policy eduroam { mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2}) # bristolfixMYrealm { # if (User-Name =~ /(.+?@)my\\.bristol\\.ac\\.uk$/) { # update request { # UOB-Info-Type := 'REWR' # } # eduroaminfo # update request { # UOB-Info-Type !* "" # User-Name := "%{1}bristol.ac.uk" # } # } # } bristolrealmchecks { update request { UOB-Info-Type := 'BADR' } $INCLUDE conf.d/eduroam-realm-checks.conf update request { UOB-Info-Type !* "" } } # end of bristolrealmchecks eduroaminfo-rcvdpacket { update request { UOB-Info-Type := 'RCVD' } eduroaminfo update request { UOB-Info-Type !* "" } } # Add "rewrite.called_station_id" in the "authorize" and "preacct" # sections. #rewrite.called_station_id { #if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) { #update request { #Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" #} # ## SSID component? #if ("%{7}") { #update request { #Called-Station-Id := "%{Called-Station-Id}:%{7}" #} #} #updated #} #else { #noop #} #} # Add "rewrite.calling_station_id" in the "authorize" and "preacct" # sections. create.uob-stripped-mac { if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) { update request { UOB-Stripped-MAC := "%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}" } updated } else { noop } } create.uob-crypted-mac { if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) { update request { UOB-Crypted-MAC := "%{tolower:%{1}%{2}%{3}-%{md5:%{3}ae%{5}af%{6}b%{1}e%{4}cd%{2}fb}}" } } if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:eduroam)?$/i) { update request { UOB-Short-CSID := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}" } updated } else { noop } } do_not_respond { update control { Response-Packet-Type := Do-Not-Respond } handled } disable_session_resumption { update control { Allow-Session-Resumption := No } } blackberry-ssl-bug { if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) { } } # Put this at the top of authorise for # any radius service we provide to another UOB # department or organisation, where it's possible # for things to get proxied to JANET # # These checks are only things that the partner org # can break / mis-configure - this doesn't check for # any user related stuff partner-eduroam-sanity-checks { create.uob-stripped-mac if (!(request:UOB-Stripped-MAC)) { update reply { Reply-Message := "Calling-Station-Id absent or invalid - Rejecting request (%{request:UOB-Stripped-MAC})" } reject } if (!(request:EAP-Message)) { update reply { Reply-Message := "No EAP-Message found - Rejecting request" } reject } if (!(request:Called-Station-Id)) { update reply { Reply-Message := "No Called-Station-Id found - Rejecting request (%{request:Called-Station-Id})" } reject } # if the SSID is indicated in any case if (request:Called-Station-Id =~ /:eduroam$/i) { # Ensure it is in fact lower case if (!(request:Called-Station-Id =~ /:eduroam$/)) { update reply { Reply-Message := "Apparently your eduroam SSID is not all lowercase - Rejecting request (%{request:Called-Station-Id})" } reject } } } } # end of policy