--- /dev/null
+#
+# Cache EAP responses for resiliancy on intermediary proxy failover
+#
+cache cache_eap {
+ key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
+
+ ttl = 15
+
+ update reply {
+ reply: += reply:
+ control:State := request:State
+ }
+}
--- /dev/null
+#
+# Response caching to handle proxy failovers
+#
+eap.authorize {
+ cache_eap
+ if (ok) {
+ #
+ # Expire previous cache entry
+ #
+ if (control:State) {
+ update control {
+ Cache-TTL := 0
+ }
+ cache_eap
+
+ update control {
+ Cache-TTL !* ANY
+ State !* ANY
+ }
+ }
+
+ handled
+ }
+ else {
+ eap.authorize
+ }
+}
+
+#
+# Populate cache with responses from the EAP module
+#
+eap.authenticate {
+ eap {
+ handled = 1
+ }
+ if (handled) {
+ cache_eap
+
+ handled
+ }
+
+ cache_eap
+}
+
+#
+# Forbid all EAP types. Enable this by putting "forbid_eap"
+# into the "authorize" section.
+#
+forbid_eap {
+ if (EAP-Message) {
+ reject
+ }
+}
+
+#
+# Forbid all non-EAP types outside of an EAP tunnel.
+#
+permit_only_eap {
+ if (!EAP-Message) {
+ # We MAY be inside of a TTLS tunnel.
+ # PEAP and EAP-FAST require EAP inside of
+ # the tunnel, so this check is OK.
+ # If so, then there MUST be an outer EAP message.
+ if (!"%{outer.request:EAP-Message}") {
+ reject
+ }
+ }
+}
+
+#
+# Remove Reply-Message from response if were doing EAP
+#
+# Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should
+# not be present in the same response.
+#
+remove_reply_message_if_eap {
+ if(reply:EAP-Message && reply:Reply-Message) {
+ update reply {
+ Reply-Message !* ANY
+ }
+ }
+ else {
+ noop
+ }
+}
+