# So we rehash class with Acct-Session-ID to provide a truely unique session identifier.
#
# Using a Class/Session-ID combination is more robust than using elements in the
- # Accounting-Request, which may be subject to change, such as NAS-IP-Address
- # or Client-IP-Address and NAS-Port-ID/NAS-Port.
- # So should ensure that session data is not affected if NAS IP addresses change, or
- # the client roams to a different 'port' whilst maintaining its initial authentication
+ # Accounting-Request, which may be subject to change, such as NAS-IP-Address,
+ # Client-IP-Address and NAS-Port-ID/NAS-Port.
+ #
+ # This policy should ensure that session data is not affected if NAS IP addresses change,
+ # or the client roams to a different 'port' whilst maintaining its initial authentication
# session (Common in a wireless environment).
#
if(Class =~ /auth_id:[0-9a-f]{32}/i) {
reject
}
}
-
+
#
# Forbid all non-EAP types outside of an EAP tunnel.
#
}
#
+ # Remove Reply-Message from response if were doing EAP
+ #
+ # Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should
+ # not be present in the same response.
+ #
+ remove_reply_message_if_eap {
+ if(reply:EAP-Message && reply:Reply-Message) {
+ update reply {
+ Reply-Message -= "%{reply:Reply-Message}"
+ }
+ }
+ else {
+ noop
+ }
+ }
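Review bot: The deletion on the added line `Reply-Message -= "%{reply:Reply-Message}"` strips only Reply-Message instances whose value equals the first one in the reply, because `-=` matches on attribute and value and `%{reply:Reply-Message}` expands to just the first instance, so if a module has queued several Reply-Message attributes with different text the extras survive and the response still carries EAP-Message and Reply-Message together, which is exactly what RFC 3579 2.6.5 forbids. The attribute-removal form `Reply-Message !* ANY` drops every instance regardless of value and avoids round-tripping the reply text through an expansion just to compare it. The definition is complete within the hunk; it is invoked from the post-auth and Post-Auth-Type REJECT calls later in the diff, presumably in the site file, so the fix stays confined to this policy. Minor wording: the header comment should read `we're doing EAP` rather than `were doing EAP`.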
+
+ #
# Split User-Name in NAI format (RFC 4282) into components
#
# This policy writes the Username and Domain portions of the NAI into the
#
# Filter the username
#
- # Force some sanity on User-Name.This helps to avoid issues
+ # Force some sanity on User-Name. This helps to avoid issues
# issues where the back-end database is "forgiving" about
# what constitutes a user name.
#
#
# The following policies are for the Chargeable-User-Identity
# (CUI) configuration.
-
#
# The policies below can be called as just 'cui' (not cui.authorize etc..)
# from the various config sections.
# Normalize the MAC Addresses in the Calling/Called-Station-Id
#
mac-addr-regexp = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})
-
- # Add "rewrite_called_station_id" in the "authorize" and "preacct"
- # sections.
+
+ #
+ # Add "rewrite_called_station_id" in the "authorize" and "preacct" sections.
+ #
rewrite_called_station_id {
if(Called-Station-Id =~ /^%{config:policy.mac-addr-regexp}(:(.+))?$/i) {
update request {
}
}
- # Add "rewrite_calling_station_id" in the "authorize" and "preacct"
- # sections.
+ #
+ # Add "rewrite_calling_station_id" in the "authorize" and "preacct" sections.
+ #
rewrite_calling_station_id {
if(Calling-Station-Id =~ /^%{config:policy.mac-addr-regexp}$/i) {
update request {
# RFC 2865 behaviour for the class attribute.
insert_acct_class
+ # Remove reply message if the response contains an EAP-Message
+ remove_reply_message_if_eap
+
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
# log failed authentications in SQL, too.
# sql
attr_filter.access_reject
+
+ # Remove reply message if the response contains an EAP-Message
+ remove_reply_message_if_eap
}
}