# -*- text -*-
######################################################################
#
#  This is a virtual server that handles incoming EAP for eduroam
#  It is mostly configured per
#  https://wiki.geant.org/display/H2eduroam/freeradius-sp and
#  https://wiki.geant.org/display/H2eduroam/freeradius-idp
#
#  authorize → authenticate → pre-proxy → [PROXY] → post-proxy → post-auth
#
# You can use https://github.com/CESNET/rad_eap_test to test your eduroam
# configuration like this:
#
#	$ rad_eap_test -H localhost -P 1812 -S testing123 -m WPA-EAP -e TTLS -2 PAP -A anonymous@example.ac.za -u nren_radius_test@example.ac.za -p PleaseChangeThisPassword
#
######################################################################

server eduroam {
	# Processing order for a request that hits this server is
	# authorize → authenticate → pre-proxy → [PROXY] → post-proxy → post-auth;
	# the sections below are listed roughly in that order.

	# Configure this virtual server to listen on all available
	# IPv4 and IPv6 addresses on the default ports for auth+acct
	#
	# This duplicates what's in sites-available/default, which is
	# enabled by default and thus is commented out here. You can
	# EITHER rely on the default virtual server to bind your ports,
	# OR you can disable it by deleting the symlink from
	# sites-enabled/default and then uncomment listen here.
	# (port = 0 means "the default port for this listener type".)
#	listen {
#		type = "auth"
#		ipaddr = *
#		port = 0
#	}
#	listen {
#		type = "acct"
#		ipaddr = *
#		port = 0
#	}
#	listen {
#		type = "auth"
#		ipv6addr = ::
#		port = 0
#	}
#	listen {
#		type = "acct"
#		ipv6addr = ::
#		port = 0
#	}

	authorize {
		# only use filter_username from version > 3.0.7
		filter_username
		# these normalise MAC addresses
		rewrite_called_station_id
		rewrite_calling_station_id
		# Tag the request as coming from this SP, but only when it did
		# NOT arrive from one of the two upstream clients named below.
		# NOTE(review): za-flr-cpt / za-flr-jnb are presumably the
		# federation-level RADIUS servers; requests from them are our own
		# users authenticating elsewhere, whose Operator-Name was already
		# set by the visited SP and must not be overwritten — confirm the
		# shortnames match the entries in clients.conf.
		if ( "%{client:shortname}" != "za-flr-cpt" && "%{client:shortname}" != "za-flr-jnb" ) {
			update request {
				# ":=" replaces any Operator-Name the NAS may have sent
				&Operator-Name := "1example.ac.za"
				# the literal number "1" above is an important prefix! Do not change it!
				&Eduroam-SP-Country := "ZA"
				# keyed on the client MAC so that all packets of one
				# session are steered to the same upstream server
				# (assumes a load-balance pool in proxy.conf reads this
				# key — verify)
				control:Load-Balance-Key := &Calling-Station-ID
			}
		}
		# Chargeable-User-Identity handling
		cui
		# if you want detailed logging
		#auth_log
		# split user@realm so the realm can be routed (locally or proxied)
		suffix
		eap {
			# once eap has claimed the request, stop processing this
			# section; the remaining policies are not needed for EAP
			ok = return
		}
		# RADIUS/TLS (or RadSec) connections
		# Only accepts the new connection at the policy level; peer
		# certificate checks presumably happen in the tls listener
		# configuration, not here — confirm.
		Autz-Type New-TLS-Connection {
			ok
		}
	}

	authenticate {
		# all authentication on this server is EAP (inner method is
		# handled by the eap module / its inner-tunnel virtual server)
		eap
	}

	preacct {
		# same MAC normalisation and realm split as in authorize, so
		# accounting packets are routed consistently with auth packets
		rewrite_called_station_id
		rewrite_calling_station_id
		suffix
	}

	# eduroam doesn't really care about accounting for traffic, but you might
#	accounting {
#		radutmp
#	}
#	session {
#		radutmp
#	}

	post-auth {
		update {
			# append (not replace) attributes collected across the EAP
			# rounds into the final reply
			&reply: += &session-state:
		}
		#
		## uncomment the next section to use dynamic VLAN assignment
		## based on where a user is from. This is STRONGLY recommended!
		## The example uses standard RADIUS attributes. Your NAS or
		## wireless controller may require different attributes.
		## NOTE(review): Tunnel-Private-Group-Id below uses "=" (only set
		## if absent) while the other two use ":=" (always set). A
		## Tunnel-Private-Group-Id already present in the reply — e.g.
		## returned by a remote IdP through the proxy — would therefore
		## win over the local VLAN. If that is not intended, use ":=" or
		## make sure attr_filter.post-proxy strips Tunnel-* attributes.
#		switch &Realm {
#			# VLAN settings for your local users
#			case "example.ac.za" {
#				update reply {
#					&Tunnel-Type := "VLAN"
#					&Tunnel-Medium-Type := "IEEE-802"
#					&Tunnel-Private-Group-Id = "2505"
#				}
#			}
#			# VLAN settings for visitors to your campus
#			case {
#				update reply {
#					&Tunnel-Type := "VLAN"
#					&Tunnel-Medium-Type := "IEEE-802"
#					&Tunnel-Private-Group-Id = "2506"
#				}
#			}
#		} # switch realm
		# if you want detailed logging
		#reply_log
		# eduroam F-Ticks statistics for successful authentications
		f_ticks
		remove_reply_message_if_eap
		# rejects go through here instead of the section above
		Post-Auth-Type REJECT {
			# if you want detailed logging
			#reply_log
			# F-Ticks for failed authentications as well
			f_ticks
			# restrict which attributes may leave in an Access-Reject
			attr_filter.access_reject
			# let the eap module build the EAP-Failure for the reject
			eap
			remove_reply_message_if_eap
		}
	}

	pre-proxy {
		cui
		# if you want detailed logging
		#pre_proxy_log
		# strip attributes before forwarding; only applied to
		# authentication traffic, accounting is proxied unfiltered
		# (the attribute list itself lives in the attr_filter config)
		if("%{Packet-Type}" != "Accounting-Request") {
			attr_filter.pre-proxy
		}
	}

	post-proxy {
		update control {
			# needed for log_eduroam_sp to log UTC timestamps
			# Event-Timestamp as an integer, falling back to the current
			# time (%l) when the upstream reply carries none
			&Tmp-Integer-1 := "%{%{integer:Event-Timestamp}:-%l}"
		}
		log_eduroam_sp
		# if you want detailed logging
		#post_proxy_log
		# This filter decides which attributes a remote IdP's reply may
		# pass through to the NAS (e.g. Tunnel-*/VLAN attributes); review
		# the attr_filter.post-proxy list with that in mind.
		attr_filter.post-proxy
		eap
	}
} # eduroam server block
