From af754e596a8dbb05ed8580c342e7fe02e08b28e0 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 13 Apr 2024 16:11:00 +0200 Subject: Adding upstream version 3.2.3+dfsg. Signed-off-by: Daniel Baumann --- raddb/policy.d/eap | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 raddb/policy.d/eap (limited to 'raddb/policy.d/eap') diff --git a/raddb/policy.d/eap b/raddb/policy.d/eap new file mode 100644 index 0000000..c8dac22 --- /dev/null +++ b/raddb/policy.d/eap @@ -0,0 +1,54 @@ +# +# Forbid all EAP types. Enable this by putting "forbid_eap" +# into the "authorize" section. +# +forbid_eap { + if (&EAP-Message) { + reject + } +} + +# +# Forbid all non-EAP types outside of an EAP tunnel. +# +permit_only_eap { + if (!&EAP-Message) { + # We MAY be inside of a TTLS tunnel. + # PEAP and EAP-FAST require EAP inside of + # the tunnel, so this check is OK. + # If so, then there MUST be an outer EAP message. + if (!&outer.request || !&outer.request:EAP-Message) { + reject + } + } +} + +# +# Remove Reply-Message from response if were doing EAP +# +# Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should +# not be present in the same response. +# +remove_reply_message_if_eap { + if (&reply:EAP-Message && &reply:Reply-Message) { + update reply { + &Reply-Message !* ANY + } + } + else { + noop + } +} + +verify_tls_client_common_name { + # + # If the User-Name is anonymized, then don't check it. + # + # But if User-Name is realm AND there's a certificate name, then check + # if they match. This is not always the case, but it is the case + # often enough that it matters. + # + if ((&User-Name !~ /^@/) && &TLS-Client-Cert-Common-Name && (&TLS-Client-Cert-Common-Name != &User-Name)) { + reject + } +} -- cgit v1.2.3