#  -*- text -*-
#
#
#  $Id: 9d7b28010b405e39fff242db7aa46c99fef056e8 $

#######################################################################
#
#  = ABFAB: Trust Router
#
#  This file represents a server that is implementing an identity provider
#  for `GSS-EAP` (RFC 7055) using the trust router protocol for dynamic realm
#  discovery.  Any ABFAB identity provider is also an ABFAB relying party proxy.
#
#  NOTE: This file does not include a TLS listener. Please see `abfab-tls`
#  for a simple example of a RADSEC listener for ABFAB.
#

#
#  ## Default Instance
#

#
#  ## server { ... }
#
server abfab-idp {

	#
	#  ### recv Access-Request
	#
	#  Run these rules when receiving an `Access-Request`
	#
	recv Access-Request {
		#
		#  .Please see the `policy.d/abfab-tr` for full documentation.
		#
		abfab_psk_authorize
		abfab_client_check

		#
		#  .Please see the `policy.d/filter` for full documentation.
		#
		filter_username

		#
		#  If you intend to use CUI and you require that the `Operator-Name`
		#  be set for CUI generation and you want to generate CUI also
		#  for your local clients then uncomment the operator-name below and
		#  set the operator-name for your clients in `clients.conf`
		#
	#	operator-name

		#
		#  If you want to generate CUI for some clients that do not send proper
		#  CUI requests, then uncomment the cui below and set `add_cui = yes`
		#  for these clients in `clients.conf`
		#
	#	cui

		#
		#  For EAP requests.
		#
		eap {
			ok = return
		}

		#
		#  .Please see the `mods-available/expiration` for full documentation.
		#
		expiration
	}

	#
	#  EAP authentication.
	#
	authenticate eap {
		#
		#  Allow EAP authentication.
		#
		eap
	}

	#
	#  ### send Access-Accept
	#
	#  Run these rules when sending an `Access-Accept`
	#
	send Access-Accept {
		#
		#  For `EAP-TTLS` and `PEAP`, add the cached attributes to the reply.
		#  The `session-state` attributes are automatically cached when
		#  an `Access-Challenge` is sent, and automatically retrieved
		#  when an `Access-Request` is received.
		#
		#  The `session-state` attributes are automatically deleted after
		#  an `Access-Reject` or `Access-Accept` is sent.
		#
		&reply += &session-state

		#
		#  Create the `CUI` value and add the attribute to `Access-Accept`.
		#  Uncomment the line below if *returning* the CUI.
		#
#		cui

		#
		#  If you want to have a log of authentication replies, uncomment the
		#  following line, and enable the `detail reply_log` module.
		#
#		reply_log

		#
		#  After authenticating the user, do another SQL query.
		#
		#  See "Authentication Logging Queries" in mods-available/sql
		#
		-sql

		#
		#  Instead of sending the query to the SQL server,
		#  write it into a log file.
		#
#		sql_log

		#
		#  Uncomment the following if you want to modify the user's object
		#  in LDAP after a successful login.
		#
#		ldap

		#
		#  .Please see the `exec` for full documentation.
		#
		exec

		#
		#  Remove reply message if the response contains an `EAP-Message`.
		#
		#  .Please see the `policy.d/eap` for full documentation.
		#
		remove_reply_message_if_eap
	}

	#
	#  ### send Access-Reject
	#
	#  Run these rules for sending an `Access-Reject`.
	#
	#  NOTE: if you have set `edir = yes` in the `ldap` module configuration,
	#  please remember to add the ldap module name (or instance).
	#
	send Access-Reject {
		#
		#  .Log failed authentications in SQL, too.
		#
		-sql

		#
		#  .Please see the `attr_filter` for full documentation.
		#
		attr_filter.access_reject

		#
		#  NOTE: Insert `EAP-Failure` message if the request was rejected by policy instead of
		#  because of an authentication failure And already has an `EAP` message For non-ABFAB,
		#  we insert the failure all the time, but for ABFAB It's more desirable to preserve
		#  `Reply-Message` when we can.
		#
		if (&reply.Eap-Message) {
			eap
		}

		#
		#  .Remove reply message if the response contains an `EAP-Message`.
		#
		remove_reply_message_if_eap
	}
}
