summaryrefslogtreecommitdiffstats
path: root/raddb/sites-available/abfab-tr-idp
diff options
context:
space:
mode:
Diffstat (limited to 'raddb/sites-available/abfab-tr-idp')
-rw-r--r--raddb/sites-available/abfab-tr-idp198
1 files changed, 198 insertions, 0 deletions
diff --git a/raddb/sites-available/abfab-tr-idp b/raddb/sites-available/abfab-tr-idp
new file mode 100644
index 0000000..be98568
--- /dev/null
+++ b/raddb/sites-available/abfab-tr-idp
@@ -0,0 +1,198 @@
+#
+# This file represents a server that is implementing an identity
+# provider for GSS-EAP (RFC 7055) using the trust router
+# protocol for dynamic realm discovery. Any ABFAB identity
+# provider is also an ABFAB relying party proxy.
+#
+# This file does not include a TLS listener; see abfab-tls for a simple
+# example of a RADSEC listener for ABFAB.
+#
+# $Id$
+#
+
+server abfab-idp {
+authorize {
+ psk_authorize
+ abfab_client_check
+ filter_username
+ preprocess
+
+ # If you intend to use CUI and you require that the Operator-Name
+ # be set for CUI generation and you want to generate CUI also
+ # for your local clients then uncomment the operator-name
+ # below and set the operator-name for your clients in clients.conf
+# operator-name
+
+ #
+ # If you want to generate CUI for some clients that do not
+ # send proper CUI requests, then uncomment the
+ # cui below and set "add_cui = yes" for these clients in clients.conf
+# cui
+
+ #
+ # Do RFC 7542 bang path routing. If you want to only do standard
+ # RADIUS NAI routing, comment out the below line.
+ rfc7542
+
+ # Standard RADIUS NAI routing
+ if (!updated) {
+ suffix {
+ updated = 1
+ noop = reject
+ }
+ }
+
+ eap {
+ ok = return
+ }
+
+ expiration
+ logintime
+}
+
+authenticate {
+ #
+ # Allow EAP authentication.
+ eap
+}
+
+# Post-Authentication
+# Once we KNOW that the user has been authenticated, there are
+# additional steps we can take.
+post-auth {
+ #
+ # For EAP-TTLS and PEAP, add the cached attributes to the reply.
+ # The "session-state" attributes are automatically cached when
+ # an Access-Challenge is sent, and automatically retrieved
+ # when an Access-Request is received.
+ #
+ # The session-state attributes are automatically deleted after
+ # an Access-Reject or Access-Accept is sent.
+ #
+ # If both session-state and reply contain a User-Name attribute, remove
+ # the one in the reply if it is just a copy of the one in the request, so
+ # we don't end up with two User-Name attributes.
+
+ if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
+ update reply {
+ &User-Name !* ANY
+ }
+ }
+ update {
+ &reply: += &session-state:
+ }
+
+ # Create the CUI value and add the attribute to Access-Accept.
+ # Uncomment the line below if *returning* the CUI.
+# cui
+
+ #
+ # If you want to have a log of authentication replies,
+ # un-comment the following line, and enable the
+ # 'detail reply_log' module.
+# reply_log
+
+ #
+ # After authenticating the user, do another SQL query.
+ #
+ # See "Authentication Logging Queries" in `mods-config/sql/main/$driver/queries.conf`
+ -sql
+
+ #
+ # Un-comment the following if you want to modify the user's object
+ # in LDAP after a successful login.
+ #
+# ldap
+
+ # For Exec-Program and Exec-Program-Wait
+ exec
+ # Remove reply message if the response contains an EAP-Message
+ remove_reply_message_if_eap
+ # Access-Reject packets are sent through the REJECT sub-section of the
+ # post-auth section.
+ #
+ # Add the ldap module name (or instance) if you have set
+ # 'edir = yes' in the ldap module configuration
+ #
+ Post-Auth-Type REJECT {
+ # log failed authentications in SQL, too.
+ -sql
+ attr_filter.access_reject
+
+ # Insert EAP-Failure message if the request was
+ # rejected by policy instead of because of an
+ # authentication failure And already has an EAP message
+ # For non-ABFAB, we insert the failure all the time, but for ABFAB
+ # It's more desirable to preserve reply-message when we can
+ if (&reply:Eap-Message) {
+ eap
+ }
+
+ # Remove reply message if the response contains an EAP-Message
+ remove_reply_message_if_eap
+ }
+}
+#
+# When the server decides to proxy a request to a home server,
+# the proxied request is first passed through the pre-proxy
+# stage. This stage can re-write the request, or decide to
+# cancel the proxy.
+#
+# Only a few modules currently have this method.
+#
+pre-proxy {
+ # Before proxing the request add an Operator-Name attribute identifying
+ # if the operator-name is found for this client.
+ # No need to uncomment this if you have already enabled this in
+ # the authorize section.
+# operator-name
+
+ # The client requests the CUI by sending a CUI attribute
+ # containing one zero byte.
+ # Uncomment the line below if *requesting* the CUI.
+# cui
+
+ # Uncomment the following line if you want to change attributes
+ # as defined in the preproxy_users file.
+# files
+
+ # Uncomment the following line if you want to filter requests
+ # sent to remote servers based on the rules defined in the
+ # 'attrs.pre-proxy' file.
+# attr_filter.pre-proxy
+
+ # If you want to have a log of packets proxied to a home
+ # server, un-comment the following line, and the
+ # 'detail pre_proxy_log' section, above.
+# pre_proxy_log
+}
+#
+# When the server receives a reply to a request it proxied
+# to a home server, the request may be massaged here, in the
+# post-proxy stage.
+#
+post-proxy {
+
+ # If you want to have a log of replies from a home server,
+ # un-comment the following line, and the 'detail post_proxy_log'
+ # section, above.
+# post_proxy_log
+
+ # Uncomment the following line if you want to filter replies from
+ # remote proxies based on the rules defined in the 'attrs' file.
+# attr_filter.post-proxy
+
+ #
+ # If you are proxying LEAP, you MUST configure the EAP
+ # module, and you MUST list it here, in the post-proxy
+ # stage.
+ #
+ # You MUST also use the 'nostrip' option in the 'realm'
+ # configuration. Otherwise, the User-Name attribute
+ # in the proxied request will not match the user name
+ # hidden inside of the EAP packet, and the end server will
+ # reject the EAP request.
+ #
+ eap
+}
+}