diff --git a/ops/nixos/bvm-radius/raddb/policy.d/cuirecv b/ops/nixos/bvm-radius/raddb/policy.d/cuirecv new file mode 100644 index 0000000000..6b72a26e9e --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/policy.d/cuirecv @@ -0,0 +1,46 @@ +# +# The following policies are for the Chargeable-User-Identity +# (CUI) configuration. +# +# The policies below can be called as just 'cui' (not +# cui.authorize etc..) from the various config sections. +# + +## This is a limited configuration for Visited-only sites. + +# +# The client indicates it can do CUI by sending a CUI attribute +# containing one zero byte. +# A non-empty value in Operator-Name can be an additional requirement. +# Normally CUI support is turned on only for such requests. +# CUI support can be used for local clients which do not +# supports CUI themselves, the server can simulate a CUI request +# adding the missing NUL CUI value and the Operator-Name attribute. +# Clients which are supposed to get this treatment should +# be marked by add_cui flag in clients.conf +# We assume that local clients are marked in the client.conf with +# add_cui flag, e.g. +# client xxxx { +# ... +# add_cui = yes +# } +# +cui.authorize { + if ("%{client:add_cui}" == 'yes') { + update request { + &Chargeable-User-Identity := 0x00 + } + } +} + +# +# Before proxing an Access-Request to a remote server, a NUL CUI +# attribute should be added, unless it is already present in the request. +# +cui.pre-proxy { + if (("%{request:Packet-Type}" == 'Access-Request') && ("%{client:add_cui}" == 'yes')) { + update proxy-request { + &Chargeable-User-Identity = 0x00 + } + } +}