summaryrefslogtreecommitdiffstats
path: root/raddb/policy.d/cui
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 14:11:00 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 14:11:00 +0000
commitaf754e596a8dbb05ed8580c342e7fe02e08b28e0 (patch)
treeb2f334c2b55ede42081aa6710a72da784547d8ea /raddb/policy.d/cui
parentInitial commit. (diff)
downloadfreeradius-af754e596a8dbb05ed8580c342e7fe02e08b28e0.tar.xz
freeradius-af754e596a8dbb05ed8580c342e7fe02e08b28e0.zip
Adding upstream version 3.2.3+dfsg.upstream/3.2.3+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'raddb/policy.d/cui')
-rw-r--r--raddb/policy.d/cui131
1 files changed, 131 insertions, 0 deletions
diff --git a/raddb/policy.d/cui b/raddb/policy.d/cui
new file mode 100644
index 0000000..08b2c91
--- /dev/null
+++ b/raddb/policy.d/cui
@@ -0,0 +1,131 @@
+#
+# The following policies are for the Chargeable-User-Identity
+# (CUI) configuration.
+#
+# The policies below can be called as just 'cui' (not
+# cui.authorize etc..) from the various config sections.
+#
+
+#
+# cui_hash_key definition
+# This key serves the purpose of protecting CUI values against
+# dictionary attacks, therefore should be chosen as a "random"
+# string and kept secret.
+#
+cui_hash_key = "changeme"
+
+#
+# cui_require_operator_name switch
+# If this is set to nonzero value then CUI will only be added
+# when a non-empty Operator-Name value is present in the request
+#
+cui_require_operator_name = "no"
+
+#
+# The client indicates it can do CUI by sending a CUI attribute
+# containing one zero byte.
+# A non-empty value in Operator-Name can be an additional requirement.
+# Normally CUI support is turned on only for such requests.
+# CUI support can be used for local clients which do not
+# supports CUI themselves, the server can simulate a CUI request
+# adding the missing NUL CUI value and the Operator-Name attribute.
+# Clients which are supposed to get this treatment should
+# be marked by add_cui flag in clients.conf
+# We assume that local clients are marked in the client.conf with
+# add_cui flag, e.g.
+# client xxxx {
+# ...
+# add_cui = yes
+# }
+#
+cui.authorize {
+ if ("%{client:add_cui}" == 'yes') {
+ update request {
+ &Chargeable-User-Identity := 0x00
+ }
+ }
+}
+
+#
+# Before proxing an Access-Request to a remote server, a NUL CUI
+# attribute should be added, unless it is already present in the request.
+#
+cui.pre-proxy {
+ if (("%{request:Packet-Type}" == 'Access-Request') && ("%{client:add_cui}" == 'yes')) {
+ update proxy-request {
+ &Chargeable-User-Identity = 0x00
+ }
+ }
+}
+
+
+#
+# Add a CUI attribute based on the User-Name, and a secret key
+# known only to this server.
+# For EAP-TTLS and EAP-PEAP methods
+# use_tunneled_reply parameter MUST be set to yes
+#
+cui.post-auth {
+ if (!&control:Proxy-To-Realm && &Chargeable-User-Identity && !&reply:Chargeable-User-Identity && \
+ (&Operator-Name || ('${policy.cui_require_operator_name}' != 'yes')) ) {
+ update reply {
+ &Chargeable-User-Identity = "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}}"
+ }
+ }
+
+ #
+ # The section below will store a CUI for the User in the DB and remove the
+ # User-Name attribute from the reply if a CUI is present.
+ #
+ # You need to configure the cuisql module and your database for this to work.
+ # If your NAS can do CUI based accounting themselves or you do not care about
+ # accounting, comment out the 'cuisql' line below.
+ #
+ if (&reply:Chargeable-User-Identity) {
+ # Force User-Name to be the User-Name from the request
+ update {
+ &reply:User-Name := &request:User-Name
+ }
+ cuisql
+ }
+}
+
+
+cui-inner.post-auth {
+ if (&outer.request:Chargeable-User-Identity && \
+ (&outer.request:Operator-Name || ('${policy.cui_require_operator_name}' != 'yes'))) {
+ update reply {
+ &Chargeable-User-Identity := "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{outer.request:Operator-Name}:-}}}"
+ }
+ }
+}
+
+#
+# If your NAS can do CUI based accounting or you do not care about
+# accounting then just comment out the call to cui in ......
+#
+# If we had stored a CUI for the User, add it to the request.
+#
+cui.accounting {
+ #
+ # If the CUI isn't in the packet, see if we can find it
+ # in the DB.
+ #
+ if (!&Chargeable-User-Identity) {
+ update request {
+ &Chargeable-User-Identity := "%{cuisql:\
+ SELECT cui FROM cui \
+ WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
+ AND callingstationid = '%{Calling-Station-Id}' \
+ AND username = '%{User-Name}'}"
+ }
+ }
+
+ #
+ # If it exists now, then write out when we last saw
+ # this CUI.
+ #
+ if (&Chargeable-User-Identity && (&Chargeable-User-Identity != '')) {
+ cuisql
+ }
+}