/etc/freeradius/3.0/policy.d/cui is in freeradius-config 3.0.12+dfsg-5+deb9u1.
This file is owned by root:root, with mode 0o644.
# The following policies are for the Chargeable-User-Identity
# (CUI) configuration.
#
# The policies below can be called as just 'cui' (not
# cui.authorize etc.) from the various config sections.
#
#
# cui_hash_key definition
# This key serves the purpose of protecting CUI values against
# dictionary attacks, therefore should be chosen as a "random"
# string and kept secret.
#
# The CUI is computed below (cui.post-auth / cui-inner.post-auth) as
# sha1(cui_hash_key + lowercase(User-Name + Operator-Name)), so the
# secrecy of this key is the only thing that stops someone from
# recomputing a CUI from candidate user names. The shipped value
# "changeme" is a placeholder: replace it with a long random value
# generated for this server before enabling CUI. Changing the key
# changes every CUI this server issues, so CUIs previously stored by
# cuisql will no longer match newly issued ones.
#
cui_hash_key = "changeme"
#
# cui_require_operator_name switch
# If this is set to "yes" then CUI will only be added
# when a non-empty Operator-Name value is present in the request.
# The policies below compare this value against the string 'yes',
# so any other value (such as the default "no") disables the
# requirement.
#
cui_require_operator_name = "no"
#
# The client indicates it can do CUI by sending a CUI attribute
# containing one zero byte.
# A non-empty value in Operator-Name can be an additional requirement.
# Normally CUI support is turned on only for such requests.
# CUI support can also be used for local clients which do not
# support CUI themselves: the server can simulate a CUI request by
# adding the missing NUL CUI value and the Operator-Name attribute.
# Clients which are supposed to get this treatment should
# be marked by add_cui flag in clients.conf
# We assume that local clients are marked in clients.conf with the
# add_cui flag, e.g.
# client xxxx {
# ...
# add_cui = yes
# }
#
#
# cui.authorize
# Simulate a CUI request on behalf of a local client that cannot
# send one itself. A client is opted in by setting "add_cui = yes"
# in its clients.conf entry; for such clients a NUL (one zero byte)
# Chargeable-User-Identity is placed in the request, which is the
# same signal a CUI-capable client sends. The ":=" operator means
# any CUI the client did send is replaced by the NUL value.
#
cui.authorize {
	if ("%{client:add_cui}" == 'yes') {
		update request {
			&Chargeable-User-Identity := 0x00
		}
	}
}
#
# Before proxying an Access-Request to a remote server, a NUL CUI
# attribute should be added, unless it is already present in the request.
#
#
# cui.pre-proxy
# When an Access-Request from an "add_cui" client is about to be
# proxied, make sure the proxied request carries a NUL CUI so the
# home server knows a CUI is wanted. The "=" operator only adds the
# attribute when no Chargeable-User-Identity is already present in
# the proxy request, so a CUI supplied by the client is kept.
# Packets other than Access-Request are left untouched.
#
cui.pre-proxy {
	if (("%{request:Packet-Type}" == 'Access-Request') && ("%{client:add_cui}" == 'yes')) {
		update proxy-request {
			&Chargeable-User-Identity = 0x00
		}
	}
}
#
# Add a CUI attribute based on the User-Name, and a secret key
# known only to this server.
# For EAP-TTLS and EAP-PEAP methods
# use_tunneled_reply parameter MUST be set to yes
#
#
# cui.post-auth
# Issue a CUI in the reply of a locally authenticated request.
# A CUI is generated only when all of the following hold:
#   - the request is not being proxied (no control:Proxy-To-Realm),
#   - the request carries a Chargeable-User-Identity (the NUL marker
#     sent by the client or added by cui.authorize),
#   - the reply does not already contain a CUI,
#   - an Operator-Name is present, or cui_require_operator_name is
#     not 'yes'.
# The CUI value is the SHA-1 of cui_hash_key followed by the
# lower-cased User-Name and Operator-Name (Operator-Name expands to
# the empty string when absent). This is a plain hash with a secret
# prefix, not an HMAC; someone without the key cannot recompute a
# CUI from candidate user names, which is what cui_hash_key protects.
# The "=" operator is used for the reply CUI, which is safe because
# the condition already checked that the reply has none.
#
# For EAP-TTLS and EAP-PEAP methods
# use_tunneled_reply parameter MUST be set to yes
#
cui.post-auth {
	if (!&control:Proxy-To-Realm && &Chargeable-User-Identity && !&reply:Chargeable-User-Identity && \
	    (&Operator-Name || ('${policy.cui_require_operator_name}' != 'yes')) ) {
		update reply {
			&Chargeable-User-Identity = "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}}"
		}
	}
	#
	# The section below stores the CUI for the User in the DB and sets
	# the reply User-Name to the User-Name from the request whenever a
	# CUI is present in the reply. NOTE(review): an earlier comment
	# described the User-Name as being "removed" from the reply; the
	# code below overrides it instead, presumably so that an identity
	# rewritten elsewhere is not returned to the NAS — confirm.
	#
	# You need to configure the cuisql module and your database for this to work.
	# If your NAS can do CUI based accounting themselves or you do not care about
	# accounting, comment out the 'cuisql' line below.
	#
	if (&reply:Chargeable-User-Identity) {
		# Force User-Name to be the User-Name from the request
		update {
			&reply:User-Name := &request:User-Name
		}
		# Record the CUI in the database (cuisql module, configured
		# separately) so cui.accounting can look it up later.
		cuisql
	}
}
#
# cui-inner.post-auth
# Inner-tunnel counterpart of cui.post-auth (for EAP-TTLS / EAP-PEAP).
# The CUI marker and Operator-Name are read from the outer request,
# while the User-Name hashed into the CUI is the inner (tunnelled)
# identity, so the CUI is derived from the real user rather than
# from an anonymous outer identity. Unlike cui.post-auth, the ":="
# operator is used, so any CUI already in the inner reply is
# overwritten. The hash input is built the same way as in
# cui.post-auth: cui_hash_key followed by the lower-cased User-Name
# and outer Operator-Name (empty string when absent).
#
cui-inner.post-auth {
	if (&outer.request:Chargeable-User-Identity && \
	    (&outer.request:Operator-Name || ('${policy.cui_require_operator_name}' != 'yes'))) {
		update reply {
			&Chargeable-User-Identity := "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{outer.request:Operator-Name}:-}}}"
		}
	}
}
#
# If your NAS can do CUI based accounting or you do not care about
# accounting then just comment out the call to cui in your virtual
# server's accounting section.
#
# If we had stored a CUI for the User, add it to the request.
#
#
# cui.accounting
# Make sure an accounting request carries the CUI that was issued at
# authentication time, then let cuisql record it. The cuisql module
# itself is configured separately.
#
cui.accounting {
	#
	# If the CUI isn't in the packet, see if we can find it
	# in the DB.
	# The lookup keys (source address, Calling-Station-Id and
	# User-Name) come from the accounting packet, so a NAS that
	# sends a different Calling-Station-Id or User-Name than it
	# did at authentication time will not find the stored CUI.
	# The source address prefers Packet-Src-IPv6-Address and
	# falls back to Packet-Src-IP-Address.
	# NOTE(review): the attribute values are interpolated into
	# SQL text; rlm_sql escapes expansions inside its xlat using
	# the module's safe_characters setting, so the cuisql module
	# config must keep that list restrictive — confirm for your
	# database driver.
	#
	if (!&Chargeable-User-Identity) {
		update request {
			&Chargeable-User-Identity := "%{cuisql:\
				SELECT cui FROM cui \
				WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
				AND callingstationid = '%{Calling-Station-Id}' \
				AND username = '%{User-Name}'}"
		}
	}
	#
	# If it exists now, then write out when we last saw
	# this CUI. The check also skips an empty CUI, which is
	# presumably what the lookup above yields when no row matched.
	#
	if (&Chargeable-User-Identity && (&Chargeable-User-Identity != '')) {
		cuisql
	}
}