post-auth { # Include Stingray postauth access policies # Default update reply that apply to everyone. update reply { Tunnel-Type := VLAN Tunnel-Private-Group-Id := 666 Tunnel-Medium-Type := 6 Idle-Timeout := 60 Session-Timeout := 60 Termination-Action := RADIUS-Request } # We send update reply to devops users only for Juniper/Network related stuff if (Ldap-Group == "DevOpsUsers") { update reply { Juniper-Local-User-Name := "SU" Juniper-Junosspace-Profile := "devops_users" } } # We rewrite calling_station_id in order to do mac checkup rewrite_calling_station_id # Check against the authorized_macs file authorized_macs if (!ok) { update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-Id := 155 } } else { update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-Id := 157 } } # For Exec-Program and Exec-Program-Wait exec # Remove reply message if the response contains an EAP-Message remove_reply_message_if_eap # # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section. # # Add the ldap module name (or instance) if you have set # 'edir_account_policy_check = yes' in the ldap module configuration # Post-Auth-Type REJECT { # log failed authentications in SQL, too. -sql attr_filter.access_reject # Insert EAP-Failure message if the request was # rejected by policy instead of because of an # authentication failure eap # Remove reply message if the response contains an EAP-Message remove_reply_message_if_eap } }