server inner-tunnel {
    listen {
        type = auth
        ipaddr = 127.0.0.1
        port = 18120
    }

    authorize {
        # Cargar credenciales/atributos del usuario desde SQL
        sql
        # Si está deshabilitado en SQL, rechazar antes de EAP
        if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username='%{User-Name}' AND attribute='Auth-Type' AND value='Reject'}" != "0") {
            reject
        }
        # En caso de que el módulo SQL no haya poblado Cleartext-Password, obténlo vía xlat
        update control {
            Cleartext-Password := "%{sql:SELECT value FROM radcheck WHERE username='%{User-Name}' AND attribute='Cleartext-Password' ORDER BY id DESC LIMIT 1}"
        }
        # Cargar atributos de respuesta desde SQL (VLAN y ancho de banda) para PEAP (se copian al outer)
        update reply {
            Tunnel-Type := "%{sql:SELECT value FROM radreply WHERE username='%{User-Name}' AND attribute='Tunnel-Type' ORDER BY id DESC LIMIT 1}"
            Tunnel-Medium-Type := "%{sql:SELECT value FROM radreply WHERE username='%{User-Name}' AND attribute='Tunnel-Medium-Type' ORDER BY id DESC LIMIT 1}"
            Tunnel-Private-Group-Id := "%{sql:SELECT value FROM radreply WHERE username='%{User-Name}' AND attribute='Tunnel-Private-Group-Id' ORDER BY id DESC LIMIT 1}"
            WISPr-Bandwidth-Max-Down := "%{sql:SELECT value FROM radreply WHERE username='%{User-Name}' AND attribute='WISPr-Bandwidth-Max-Down' ORDER BY id DESC LIMIT 1}"
            WISPr-Bandwidth-Max-Up := "%{sql:SELECT value FROM radreply WHERE username='%{User-Name}' AND attribute='WISPr-Bandwidth-Max-Up' ORDER BY id DESC LIMIT 1}"
        }
        # Fallback/local: también consultar backend 'files'
        files
        # Procesar EAP (PEAP) y MS-CHAPv2
        eap
        mschap
    }

    authenticate {
        eap
        Auth-Type MS-CHAP {
            mschap
        }
        Auth-Type Reject {
            reject
        }
    }

    post-auth {
        # Nada: los atributos se copian fuera si use_tunneled_reply = yes
    }
}
