# -*- text -*-
######################################################################
#
#  This is a virtual server that handles *only* inner tunnel
#  requests for EAP-TTLS and PEAP types.
#  It is mostly configured per
#  https://wiki.geant.org/display/H2eduroam/freeradius-idp
#
#  authorize → authenticate → post-auth
#
######################################################################

server eduroam-inner-tunnel {

#
#  This next section is here to allow testing of the "inner-tunnel"
#  authentication methods, independently from the "eduroam" server.
#  It is listening on "localhost", so that it can only be used from
#  the same machine.
#
#  Security note: the inner tunnel sees the user's real credentials
#  (PAP cleartext or MS-CHAPv2), which in normal operation are only
#  ever carried inside the outer TLS tunnel.  Keep this listener on
#  127.0.0.1 and never bind it to a routable address.  There is no
#  "clients" sub-section here, so the shared secret for this listener
#  comes from the global clients.conf (presumably its "localhost"
#  entry); the examples below assume the stock "testing123" secret.
#  Change that on a production IdP: any local process that knows the
#  secret can submit password guesses to this port, outside the TLS
#  tunnel.  Alternatively, remove this listen block once testing is
#  done.
#
#	$ radtest USER PASSWORD 127.0.0.1:18121 0 testing123
#
#  If it works, you have configured the inner tunnel correctly.
#
#  To check if TTLS/PAP will work, use:
#
#	$ radtest -t pap USER PASSWORD 127.0.0.1:18121 0 testing123
#
#  To check if PEAP/MSCHAPv2 will work, use:
#
#	$ radtest -t mschap USER PASSWORD 127.0.0.1:18121 0 testing123
#
#  If the EAP type(s) you're expecting don't work, then
#
#	FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
#
#  Do NOT do any EAP tests.  It won't help.  Instead, concentrate
#  on fixing the inner tunnel configuration.  DO NOTHING ELSE.
#
	listen {
		# loopback only; see the security note above
		ipaddr = 127.0.0.1
		port = 18121
		type = auth
	}

	#  Runs first.  Its job is to sanity-check the request, pull in
	#  per-user attributes and decide on an Auth-Type for the
	#  "authenticate" section below.
	authorize {
		# if you want detailed logging
		#auth_log
		# policy from policy.d: sanity-checks the User-Name before any
		# backend is consulted
		filter_username
		# we use suffix here so that the authentication module (e.g.
		# LDAP) can specify its own realm if needed, but that has
		# implications in the mods-config/files/authorize file
		suffix
		update control {
			# Force local handling regardless of what "suffix" derived
			# from the inner identity: an inner-tunnel request must
			# never be proxied, since that would forward the user's
			# credentials to a foreign home server.
			&Proxy-To-Realm := LOCAL
			# needed for log_eduroam_idp to log UTC timestamps
			&Tmp-Integer-1 := "%{%{integer:Event-Timestamp}:-%l}"
		}
		# EAP carried inside the tunnel (e.g. EAP-MSCHAPv2 under PEAP).
		# Once eap has claimed the request, skip the remaining modules
		# in this section.
		eap {
			ok = return
		}
#		-ldap {
#			notfound = return
#		}
		# static users / per-user attributes from mods-config/files/authorize
		files
		# per-user Expiration / Login-Time checks, if such check
		# attributes were set by a backend above
		expiration
		logintime
		# Pick Auth-Type from the credentials present in the request
		# (MS-CHAP attributes -> MS-CHAP, User-Password -> PAP).  Run
		# last so that a backend above can set a different Auth-Type
		# first.
		mschap
		pap
	}


	#  Runs the sub-section matching the Auth-Type chosen in
	#  "authorize".  A bare module name here registers an Auth-Type
	#  named after that module.
	authenticate {
		# TTLS/PAP: the backend must supply a known-good password
		# (cleartext or a supported hash) for pap to compare against.
		Auth-Type PAP {
			pap
		}

		# PEAP/EAP-MSCHAPv2 and TTLS/MSCHAPv2: mschap needs a cleartext
		# or NT-hash password from the backend.
		Auth-Type MS-CHAP {
			mschap
		}
		# NOTE(review): bare "mschap" also registers the legacy
		# "Auth-Type mschap" (module instance name) for backends or
		# configs that still set that value -- presumably kept for
		# compatibility with the stock default config; confirm it is
		# still needed.
		mschap

		# LDAP servers generally don't make good authentication backends
		# because they have no access to cleartext passwords. Thus by doing
		# this you are limiting the EAP authentication methods you support.
#		Auth-Type LDAP {
#			ldap
#		}

		# Auth-Type EAP: inner EAP methods (selected by the eap module
		# in "authorize")
		eap
	}

	#  Session database, used for checking Simultaneous-Use. Either the radutmp
	#  or rlm_sql module can handle this. The rlm_sql module is *much* faster
	session {
		radutmp
	}

	#  Runs after a successful authentication (the REJECT sub-section
	#  below replaces it on failure).  Its main job is to decide what
	#  the inner reply may contribute to the outer (EAP) reply.
	post-auth {
		# This sets a Chargeable-User-Identity, remember to set cui_hash_key
		# in policy.d/cui so your users' privacy is preserved
		cui-inner

		log_eduroam_idp
		# if you want detailed logging
		#reply_log

		# Only when this really is the inner half of an outer EAP
		# session; the direct radtest path via the listener above has
		# no outer request and skips this.
		if (&outer.request:EAP-Message) {
			# This copies the real (inner) User-Name to the outer tunnel,
			# replacing any anonymous identity. This has privacy implications,
			# but can make debugging and accounting significantly easier
#			update outer.reply {
#				&User-Name = "%{request:User-Name}"
#			}

			# New way of doing use_tunneled_reply = yes
			# These attributes are for the inner-tunnel only
			# and MUST NOT be copied to the outer reply.
			# In particular the MS-MPPE-* keys here belong to the inner
			# MS-CHAPv2 exchange; the outer EAP layer supplies the real
			# session keys, and EAP-Message / Message-Authenticator /
			# Proxy-State are per-hop and must be regenerated by the
			# outer request.
			update reply {
				&User-Name !* ANY
				&Message-Authenticator !* ANY
				&EAP-Message !* ANY
				&Proxy-State !* ANY
				&MS-MPPE-Encryption-Types !* ANY
				&MS-MPPE-Encryption-Policy !* ANY
				&MS-MPPE-Send-Key !* ANY
				&MS-MPPE-Recv-Key !* ANY
			}
			# Copy reply to outer session, and hence the outer.reply
			update {
				&outer.session-state: += &reply:
			}
		}
		# Failure path: log it, strip the reply down to what an
		# Access-Reject may carry, and tell the outer session why.
		Post-Auth-Type REJECT {
			log_eduroam_idp
			# if you want detailed logging
			#reply_log
			attr_filter.access_reject
			# NOTE(review): unlike the success path above this is not
			# guarded by an outer.request check; when exercised through
			# the local radtest listener there is no outer request --
			# confirm the update is harmless (just a debug notice) in
			# that case.
			update outer.session-state {
				&Module-Failure-Message := &request:Module-Failure-Message
			}
		}
	}

} # eduroam-inner-tunnel server block
