Added new "policy.conf" to permit simplified configuration of

	policies

diff --git a/raddb/Makefile b/raddb/Makefile
index 55d5da0..9f2d844 100644 (file)
--- a/raddb/Makefile
+++ b/raddb/Makefile
@@ -13,7 +13,7 @@ FILES = acct_users attrs attrs.access_reject attrs.accounting_response        \
        attrs.pre-proxy clients.conf dictionary eap.conf                \
        experimental.conf hints huntgroups ldap.attrmap otp.conf        \
        policy.txt preproxy_users proxy.conf radiusd.conf               \
-       snmp.conf sql.conf sqlippool.conf users         \
+       snmp.conf sql.conf sqlippool.conf users policy.conf     \
        sites-available/default sites-available/example \
        sites-available/README
 

diff --git a/raddb/policy.conf b/raddb/policy.conf
new file mode 100644 (file)
index 0000000..e2d44aa
--- /dev/null
+++ b/raddb/policy.conf
@@ -0,0 +1,55 @@
+# -*- text -*-
+##
+## policy.conf -- FreeRADIUS server configuration file.
+##
+##     http://www.freeradius.org/
+##     $Id$
+##
+
+#
+#  Policies are virtual modules, similar to those defined in the
+#  "instantate" section of radiusd.conf.
+#
+#  Defining a policy here means that it can be referenced in multiple
+#  places as a *name*, rather than as a series of conditions to match,
+#  and actions to take.
+#
+#  Policies are something like subroutines in a normal language, but
+#  they cannot be called recursively.  They MUST be defined in order.
+#  If policy A calls policy B, then B MUST be defined before A.
+#
+#
+policy {
+       #
+       #       Forbid all EAP types.
+       #
+       forbid_eap {
+               if ("%{EAP-Message}") {
+                       reject
+               }
+       }
+
+       #
+       #       Forbid all non-EAP types outside of an EAP tunnel.
+       #
+       permit_only_eap {
+               if (!"%{EAP-Message}") {
+                       #  We MAY be inside of a TTLS tunnel.
+                       #  PEAP and EAP-FAST require EAP inside of
+                       #  the tunnel, so this check is OK.
+                       #  If so, then there MUST be an outer EAP message.
+                       if (!"%{outer.request:EAP-Message}") {
+                               reject
+                       }
+               }
+       }
+
+       #
+       #       Forbid all attempts to login via realms.
+       #
+       deny_realms {
+               if ("%{User-Name}" =~ /@|\\/) {
+                       reject
+               }
+       }
+}

diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index 331a2c8..c26e2f9 100644 (file)
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -1817,6 +1817,15 @@ instantiate {
 
 ######################################################################
 #
+#      Policies that can be applied in multiple places are listed
+#      globally.  That way, they can be defined once, and referred
+#      to multiple times.
+#
+######################################################################
+$INCLUDE policy.conf
+
+######################################################################
+#
 #      As of 2.0.0, the "authorize", "authenticate", etc. sections
 #      are in separate configuration files, per virtual host.
 #