ttls chbind: update VSA to use
[freeradius.git] / raddb / policy.conf
index e3b5e9f..520cad5 100644 (file)
 #  If policy A calls policy B, then B MUST be defined before A.
 #
 policy {
+       # We check for this prefix to determine whether the class
+       # value was generated by this server.  It should be changed
+       # so that it is globally unique.
+       class_value_prefix = 'ai:'
+
        #
-       #       Overload the default acct_unique module, it's not smart enough
+       #       Overload the default acct_unique module, it's not
+       #       smart enough.
        #
        acct_unique {
                #
-               #  If we have a class attribute in the format 'auth_id:[0-9a-f]{32}' it'll have a local
-               #  value (defined by insert_acct_class), this ensures uniquenes and suitability.
+               #  If we have a class attribute in the format
+               #  'auth_id:[0-9a-f]{32}' it'll have a local value
+               #  (defined by insert_acct_class), this ensures
+               #  uniqueness and suitability.
                #
-               #  We could just use the Class attribute as Acct-Unique-Session-Id, but this may cause
-               #  problems with NAS that carry Class values across between multiple linked sessions.
-               #  So we rehash class with Acct-Session-ID to provide a truely unique session identifier.
+               #  We could just use the Class attribute as
+               #  Acct-Unique-Session-Id, but this may cause problems
+               #  with NAS that carry Class values across between
+               #  multiple linked sessions.  So we rehash class with
+               #  Acct-Session-ID to provide a truely unique session
+               #  identifier.
                #
-               #  Using a Class/Session-ID combination is more robust than using elements in the
-               #  Accounting-Request, which may be subject to change, such as NAS-IP-Address,
-               #  Client-IP-Address and NAS-Port-ID/NAS-Port.
+               #  Using a Class/Session-ID combination is more robust
+               #  than using elements in the Accounting-Request,
+               #  which may be subject to change, such as
+               #  NAS-IP-Address, Client-IP-Address and
+               #  NAS-Port-ID/NAS-Port.
                #
-               #  This policy should ensure that session data is not affected if NAS IP addresses change,
-               #  or the client roams to a different 'port' whilst maintaining its initial authentication
-               #  session (Common in a wireless environment).
+               #  This policy should ensure that session data is not
+               #  affected if NAS IP addresses change, or the client
+               #  roams to a different 'port' whilst maintaining its
+               #  initial authentication session (Common in a
+               #  wireless environment).
                #        
-               if(Class =~ /auth_id:[0-9a-f]{32}/i) {
+               if("%{string:Class}" =~ /${policy.class_value_prefix}([0-9a-f]{32})/i) {
                        update request {
-                               Acct-Unique-Session-Id := "%{md5:%{Class}%{Acct-Session-ID}}"
+                               Acct-Unique-Session-Id := "%{md5:%{1}%{Acct-Session-ID}}"
                        }
                }        
+
                #
-               #  Not All devices respect RFC 2865 when dealing with the class attribute,
-               #  so be prepared to use the older style of hashing scheme if a class attribute is not included 
+               #  Not All devices respect RFC 2865 when dealing with
+               #  the class attribute, so be prepared to use the
+               #  older style of hashing scheme if a class attribute
+               #  is not included
                #
                else {
                        update request {
@@ -60,12 +78,13 @@ policy {
        #
        insert_acct_class {
                update reply { 
-                       Class = "auth_id:%{md5:%t%{request:NAS-Identifier}%{NAS-Port-ID}%{NAS-Port}%{Calling-Station-ID}%{reply:User-Name}}"
+                       Class = "${policy.class_value_prefix}%{md5:%t%I%{Packet-Src-Port}%{Packet-Src-IP-Address}%{NAS-IP-Address}%{Calling-Station-ID}%{User-Name}}"
                }
        }
 
        #
-       #       Forbid all EAP types.
+       #       Forbid all EAP types.  Enable this by putting "forbid_eap"
+       #       into the "authorize" section.
        #
        forbid_eap {
                if (EAP-Message) {
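Review bot: The Class value on the new `Class = "${policy.class_value_prefix}%{md5:...}"` line in `insert_acct_class` hashes only request-observable inputs (what appear to be a timestamp and request id via `%t`/`%I`, the packet source address and port, NAS-IP-Address, Calling-Station-ID, User-Name) with no server-side secret, so the `ai:` prefix that `acct_unique` later matches can only confirm that a Class has the expected format, not that this server produced it; a NAS echoes Class back unverified and may send any value. That is acceptable for deriving Acct-Unique-Session-Id, but the prefix comment at the top of the policy ("generated by this server", in the earlier hunk) overstates what the check establishes, and the match in `acct_unique` is not anchored with `^`, so the prefix may be found anywhere in the string. Suggest a comment above the `Class =` line: `#  Class is opaque to the NAS and is returned unverified; the prefix identifies the format only, it does not authenticate origin.` The switch from `%{reply:User-Name}` to `%{User-Name}` also means the request-side name is hashed, which may differ from the reply when the name is rewritten — presumably intended, but worth confirming.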
@@ -106,32 +125,55 @@ policy {
        }
 
        #
-       #          Split User-Name in NAI format (RFC 4282) into components
+       #       Split User-Name in NAI format (RFC 4282) into components
        #
-       #  This policy writes the Username and Domain portions of the NAI into the 
-       #  Stripped-User-Name and Stripped-User-Domain attributes.
+       #  This policy writes the Username and Domain portions of the
+       #  NAI into the Stripped-User-Name and Stripped-User-Domain
+       #  attributes.
        #
-       #  The regular expression to do this is not strictly compliant with the standard, 
-       #  but it is not possible to write a compliant regexp without perl style
-       #  regular expressions (or at least not a legible one).
+       #  The regular expression to do this is not strictly compliant
+       #  with the standard, but it is not possible to write a
+       #  compliant regexp without perl style regular expressions (or
+       #  at least not a legible one).
        #
+       nai_regexp = "^([^@]*)(@([-[:alnum:]]+\\.[-[:alnum:].]+))?$"    
+
        split_username_nai {
-               if(User-Name =~ /^([^@]*)(@([-[:alnum:]]+\\.[-[:alnum:].]+))?$/){
+               if(User-Name =~ /${policy.nai_regexp}/){
                        update request {
                                Stripped-User-Name := "%{1}"
                                Stripped-User-Domain = "%{3}"
                        }
-                       # If any of the expansions result in a null string, the update
-                       # section may return something other than updated...
+
+                       # If any of the expansions result in a null
+                       # string, the update section may return
+                       # something other than updated...
+                       updated
+               }
+               else {
+                       noop
+               }
+       }
+
+       #       
+       #  If called in post-proxy we modify the proxy-reply message
+       #
+       split_username_nai.post-proxy { 
+               if(proxy-reply:User-Name =~ /${policy.nai_regexp}/){
+                       update proxy-reply {
+                               Stripped-User-Name := "%{1}"
+                               Stripped-User-Domain = "%{3}"
+                       }
                        updated
                }
-               else{
+               else {
                        noop
                }
        }
 
        #
-       #       Forbid all attempts to login via realms.
+       #       Example of forbidding all attempts to login via
+       #       realms.
        #
        deny_realms {
                if (User-Name =~ /@|\\/) {
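Review bot: The new `nai_regexp = "^([^@]*)(@([-[:alnum:]]+\\.[-[:alnum:].]+))?$"` line carries trailing whitespace after the closing quote, as do the `#` comment line above `split_username_nai.post-proxy` and the `split_username_nai.post-proxy {` line itself; it should be stripped so the quoted value is unambiguous. Moving the pattern from a regex literal into a double-quoted config string also changes where `\\.` is unescaped — presumably the config parser reduces it to `\.` before the regex is compiled, but that is worth confirming with a User-Name such as `user@example.com`, since one extra level of escaping would make the domain group never match and leave Stripped-User-Domain empty in both policies that reference `${policy.nai_regexp}`. The post-proxy variant writes Stripped-User-Name/Domain into `proxy-reply`; a one-line comment saying why the reply list rather than the request is the target would help the next reader, e.g. `#  post-proxy operates on the home server's reply, so the stripped attributes are placed there.`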
@@ -180,8 +222,8 @@ policy {
        #  The following policies are for the Chargeable-User-Identity
        #  (CUI) configuration.
        #
-       #  The policies below can be called as just 'cui' (not cui.authorize etc..)
-       #  from the various  config sections.   
+       #  The policies below can be called as just 'cui' (not
+       #  cui.authorize etc..)  from the various config sections.
        #
 
        #
@@ -254,18 +296,19 @@ policy {
        mac-addr-regexp = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})
        
        #
-       #  Add "rewrite_called_station_id" in the "authorize" and "preacct" sections.
+       #  Add "rewrite_called_station_id" in the "authorize" and
+       #  "preacct" sections.
        #
        rewrite_called_station_id {
-               if(Called-Station-Id =~ /^%{config:policy.mac-addr-regexp}(:(.+))?$/i) {
+               if(Called-Station-Id =~ /^${policy.mac-addr-regexp}(:(.+))?$/i) {
                        update request {
                                Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
                        }
 
                        # SSID component?
-                       if ("%{7}") {
+                       if ("%{8}") {
                                update request {
-                                       Called-Station-SSID := "%{7}"
+                                       Called-Station-SSID := "%{8}"
                                }
                        }
                        updated
@@ -276,10 +319,11 @@ policy {
        }
 
        #
-       #  Add "rewrite_calling_station_id" in the "authorize" and "preacct" sections.
+       #  Add "rewrite_calling_station_id" in the "authorize" and
+       #  "preacct" sections.
        #
        rewrite_calling_station_id {
-               if(Calling-Station-Id =~ /^%{config:policy.mac-addr-regexp}$/i) {
+               if(Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i) {
                        update request {
                                Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
                        }
@@ -289,4 +333,29 @@ policy {
                        noop
                }
        }
+
+       #  Assign compatibility data to request for sqlippool
+       dhcp_sqlippool.post-auth {
+
+
+               #  Do some minor hacks to the request so that it looks
+               #  like a RADIUS request to the SQL IP Pool module.
+               update request {
+                       User-Name = "DHCP-%{DHCP-Client-Hardware-Address}"
+                       Calling-Station-Id = "%{DHCP-Client-Hardware-Address}"
+                       NAS-IP-Address = "%{%{DHCP-Gateway-IP-Address}:-127.0.0.1}"
+                       Acct-Status-Type = Start
+               }
+
+               #  Call the actual module
+               dhcp_sqlippool
+
+               #  Convert Framed-IP-Address to DHCP, but only if we
+               #  actually allocated an address.
+               if (ok) {
+                       update reply {
+                               DHCP-Your-IP-Address = "%{reply:Framed-IP-Address}"
+                       }
+               }
+       }
 }
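Review bot: `dhcp_sqlippool.post-auth` copies the allocated address into `DHCP-Your-IP-Address` only under `if (ok)`, so any other success code from `dhcp_sqlippool` (for example `updated`, if the module can return it after allocating) would leave the DHCP reply without an address; confirm the module's return codes or widen the test to `if (ok || updated)`. The two blank lines after the opening brace should be collapsed to one. The header comment could also note that the identifiers fed to the pool are client-supplied, e.g. `#  DHCP-Client-Hardware-Address comes from the client; it keys the pool lookup but is not an authenticated identity.`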