4 # Filter protocols by realm (or other key)
5 # The "protocol_filter" module reads this file, and implements
6 # the restrictions contained in it.
8 # The main purpose of this configuration file is to permit the
9 # administrator to control, by realm (or any other key), which
10 # protocols the request is permitted to contain. This allows
11 # the server to permit users in one realm to use (say) EAP, and
12 # to deny EAP to users in other realms.
14 # The key is used to look up entries by subsection. Within each
15 # subsection, there is a list of attributes, with value "permit"
16 # or "deny". When a request comes in, the attributes from the
17 # request packet are looked up in the appropriate section given
18 # by the key. If the section has an entry which says "permit"
19 # for that attribute, the request is permitted to continue. If
20 # the section has and entry which says "deny" for that
21 # attribute, the request is immediately rejected.
23 # The default (if the attribute is not listed in the subsection)
24 # is to permit the attribute.
26 # The attribute names MUST be spelled the same way as in
27 # the dictionary files.
29 # The entries can have sub-sections, too. Each subsection
30 # MUST begin with a "key" entry, which is used to apply
31 # one of the rules in the subsection. Only one rule from
32 # each subsection is applied, and that rule is the one pointed
33 # to by the key. The key is dynamically expanded (see doc/variables.txt)
34 # at run time, for each request as it comes in.
38 # There is no key here, as the key is always hard-coded to be
39 # attributes in the request. For a request to pass the tests
40 # in this section, ALL of the rules below must permit the
41 # request to pass. That is, the rules are logically ANDed
45 # allow requests to contain a user password attribute.
46 User-Password = permit
48 # Deny requests which try to use MS-CHAP, for testing.
49 # just because we can. Both MS-CHAPv1 and MS-CHAPv2
50 # use MS-CHAP-Challenge, so we just deny that.
51 # If we wanted to deny just MS-CHAPv2, we would deny the
52 # MS-CHAP2-Response attribute.
53 MS-CHAP-Challenge = deny
56 # Allow some EAP protocols, but not others.
58 # The use of the EAP-Type for the key, below, means that the
59 # protocol_filter module MUST be listed after "eap" in the
60 # "authorize" section.
64 # See the dictionary for the names of the EAP-Types.
65 # e.g. VALUE EAP-Type <name> <number>
67 # The names for the EAP types MUST be exactly the same
68 # as the names in the dictionary file.
70 key = %{EAP-Type:-DEFAULT}
72 # This is insecure, so we don't allow it.
75 # Permit one EAP type. We picked this one at random.
76 EAP-MSCHAP-V2 = permit
83 # A more complicated example.
87 # For various reasons, we often would like to use the same
88 # configuration entries inside, and outside of the TLS tunnel.
89 # This allows us to keep all of the per-realm configuration in
94 # Define subsections, based on the request being
95 # inside, or outside, of the TLS tunnel.
97 key = %{FreeRADIUS-Proxied-To:-Outer}
100 # Outside of the tunnel.
103 key = %{EAP-Type:-DEFAULT}
105 # This is insecure, so we don't allow it.
106 # It's not necessary, as the DEFAULT below will
107 # take care of it, but this is a good example.
110 # We allow TTLS & PEAP as EAP types.
119 # Inside of the tunnel.
122 key = %{EAP-Type:-DEFAULT}
124 # We don't do TLS inside of TTLS.