#
#       Forbid all EAP types.  Enable this by putting "forbid_eap"
#       into the "recv Access-Request" section.
#
forbid_eap {
	if (&EAP-Message) {
		reject
	}
}

#
#       Forbid all non-EAP types outside of an EAP tunnel.
#
permit_only_eap {
	if (!&EAP-Message) {
		#  We MAY be inside of a TTLS tunnel.
		#  PEAP and EAP-FAST require EAP inside of
		#  the tunnel, so this check is OK.
		#  If so, then there MUST be an outer EAP message.
		if (!&outer.request || !&outer.request.EAP-Message) {
			reject
		}
	}
}

#
#       Remove Reply-Message from response if were doing EAP
#
#  Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should
#  not be present in the same response.
#
remove_reply_message_if_eap {
	if (&reply.EAP-Message && &reply.Reply-Message) {
		&reply -= &Reply-Message[*]
	}
	else {
		noop
	}
}

#
#	Copy outer request attributes to the inner tunnel
#
#	Similar to the behaviour of the old PEAP and TTLS
#	configuration option of the same name, but attributes
#	to copy now have to be explicitly listed.
#
copy_request_to_tunnel {
	&request.Calling-Station-Id = &outer.request.Calling-Station-Id
	&request.Called-Station-Id = &outer.request.Called-Station-Id
}

#
#	Copy reply attributes to the outer session state
#
#	Emulates the behaviour of the old PEAP and TTLS
#	configuration option of the same name. See
#	sites-available/inner-tunnel for more details.
#
use_tunneled_reply {
	#
	#  These attributes are for the inner-tunnel only,
	#  and MUST NOT be copied to the outer reply.
	#
	&reply -= &User-Name[*]

	#
	#  Copy the remaining inner reply attributes to the outer
	#  session-state list.  This list is preserved across multiple
	#  Access-Request / Access-Challenge exchanges.
	#
	#  When the final Access-Accept is ready to be sent, The
	#  'send Access-Accept' policy in sites-available/default will
	#  copy the outer session-state list to the final reply.
	#
	&outer.session-state += &reply
}

