#
# Sample of a policy language for rlm_policy.
#
# This is NOT the "unlang" policy, and has NO RELATION to "unlang"!
# The syntax is different, and the functionality is different.
#

# As of 2.0.0, the new configuration "un-language" is better
# tested, has more features, and is better integrated into the
# server than the rlm_policy module. rlm_policy is deprecated,
# and will likely be removed in a future release.
#
# There is no documentation other than this file.
#
# The syntax is odd, but it sort of works.
#
# A number of sites are using it in production servers,
# so it appears to be stable. However, we cannot answer
# questions about it, because we use "unlang", instead of
# this file.
#
# $Id: 1f62c55ae236dc9359764f4729f7ea4a8d36e2df $
#
# Debugging statements
#
# These only control what the module prints while loading and
# running policies.  Presumably they belong commented out on a
# production server unless you are actively debugging a policy;
# print_policy is left enabled here because this is a sample.
#
#debug print_tokens # as we're parsing this file
debug print_policy # once the file has been parsed

# Using this requires code edits to rlm_policy/evaluate.c
#debug evaluate # print limited information during evaluation

#
# A named policy.
#
policy 3pm {
	#
	# Nothing ties this policy to a server phase (compare "authorize"
	# below, which runs because of its name).  It only executes when
	# another policy invokes it, e.g. via "call 3pm".
	#
	if (Time-Of-Day < "15:00") {
		#
		# The general form of edits to the attribute lists:
		#
		#	name s-operator {
		#		Attribute-Name = Value
		#	}
		#
		# name is: request, reply, control, proxy-request, proxy-reply
		#
		# s-operator is operator for section, not attributes:
		#
		#	=	append, using operators from attributes
		#	.=	append attributes, ignoring operators from attributes
		#	^=	add to head of list
		#	^==	add BEFORE matching attribute
		#	^.	append
		#	^.=	append BEFORE matching attribute
		#	$=	add AFTER (same as =)
		#	$==	add AFTER matching attribute
		#	$.	add after (same as .=)
		#	$.=	add after matching
		#
		# If the above explanation confuses you, don't ask.  Try various
		# configurations to see what happens.  The results are difficult
		# to explain, but easy to understand once you see them in action.
		#
		# The "matching attribute" text above refers to the syntax:
		#
		#	name s-operator (match) {
		#		Attribute-Name = Value
		#	}
		#
		# Where "match" is something like: User-Name == "bob"
		#
		# This lets you insert/edit/update attributes by selected
		# position, which can be useful.
		#
		reply .= {
			# Use ARAP-Password for testing because it's an attribute
			# no one cares about.  Whatever is set here is appended to
			# the reply list and so goes back to the NAS; do not copy
			# this into a real policy as-is.
			ARAP-Password = "< 15:00"
		}
	}

}
#
# A named policy, executed during the "authorize" phase,
# because it's named "authorize".
#
policy authorize {
	#
	# Only requests that carry a CHAP-Password are touched.
	#
	if (CHAP-Password) {
		if (!CHAP-Challenge) {
			#
			# RFC 2865 section 5.3: when the NAS sends no CHAP-Challenge,
			# the Request Authenticator is the challenge.  The copy below
			# puts it in the request as an explicit attribute, presumably
			# so that later modules find it in the usual place.
			#
			# The print line is a debug trace; the authenticator is
			# already visible on the wire, so nothing secret is logged.
			#
			print "Adding CHAP-Challenge = %{request:Packet-Authentication-Vector}\n"

			#
			# Append all attributes to the specified list.
			# The per-attribute operators MUST be '='
			#
			request .= {
				CHAP-Challenge = "%{request:Packet-Authentication-Vector}"
			}
		}

		#
		# Use per-attribute operators to do override, replace, etc.
		# It's "control", not "check items", because "check items"
		# is a hold-over from the "users" file, and we no longer like that.
		#
		# ":=" overrides any Auth-Type already present in the control
		# list, so CHAP authentication is forced for every request that
		# contains a CHAP-Password.
		#
		control = {
			Auth-Type := CHAP
		}
	}

	#
	# This could just as well be "%{ldap: query...}" =~ ...
	#
	# if ("%{User-Name}" =~ "^(b)") {
	#	reply .= {
	#		Arap-Password = "Hello, %{1}"
	#	}
	# }

	#
	# Execute "3pm", as if it was in-line here.
	#
	# call 3pm
}
######################################################################
#
# The following entries are for example purposes only.
#
# The attribute values and patterns below (CHL-PRIVATE, l10,
# privatepool, ...) are site-specific samples; adjust them before
# copying anything into a live policy.
#

# Insert the attribute at the top of the list.
#
#reply ^= {
#	Attribute1 += "Value1"
#}


# Insert attribute1 before Attribute2 if found, otherwise it behaves
# like ^=
#reply ^== ( Attribute2 == "Value2" ) {
#	Attribute1 += "Value1"
#}

# ^. and ^.= have the same difference as .= and =
# namely they append the attribute list instead of looking at the
# attribute operators.
#
# Otherwise they are the same.

# Motivation:
#
# Cisco NASs will kick users who assign a VRF after assigning an IP
# address.  The VRF must come first.
#
# A sample policy to fix this is:
#
policy add_inter_vrf {
	#
	# If there's a matching lcp:...,
	# then add the vrf entry before it.
	#
	# "=~" is an unanchored regex match, so any Cisco-Avpair whose
	# value contains "lcp:interface-config" matches.  As described
	# for ^== above, if nothing matches the attribute is added at
	# the head of the list instead.
	#
	reply ^== ( reply:Cisco-Avpair =~ "lcp:interface-config") {
		Cisco-Avpair += "lcp:interface-config=ip vrf forwarding CHL-PRIVATE"
	}

	#
	# If no "ip address" line has been configured,
	# add "ip unnumbered" after the vrf entry.
	#
	# The trailing ".*" in the pattern is redundant for an unanchored
	# match.  Note that the attribute is spelled "Cisco-AVpair" below
	# and "Cisco-Avpair" elsewhere; dictionary lookups are
	# case-insensitive in FreeRADIUS, so both should resolve to the
	# same attribute, but one spelling is easier to grep for.
	#
	# "$==" adds the new value AFTER the Cisco-Avpair that exactly
	# equals the VRF string inserted above.
	#
	if (!reply:Cisco-Avpair =~ "lcp:interface-config=ip address.*") {
		reply $== (reply:Cisco-AVpair == "lcp:interface-config=ip vrf forwarding CHL-PRIVATE") {
			Cisco-Avpair += "lcp:interface-config=ip unnumbered l10"
		}
	}

	#
	# No IP address assigned through RADIUS, tell the Cisco
	# NAS to assign it from its own private IP pool.
	#
	# "=*" tests for the presence of an attribute regardless of its
	# value, so the negated test is true only when the reply carries
	# no Framed-IP-Address at all.
	#
	if (!reply:Framed-IP-Address =* "") {
		reply = {
			Cisco-Avpair += "ip:addr-pool=privatepool"
		}
	}
}