From 3182652dc38323b3e6d566f4df01872a6a8ab249 Mon Sep 17 00:00:00 2001
From: Sam Hartman
Date: Thu, 12 Mar 2015 14:43:47 -0400
Subject: [PATCH] Updates to abfab policy

* Move policy from pre-proxy to authorize because we need to run some of the updates prior to realm because they now influence generated trust router requests.
* Include setting reply messages
---
 raddb/policy.d/abfab-tr            | 12 +++++++++---
 raddb/sites-available/abfab-tr-idp | 10 +++++++---
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/raddb/policy.d/abfab-tr b/raddb/policy.d/abfab-tr
index b55adc8210e3..8a43ff3f1a32 100644
--- a/raddb/policy.d/abfab-tr
+++ b/raddb/policy.d/abfab-tr
@@ -15,29 +15,35 @@ psk_authorize {
 			# do things here
 		} else {
+			update reply {
+				Reply-Message = "RP not authorized for this ABFAB request"
+			}
 			reject
 		}
 	}
 }
-abfab_pre_proxy {
+abfab_client_check {
 	# check that the acceptor host name is correct
 	if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") {
 		if ("%{client:gss_acceptor_host_name}" != "%{gss-acceptor-host-name}") {
+			update reply {
+				Reply-Message = "GSS-Acceptor-Host-Name incorrect"
+			}
 			reject
 		}
 	}
 	# set trust-router-coi attribute from the client configuration
 	if ("%{client:trust_router_coi}") {
-		update proxy-request {
+		update request {
 			Trust-Router-COI := "%{client:trust_router_coi}"
 		}
 	}
 	# set gss-acceptor-realm-name attribute from the client configuration
 	if ("%{client:gss_acceptor_realm_name}") {
-		update proxy-request {
+		update request {
 			GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}"
 		}
 	}
diff --git a/raddb/sites-available/abfab-tr-idp b/raddb/sites-available/abfab-tr-idp
index 9a66b59cccd7..7a057fb29755 100644
--- a/raddb/sites-available/abfab-tr-idp
+++ b/raddb/sites-available/abfab-tr-idp
@@ -13,6 +13,7 @@ server abfab-idp {
 authorize {
 	psk_authorize
+	abfab_client_check
 	filter_username
 	preprocess
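Review bot: Now that `abfab_client_check` writes Trust-Router-COI and GSS-Acceptor-Realm-Name into the request list in authorize (and, per the description, those values feed the generated trust-router request), an RP-supplied value for either attribute passes through untouched whenever the matching `client:` field is empty, because the `:=` assignment only runs inside the `if ("%{client:...}")` guard. If RPs are never meant to choose these values, strip them unconditionally before the guarded assignments, e.g. `update request { Trust-Router-COI !* ANY  GSS-Acceptor-Realm-Name !* ANY }`, or add an `else` branch that rejects when the request carries one but the client entry does not. Relatedly, the host-name comparison is skipped when the RP omits GSS-Acceptor-Host-Name (pre-existing, but now it is the only check before realm); the comment on that `if` should say whether an absent attribute is deliberately accepted. The closing brace of `abfab_client_check` lies outside this hunk.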
@@ -95,8 +96,12 @@ post-auth {
 		# Insert EAP-Failure message if the request was
 		# rejected by policy instead of because of an
-		# authentication failure
-		eap
+		# authentication failure And already has an EAP message
+		# For non-ABFAB, we insert the failure all the time, but for ABFAB
+		# It's more desirable to preserve reply-message when we can
+if &reply:Eap-Message {
+	eap
+	}
 		# Remove reply message if the response contains an EAP-Message
 		remove_reply_message_if_eap
@@ -116,7 +121,6 @@ pre-proxy {
 	# No need to uncomment this if you have already enabled this in
 	# the authorize section.
 	# operator-name
-	abfab_pre_proxy
 	# The client requests the CUI by sending a CUI attribute
 	# containing one zero byte.
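Review bot: The added `if &reply:Eap-Message {` is written without the parentheses unlang conditions take and sits at column 0 while its closing `}` is indented; it should read `if (&reply:EAP-Message) {` and be indented with the surrounding section. As far as I recall, rlm_eap's post-auth handler only inserts EAP-Failure when the request carried an EAP-Message and the reply does not already hold one, so guarding `eap` on the reply already containing EAP-Message would make the call a no-op in every case; if the intent is to skip EAP-Failure for ABFAB policy rejects so Reply-Message survives `remove_reply_message_if_eap`, say so in the comment and drop the `eap` call, and if the intent was "only for EAP requests", the test should be `&request:EAP-Message`. Either way the new comment ("And already has an EAP message") does not match what the condition actually tests. The enclosing sub-section (presumably Post-Auth-Type REJECT) starts outside this hunk.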