#
#       Forbid all EAP types.  Enable this by putting "forbid_eap"
#       into the "authorize" section.
#
forbid_eap {
	if (&EAP-Message) {
		reject
	}
}

#
#       Forbid all non-EAP types outside of an EAP tunnel.
#
permit_only_eap {
	if (!&EAP-Message) {
		#  We MAY be inside of a TTLS tunnel.
		#  PEAP and EAP-FAST require EAP inside of
		#  the tunnel, so this check is OK.
		#  If so, then there MUST be an outer EAP message.
		if (!&outer.request || !&outer.request:EAP-Message) {
			reject
		}
	}
}

#
#       Remove Reply-Message from response if were doing EAP
#
#  Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should
#  not be present in the same response.
#
remove_reply_message_if_eap {
	if (&reply:EAP-Message && &reply:Reply-Message) {
		update reply {
			&Reply-Message !* ANY
		}
	}
	else {
		noop
	}
}

verify_tls_client_common_name {
	#
	#  If the User-Name is anonymized, then don't check it.
	#
	#  But if User-Name is realm AND there's a certificate name, then check
	#  if they match.  This is not always the case, but it is the case
	#  often enough that it matters.
	#
	if ((&User-Name !~ /^@/) && &TLS-Client-Cert-Common-Name && (&TLS-Client-Cert-Common-Name != &User-Name)) {
		reject
	}
}