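# -*- text -*-
##
## policy.conf	-- FreeRADIUS server configuration file.
##
##	http://www.freeradius.org/
##	$Id$
##

#
#  Policies are virtual modules, similar to those defined in the
#  "instantiate" section of radiusd.conf.
#
#  Defining a policy here means that it can be referenced in multiple
#  places as a *name*, rather than as a series of conditions to match,
#  and actions to take.
#
#  Policies are something like subroutines in a normal language, but
#  they cannot be called recursively.  They MUST be defined in order.
#  If policy A calls policy B, then B MUST be defined before A.
#
#  Unless a list is named explicitly ("outer.request:", "reply:",
#  "update control"), an attribute reference below reads or writes
#  the current request list.
#
policy {
	#
	#	Forbid all EAP types.  Use this in a virtual server that
	#	must never perform EAP (e.g. one that only does PAP/CHAP).
	#
	forbid_eap {
		if (EAP-Message) {
			reject
		}
	}

	#
	#	Forbid all non-EAP types outside of an EAP tunnel.
	#
	permit_only_eap {
		if (!EAP-Message) {
			#  We MAY be inside of a TTLS tunnel.
			#  PEAP and EAP-FAST require EAP inside of
			#  the tunnel, so this check is OK.
			#  If so, then there MUST be an outer EAP message.
			#  A request that is not inside a tunnel has no outer
			#  request, so the expansion is empty and it is rejected.
			if (!"%{outer.request:EAP-Message}") {
				reject
			}
		}
	}

	#
	#	Forbid all attempts to login via realms.
	#	Matches either realm separator: "user@realm" or
	#	"DOMAIN\user" (the doubled backslash is config-file escaping).
	#
	deny_realms {
		if (User-Name =~ /@|\\/) {
			reject
		}
	}

	#
	#	If you want the server to pretend that it is dead,
	#	then use the "do_not_respond" policy.  Setting the
	#	response type to Do-Not-Respond suppresses the reply,
	#	and "handled" stops further processing of the request.
	#
	do_not_respond {
		update control {
			Response-Packet-Type := Do-Not-Respond
		}

		handled
	}

	#
	#  Force some sanity on User-Name.  This helps to avoid
	#  issues where the back-end database is "forgiving" about
	#  what constitutes a user name: a lookup that ignores
	#  leading/trailing spaces or letter case can match a different
	#  account than the one the credentials were issued for.
	#
	filter_username {
		# spaces at the start: reject
		if (User-Name =~ /^ /) {
			reject
		}

		# spaces at the end: reject
		# NOTE(review): the doubled "$" is as shipped; confirm the
		# pattern anchors at end-of-string on this server version.
		if (User-Name =~ / $$/) {
			reject
		}

		# Mixed case: reject
		if (User-Name != "%{tolower:%{User-Name}}") {
			reject
		}
	}


	#
	#  The following policies are for the Chargeable-User-Identity
	#  (CUI) configuration.
	#

	#
	#  The client indicates it can do CUI by sending a CUI attribute
	#  containing one zero byte
	#
	cui_authorize {
		update request {
			Chargeable-User-Identity:='\\000'
		}
	}

	#
	#  Add a CUI attribute based on the User-Name, and a secret key
	#  known only to this server.
	#
	#  The CUI is md5(cui_hash_key . User-Name).  The secrecy of
	#  cui_hash_key is the only thing that stops a NAS or proxy from
	#  mapping a CUI back to a user name, so keep it long, random and
	#  private.  Changing the key changes every user's CUI.
	#
	cui_postauth {
		#  FreeRadius-Proxied-To == 127.0.0.1 marks an inner
		#  (EAP-tunnelled) request: the CUI request and reply live in
		#  the outer request/reply lists.
		if (FreeRadius-Proxied-To == 127.0.0.1) {
			if (outer.request:Chargeable-User-Identity) {
				update outer.reply {
					Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
				}
			}
		}
		else {
			if (Chargeable-User-Identity) {
				#  "=" adds the attribute only if the reply does not
				#  already carry one; ":=" (above) overwrites.
				update reply {
					Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
				}
			}
		}
	}

	#
	#  If there is a CUI attribute in the reply, add it to the DB.
	#  "cui" is the module instance that performs the write; it must
	#  be configured before any virtual server calls this policy.
	#
	cui_updatedb {
		if (reply:Chargeable-User-Identity) {
			cui
		}
	}

	#
	#  If we had stored a CUI for the User, add it to the request.
	#
	cui_accounting {
		#
		#  If the CUI isn't in the packet, see if we can find it
		#  in the DB.
		#
		#  The result must go into the *request* list: the check
		#  further down reads the request list by default and would
		#  never see a value placed in "control".
		#
		#  Client-IP-Address, Calling-Station-Id and User-Name are
		#  expanded inside the SQL text.  This relies on the sql
		#  module escaping nested expansions in its query xlat (see
		#  its "safe-characters" setting); do not build this query
		#  with a plain string expansion instead.
		#
		if (!Chargeable-User-Identity) {
			update request {
				Chargeable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
			}
		}

		#
		#  If it exists now, then write out when we last saw
		#  this CUI.  The != "" test covers an empty DB result,
		#  which the lookup above leaves as an empty-valued attribute.
		#
		if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
			cui
		}
	}

	#
	#  Normalize the MAC Addresses in the Calling/Called-Station-Id
	#
	#  Six hex octets, each optionally followed by one non-hex
	#  separator character, so "00:11:22:33:44:55", "00-11-22-33-44-55"
	#  and "001122334455" all match.  Only lower-case hex is listed;
	#  the policies below match with "/i", so upper-case input matches
	#  too.  Capture groups 1-6 are the octets.
	#
	mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})

	#  Add "rewrite.called_station_id" in the "authorize" and "preacct"
	#  sections.
	#
	#  Rewrites Called-Station-Id to lower-case "xx-xx-xx-xx-xx-xx",
	#  keeping an optional ":SSID" suffix.  After the six octet groups,
	#  group 7 is ":SSID" and group 8 is the SSID itself.
	rewrite.called_station_id {
		if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
			update request {
				Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
			}

			# SSID component?
			if ("%{8}") {
				update request {
					Called-Station-Id := "%{Called-Station-Id}:%{8}"
				}
			}
			updated
		}
		else {
			noop
		}
	}

	#  Add "rewrite.calling_station_id" in the "authorize" and "preacct"
	#  sections.
	#
	#  Rewrites Calling-Station-Id to lower-case "xx-xx-xx-xx-xx-xx".
	#  Unlike the Called-Station-Id variant, no suffix is accepted: the
	#  whole value must be a MAC address or it is left untouched.
	rewrite.calling_station_id {
		if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
			update request {
				Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
			}
			updated
		}
		else {
			noop
		}
	}
}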