# they cannot be called recursively. They MUST be defined in order.
# If policy A calls policy B, then B MUST be defined before A.
#
-#
policy {
#
# Forbid all EAP types.
#
forbid_eap {
- if ("%{EAP-Message}") {
+ if (EAP-Message) {
reject
}
}
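Review bot: The new condition `if (EAP-Message)` in forbid_eap tests whether the attribute is present in the request, whereas the removed form tested the expanded string, and the policy's comment does not record that difference. Presumably an EAP-Message that is present but empty was not matched by the old string test and is matched now, which is the stricter result for a forbid rule; please confirm that is intended. I would add above the `if` the comment `# Matches any request that carries an EAP-Message attribute, whatever its value.` The same applies to `if (!EAP-Message)` in permit_only_eap, where such a request would now be treated as EAP; that policy's body continues outside its hunk.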
# Forbid all non-EAP types outside of an EAP tunnel.
#
permit_only_eap {
- if (!"%{EAP-Message}") {
+ if (!EAP-Message) {
# We MAY be inside of a TTLS tunnel.
# PEAP and EAP-FAST require EAP inside of
# the tunnel, so this check is OK.
# Forbid all attempts to login via realms.
#
deny_realms {
- if ("%{User-Name}" =~ /@|\\/) {
+ if (User-Name =~ /@|\\/) {
reject
}
}
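Review bot: The header comment on deny_realms says it forbids all attempts to log in via realms, but the regex on the new line, `/@|\\/`, matches only `@` and a backslash in User-Name. If the realm module is configured with any other delimiter, names in that form pass this policy unchanged. Either state the limit in the comment, for example `# Rejects only the "user@realm" and "DOMAIN\user" forms; keep in step with the delimiters configured for the realm module.`, or extend the alternation to cover the delimiters the deployment actually uses.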