# This virtual server implements an identity provider for GSS-EAP
# (RFC 7055), using the Trust Router protocol for dynamic realm
# discovery. Any ABFAB identity provider is also an ABFAB relying
# party proxy, so this file configures both roles.

# This file does not include a TLS listener; see abfab-tls for a simple
# example of a RadSec (RADIUS over TLS, RFC 6614) listener for ABFAB.
# If you intend to use CUI (Chargeable-User-Identity, RFC 4372), require
# an Operator-Name (RFC 5580) to be present before a CUI is generated,
# and also want to generate CUIs for your local clients, then uncomment
# operator-name below and set the operator name for those clients in
# clients.conf.
#	operator-name

# If you want to generate CUI for some clients that do not
# send proper CUI requests (a CUI attribute holding a single NUL
# octet), then uncomment cui below and set "add_cui = yes" for
# these clients in clients.conf.
#	cui
# Allow EAP authentication.

# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.

# For EAP-TTLS and PEAP, add the cached attributes to the reply.
# The "session-state" attributes are automatically cached when
# an Access-Challenge is sent, and automatically retrieved
# when an Access-Request carrying the matching State is received.

# The session-state attributes are automatically deleted after
# an Access-Reject or Access-Accept is sent.
&reply: += &session-state:
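# Added example (not FreeRADIUS code): a Python model of the caching
# described above, so the lifetime of session-state is visible end to end.
# The attribute names and values, the State generation and the two-round
# EAP-TTLS exchange in demo_ttls_exchange() are constructed here.

```python
import os
from typing import Dict, List, Optional, Tuple

Attr = Tuple[str, str]      # (attribute name, value) as it sits in a RADIUS list
AttrList = List[Attr]


def first(attrs: AttrList, name: str) -> Optional[str]:
    """Value of the first attribute called `name`, or None."""
    return next((v for n, v in attrs if n == name), None)


class SessionStateCache:
    """Keep the session-state list between an Access-Challenge and the next
    Access-Request; drop it once the final Accept/Reject has been sent."""

    def __init__(self) -> None:
        self._cache: Dict[str, AttrList] = {}

    def access_challenge(self, reply: AttrList, session_state: AttrList) -> AttrList:
        # A fresh, unguessable State per round. The NAS must echo it unchanged,
        # so it is the only link between this round and the next one.
        state = os.urandom(16).hex()
        self._cache[state] = list(session_state)
        return list(reply) + [("State", state)]

    def access_request(self, request: AttrList) -> AttrList:
        # Whatever was cached under the echoed State. A missing, stale or
        # forged State yields an empty session-state list, never another
        # conversation's attributes.
        state = first(request, "State")
        return list(self._cache.get(state, [])) if state else []

    def access_accept(self, request: AttrList, reply: AttrList) -> AttrList:
        # post-auth `&reply: += &session-state:` appends every cached
        # attribute to the reply ...
        merged = list(reply) + self.access_request(request)
        self._forget(request)   # ... and the entry dies with the conversation
        return merged

    def access_reject(self, request: AttrList, reply: AttrList) -> AttrList:
        # This site merges nothing into a reject; the entry is still deleted.
        self._forget(request)
        return list(reply)

    def _forget(self, request: AttrList) -> None:
        state = first(request, "State")
        if state:
            self._cache.pop(state, None)

    def pending(self) -> int:
        return len(self._cache)


def demo_ttls_exchange():
    """Two-round EAP-TTLS conversation with constructed attributes."""
    srv = SessionStateCache()
    # Round 1: the inner tunnel produced a VLAN assignment for the user; it is
    # stashed in session-state and an Access-Challenge goes back to the NAS.
    challenge = srv.access_challenge(
        reply=[("EAP-Message", "<EAP-Request/TTLS>")],
        session_state=[("Tunnel-Type", "VLAN"), ("Tunnel-Private-Group-Id", "42")],
    )
    state = first(challenge, "State")
    # Round 2: the NAS echoes State; the cached attributes are visible again
    # and end up in the Access-Accept.
    request2 = [("User-Name", "alice@example.org"),
                ("EAP-Message", "<EAP-Response/TTLS>"),
                ("State", state)]
    cached = srv.access_request(request2)
    accept = srv.access_accept(request2, reply=[("EAP-Message", "<EAP-Success>")])
    return cached, accept, srv.pending()


if __name__ == "__main__":
    print(demo_ttls_exchange())
```

# The point to notice is the last element returned by demo_ttls_exchange():
# once the Access-Accept has been built, nothing is left in the cache, and a
# request with an unknown State gets an empty list rather than another
# conversation's attributes.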
# Create the CUI value and add the attribute to the Access-Accept.
# Uncomment the line below if *returning* the CUI.
#	cui

# If you want to have a log of authentication replies,
# uncomment the following line, and enable the
# 'detail reply_log' module.
#	reply_log

# After authenticating the user, do another SQL query.
# See "Authentication Logging Queries" in sql.conf.

# Uncomment the following if you want to modify the user's object
# in LDAP after a successful login.

# For Exec-Program and Exec-Program-Wait.

# Remove Reply-Message if the response contains an EAP-Message.
remove_reply_message_if_eap

# Uncomment to enable logging of certain Moonshot attributes. See
# mods-available/moonshot_custom_linelog.
#	log_moonshot_authn_rp_proxy
# Access-Reject packets are sent through the REJECT sub-section of the

# Add the ldap module name (or instance) if you have set
# 'edir_account_policy_check = yes' in the ldap module configuration.
Post-Auth-Type REJECT {
	# Uncomment to enable logging of certain Moonshot attributes. See
	# mods-available/moonshot_custom_linelog.
#	log_moonshot_authn_rp_proxy

	# Log failed authentications in SQL, too.

	attr_filter.access_reject
	# Insert an EAP-Failure if the request was rejected by policy
	# rather than because of an authentication failure, and the reply
	# already carries an EAP-Message. The non-ABFAB sites insert the
	# failure unconditionally; for ABFAB it is preferable to preserve
	# Reply-Message when we can, so only do it when EAP is in play.
	if (&reply:EAP-Message) {
		eap
	}

	# Remove Reply-Message if the response contains an EAP-Message.
	remove_reply_message_if_eap
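# Added example (not FreeRADIUS code): the REJECT handling above applied to
# a plain attribute list, with abfab=False modelling the non-ABFAB sites
# that run eap in REJECT unconditionally. EAP packets are encoded from
# scratch; the identifiers and messages in demo() are constructed here.

```python
import struct
from typing import List, Optional, Tuple, Union

Attr = Tuple[str, Union[str, bytes]]
AttrList = List[Attr]

EAP_SUCCESS, EAP_FAILURE = 3, 4   # RFC 3748 Code field values


def eap_packet(code: int, identifier: int, data: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2) Data; Success/Failure carry no Data."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def find(reply: AttrList, name: str) -> Optional[Union[str, bytes]]:
    return next((v for n, v in reply if n == name), None)


def shape_reject(reply: AttrList, abfab: bool, last_eap_identifier: int) -> AttrList:
    """Apply `if (&reply:EAP-Message) { eap }`, then remove_reply_message_if_eap.

    abfab=False is the non-ABFAB behaviour: eap runs for every reject, so
    every reject becomes an EAP-Failure and loses its Reply-Message.
    """
    eap = find(reply, "EAP-Message")
    if eap is not None or not abfab:
        # The eap module in REJECT: whatever EAP packet the reply carried
        # (even an EAP-Success that a later policy reject overrode) becomes a
        # definitive EAP-Failure with the conversation's current Identifier.
        identifier = eap[1] if eap is not None else last_eap_identifier
        reply = [(n, v) for n, v in reply if n != "EAP-Message"]
        reply = reply + [("EAP-Message", eap_packet(EAP_FAILURE, identifier))]
    if find(reply, "EAP-Message") is not None:
        # remove_reply_message_if_eap: a peer inside an EAP conversation
        # never sees Reply-Message text, so it is dropped.
        reply = [(n, v) for n, v in reply if n != "Reply-Message"]
    return reply


def demo():
    """Constructed rejects: a pure policy reject and a reject after EAP-Success."""
    policy_reject = [("Reply-Message", "Account disabled by policy")]
    mid_eap = [("EAP-Message", eap_packet(EAP_SUCCESS, 9)),
               ("Reply-Message", "Rejected after EAP-Success")]
    return {
        "abfab_policy": shape_reject(policy_reject, True, 9),
        "abfab_mid_eap": shape_reject(mid_eap, True, 9),
        "plain_policy": shape_reject(policy_reject, False, 9),
    }


if __name__ == "__main__":
    for name, reply in demo().items():
        print(name, reply)
```

# In the ABFAB case a pure policy reject keeps its Reply-Message for the
# relying party to see; once EAP is in play the reply ends as a bare
# EAP-Failure carrying the conversation's Identifier, which is what the
# peer needs to end the exchange cleanly.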
# Uncomment to enable logging of certain Moonshot attributes. See
# mods-available/moonshot_custom_linelog.
#	log_moonshot_authn_rp_proxy

# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to

# Only a few modules currently have this method.

# Before proxying the request, add an Operator-Name attribute
# identifying this operator, if an operator name is configured
# for the client the request came from.
# No need to uncomment this if you have already enabled it in
# the authorize section.
#	operator-name
# The client requests the CUI by sending a CUI attribute
# containing one zero byte.
# Uncomment the line below if *requesting* the CUI from the home server.
#	cui
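# Added example (not FreeRADIUS code) covering the CUI comments in the
# authorize section, the "returning the CUI" step in post-auth and the
# "requesting the CUI" step here: prepare_request() is what this server does
# in its relying-party-proxy role, generate_cui() what it does as the home
# IdP. The clients.conf keys (operator_name, add_cui), the HMAC-SHA256
# construction and its key, and every identity and operator name are
# assumptions made for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional

# RFC 4372: a Chargeable-User-Identity holding one NUL octet asks the home
# server to return a CUI. RFC 5580 Operator-Name starts with a namespace
# byte; '1' is the REALM namespace.
CUI_REQUEST = b"\x00"


def prepare_request(request: Dict[str, bytes], client: Dict[str, str]) -> Dict[str, bytes]:
    """authorize / pre-proxy role: what the operator-name and cui policies do
    before the packet is authenticated here or proxied on.

    `client` stands in for the clients.conf entry of the NAS or proxy the
    packet arrived from (assumed keys: operator_name, add_cui).
    """
    out = dict(request)
    op = client.get("operator_name")
    if op and "Operator-Name" not in out:
        out["Operator-Name"] = op.encode()            # only if the NAS sent none
    if client.get("add_cui") == "yes" and "Chargeable-User-Identity" not in out:
        out["Chargeable-User-Identity"] = CUI_REQUEST  # NAS cannot ask; ask on its behalf
    return out


def generate_cui(request: Dict[str, bytes], hash_key: bytes,
                 require_operator_name: bool) -> Optional[bytes]:
    """post-auth role: the CUI to put in the Access-Accept, or None."""
    if request.get("Chargeable-User-Identity") != CUI_REQUEST:
        return None        # not requested, or a real CUI is already present
    op = request.get("Operator-Name")
    if require_operator_name and not op:
        return None        # refuse to mint an identifier that is not operator-scoped
    user = request.get("Stripped-User-Name", request.get("User-Name", b"")).lower()
    # Keyed hash (assumed construction): stable per (user, operator),
    # unlinkable across operators, not reversible without the key.
    digest = hmac.new(hash_key, user + b"\x00" + (op or b""), hashlib.sha256).digest()
    return digest[:16].hex().encode()


def demo() -> Dict[str, Optional[bytes]]:
    """Constructed requests for one user seen through different operators."""
    key = b"cui_hash_key-changeme"   # assumed per-IdP secret
    base = {"User-Name": b"Alice@example.org"}
    via_a = prepare_request({**base, "Chargeable-User-Identity": CUI_REQUEST},
                            {"operator_name": "1wlan-a.example.net"})
    via_b = prepare_request({**base, "Chargeable-User-Identity": CUI_REQUEST},
                            {"operator_name": "1wlan-b.example.net"})
    local = prepare_request(base, {"operator_name": "1home.example.org", "add_cui": "yes"})
    no_op = {**base, "Chargeable-User-Identity": CUI_REQUEST}
    return {
        "via_a": generate_cui(via_a, key, True),
        "via_b": generate_cui(via_b, key, True),
        "local": generate_cui(local, key, True),
        "not_requested": generate_cui(base, key, True),
        "no_operator_name": generate_cui(no_op, key, True),
        "no_operator_name_relaxed": generate_cui(no_op, key, False),
    }


if __name__ == "__main__":
    for name, cui in demo().items():
        print(name, cui)
```

# The same user gets a different CUI at each operator, a client flagged
# add_cui gets one without having asked, and with the operator-name
# requirement on, a request lacking Operator-Name gets no CUI at all.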
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.

# Uncomment the following line if you want to filter requests
# sent to remote servers based on the rules defined in the
# 'attrs.pre-proxy' file.
#	attr_filter.pre-proxy

# If you want to have a log of packets proxied to a home
# server, uncomment the following line, and the
# 'detail pre_proxy_log' section, above.
#	pre_proxy_log

# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the

# If you want to have a log of replies from a home server,
# uncomment the following line, and the 'detail post_proxy_log'
#	post_proxy_log

# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
#	attr_filter.post-proxy
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy

# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# carried inside the EAP packet, and the end server will
# reject the EAP request.