    #
    #  The following policies are for the Chargeable-User-Identity
    #  (CUI) configuration.
    #
    #  The policies below can be called as just 'cui' (not
    #  cui.authorize, etc.) from the various config sections.
    #
    
    #
    #  cui_hash_key definition
    #  Secret prefix for the CUI hash.  cui.post-auth and cui-inner.post-auth
    #  derive the CUI as sha1(cui_hash_key + lowercased User-Name + Operator-Name),
    #  so this key is the only thing that stops a third party from recomputing,
    #  or dictionary-attacking, a CUI from a known User-Name/Operator-Name pair.
    #  The shipped value "changeme" is a placeholder, not a secret: replace it with
    #  a long random string before deployment and keep it out of version control.
    #  Note that changing the key later changes every CUI this server issues, so
    #  stored CUIs (cuisql) will no longer match.
    #
    cui_hash_key = "changeme"
    
    #
    # cui_require_operator_name switch
    # cui.post-auth and cui-inner.post-auth compare this against the literal
    # string 'yes'.  When it is 'yes', a CUI is only added when the request
    # (or, for the inner policy, the outer request) carries an Operator-Name
    # attribute.  Any other value, including the default "no", disables the
    # Operator-Name requirement.
    #
    cui_require_operator_name = "no"
    
    #
    #  The client indicates it can do CUI by sending a CUI attribute
    #  containing one zero byte.
    #  A non-empty value in Operator-Name can be an additional requirement.
    #  Normally CUI support is turned on only for such requests.
    #  CUI support can also be used for local clients which do not
    #  support CUI themselves: the server can simulate a CUI request by
    #  adding the missing NUL CUI value.  (Only the NUL CUI is added by the
    #  policy below; no Operator-Name is set here, so with
    #  cui_require_operator_name = "yes" such clients still need an
    #  Operator-Name from elsewhere before a CUI is issued.)
    #  Clients which are supposed to get this treatment should
    #  be marked with the add_cui flag in clients.conf, e.g.
    #  client xxxx {
    #    ...
    #    add_cui = yes
    #  }
    #
    cui.authorize {
    	#
    	#  ':=' overwrites any CUI the client itself sent, so for add_cui
    	#  clients the request always ends up with exactly the NUL marker.
    	#
    	if ("%{client:add_cui}" == 'yes') {
    		update request {
    			&Chargeable-User-Identity := 0x00
    		}
    	}
    }
    
    #
    #  Before proxying an Access-Request to a remote server, a NUL CUI
    #  attribute should be added, unless it is already present in the request.
    #
    cui.pre-proxy {
    	#
    	#  Only Access-Requests from add_cui clients are touched.  Unlike
    	#  cui.authorize this uses '=' rather than ':=', so the NUL CUI is
    	#  added only when the proxied request does not already carry a
    	#  Chargeable-User-Identity; a client-supplied value is preserved.
    	#
    	if (("%{request:Packet-Type}" == 'Access-Request') && ("%{client:add_cui}" == 'yes')) {
    		update proxy-request {
    			&Chargeable-User-Identity = 0x00
    		}
    	}
    }
    
    
    #
    #  Add a CUI attribute based on the User-Name, and a secret key
    #  known only to this server.
    #  For EAP-TTLS and EAP-PEAP methods
    #  use_tunneled_reply parameter MUST be set to yes
    #
    cui.post-auth {
    	#
    	#  A CUI is issued only when all of the following hold:
    	#    - the request is not being proxied (no control:Proxy-To-Realm);
    	#    - the request carries a Chargeable-User-Identity (the NUL marker
    	#      sent by the client, or the one cui.authorize added);
    	#    - the reply does not already contain a CUI;
    	#    - Operator-Name is present, or cui_require_operator_name is not 'yes'.
    	#
    	#  The value is sha1(cui_hash_key || lower(User-Name) || Operator-Name),
    	#  where Operator-Name expands to "" when absent.  Two properties of this
    	#  construction are worth knowing: there is no separator between User-Name
    	#  and Operator-Name, so distinct (user, operator) pairs whose
    	#  concatenation is identical hash to the same CUI; and a key-prefixed
    	#  plain SHA-1 is not an HMAC.  Both are left as-is because changing the
    	#  construction would change every CUI already stored; the scheme's
    	#  strength rests on cui_hash_key being long, random and secret.
    	#  '=' (not ':=') is used, so an existing reply CUI would not be replaced.
    	#
    	if (!&control:Proxy-To-Realm && &Chargeable-User-Identity && !&reply:Chargeable-User-Identity && \
    	    (&Operator-Name || ('${policy.cui_require_operator_name}' != 'yes')) ) {
    		update reply {
    			&Chargeable-User-Identity = "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}}"
    		}
    	}
    
    	#
    	#  The section below will store a CUI for the User in the DB and remove the
    	#  User-Name attribute from the reply if a CUI is present.
    	#
    	#  You need to configure the cuisql module and your database for this to work.
    	#  If your NAS can do CUI based accounting themselves or you do not care about
    	#  accounting, comment out the 'cuisql' line below.
    	#
    	if (&reply:Chargeable-User-Identity) {
    		# Force User-Name to be the User-Name from the request.
    		# ':=' replaces any User-Name another module placed in the reply,
    		# so the stored CUI is keyed by the name the client actually sent.
    		update {
    			&reply:User-Name := &request:User-Name
    		}
    		# Hand the reply CUI to the cuisql module for storage.
    		cuisql
    	}
    }
    
    
    cui-inner.post-auth {
    	#
    	#  Inner-tunnel (EAP-TTLS / EAP-PEAP) variant of cui.post-auth.
    	#  The CUI request marker and Operator-Name are read from the outer
    	#  request, while the User-Name that is hashed is the inner one, i.e.
    	#  the identity that was actually authenticated (the outer User-Name is
    	#  presumably the anonymous outer identity -- confirm against your EAP
    	#  configuration).  Unlike cui.post-auth, ':=' is used here, so any CUI
    	#  already present in the inner reply is replaced.  The reply CUI only
    	#  reaches the client if use_tunneled_reply = yes (see cui.post-auth).
    	#  The same hash construction and cui_hash_key caveats apply.
    	#
    	if (&outer.request:Chargeable-User-Identity && \
    	    (&outer.request:Operator-Name || ('${policy.cui_require_operator_name}' != 'yes'))) {
    		update reply {
    			&Chargeable-User-Identity := "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{outer.request:Operator-Name}:-}}}"
    		}
    	}
    }
    
    #
    #  If your NAS can do CUI-based accounting or you do not care about
    #  accounting then just comment out the call to cui in ......
    #
    #  If we had stored a CUI for the User, add it to the request.
    #
    cui.accounting {
    	#
    	#  If the CUI isn't in the packet, see if we can find it
    	#  in the DB.  The lookup keys are the NAS address (the packet's IPv6
    	#  source address if present, otherwise the IPv4 one), Calling-Station-Id
    	#  and User-Name -- all values supplied by the NAS.  These expansions land
    	#  inside SQL string literals, so injection safety depends on the sql
    	#  module's xlat escaping (presumably its safe_characters setting);
    	#  confirm the cuisql instance is configured that way and keep the
    	#  quotes around each expansion.
    	#
    	if (!&Chargeable-User-Identity) {
    		update request {
    			&Chargeable-User-Identity := "%{cuisql:\
    				SELECT cui FROM cui \
    				WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
    				AND callingstationid = '%{Calling-Station-Id}' \
    				AND username = '%{User-Name}'}"
    		}
    	}
    
    	#
    	#  If it exists now, then write out when we last saw
    	#  this CUI.  The != '' check skips the case where the lookup above
    	#  found no row (the xlat is assumed to expand to "" then -- verify),
    	#  so an empty CUI is never recorded.
    	#
    	if (&Chargeable-User-Identity && (&Chargeable-User-Identity != '')) {
    		cuisql
    	}
    }