From: Arran Cudbard-Bell
Date: Fri, 1 Jul 2011 08:02:23 +0000 (+0200)
Subject: Fixup more formatting in polcy.conf and add policy to remove Reply-Messages if the...
X-Git-Tag: release_3_0_0_beta0~739
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=268abe3c71521cd55a1ac6b88a1e2fc5efc50daa;p=thirdparty%2Ffreeradius-server.git
Fixup more formatting in polcy.conf and add policy to remove Reply-Messages if the reply also contains an EAP-Message
---
diff --git a/raddb/policy.conf b/raddb/policy.conf
index 918c20d880f..369b9d542ee 100644
--- a/raddb/policy.conf
+++ b/raddb/policy.conf
@@ -32,10 +32,11 @@ policy {
 # So we rehash class with Acct-Session-ID to provide a truely unique session identifier.
 #
 # Using a Class/Session-ID combination is more robust than using elements in the
- # Accounting-Request, which may be subject to change, such as NAS-IP-Address
- # or Client-IP-Address and NAS-Port-ID/NAS-Port.
- # So should ensure that session data is not affected if NAS IP addresses change, or
- # the client roams to a different 'port' whilst maintaining its initial authentication
+ # Accounting-Request, which may be subject to change, such as NAS-IP-Address,
+ # Client-IP-Address and NAS-Port-ID/NAS-Port.
+ #
+ # This policy should ensure that session data is not affected if NAS IP addresses change,
+ # or the client roams to a different 'port' whilst maintaining its initial authentication
 # session (Common in a wireless environment).
 #
 if(Class =~ /auth_id:[0-9a-f]{32}/i) {
@@ -71,7 +72,7 @@ policy {
 reject
 }
 }
-
+
 #
 # Forbid all non-EAP types outside of an EAP tunnel.
 #
@@ -87,6 +88,23 @@ policy { } } + # + # Remove Reply-Message from response if were doing EAP + # + # Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should + # not be present in the same response. + # + remove_reply_message_if_eap { + if(reply:EAP-Message && reply:Reply-Message) { + update reply { + Reply-Message -= "%{reply:Reply-Message}" + } + } + else { + noop + } + } + # # Split User-Name in NAI format (RFC 4282) into components # @@ -133,7 +151,7 @@ policy { # # Filter the username # - # Force some sanity on User-Name.This helps to avoid issues + # Force some sanity on User-Name. This helps to avoid issues # issues where the back-end database is "forgiving" about # what constitutes a user name. # @@ -158,7 +176,6 @@ policy { # # The following policies are for the Chargeable-User-Identity # (CUI) configuration. - # # The policies below can be called as just 'cui' (not cui.authorize etc..) # from the various config sections. @@ -232,9 +249,10 @@ policy { # Normalize the MAC Addresses in the Calling/Called-Station-Id # mac-addr-regexp = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2}) - - # Add "rewrite_called_station_id" in the "authorize" and "preacct" - # sections. + + # + # Add "rewrite_called_station_id" in the "authorize" and "preacct" sections. + # rewrite_called_station_id { if(Called-Station-Id =~ /^%{config:policy.mac-addr-regexp}(:(.+))?$/i) { update request { @@ -254,8 +272,9 @@ policy { } } - # Add "rewrite_calling_station_id" in the "authorize" and "preacct" - # sections. + # + # Add "rewrite_calling_station_id" in the "authorize" and "preacct" sections. + # rewrite_calling_station_id { if(Calling-Station-Id =~ /^%{config:policy.mac-addr-regexp}$/i) { update request { diff --git a/raddb/sites-available/default b/raddb/sites-available/default index 9495c8a6219..2ca56e08a12 100644 --- a/raddb/sites-available/default +++ b/raddb/sites-available/default 
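Review bot: `Reply-Message -= "%{reply:Reply-Message}"` in the new remove_reply_message_if_eap policy only deletes the Reply-Message instances whose value equals that expansion, which (as far as the unlang expansion rules go) is the first Reply-Message in the reply; a reply carrying several Reply-Message attributes, as multi-line banners commonly are, still leaves the remaining ones next to EAP-Message, so the RFC 3579 §2.6.5 requirement the comment cites is not actually met. Removing every instance regardless of value is `Reply-Message !* ANY`, which also avoids feeding attribute content back through an expansion inside an update block. The header comment has a typo as well: `# Remove Reply-Message from response if we're doing EAP`. It would help administrators to add one line to that comment saying that RFC 3579 makes this a MUST NOT, so nobody re-adds a Reply-Message in a later post-auth step.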
@@ -546,6 +546,9 @@ post-auth { # RFC 2865 behaviour for the class attribute. insert_acct_class + # Remove reply message if the response contains an EAP-Message + remove_reply_message_if_eap + # # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section. @@ -557,6 +560,9 @@ post-auth { # log failed authentications in SQL, too. # sql attr_filter.access_reject + + # Remove reply message if the response contains an EAP-Message + remove_reply_message_if_eap } }
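Review bot: Both new calls to remove_reply_message_if_eap live in post-auth, which from these hunks runs for Access-Accept and, via the REJECT sub-section, Access-Reject; if Access-Challenge replies do not pass through post-auth in this version of the server, a Reply-Message that a module places next to the EAP-Message in a challenge is still sent, although RFC 3579 §2.6.5 covers Access-Challenge too. The diff cannot show that, so the comment on each call should state the coverage explicitly, e.g. `# Remove reply message if the response contains an EAP-Message (RFC 3579 2.6.5); only Access-Accept and Access-Reject pass through here.` In the REJECT hunk the call is placed after attr_filter.access_reject, which looks like the right order, since the filter would otherwise decide last what the reject carries. The post-auth section itself begins above the first hunk, so any earlier reply edits there are not visible here.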