summaryrefslogtreecommitdiffstats
path: root/raddb/policy.d/eap
diff options
context:
space:
mode:
Diffstat (limited to 'raddb/policy.d/eap')
-rw-r--r--raddb/policy.d/eap54
1 files changed, 54 insertions, 0 deletions
diff --git a/raddb/policy.d/eap b/raddb/policy.d/eap
new file mode 100644
index 0000000..c8dac22
--- /dev/null
+++ b/raddb/policy.d/eap
@@ -0,0 +1,54 @@
+#
+# Forbid all EAP types. Enable this by putting "forbid_eap"
+# into the "authorize" section.
+#
+forbid_eap {
+ if (&EAP-Message) {
+ reject
+ }
+}
+
+#
+# Forbid all non-EAP types outside of an EAP tunnel.
+#
+permit_only_eap {
+ if (!&EAP-Message) {
+ # We MAY be inside of a TTLS tunnel.
+ # PEAP and EAP-FAST require EAP inside of
+ # the tunnel, so this check is OK.
+ # If so, then there MUST be an outer EAP message.
+ if (!&outer.request || !&outer.request:EAP-Message) {
+ reject
+ }
+ }
+}
+
+#
+# Remove Reply-Message from response if were doing EAP
+#
+# Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should
+# not be present in the same response.
+#
+remove_reply_message_if_eap {
+ if (&reply:EAP-Message && &reply:Reply-Message) {
+ update reply {
+ &Reply-Message !* ANY
+ }
+ }
+ else {
+ noop
+ }
+}
+
+verify_tls_client_common_name {
+ #
+ # If the User-Name is anonymized, then don't check it.
+ #
+ # But if User-Name is realm AND there's a certificate name, then check
+ # if they match. This is not always the case, but it is the case
+ # often enough that it matters.
+ #
+ if ((&User-Name !~ /^@/) && &TLS-Client-Cert-Common-Name && (&TLS-Client-Cert-Common-Name != &User-Name)) {
+ reject
+ }
+}