67 lines
1.7 KiB
Plaintext
67 lines
1.7 KiB
Plaintext
server default {
|
|
listen {
|
|
type = auth
|
|
ipaddr = *
|
|
port = 1812
|
|
}
|
|
|
|
listen {
|
|
type = acct
|
|
ipaddr = *
|
|
port = 1813
|
|
}
|
|
|
|
# Listen for incoming CoA/Disconnect-Request (for testing / tooling)
|
|
listen {
|
|
type = coa
|
|
ipaddr = *
|
|
port = 3799
|
|
}
|
|
|
|
authorize {
|
|
# Si es EAP (WPA-Enterprise)
|
|
if (&EAP-Message) {
|
|
# Si el usuario está deshabilitado según SQL, rechazar antes de llamar a eap
|
|
if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username='%{User-Name}' AND attribute='Auth-Type' AND value='Reject'}" != "0") {
|
|
reject
|
|
}
|
|
eap
|
|
return
|
|
}
|
|
# Cargar atributos desde SQL (VLAN/bw, etc.)
|
|
sql
|
|
# Si está deshabilitado en SQL, rechazar
|
|
if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username='%{User-Name}' AND attribute='Auth-Type' AND value='Reject'}" != "0") {
|
|
reject
|
|
}
|
|
# Laboratorio: aceptar todo en flujos no EAP
|
|
update control {
|
|
Auth-Type := Accept
|
|
}
|
|
}
|
|
|
|
authenticate {
|
|
# EAP para WPA-Enterprise
|
|
eap
|
|
Auth-Type Reject {
|
|
reject
|
|
}
|
|
# Aceptar todo cuando control:Auth-Type := Accept (no EAP)
|
|
Auth-Type Accept {
|
|
ok
|
|
}
|
|
}
|
|
|
|
accounting {
|
|
# Enviar eventos de accounting al dashboard (solo logging)
|
|
rest
|
|
ok
|
|
}
|
|
|
|
post-auth {
|
|
# Log de eventos post-auth al dashboard (no modifica la respuesta)
|
|
rest.post-auth
|
|
# Para EAP, los atributos del túnel interno se copian (use_tunneled_reply = yes)
|
|
}
|
|
}
|