| 2 | # Response caching to handle proxy failovers |
| 3 | # |
Xeap.authorize {
	#  Consult the cache module first.  NOTE(review): the leading "X"
	#  on this policy name presumably keeps it out of the live "eap"
	#  policy until it is renamed -- confirm against the site config.
	cache_eap
	if (ok) {
		#
		#  Expire previous cache entry
		#
		#  Presumably the cache hit is from an earlier round of the
		#  same conversation whenever control:State is present:
		#  re-run the cache module with Cache-TTL := 0 to drop that
		#  entry, then remove the control attributes so they do not
		#  leak into later processing.
		#
		if (control:State) {
			update control {
				Cache-TTL := 0
			}
			cache_eap

			update control {
				Cache-TTL !* ANY
				State !* ANY
			}
		}

		#  A cached response was used: stop authorize processing here.
		handled
	}
	else {
		#  Any other return code from cache_eap: run the real EAP
		#  module's authorize method instead.
		eap.authorize
	}
}
| 28 | |
| 29 | # |
| 30 | # Populate cache with responses from the EAP module |
| 31 | # |
Xeap.authenticate {
	#  Run the EAP module.  The "handled = 1" override assigns a
	#  priority to the "handled" return code -- NOTE(review): this is
	#  presumably what lets the rcode survive to the test below; confirm
	#  against the unlang return-code priority rules for this version.
	eap {
		handled = 1
	}
	#  eap returned "handled": store its reply via the cache module's
	#  authorize method, then stop authenticate processing here.
	if (handled) {
		cache_eap.authorize

		handled
	}

	#  Any other result from eap is cached as well; the cache module's
	#  return code then falls through as this block's result.
	cache_eap.authorize
}
| 44 | |
| 45 | # |
| 46 | # Forbid all EAP types. Enable this by putting "forbid_eap" |
| 47 | # into the "authorize" section. |
| 48 | # |
forbid_eap {
	#  Reject any request that carries an EAP-Message attribute at
	#  all; requests without one pass through this policy untouched.
	if (EAP-Message) {
		reject
	}
}
| 54 | |
| 55 | # |
| 56 | # Forbid all non-EAP types outside of an EAP tunnel. |
| 57 | # |
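permit_only_eap {
	#  A request without an EAP-Message is only acceptable when it is
	#  the inner request of an EAP tunnel.  A plain non-EAP request
	#  arriving directly at the server is rejected.
	if (!EAP-Message) {
		#  We MAY be inside of a TTLS tunnel.
		#  PEAP and EAP-FAST require EAP inside of
		#  the tunnel, so this check is OK.
		#  If so, then there MUST be an outer EAP message.
		#
		#  Reject when there is no outer request at all, or when the
		#  outer request carries no EAP-Message.  The previous test
		#  ("outer.request && outer.request:EAP-Message") was inverted:
		#  it rejected the tunnelled case and let untunnelled non-EAP
		#  requests through, the opposite of what the policy name and
		#  the comment above describe.
		if (!outer.request || !outer.request:EAP-Message) {
			reject
		}
	}
}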
| 69 | |
| 70 | # |
# Remove Reply-Message from the response if we're doing EAP
| 72 | # |
| 73 | # Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should |
| 74 | # not be present in the same response. |
| 75 | # |
remove_reply_message_if_eap {
	#  Strip Reply-Message only when the reply also carries an
	#  EAP-Message.  The explicit "noop" on the other path presumably
	#  keeps this policy from altering the caller's return code when
	#  there is nothing to do.
	if(reply:EAP-Message && reply:Reply-Message) {
		update reply {
			Reply-Message !* ANY
		}
	}
	else {
		noop
	}
}
| 86 | |