#
# The following policies implement the Chargeable-User-Identity
# (CUI) configuration.
#
# The policies below are called simply as 'cui' (not as
# 'cui.authorize', etc.) from the matching section of a virtual
# server; the server selects the variant by section name.
#
| 8 | |
#
# cui_hash_key definition
# This key serves the purpose of protecting CUI values against
# dictionary attacks (anyone who can guess a User-Name and
# Operator-Name must not be able to recompute the CUI), therefore
# it should be chosen as a long "random" string and kept secret.
#
# "changeme" is only a placeholder.  Until it is replaced, every
# CUI this server issues is a SHA-1 over a publicly known prefix,
# the lower-cased User-Name and the Operator-Name, so it can be
# reversed by anyone able to enumerate user names.  Replace it
# before deployment, and do not rotate it casually afterwards:
# CUIs already recorded through the cuisql module will no longer
# match the values generated with a new key.
#
cui_hash_key = "changeme"
| 16 | |
#
# cui_require_operator_name switch
# If this is set to "yes" then a CUI is only generated when a
# non-empty Operator-Name value is present in the request.
# The policies below compare this value against the literal
# string 'yes'; any other value (including "1" or "true")
# leaves the requirement disabled.
#
cui_require_operator_name = "no"
| 23 | |
#
# A client indicates that it supports CUI by sending a
# Chargeable-User-Identity attribute containing one zero byte.
# A non-empty Operator-Name value can be made an additional
# requirement (see cui_require_operator_name above).
# Normally CUI support is turned on only for such requests.
# CUI support can also be used for local clients which do not
# support CUI themselves: the server simulates a CUI request by
# adding the missing NUL CUI value (the policies below add only
# that marker; an Operator-Name, if required, has to be supplied
# separately).
# Clients which are supposed to get this treatment must be
# marked with the add_cui flag in clients.conf, e.g.
#
#	client xxxx {
#		...
#		add_cui = yes
#	}
#
cui.authorize {
	#
	# Local clients flagged add_cui = yes in clients.conf do not
	# ask for a CUI themselves, so simulate the request: a CUI
	# attribute holding a single NUL byte is the marker a
	# CUI-capable NAS would send.  ":=" replaces any CUI the
	# client did send, so flagged clients always end up with a
	# server-generated value.
	#
	if ("%{client:add_cui}" == 'yes') {
		update request {
			Chargeable-User-Identity := '\\000'
		}
	}
}
| 48 | |
#
# Before proxying an Access-Request to a remote server, a NUL CUI
# attribute is added to the proxied request, unless one is already
# present.
#
cui.pre-proxy {
	#
	# Only Access-Requests from add_cui clients are touched.  The
	# plain "=" operator adds the NUL marker only when the proxied
	# request does not already carry a CUI, so a CUI-capable NAS's
	# own marker is forwarded untouched.
	#
	if (("%{request:Packet-Type}" == 'Access-Request') && ("%{client:add_cui}" == 'yes')) {
		update proxy-request {
			Chargeable-User-Identity = '\\000'
		}
	}
}
| 60 | |
| 61 | |
#
# Add a CUI attribute to the reply, derived from the User-Name (and
# Operator-Name) and a secret key known only to this server.
# For EAP-TTLS and EAP-PEAP the use_tunneled_reply parameter of the
# EAP module MUST be set to yes, so that the CUI computed in the
# inner tunnel (cui-inner.post-auth, from the real inner identity)
# reaches the outer reply instead of a CUI hashed from the outer
# User-Name.
#
cui.post-auth {
	#
	# Generate a CUI only when all of the following hold:
	#  - the request was handled locally (a proxied request gets
	#    its CUI from the home server's reply),
	#  - the request asked for one (NUL CUI present, possibly added
	#    by cui.authorize),
	#  - nothing has put a CUI in the reply yet.  For tunnelled EAP
	#    the inner-tunnel policy (cui-inner.post-auth) sets it from
	#    the inner identity; if that value is copied to the outer
	#    reply (use_tunneled_reply = yes) this section leaves it
	#    alone, otherwise it would hash the outer User-Name, which
	#    for tunnelled EAP is usually the anonymous outer identity,
	#  - Operator-Name is present, unless cui_require_operator_name
	#    makes it optional.
	#
	# The CUI is sha1(cui_hash_key || lower(User-Name || Operator-Name)),
	# i.e. stable across sessions for the same user and operator,
	# but not reversible without the secret key.
	# NOTE(review): this is a secret-prefix hash rather than an HMAC;
	# for an opaque identifier that is acceptable as long as
	# cui_hash_key is long, random and not the shipped "changeme".
	#
	if (!control:Proxy-To-Realm && Chargeable-User-Identity && !reply:Chargeable-User-Identity && \
	    (Operator-Name || ('${policy.cui_require_operator_name}' != 'yes')) ) {
		update reply {
			Chargeable-User-Identity = "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}}"
		}
	}

	#
	# Never echo the (possibly real) identity back to the NAS: the
	# point of the CUI is that the NAS gets an opaque handle instead
	# of the user name.  This runs for every reply, CUI or not.
	#
	update reply {
		User-Name !* ANY # remove User-Name from the reply for security
	}

	#
	# The section below stores the CUI for the user in the DB.
	# You need to configure the cuisql module and your database for this to work.
	# If your NAS can do CUI based accounting itself, or you do not care about
	# accounting, comment out the three lines below.
	#
	if (reply:Chargeable-User-Identity) {
		cuisql
	}
}
| 90 | |
| 91 | |
#
# Inner-tunnel (EAP-TTLS / EAP-PEAP) counterpart of cui.post-auth.
# The CUI request marker and the Operator-Name live in the outer
# request, while the identity worth hashing is the inner User-Name,
# so the hash mixes the inner User-Name with the outer Operator-Name.
# The construction is the same as in cui.post-auth, so a given user
# gets the same CUI whichever path produced it.  ":=" is used so this
# value overrides anything already in the inner reply.  The inner
# reply still has to be copied to the outer reply (use_tunneled_reply)
# for the NAS to see it.
#
cui-inner.post-auth {
	if (outer.request:Chargeable-User-Identity && \
	    (outer.request:Operator-Name || ('${policy.cui_require_operator_name}' != 'yes'))) {
		update reply {
			Chargeable-User-Identity := "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{outer.request:Operator-Name}:-}}}"
		}
	}
}
| 100 | |
#
# If your NAS can do CUI based accounting itself, or you do not care
# about accounting, comment out the call to 'cui' in the accounting
# section of your virtual server.
#
# If we previously stored a CUI for this user, add it to the request
# so the accounting record can be tied to it.
#
cui.accounting {
	#
	# If the CUI isn't in the packet, see if we can find it
	# in the DB, keyed on the NAS address, the calling station and
	# the user name the NAS reports.  The lookup is scoped to the
	# NAS the packet came from: Packet-Src-IPv6-Address /
	# Packet-Src-IP-Address reflect the packet's source address,
	# not an attribute the NAS fills in.
	#
	# NOTE(review): Calling-Station-Id and User-Name are NAS-supplied
	# and are interpolated directly into the query.  This relies on
	# the cuisql (rlm_sql) xlat escaping expanded attributes with its
	# safe_characters filter; confirm that for the SQL module and
	# server version in use rather than assuming it.
	#
	if (!Chargeable-User-Identity) {
		update request {
			Chargeable-User-Identity := "%{cuisql:\
				SELECT cui FROM cui \
				WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
				AND callingstationid = '%{Calling-Station-Id}' \
				AND username = '%{User-Name}'}"
		}
	}

	#
	# If it exists now, then write out when we last saw
	# this CUI.  The lookup above leaves an empty CUI behind when
	# no row matched, so the != '' test filters that case out.
	#
	if (Chargeable-User-Identity && (Chargeable-User-Identity != '')) {
		cuisql
	}
}