/etc/freeradius/3.0/policy.d/eap is in freeradius-config 3.0.12+dfsg-5+deb9u1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
#
# Response caching to handle proxy failovers
#
#
# Policy: look up a cached EAP response before calling the eap module.
#
# Flow, as written below:
#   - cache_eap is called first and a return code of "ok" is treated as
#     a cache hit.
#   - On a hit, if &control:State is present the previous entry is expired
#     (&Cache-TTL := 0, then cache_eap again), &control:State is removed
#     and the policy returns "handled".
#   - Otherwise the request falls through to the normal eap.authorize call.
#
# NOTE(review): the cache_eap module instance (its key, TTL and the
# attributes it stores) is defined elsewhere - check it before enabling
# this. The leading "X" in the name presumably keeps this policy from
# being invoked in place of eap.authorize - confirm.
#
Xeap.authorize {
	cache_eap
	if (ok) {
		#
		# Expire previous cache entry: a zero TTL on the second
		# cache_eap call removes the entry tied to the old State.
		#
		if (&control:State) {
			update control {
				&Cache-TTL := 0
			}
			cache_eap
			update control {
				&State !* ANY
			}
		}
		handled
	}
	else {
		eap.authorize
	}
}
#
# Populate cache with responses from the EAP module
#
#
# Policy: run the eap module, then store its response via cache_eap.authorize.
#
# NOTE(review): "eap { handled = 1 }" looks like a return-code priority
# override so that a "handled" result from eap does not stop the section
# before the cache is written - confirm against the unlang documentation.
# When the result is handled, cache_eap.authorize is called and the policy
# returns handled; otherwise cache_eap.authorize is the last statement and
# presumably determines the policy's return code.
#
Xeap.authenticate {
	eap {
		handled = 1
	}
	if (handled) {
		cache_eap.authorize
		handled
	}
	cache_eap.authorize
}
#
# Forbid all EAP types. Enable this by putting "forbid_eap"
# into the "authorize" section.
#
#
# Policy: reject any request that carries an EAP-Message.
#
# This is an existence check, not a content check: an EAP-Message
# attribute in the request, whatever its value, causes a reject.
# Requests without EAP-Message are left untouched (no return code set).
#
forbid_eap {
	if (&EAP-Message) {
		reject
	}
}
#
# Forbid all non-EAP types outside of an EAP tunnel.
#
#
# Policy: reject requests that are neither EAP nor inside an EAP tunnel.
#
# A request without EAP-Message is accepted only when it has an outer
# request (&outer.request) that itself carries an EAP-Message, i.e. it is
# an inner tunnel request. A plain non-EAP request has no outer request
# and is rejected. Requests that do carry an EAP-Message pass this policy
# without any further check.
#
permit_only_eap {
	if (!&EAP-Message) {
		# We MAY be inside of a TTLS tunnel.
		# PEAP and EAP-FAST require EAP inside of
		# the tunnel, so this check is OK.
		# If so, then there MUST be an outer EAP message.
		if (!&outer.request || !&outer.request:EAP-Message) {
			reject
		}
	}
}
#
# Remove Reply-Message from the response if we're doing EAP
#
# Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should
# not be present in the same response.
#
#
# Policy: drop Reply-Message from the reply when an EAP-Message is also
# present (RFC 3579 section 2.6.5: the two should not be sent together).
#
# Only the reply list is modified; the request is untouched. The explicit
# "else { noop }" presumably keeps the policy's return code at noop when
# nothing is removed - confirm.
#
remove_reply_message_if_eap {
	if (&reply:EAP-Message && &reply:Reply-Message) {
		update reply {
			&Reply-Message !* ANY
		}
	}
	else {
		noop
	}
}