# -*- text -*-
##
## policy.conf	-- FreeRADIUS server configuration file.
##
##	http://www.freeradius.org/
##	$Id: policy.conf,v 1.1 2007/12/26 16:34:08 aland Exp $
##

#
#  Policies are virtual modules, similar to those defined in the
#  "instantate" section of radiusd.conf.
#
#  Defining a policy here means that it can be referenced in multiple
#  places as a *name*, rather than as a series of conditions to match,
#  and actions to take.
#
#  Policies are something like subroutines in a normal language, but
#  they cannot be called recursively.  They MUST be defined in order.
#  If policy A calls policy B, then B MUST be defined before A.
#
#
policy {
	#
	#	Forbid all EAP types.
	#
	forbid_eap {
		if ("%{EAP-Message}") {
			reject
		}
	}

	#
	#	Forbid all non-EAP types outside of an EAP tunnel.
	#
	permit_only_eap {
		if (!"%{EAP-Message}") {
			#  We MAY be inside of a TTLS tunnel.
			#  PEAP and EAP-FAST require EAP inside of
			#  the tunnel, so this check is OK.
			#  If so, then there MUST be an outer EAP message.
			if (!"%{outer.request:EAP-Message}") {
				reject
			}
		}
	}

	#
	#	Forbid all attempts to login via realms.
	#
	deny_realms {
		if ("%{User-Name}" =~ /@|\\/) {
			reject
		}
	}
}