server default {
    listen {
        type = auth
        ipaddr = *
        port = 1812
    }

    listen {
        type = acct
        ipaddr = *
        port = 1813
    }

    authorize {
        # Si es EAP (WPA-Enterprise), procesar EAP y salir para no interferir
        if (&EAP-Message) {
            eap
            return
        }
        # MAC-Auth / Portal: Llama a la API REST para decidir y añadir atributos
        rest
        # Laboratorio: aceptar todo en flujos no EAP
        update control {
            Auth-Type := Accept
        }
    }

    authenticate {
        # EAP para WPA-Enterprise
        eap
        # Aceptar todo cuando control:Auth-Type := Accept (no EAP)
        Auth-Type Accept {
            ok
        }
    }

    accounting {
        rest
        ok
    }

    post-auth {
        # Asignación de VLAN dinámica por usuario
        if (&User-Name == "user1") {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "2"
            }
        }
        elsif (&User-Name == "user2") {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "5"
            }
        }
        else {
            # Fallback opcional: comentar si no quieres valor por defecto
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "2"
            }
        }
    }
}
