# If policy A calls policy B, then B MUST be defined before A.
#
policy {
- # We check for this prefix to determine whether the class value was generated by the server.
+ # We check for this prefix to determine whether the class
+ # value was generated by this server. It should be changed
+ # so that it is globally unique.
class_value_prefix = 'ai:'
+
#
- # Overload the default acct_unique module, it's not smart enough
+ # Overload the default acct_unique module, it's not
+ # smart enough.
#
acct_unique {
#
- # If we have a class attribute in the format 'auth_id:[0-9a-f]{32}' it'll have a local
- # value (defined by insert_acct_class), this ensures uniquenes and suitability.
+ # If we have a class attribute in the format
+ # 'auth_id:[0-9a-f]{32}' it'll have a local value
+ # (defined by insert_acct_class), this ensures
+ # uniqueness and suitability.
#
- # We could just use the Class attribute as Acct-Unique-Session-Id, but this may cause
- # problems with NAS that carry Class values across between multiple linked sessions.
- # So we rehash class with Acct-Session-ID to provide a truely unique session identifier.
+ # We could just use the Class attribute as
+ # Acct-Unique-Session-Id, but this may cause problems
+ # with NAS that carry Class values across between
+ # multiple linked sessions. So we rehash class with
+ # Acct-Session-ID to provide a truely unique session
+ # identifier.
#
- # Using a Class/Session-ID combination is more robust than using elements in the
- # Accounting-Request, which may be subject to change, such as NAS-IP-Address,
- # Client-IP-Address and NAS-Port-ID/NAS-Port.
+ # Using a Class/Session-ID combination is more robust
+ # than using elements in the Accounting-Request,
+ # which may be subject to change, such as
+ # NAS-IP-Address, Client-IP-Address and
+ # NAS-Port-ID/NAS-Port.
#
- # This policy should ensure that session data is not affected if NAS IP addresses change,
- # or the client roams to a different 'port' whilst maintaining its initial authentication
- # session (Common in a wireless environment).
+ # This policy should ensure that session data is not
+ # affected if NAS IP addresses change, or the client
+ # roams to a different 'port' whilst maintaining its
+ # initial authentication session (Common in a
+ # wireless environment).
#
if("%{string:Class}" =~ /${policy.class_value_prefix}([0-9a-f]{32})/i) {
update request {
Acct-Unique-Session-Id := "%{md5:%{1}%{Acct-Session-ID}}"
}
}
+
#
- # Not All devices respect RFC 2865 when dealing with the class attribute,
- # so be prepared to use the older style of hashing scheme if a class attribute is not included
+ # Not All devices respect RFC 2865 when dealing with
+ # the class attribute, so be prepared to use the
+ # older style of hashing scheme if a class attribute
+ # is not included
#
else {
update request {
}
#
- # Forbid all EAP types.
+ # Forbid all EAP types. Enable this by putting "forbid_eap"
+ # into the "authorize" section.
#
forbid_eap {
if (EAP-Message) {
#
# Split User-Name in NAI format (RFC 4282) into components
#
- # This policy writes the Username and Domain portions of the NAI into the
- # Stripped-User-Name and Stripped-User-Domain attributes.
+ # This policy writes the Username and Domain portions of the
+ # NAI into the Stripped-User-Name and Stripped-User-Domain
+ # attributes.
#
- # The regular expression to do this is not strictly compliant with the standard,
- # but it is not possible to write a compliant regexp without perl style
- # regular expressions (or at least not a legible one).
+ # The regular expression to do this is not strictly compliant
+ # with the standard, but it is not possible to write a
+ # compliant regexp without perl style regular expressions (or
+ # at least not a legible one).
#
-
nai_regexp = "^([^@]*)(@([-[:alnum:]]+\\.[-[:alnum:].]+))?$"
split_username_nai {
Stripped-User-Name := "%{1}"
Stripped-User-Domain = "%{3}"
}
- # If any of the expansions result in a null string, the update
- # section may return something other than updated...
+
+ # If any of the expansions result in a null
+ # string, the update section may return
+ # something other than updated...
updated
}
- else{
+ else {
noop
}
}
#
# If called in post-proxy we modify the proxy-reply message
#
-
split_username_nai.post-proxy {
if(proxy-reply:User-Name =~ /${policy.nai_regexp}/){
update proxy-reply {
}
updated
}
- else{
+ else {
noop
}
}
#
- # Forbid all attempts to login via realms.
+ # Example of forbidding all attempts to login via
+ # realms.
#
deny_realms {
if (User-Name =~ /@|\\/) {
# The following policies are for the Chargeable-User-Identity
# (CUI) configuration.
#
- # The policies below can be called as just 'cui' (not cui.authorize etc..)
- # from the various config sections.
+ # The policies below can be called as just 'cui' (not
+ # cui.authorize etc..) from the various config sections.
#
#
mac-addr-regexp = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})
#
- # Add "rewrite_called_station_id" in the "authorize" and "preacct" sections.
+ # Add "rewrite_called_station_id" in the "authorize" and
+ # "preacct" sections.
#
rewrite_called_station_id {
if(Called-Station-Id =~ /^${policy.mac-addr-regexp}(:(.+))?$/i) {
}
#
- # Add "rewrite_calling_station_id" in the "authorize" and "preacct" sections.
+ # Add "rewrite_calling_station_id" in the "authorize" and
+ # "preacct" sections.
#
rewrite_calling_station_id {
if(Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i) {