# do things here
}
else {
+ update reply {
+ Reply-Message = "RP not authorized for this ABFAB request"
+ }
reject
}
}
}
-abfab_pre_proxy {
+abfab_client_check {
# check that the acceptor host name is correct
if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") {
if ("%{client:gss_acceptor_host_name}" != "%{gss-acceptor-host-name}") {
+ update reply {
+ Reply-Message = "GSS-Acceptor-Host-Name incorrect"
+ }
reject
}
}
# set trust-router-coi attribute from the client configuration
if ("%{client:trust_router_coi}") {
- update proxy-request {
+ update request {
Trust-Router-COI := "%{client:trust_router_coi}"
}
}
# set gss-acceptor-realm-name attribute from the client configuration
if ("%{client:gss_acceptor_realm_name}") {
- update proxy-request {
+ update request {
GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}"
}
}
server abfab-idp {
authorize {
psk_authorize
+ abfab_client_check
filter_username
preprocess
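Review bot: `abfab_client_check` is listed after `psk_authorize`, so any decision psk_authorize makes from Trust-Router-COI or GSS-Acceptor-Realm-Name would see the values the RP sent, not the ones the policy later forces from the client configuration with `:=`. The condition psk_authorize evaluates is not visible in this diff, so this needs confirming; if it does read those attributes, listing `abfab_client_check` before `psk_authorize` would make the authorization run on the configured values. Separately, the host-name comparison in abfab_client_check only runs when both the client setting and the request attribute are non-empty, so a request that omits gss-acceptor-host-name is not rejected even when the client has one configured. If that is intended, a comment such as `# a missing GSS-Acceptor-Host-Name is accepted; only a mismatch is rejected` would make it explicit.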
# Insert EAP-Failure message if the request was
# rejected by policy instead of because of an
- # authentication failure
- eap
+ # authentication failure And already has an EAP message
+ # For non-ABFAB, we insert the failure all the time, but for ABFAB
+ # It's more desirable to preserve reply-message when we can
+if &reply:Eap-Message {
+ eap
+ }
# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
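Review bot: The added condition `if &reply:Eap-Message {` sits at column 0 and has no parentheses, while every other condition in this change is written as `if ("...") {` and indented with its block. Writing it as `if (&reply:Eap-Message) {` at the section's indent would keep it consistent and avoid depending on how the parser treats a bare condition. The comment above it also runs two sentences together ("authentication failure And already has"), and it should state the consequence plainly: a policy reject that has no EAP-Message yet now goes out with only the Reply-Message and no EAP-Failure. The enclosing section begins outside this hunk, so it is worth checking that nothing later in the section expects the EAP-Failure to always be present.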
# No need to uncomment this if you have already enabled this in
# the authorize section.
# operator-name
- abfab_pre_proxy
# The client requests the CUI by sending a CUI attribute
# containing one zero byte.