# -*- text -*-
##
## policy.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id$
##
#
# Policies are virtual modules, similar to those defined in the
# "instantate" section of radiusd.conf.
#
# Defining a policy here means that it can be referenced in multiple
# places as a *name*, rather than as a series of conditions to match,
# and actions to take.
#
# Policies are something like subroutines in a normal language, but
# they cannot be called recursively. They MUST be defined in order.
# If policy A calls policy B, then B MUST be defined before A.
#
policy {
#
# Forbid all EAP types.
#
forbid_eap {
if (EAP-Message) {
reject
}
}
#
# Forbid all non-EAP types outside of an EAP tunnel.
#
permit_only_eap {
if (!EAP-Message) {
# We MAY be inside of a TTLS tunnel.
# PEAP and EAP-FAST require EAP inside of
# the tunnel, so this check is OK.
# If so, then there MUST be an outer EAP message.
if (!"%{outer.request:EAP-Message}") {
reject
}
}
}
#
# Forbid all attempts to login via realms.
#
deny_realms {
if (User-Name =~ /@|\\/) {
reject
}
}
}