2 # Sample of a policy language for rlm_policy.
4 # This is NOT the "unlang" policy, and has NO RELATION to "unlang"!
5 # The syntax is different, and the functionality is different.
8 # As of 2.0.0, the new configuration "un-language" is better
9 # tested, has more features, and is better integrated into the
10 # server than the rlm_policy module. rlm_policy is deprecated,
11 # and will likely be removed in a future release.
13 # There is no documentation other than this file.
15 # The syntax is odd, but it sort of works.
17 # A number of sites are using it in production servers,
18 # so it appears to be stable. However, we cannot answer
19 # questions about it, because we use "unlang" instead.
24 # Debugging statements
26 #debug print_tokens # as we're parsing this file
27 debug print_policy # once the file has been parsed
29 # Using this requires code edits to rlm_policy/evaluate.c
30 #debug evaluate # print limited information during evaluation
36 if (Time-Of-Day < "15:00") {
38 # The general form of edits to the attribute lists:
41 # Attribute-Name = Value
44 # name is: request, reply, control, proxy-request, proxy-reply
46 # s-operator is the operator for the section as a whole, not for individual attributes:
48 # = append, using operators from attributes
49 # .= append attributes, ignoring operators from attributes
50 # ^= add to head of list
51 # ^== add BEFORE matching attribute
53 # ^.= append BEFORE matching attribute
54 # $= add AFTER (same as =)
55 # $== add AFTER matching attribute
56 # $. add after (same as .=)
57 # $.= add after matching
59 # If the above explanation confuses you, don't ask. Try various
60 # configurations to see what happens. The results are difficult
61 # to explain, but easy to understand once you see them in action.
63 # The "matching attribute" text above refers to the syntax:
65 # name s-operator (match) {
66 # Attribute-Name = Value
69 # Where "match" is something like: User-Name == "bob"
71 # This lets you insert/edit/update attributes by selected
72 # position, which can be useful.
75 # Use ARAP-Password for testing because it's an attribute
77 ARAP-Password = "< 15:00"
84 # A named policy, executed during the "authorize" phase,
85 # because it's named "authorize".
89 if (!CHAP-Challenge) {
90 print "Adding CHAP-Challenge = %{request:Packet-Authentication-Vector}\n"
93 # Append all attributes to the specified list.
94 # The per-attribute operators MUST be '='
# RFC 2865 uses the Request Authenticator as the CHAP challenge when the
# request carries no CHAP-Challenge attribute, which is why the packet's
# authenticator is copied into CHAP-Challenge here.
97 CHAP-Challenge = "%{request:Packet-Authentication-Vector}"
102 # Use per-attribute operators to do override, replace, etc.
103 # It's "control", not "check items", because "check items"
104 # is a hold-over from the "users" file, and we no longer like that.
112 # This could just as well be "%{ldap: query...}" =~ ...
114 # if ("%{User-Name}" =~ "^(b)") {
116 # Arap-Password = "Hello, %{1}"
121 # Execute "3pm", as if it were in-line here.
126 ######################################################################
128 # The following entries are for example purposes only.
131 # Insert the attribute at the top of the list.
134 # Attribute1 += "Value1"
138 # Insert attribute1 before Attribute2 if found, otherwise it behaves
140 #reply ^== ( Attribute2 == "Value2" ) {
141 # Attribute1 += "Value1"
144 # ^. and ^.= differ from ^= and ^== in the same way that .= differs from =:
145 # they append the attribute list as-is instead of looking at the
146 # per-attribute operators.
148 # Otherwise they are the same.
152 # Cisco NASes will disconnect users if a VRF is assigned after an IP
153 # address has already been assigned. The VRF must come first.
155 # A sample policy to fix this is:
157 policy add_inter_vrf {
159 # If there is a matching lcp:interface-config entry,
160 # then add the VRF entry before it.
162 reply ^== ( reply:Cisco-Avpair =~ "lcp:interface-config") {
163 Cisco-Avpair += "lcp:interface-config=ip vrf forwarding CHL-PRIVATE"
167 # If there is no "lcp:interface-config=ip address" entry,
168 # add "ip unnumbered" after the VRF entry.
170 if (!reply:Cisco-Avpair =~ "lcp:interface-config=ip address.*") {
171 reply $== (reply:Cisco-AVpair == "lcp:interface-config=ip vrf forwarding CHL-PRIVATE") {
172 Cisco-Avpair += "lcp:interface-config=ip unnumbered l10"
177 # No IP address was assigned through RADIUS; tell the Cisco
178 # NAS to assign one from its own private IP pool.
180 if (!reply:Framed-IP-Address =* "") {
182 Cisco-Avpair += "ip:addr-pool=privatepool"