#
# Forbid all EAP types. Enable this by putting "forbid_eap"
# into the "authorize" section.
#
forbid_eap {
	#
	#  Reject the request outright when it carries an EAP-Message,
	#  i.e. when the client is attempting any EAP method.  Only the
	#  presence of the attribute is tested; the EAP type inside it is
	#  not inspected, so every EAP method is refused alike.
	#
	#  When there is no EAP-Message the policy takes no action, so a
	#  request using a non-EAP method (PAP, CHAP, ...) is unaffected.
	#
	if (&EAP-Message) {
		reject
	}
}
#
# Forbid all non-EAP types outside of an EAP tunnel.
#
permit_only_eap {
	#
	#  A request with no EAP-Message is only acceptable when it is the
	#  inner request of an EAP tunnel.
	#
	if (!&EAP-Message) {
		#
		#  We MAY be inside of a TTLS tunnel, which (unlike PEAP and
		#  EAP-FAST) can carry a non-EAP inner method.
		#  PEAP and EAP-FAST require EAP inside of the tunnel, so an
		#  inner request for those methods always carries EAP-Message
		#  and never reaches this point; the check below is OK for them.
		#
		#  If so, then there MUST be an outer EAP message: the outer
		#  request list must exist and must itself contain EAP-Message.
		#  A plain, untunnelled non-EAP request has neither and is
		#  rejected.
		#
		#  NOTE(review): this only proves the request arrived through
		#  some EAP tunnel; it does not constrain which inner method is
		#  used inside that tunnel.
		#
		if (!&outer.request || !&outer.request:EAP-Message) {
			reject
		}
	}
}
#
# Remove Reply-Message from the response if we're doing EAP
#
# Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should
# not be present in the same response.
#
remove_reply_message_if_eap {
	#
	#  RFC 3579 Section 2.6.5: a reply that carries EAP-Message must
	#  not also carry Reply-Message.  When both are present in the
	#  reply list, delete every Reply-Message instance ("!* ANY");
	#  in every other case leave the reply untouched and return noop.
	#
	if (!&reply:EAP-Message) {
		#  Not an EAP reply: nothing to strip.
		noop
	}
	elsif (!&reply:Reply-Message) {
		#  EAP reply, but no Reply-Message to remove.
		noop
	}
	else {
		update reply {
			&Reply-Message !* ANY
		}
	}
}
verify_tls_client_common_name {
	#
	#  Reject the request when the client certificate's Common Name
	#  is present and does not match the User-Name.
	#
	#  If the User-Name is anonymized, then don't check it.  Here
	#  "anonymized" means a bare realm, i.e. a User-Name beginning
	#  with "@" -- that is all the regex tests.  An outer identity
	#  such as "anonymous@realm" does NOT start with "@" and would
	#  still be compared against the certificate name.
	#
	#  But if User-Name is not a bare realm AND there's a certificate
	#  name, then check if they match.  This is not always the case
	#  (for instance the CN may lack a "@realm" suffix that the
	#  User-Name carries), but it is the case often enough that it
	#  matters.
	#
	#  NOTE(review): the comparison is a literal "!=" between the two
	#  values, so any textual difference (presumably including case --
	#  confirm) causes a reject.  A request with no
	#  TLS-Client-Cert-Common-Name is NOT rejected here: this policy
	#  checks consistency when a certificate name exists, it does not
	#  enforce that a client certificate was presented at all.  Whether
	#  the TLS-Client-Cert-* attributes are populated at the point this
	#  policy runs depends on where it is called from -- verify against
	#  the EAP-TLS configuration before relying on it.
	#
	if ((&User-Name !~ /^@/) && &TLS-Client-Cert-Common-Name && (&TLS-Client-Cert-Common-Name != &User-Name)) {
		reject
	}
}