+++ /dev/null
-#
-# $Id$
-#
-# Filter protocols by realm (or other key)
-# The "protocol_filter" module reads this file, and implements
-# the restrictions contained in it.
-#
-# The main purpose of this configuration file is to permit the
-# administrator to control, by realm (or any other key), which
-# protocols the request is permitted to contain. This allows
-# the server to permit users in one realm to use (say) EAP, and
-# to deny EAP to users in other realms.
-#
-# The key is used to look up entries by subsection. Within each
-# subsection, there is a list of attributes, with value "permit"
-# or "deny". When a request comes in, the attributes from the
-# request packet are looked up in the appropriate section given
-# by the key. If the section has an entry which says "permit"
-# for that attribute, the request is permitted to continue. If
-# the section has and entry which says "deny" for that
-# attribute, the request is immediately rejected.
-#
-# The default (if the attribute is not listed in the subsection)
-# is to permit the attribute.
-#
-# The attribute names MUST be spelled the same way as in
-# the dictionary files.
-#
-# The entries can have sub-sections, too. Each subsection
-# MUST begin with a "key" entry, which is used to apply
-# one of the rules in the subsection. Only one rule from
-# each subsection is applied, and that rule is the one pointed
-# to by the key. The key is dynamically expanded (see doc/variables.txt)
-# at run time, for each request as it comes in.
-#
-DEFAULT {
- #
- # There is no key here, as the key is always hard-coded to be
- # attributes in the request. For a request to pass the tests
- # in this section, ALL of the rules below must permit the
- # request to pass. That is, the rules are logically ANDed
- # together.
- #
-
- # allow requests to contain a user password attribute.
- User-Password = permit
-
- # Deny requests which try to use MS-CHAP, for testing.
- # just because we can. Both MS-CHAPv1 and MS-CHAPv2
- # use MS-CHAP-Challenge, so we just deny that.
- # If we wanted to deny just MS-CHAPv2, we would deny the
- # MS-CHAP2-Response attribute.
- MS-CHAP-Challenge = deny
-
- #
- # Allow some EAP protocols, but not others.
- #
- # The use of the EAP-Type for the key, below, means that the
- # protocol_filter module MUST be listed after "eap" in the
- # "authorize" section.
- #
- EAP-Message {
- #
- # See the dictionary for the names of the EAP-Types.
- # e.g. VALUE EAP-Type <name> <number>
- #
- # The names for the EAP types MUST be exactly the same
- # as the names in the dictionary file.
- #
- key = %{EAP-Type:-DEFAULT}
-
- # This is insecure, so we don't allow it.
- MD5-Challenge = deny
-
- # Permit one EAP type. We picked this one at random.
- EAP-MSCHAP-V2 = permit
-
- DEFAULT = deny
- }
-}
-
-#
-# A more complicated example.
-#
-example.com {
- #
- # For various reasons, we often would like to use the same
- # configuration entries inside, and outside of the TLS tunnel.
- # This allows us to keep all of the per-realm configuration in
- # one place.
- #
- EAP-Message {
- #
- # Define subsections, based on the request being
- # inside, or outside, of the TLS tunnel.
- #
- key = %{FreeRADIUS-Proxied-To:-Outer}
-
- #
- # Outside of the tunnel.
- #
- Outer {
- key = %{EAP-Type:-DEFAULT}
-
- # This is insecure, so we don't allow it.
- # It's not necessary, as the DEFAULT below will
- # take care of it, but this is a good example.
- MD5-Challenge = deny
-
- # We allow TTLS & PEAP as EAP types.
- EAP-TTLS = permit
-
- PEAP = permit
-
- DEFAULT = deny
- }
-
- #
- # Inside of the tunnel.
- #
- 127.0.0.1 {
- key = %{EAP-Type:-DEFAULT}
-
- # We don't do TLS inside of TTLS.
- EAP-TLS = deny
-
- DEFAULT = permit
- }
- }
-}
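Review bot: this deletes the entire `protocol_filter.conf` file, but nothing in the hunk removes or updates the consumer the file itself names ("The "protocol_filter" module reads this file") or the placement advice tied to it ("the protocol_filter module MUST be listed after "eap" in the "authorize" section"), so the change should either delete the module and its `authorize` wiring in the same commit or state in the message what now loads that module's configuration; otherwise a server that still instantiates `protocol_filter` will point at a file that no longer exists. Worth a sentence in the commit message as well: the file carried real policy, not just comments (`MS-CHAP-Challenge = deny`, `MD5-Challenge = deny`, `DEFAULT = deny` on the outer `EAP-Type` key, `EAP-TLS = deny` inside the tunnel), and the `example.com` section is the only place in this file showing how to split rules between the outer request and the inner-tunnel request via `key = %{FreeRADIUS-Proxied-To:-Outer}`; if these restrictions are meant to be expressed another way after the removal, name that replacement so readers of the diff can confirm the deny rules are not silently lost.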