# -*- text -*- policy rainbow { #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #~ RADIUS service check #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # service-check { if (User-name == "radiustest") { if (!EAP-Message){ update control { Auth-Type := Accept } updated } else { reject } } updated = return } #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #~ AUTHZ SECTION #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # A Pair of policies that query different databases for a rainbow class, the return codes allow # for use of load-balancing / redundancy. # done using resilient sql queries (because sql xlat doesn't work with virtual modules) mac-rainbow-class { update request { UOB-Rainbow-Class := "%{rainbowsql:select class from mac_authz where mac = '%{Calling-Station-Id}'::macaddr}" } ok } rainbow-policy { # Looks like mac-auth if (Service-Type == 'Call-Check'){ # Is mac-auth if (User-Name =~ /[0-9a-f]{12}/){ # Do the DB lookup mac-rainbow-class # Now fails if empty if (UOB-Rainbow-Class == ""){ reject } # Always accept mac-auths update control { Auth-Type := Accept } } } # Proper auth if (EAP-Message){ # Machine auth if (User-Name =~ /^host\//){ update request { UOB-Rainbow-Class := "public" } } else { # Do the DB lookup, is this defunct? mac-rainbow-class # If unset, set to default if (UOB-Rainbow-Class == ""){ update request { UOB-Rainbow-Class := "guest" } } } } } #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #~ POST-AUTH SECTION #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # # Re-direct policy # url-redirect { update reply { Tunnel-Type := "VLAN" Tunnel-Medium-Type := "IEEE-802" Tunnel-Private-Group-Id := "private" Cisco-AVPair += "url-redirect=http://netmon.isys.bris.ac.uk/static/eek.html" Cisco-AVPair += "url-redirect-acl=ACL-REDIRECT" #Cisco-AVPair += "ip:inacl#1=permit ip any 137.222.12.0 255.255.255.0" } } # # Set rainbow class # set-rainbow-reply { update reply { Tunnel-Type := "VLAN" Tunnel-Medium-Type := "IEEE-802" Tunnel-Private-Group-Id := "%{UOB-Rainbow-Class}" } } # # Set wired vlan response # vlan_response { # Exists but empty, ie has gone through mac-auth [not currently used] if (UOB-Rainbow-Class == ""){ url-redirect } # Exists and valid elsif (UOB-Rainbow-Class){ set-rainbow-reply } } #END }