
/etc/freeradius/policy.txt is in freeradius 2.1.12+dfsg-1.2ubuntu8.

This file is owned by root:root, with mode 0o644.

#
#	Sample of a policy language for rlm_policy.
#
#	This is NOT the "unlang" policy, and has NO RELATION to "unlang"!
#	The syntax is different, and the functionality is different.
#

#	As of 2.0.0, the new configuration "un-language" is better
#	tested, has more features, and is better integrated into the
#	server than the rlm_policy module.  rlm_policy is deprecated,
#	and will likely be removed in a future release.
#
#	There is no documentation other than this file.
#
#	The syntax is odd, but it sort of works.
#
#	A number of sites are using it in production servers,
#	so it appears to be stable.  However, we cannot answer
#	questions about it, because we use "unlang" instead of
#	this file.
#
#	$Id$
#
#  Debugging statements.
#
#  Each "debug" keyword only adds diagnostic output from rlm_policy
#  while this file is loaded (or, for "evaluate", while a policy runs);
#  it does not change what the policies below do.
#
#debug print_tokens	# as we're parsing this file
#
#  Enabled in this sample: dumps the policies as the parser understood
#  them, once the whole file has been read.  Handy while writing
#  policies, since this file is the only documentation of the syntax;
#  on a production server the dump is just noise, so consider
#  commenting it out there.
debug print_policy	# once the file has been parsed

# Using this requires code edits to rlm_policy/evaluate.c
#debug evaluate		# print limited information during evaluation

#
#  A named policy.
#
#  "3pm" is not the name of a server processing phase, so (unlike the
#  "authorize" policy below) nothing appears to run it automatically;
#  the commented-out "call 3pm" further down shows how it would be
#  invoked from another policy.  Its whole effect is to append one
#  scratch attribute to the reply when the request arrives before the
#  quoted time.
#
#  Note the layout: the "if" and its closing brace sit at column 0 and
#  the policy is closed by the second "}" after a blank line, which
#  suggests indentation is not significant to this parser.
#
policy 3pm {
if (Time-Of-Day < "15:00") {
   #
   #  The general form of edits to the attribute lists:
   #
   #   name s-operator {
   #	    Attribute-Name = Value
   #   }
   #
   #  name is: request, reply, control, proxy-request, proxy-reply
   #
   #  s-operator is the operator for the section, not for the attributes:
   #
   #		=	append, using operators from attributes
   #		.=	append attributes, ignoring operators from attributes
   #		^=	add to head of list
   #		^==	add BEFORE matching attribute
   #		^.	append
   #		^.=	append BEFORE matching attribute
   #		$=	add AFTER  (same as =)
   #		$==	add AFTER matching attribute
   #		$.	add after  (same as .=)
   #		$.=	add after matching
   #
   #  If the above explanation confuses you, don't ask.  Try various
   #  configurations to see what happens.  The results are difficult
   #  to explain, but easy to understand once you see them in action.
   #
   #  The "matching attribute" text above refers to the syntax:
   #
   #   name s-operator (match) {
   #	    Attribute-Name = Value
   #   }
   #
   #  Where "match" is something like:	User-Name == "bob"
   #
   #  This lets you insert/edit/update attributes by selected
   #  position, which can be useful.
   #
   #  ".=" appends to the reply list, ignoring the per-attribute
   #  operator (so the "=" below is just the separator).
   #
   reply .= {
      # Use ARAP-Password for testing because it's an attribute
      # no one cares about.  The value is a marker, not a credential:
      # it only shows, in the reply, that this branch ran.
      ARAP-Password = "< 15:00"
   }
}

}

#
#  A named policy, executed during the "authorize" phase,
#  because it's named "authorize".
#
#  For requests that carry a CHAP-Password it (1) makes sure a
#  CHAP-Challenge attribute is present in the request and (2) forces
#  Auth-Type to CHAP.  Requests without a CHAP-Password are untouched.
#
policy authorize {
  if (CHAP-Password) {
     if (!CHAP-Challenge) {
        #
        #  Debug trace: one line per CHAP request that arrived without
        #  a CHAP-Challenge, containing the request's authenticator.
        #  That value is already sent in the clear in the Access-Request
        #  header, so this is not a secret, but it is per-request noise
        #  in the log; remove the "print" on a production server.
        #
        print "Adding CHAP-Challenge = %{request:Packet-Authentication-Vector}\n"

        #
        #  Append all attributes to the specified list.
        #  The per-attribute operators MUST be '='
        #
        #  When a NAS sends no CHAP-Challenge attribute, the RADIUS
        #  Request Authenticator is the challenge (RFC 2865).  Copying
        #  it into an explicit CHAP-Challenge makes that visible to
        #  anything that reads the request later.
        #
        request .= {
           CHAP-Challenge = "%{request:Packet-Authentication-Vector}"
        }
     }

     #
     #  Use per-attribute operators to do override, replace, etc.
     #  It's "control", not "check items", because "check items"
     #  is a hold-over from the "users" file, and we no longer like that.
     #
     #  ":=" presumably has the same set-or-override meaning as in the
     #  "users" file, i.e. any Auth-Type chosen earlier for this request
     #  is replaced by CHAP — confirm against rlm_policy if that matters.
     #
     control = {
     	  Auth-Type := CHAP
     }
  }

#
#  This could just as well be "%{ldap: query...}" =~ ...
#
#  Disabled example: a regex match on the expanded User-Name; "%{1}"
#  in the value is the first capture group of that regex.
#
#  if ("%{User-Name}" =~ "^(b)") {
#     reply .= {
#	   Arap-Password = "Hello, %{1}"
#     }
#  }

  #
  #  Execute "3pm", as if it was in-line here.
  #
#  call 3pm
}

######################################################################
#
#  The following entries are for example purposes only.
#

#  Insert the attribute at the top of the list.
#
#reply ^= {
#  Attribute1 += "Value1"
#}


#  Insert Attribute1 before Attribute2 if Attribute2 is found;
#  otherwise it behaves like ^=
#reply ^== ( Attribute2 == "Value2" ) {
#	Attribute1 += "Value1"
#}

# ^. and ^.= differ from ^= and ^== in the same way that .= differs
# from =: namely, they append the attribute list instead of looking
# at the attribute operators.
#
# Otherwise they are the same.

#  Motivation:
#
#  Cisco NASes will disconnect users if a VRF is assigned after an IP
#  address. The VRF must come first.
#
#  A sample policy to fix this is:
#
#  The VRF name ("CHL-PRIVATE"), the interface ("l10") and the pool
#  name ("privatepool") below are example values for one site; change
#  them before using this policy.  Since every branch pushes IOS
#  configuration into the reply, a regex that matches more (or less)
#  than intended changes what the NAS applies to the session — check
#  the resulting reply list before deploying.
#
#  This policy is not named after a processing phase, so it
#  presumably has to be called from another policy to take effect.
#
policy add_inter_vrf {
	#
	#	If there's a matching lcp:...,
	#	then add the vrf entry before it.
	#
	#	"^==" inserts the new Cisco-Avpair before the first reply
	#	attribute whose value matches the regex, so the VRF line
	#	precedes any existing "lcp:interface-config=..." entries
	#	(such as an IP address).  If nothing matches, the examples
	#	above say it behaves like "^=" and goes to the head of the
	#	list instead.
	#
	reply ^== ( reply:Cisco-Avpair =~ "lcp:interface-config") {
		Cisco-Avpair    += "lcp:interface-config=ip vrf forwarding CHL-PRIVATE"
	}

	#
	#	If there's no "ip address" entry in the reply,
	#	add "ip unnumbered" after the VRF entry.
	#
	#	"=~" is a regex match; it is not anchored here, so the
	#	trailing ".*" presumably adds nothing.  The inner "$=="
	#	then inserts after the attribute whose value is exactly the
	#	string added above — spelled "Cisco-AVpair" here but
	#	"Cisco-Avpair" elsewhere; attribute names are presumably
	#	looked up case-insensitively, but normalising the spelling
	#	would remove the doubt.
	#
	if (!reply:Cisco-Avpair =~ "lcp:interface-config=ip address.*") {
	        reply $== (reply:Cisco-AVpair == "lcp:interface-config=ip vrf forwarding CHL-PRIVATE") {
        		Cisco-Avpair    += "lcp:interface-config=ip unnumbered l10"
	        }
	}

	#
	#	No IP address assigned through RADIUS, tell the Cisco
	#	NAS to assign it from its own private IP pool.
	#
	#	"=*" presumably tests only for the attribute's presence
	#	(the right-hand side is ignored), so with the leading "!"
	#	this block runs when the reply has no Framed-IP-Address.
	#
	if (!reply:Framed-IP-Address =* "") {
		reply = {
                	Cisco-Avpair    += "ip:addr-pool=privatepool"
		}
	}
}