# they cannot be called recursively. They MUST be defined in order.
# If policy A calls policy B, then B MUST be defined before A.
#
-#
policy {
#
# Forbid all EAP types.
#
forbid_eap {
- if ("%{EAP-Message}") {
+ if (EAP-Message) {
reject
}
}
# Forbid all non-EAP types outside of an EAP tunnel.
#
permit_only_eap {
- if (!"%{EAP-Message}") {
+ if (!EAP-Message) {
# We MAY be inside of a TTLS tunnel.
# PEAP and EAP-FAST require EAP inside of
# the tunnel, so this check is OK.
# Forbid all attempts to login via realms.
#
deny_realms {
- if ("%{User-Name}" =~ /@|\\/) {
+ if (User-Name =~ /@|\\/) {
reject
}
}
+
+ #
+ # If you want the server to pretend that it is dead,
+ # then use the "do_not_respond" policy.
+ #
+ do_not_respond {
+ update control {
+ Response-Packet-Type := Do-Not-Respond
+ }
+
+ handled
+ }
+
+ #
+ # The following policies are for the Chargeable-User-Identity
+ # (CUI) configuration.
+ #
+
+ #
+ # The client indicates it can do CUI by sending a CUI attribute
+ # containing one zero byte
+ #
+ cui_authorize {
+ update request {
+ Chargeable-User-Identity:='\\000'
+ }
+ }
+
+ #
+ # Add a CUI attribute based on the User-Name, and a secret key
+ # known only to this server.
+ #
+ cui_postauth {
+ if (FreeRadius-Proxied-To == 127.0.0.1) {
+ if (outer.request:Chargeable-User-Identity) {
+ update outer.reply {
+ Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
+ }
+ }
+ }
+ else {
+ if (Chargeable-User-Identity) {
+ update reply {
+ Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
+ }
+ }
+ }
+ }
+
+ #
+ # If there is a CUI attribute in the reply, add it to the DB.
+ #
+ cui_updatedb {
+ if (reply:Chargeable-User-Identity) {
+ cui
+ }
+ }
+
+ #
+ # If we had stored a CUI for the User, add it to the request.
+ #
+ cui_accounting {
+ #
+ # If the CUI isn't in the packet, see if we can find it
+ # in the DB.
+ #
+ if (!Chargeable-User-Identity) {
+ update control {
+ Chargable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
+ }
+ }
+
+ #
+ # If it exists now, then write out when we last saw
+ # this CUI.
+ #
+ if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
+ cui
+ }
+ }
}
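Review bot: The `update control` line inside cui_accounting misspells the attribute as `Chargable-User-Identity`, while every other reference in this hunk, including the `if (!Chargeable-User-Identity)` guard just above it and the check that follows, uses `Chargeable-User-Identity`; the line should read `Chargeable-User-Identity := "%{cui: SELECT cui FROM cui WHERE ... }"` with the query text unchanged. Even with the spelling fixed, the lookup result lands in the control list while the later `if (Chargeable-User-Identity && (Chargeable-User-Identity != ""))` is an unqualified reference, which presumably resolves against the request list, so the "If it exists now" comment may not hold as written; either the stored result should go to the list the check reads or the check should name the list, e.g. `if (control:Chargeable-User-Identity && ...)`, whichever matches the intended behaviour of the `cui` call. Separately, cui_postauth writes the tunnelled case with `Chargeable-User-Identity:=` but the non-tunnelled case with `Chargeable-User-Identity=`; if the overwrite-versus-add-if-absent difference is deliberate, a one-line comment on each would save the next reader a guess. The `%{Client-IP-Address}`, `%{Calling-Station-Id}` and `%{User-Name}` expansions embedded in the `%{cui: ...}` query depend on the SQL module's xlat escaping of those values, which is worth stating in a comment next to the query so the assumption is visible. The enclosing `policy {` block opens in an earlier hunk; only its closing brace is in this one.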