# # This file represents a server that is implementing an identity # provider for GSS-EAP (RFC 7055) using the trust router # protocol for dynamic realm discovery. Any ABFAB identity # provider is also an ABFAB relying party proxy. # # This file does not include a TLS listener; see abfab-tls for a simple # example of a RADSEC listener for ABFAB. # # $Id: be98568d3b16a163fdcd1803b171450a7b7d42da $ # server abfab-idp { authorize { psk_authorize abfab_client_check filter_username preprocess # If you intend to use CUI and you require that the Operator-Name # be set for CUI generation and you want to generate CUI also # for your local clients then uncomment the operator-name # below and set the operator-name for your clients in clients.conf # operator-name # # If you want to generate CUI for some clients that do not # send proper CUI requests, then uncomment the # cui below and set "add_cui = yes" for these clients in clients.conf # cui # # Do RFC 7542 bang path routing. If you want to only do standard # RADIUS NAI routing, comment out the below line. rfc7542 # Standard RADIUS NAI routing if (!updated) { suffix { updated = 1 noop = reject } } eap { ok = return } expiration logintime } authenticate { # # Allow EAP authentication. eap } # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { # # For EAP-TTLS and PEAP, add the cached attributes to the reply. # The "session-state" attributes are automatically cached when # an Access-Challenge is sent, and automatically retrieved # when an Access-Request is received. # # The session-state attributes are automatically deleted after # an Access-Reject or Access-Accept is sent. # # If both session-state and reply contain a User-Name attribute, remove # the one in the reply if it is just a copy of the one in the request, so # we don't end up with two User-Name attributes. if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY } } update { &reply: += &session-state: } # Create the CUI value and add the attribute to Access-Accept. # Uncomment the line below if *returning* the CUI. # cui # # If you want to have a log of authentication replies, # un-comment the following line, and enable the # 'detail reply_log' module. # reply_log # # After authenticating the user, do another SQL query. # # See "Authentication Logging Queries" in `mods-config/sql/main/$driver/queries.conf` -sql # # Un-comment the following if you want to modify the user's object # in LDAP after a successful login. # # ldap # For Exec-Program and Exec-Program-Wait exec # Remove reply message if the response contains an EAP-Message remove_reply_message_if_eap # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section. # # Add the ldap module name (or instance) if you have set # 'edir = yes' in the ldap module configuration # Post-Auth-Type REJECT { # log failed authentications in SQL, too. -sql attr_filter.access_reject # Insert EAP-Failure message if the request was # rejected by policy instead of because of an # authentication failure And already has an EAP message # For non-ABFAB, we insert the failure all the time, but for ABFAB # It's more desirable to preserve reply-message when we can if (&reply:Eap-Message) { eap } # Remove reply message if the response contains an EAP-Message remove_reply_message_if_eap } } # # When the server decides to proxy a request to a home server, # the proxied request is first passed through the pre-proxy # stage. This stage can re-write the request, or decide to # cancel the proxy. # # Only a few modules currently have this method. # pre-proxy { # Before proxing the request add an Operator-Name attribute identifying # if the operator-name is found for this client. # No need to uncomment this if you have already enabled this in # the authorize section. # operator-name # The client requests the CUI by sending a CUI attribute # containing one zero byte. # Uncomment the line below if *requesting* the CUI. # cui # Uncomment the following line if you want to change attributes # as defined in the preproxy_users file. # files # Uncomment the following line if you want to filter requests # sent to remote servers based on the rules defined in the # 'attrs.pre-proxy' file. # attr_filter.pre-proxy # If you want to have a log of packets proxied to a home # server, un-comment the following line, and the # 'detail pre_proxy_log' section, above. # pre_proxy_log } # # When the server receives a reply to a request it proxied # to a home server, the request may be massaged here, in the # post-proxy stage. # post-proxy { # If you want to have a log of replies from a home server, # un-comment the following line, and the 'detail post_proxy_log' # section, above. # post_proxy_log # Uncomment the following line if you want to filter replies from # remote proxies based on the rules defined in the 'attrs' file. # attr_filter.post-proxy # # If you are proxying LEAP, you MUST configure the EAP # module, and you MUST list it here, in the post-proxy # stage. # # You MUST also use the 'nostrip' option in the 'realm' # configuration. Otherwise, the User-Name attribute # in the proxied request will not match the user name # hidden inside of the EAP packet, and the end server will # reject the EAP request. # eap } }