cui_hash_key = "some_hash_key"
#
+# cui_require_operator_name switch
+# If this is set to nonzero value then CUI will only be added
+# when a non-empty Operator-Name value is present in the request
+#
+cui_require_operator_name = 0
+
+#
# The client indicates it can do CUI by sending a CUI attribute
# containing one zero byte.
# A non-empty value in Operator-Name can be an additional requirement.
}
+#
# Add a CUI attribute based on the User-Name, and a secret key
# known only to this server.
+# For EAP-TTLS and EAP-PEAP methods
+# use_tunneled_reply parameter MUST be set to yes
#
cui.post-auth {
- if (FreeRadius-Proxied-To == 127.0.0.1) {
- if (outer.request:Chargeable-User-Identity) {
- update outer.reply {
- Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
- }
- }
- }
- else {
- if (Chargeable-User-Identity) {
- update reply {
- Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
- }
- }
- }
+ if (Freeradius-Proxied-To == 127.0.0.1) {
+ if (outer.request:Chargeable-User-Identity && \
+ (outer.request:Operator-Name || !("${policy.cui_require_operator_name}"))) {
+ update reply {
+ Chargeable-User-Identity:="%{md5:${policy.cui_hash_key}%{User-Name}%{outer.request:Operator-Name:-}}"
+ }
+ }
+ }
+ else {
+ if (!("%{control:Proxy-To-Realm}") && \
+ Chargeable-User-Identity && \
+ !(reply:Chargeable-User-Identity) && \
+ (Operator-Name || !("${policy.cui_require_operator_name}")) ) {
+ update reply {
+ Chargeable-User-Identity="%{md5:${policy.cui_hash_key}%{User-Name}%{%{Operator-Name}:-}}"
+ }
+ }
+ update reply {
+ User-Name-="%{reply:User-Name}"
+ }
+ }
}
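Review bot: The tunneled branch (the `update reply` under `Freeradius-Proxied-To == 127.0.0.1`) builds the hash input with `%{outer.request:Operator-Name:-}`, while the non-proxied branch uses the nested form `%{%{Operator-Name}:-}`; the two should use the same alternation syntax. If the single-brace form does not expand as an "empty if absent" fallback on this server version, the inner-tunnel CUI may not vary per operator, or may hash a literal string, which would undercut the per-operator separation this change is meant to add. I would write it as `Chargeable-User-Identity:="%{md5:${policy.cui_hash_key}%{User-Name}%{%{outer.request:Operator-Name}:-}}"`. Separately, in both branches User-Name and Operator-Name are concatenated with no separator, so two different (User-Name, Operator-Name) pairs can yield the same hash input; a fixed delimiter between the fields would remove that ambiguity. The unconditional `User-Name-="%{reply:User-Name}"` in the else branch is also not covered by the comment above `cui.post-auth` and deserves a one-line explanation of why the reply User-Name is stripped.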