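# Virtual server for requests carried inside the EAP tunnel (PEAP with
# MS-CHAPv2). Check and reply items come from SQL, with the 'files' backend
# as a local fallback.
server inner-tunnel {
	# Loopback-only authentication listener.
	listen {
		type = auth
		ipaddr = 127.0.0.1
		port = 18120
	}

	authorize {
		# Load the user's credentials/attributes from SQL.
		sql

		# If the account is disabled in SQL (Auth-Type = Reject), reject
		# before EAP. Any expansion other than the literal "0" takes this
		# branch, so an empty result also ends in reject.
		# NOTE(review): User-Name is supplied by the client and is placed
		# inside a quoted SQL literal here and in every query below. This
		# relies on the sql module escaping nested expansions; confirm the
		# safe_characters setting of the sql module.
		if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username='%{User-Name}' AND attribute='Auth-Type' AND value='Reject'}" != "0") {
			reject
		}

		# Only when the SQL module has not populated Cleartext-Password,
		# fetch it via xlat. The lookup goes through a temporary attribute
		# so that a lookup with no usable value never overwrites the
		# control item: an unconditional ':=' would replace whatever 'sql'
		# loaded and, when the query yields nothing, would presumably leave
		# an empty password in the control list.
		if ("%{control:Cleartext-Password}" == "") {
			update control {
				Tmp-String-0 := "%{sql:SELECT value FROM radcheck WHERE username='%{User-Name}' AND attribute='Cleartext-Password' ORDER BY id DESC LIMIT 1}"
			}

			if ("%{control:Tmp-String-0}" != "") {
				update control {
					Cleartext-Password := "%{control:Tmp-String-0}"
				}
			}

			# Do not leave a second copy of the password in the request.
			update control {
				Tmp-String-0 !* ANY
			}
		}

		# Load reply attributes from SQL (VLAN and bandwidth) for PEAP
		# (they are copied to the outer session).
		# NOTE(review): these assignments use ':=' unconditionally. For a
		# user with no matching radreply row the expansion is presumably
		# empty; confirm how that behaves for Tunnel-Type and the other
		# non-string attributes, or guard each lookup the way the password
		# lookup above is guarded. Also confirm whether the 'sql' call
		# above already loads these radreply rows, which would make the
		# lookups redundant.
		update reply {
			Tunnel-Type := "%{sql:SELECT value FROM radreply WHERE username='%{User-Name}' AND attribute='Tunnel-Type' ORDER BY id DESC LIMIT 1}"
			Tunnel-Medium-Type := "%{sql:SELECT value FROM radreply WHERE username='%{User-Name}' AND attribute='Tunnel-Medium-Type' ORDER BY id DESC LIMIT 1}"
			Tunnel-Private-Group-Id := "%{sql:SELECT value FROM radreply WHERE username='%{User-Name}' AND attribute='Tunnel-Private-Group-Id' ORDER BY id DESC LIMIT 1}"
			WISPr-Bandwidth-Max-Down := "%{sql:SELECT value FROM radreply WHERE username='%{User-Name}' AND attribute='WISPr-Bandwidth-Max-Down' ORDER BY id DESC LIMIT 1}"
			WISPr-Bandwidth-Max-Up := "%{sql:SELECT value FROM radreply WHERE username='%{User-Name}' AND attribute='WISPr-Bandwidth-Max-Up' ORDER BY id DESC LIMIT 1}"
		}

		# Fallback/local: also consult the 'files' backend.
		files

		# Process EAP (PEAP) and MS-CHAPv2.
		eap
		mschap
	}

	authenticate {
		eap

		Auth-Type MS-CHAP {
			mschap
		}

		Auth-Type Reject {
			reject
		}
	}

	post-auth {
		# Nothing to do: the attributes are copied to the outer session
		# if use_tunneled_reply = yes.
	}
}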