attrs.pre-proxy clients.conf dictionary eap.conf \
experimental.conf hints huntgroups ldap.attrmap otp.conf \
policy.txt preproxy_users proxy.conf radiusd.conf \
- snmp.conf sql.conf sqlippool.conf users \
+ snmp.conf sql.conf sqlippool.conf users policy.conf \
sites-available/default sites-available/example \
sites-available/README
--- /dev/null
+# -*- text -*-
+##
+## policy.conf -- FreeRADIUS server configuration file.
+##
+## http://www.freeradius.org/
+## $Id$
+##
+
+#
+# Policies are virtual modules, similar to those defined in the
+# "instantate" section of radiusd.conf.
+#
+# Defining a policy here means that it can be referenced in multiple
+# places as a *name*, rather than as a series of conditions to match,
+# and actions to take.
+#
+# Policies are something like subroutines in a normal language, but
+# they cannot be called recursively. They MUST be defined in order.
+# If policy A calls policy B, then B MUST be defined before A.
+#
+#
+policy {
+ #
+ # Forbid all EAP types.
+ #
+ forbid_eap {
+ if ("%{EAP-Message}") {
+ reject
+ }
+ }
+
+ #
+ # Forbid all non-EAP types outside of an EAP tunnel.
+ #
+ permit_only_eap {
+ if (!"%{EAP-Message}") {
+ # We MAY be inside of a TTLS tunnel.
+ # PEAP and EAP-FAST require EAP inside of
+ # the tunnel, so this check is OK.
+ # If so, then there MUST be an outer EAP message.
+ if (!"%{outer.request:EAP-Message}") {
+ reject
+ }
+ }
+ }
+
+ #
+ # Forbid all attempts to login via realms.
+ #
+ deny_realms {
+ if ("%{User-Name}" =~ /@|\\/) {
+ reject
+ }
+ }
+}
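Review bot: deny_realms hard-codes `@` and backslash as the only realm separators in `if ("%{User-Name}" =~ /@|\\/)`, so a User-Name whose realm is marked with any other delimiter that a realm instance in proxy.conf is configured with would pass this check unrejected; either state that assumption next to the regex, e.g. `# Assumes realm delimiters are "@" or "\" -- keep in sync with the realm instances in proxy.conf.`, or, if the policy runs after the realm module, test the attribute that module sets (Realm) rather than re-parsing the name. The header comment line reading `"instantate" section of radiusd.conf` has a typo and should read `"instantiate"`. The comment in permit_only_eap would read more clearly if it stated the outcome directly: a request without EAP-Message is accepted only when the enclosing outer request carries one, i.e. inside a TTLS/PEAP tunnel, and is rejected otherwise.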
######################################################################
#
+# Policies that can be applied in multiple places are listed
+# globally. That way, they can be defined once, and referred
+# to multiple times.
+#
+######################################################################
+$INCLUDE policy.conf
+
+######################################################################
+#
# As of 2.0.0, the "authorize", "authenticate", etc. sections
# are in separate configuration files, per virtual host.
#