the "authorize" section.
12 # Forbid all non-EAP types outside of an EAP tunnel.
16 # We MAY be inside of a TTLS tunnel.
17 # PEAP and EAP-FAST require EAP inside of
18 # the tunnel, so this check is OK.
19 # If we are inside a tunnel, then there MUST be an outer EAP message.
20 if (!"%{outer.request:EAP-Message}") {
27 # Remove Reply-Message from the response if we're doing EAP.
29 # Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should
30 # not be present in the same response.
32 remove_reply_message_if_eap {
33 if(reply:EAP-Message && reply:Reply-Message) {
44 # Example of forbidding all attempts to login via
48 if (User-Name =~ /@|\\/) {
56 # Force some sanity on User-Name. This helps to avoid
57 # issues where the back-end database is "forgiving" about
58 # what constitutes a user name.
65 if (User-Name != "%{tolower:%{User-Name}}") {
70 # reject all whitespace
71 # e.g. "user@ site.com", or "us er", or " user", or "user "
73 if (User-Name =~ / /) {
75 Reply-Message += "Rejected: Username contains whitespace"
82 # e.g. "user@site.com@site.com"
84 if(User-Name =~ /@.*@/ ) {
86 Reply-Message += "Rejected: Multiple @ in username"
93 # e.g. "user@site..com"
95 if (User-Name =~ /\\.\\./ ) {
97 Reply-Message += "Rejected: Username comtains ..s"
103 # must have at least 1 string-dot-string after @
104 # e.g. "user@site.com"
106 if (User-Name !~ /@(.+)\\.(.+)$/) {
108 Reply-Message += "Rejected: Realm does not have at least one dot seperator"
114 # Realm ends with a dot
115 # e.g. "user@site.com."
117 if (User-Name =~ /\\.$/) {
119 Reply-Message += "Rejected: Realm ends with a dot"
125 # Realm begins with a dot
126 # e.g. "user@.site.com"
128 if (User-Name =~ /@\\./) {
130 Reply-Message += "Rejected: Realm begins with a dot"