/etc/freeradius/policy.conf is in freeradius 2.1.12+dfsg-1.2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 | # -*- text -*-
##
## policy.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id$
##
#
# Policies are virtual modules, similar to those defined in the
# "instantate" section of radiusd.conf.
#
# Defining a policy here means that it can be referenced in multiple
# places as a *name*, rather than as a series of conditions to match,
# and actions to take.
#
# Policies are something like subroutines in a normal language, but
# they cannot be called recursively. They MUST be defined in order.
# If policy A calls policy B, then B MUST be defined before A.
#
policy {
#
# Forbid all EAP types.
#
forbid_eap {
if (EAP-Message) {
reject
}
}
#
# Forbid all non-EAP types outside of an EAP tunnel.
#
permit_only_eap {
if (!EAP-Message) {
# We MAY be inside of a TTLS tunnel.
# PEAP and EAP-FAST require EAP inside of
# the tunnel, so this check is OK.
# If so, then there MUST be an outer EAP message.
if (!"%{outer.request:EAP-Message}") {
reject
}
}
}
#
# Forbid all attempts to login via realms.
#
deny_realms {
if (User-Name =~ /@|\\/) {
reject
}
}
#
# If you want the server to pretend that it is dead,
# then use the "do_not_respond" policy.
#
do_not_respond {
update control {
Response-Packet-Type := Do-Not-Respond
}
handled
}
#
# Force some sanity on User-Name. This helps to avoid issues
# issues where the back-end database is "forgiving" about
# what constitutes a user name.
#
filter_username {
# spaces at the start: reject
if (User-Name =~ /^ /) {
reject
}
# spaces at the end: reject
if (User-Name =~ / $$/) {
reject
}
# Mixed case: reject
if (User-Name != "%{tolower:%{User-Name}}") {
reject
}
}
#
# The following policies are for the Chargeable-User-Identity
# (CUI) configuration.
#
#
# The client indicates it can do CUI by sending a CUI attribute
# containing one zero byte
#
cui_authorize {
update request {
Chargeable-User-Identity:='\\000'
}
}
#
# Add a CUI attribute based on the User-Name, and a secret key
# known only to this server.
#
cui_postauth {
if (FreeRadius-Proxied-To == 127.0.0.1) {
if (outer.request:Chargeable-User-Identity) {
update outer.reply {
Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
}
}
}
else {
if (Chargeable-User-Identity) {
update reply {
Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
}
}
}
}
#
# If there is a CUI attribute in the reply, add it to the DB.
#
cui_updatedb {
if (reply:Chargeable-User-Identity) {
cui
}
}
#
# If we had stored a CUI for the User, add it to the request.
#
cui_accounting {
#
# If the CUI isn't in the packet, see if we can find it
# in the DB.
#
if (!Chargeable-User-Identity) {
update control {
Chargable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
}
}
#
# If it exists now, then write out when we last saw
# this CUI.
#
if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
cui
}
}
#
# Normalize the MAC Addresses in the Calling/Called-Station-Id
#
mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})
# Add "rewrite.called_station_id" in the "authorize" and "preacct"
# sections.
rewrite.called_station_id {
if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
update request {
Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
}
# SSID component?
if ("%{8}") {
update request {
Called-Station-Id := "%{Called-Station-Id}:%{8}"
}
}
updated
}
else {
noop
}
}
# Add "rewrite.calling_station_id" in the "authorize" and "preacct"
# sections.
rewrite.calling_station_id {
if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
update request {
Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
}
updated
}
else {
noop
}
}
}
|