#
#	Forbid all EAP types.  Enable this by putting "forbid_eap"
#	into the "authorize" section.
#
forbid_eap {
	if (EAP-Message) {
		reject
	}
}

#
#	Forbid all non-EAP types outside of an EAP tunnel.
#
permit_only_eap {
	if (!EAP-Message) {
		#  We MAY be inside of a TTLS tunnel.
		#  PEAP and EAP-FAST require EAP inside of
		#  the tunnel, so this check is OK.
		#  If so, then there MUST be an outer EAP message.
		if (!"%{outer.request:EAP-Message}") {
			reject
		}
	}
}

#
#	Remove Reply-Message from response if were doing EAP
#
#  Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should
#  not be present in the same response.
#
remove_reply_message_if_eap {
	if(reply:EAP-Message && reply:Reply-Message) {
		update reply {
			Reply-Message !* ANY
		}
	}
	else {
		noop
	}
}

#
#	Example of forbidding all attempts to login via
#	realms.
#
deny_realms {
	if (User-Name =~ /@|\\/) {
		reject
	}
}

#
#	Filter the username
#
#  Force some sanity on User-Name. This helps to avoid issues
#  issues where the back-end database is "forgiving" about
#  what constitutes a user name.
#
filter_username {
	#
	#  reject mixed case
	#  e.g. "UseRNaMe"
	#
	if (User-Name != "%{tolower:%{User-Name}}") {
		reject
	}

	#
	#  reject all whitespace
	#  e.g. "user@ site.com", or "us er", or " user", or "user "
	#
	if (User-Name =~ / /) {
		update reply {
			Reply-Message += "Rejected: Username contains whitespace"
		}
		reject
	}

	#
	#  reject Multiple @'s
	#  e.g. "user@site.com@site.com"
	#
	if(User-Name =~ /@.*@/ ) {
		update reply {
			Reply-Message += "Rejected: Multiple @ in username"
		}
		reject
	}

	#
	#  reject double dots
	#  e.g. "user@site..com"
	#
	if (User-Name =~ /\\.\\./ ) {
		update reply {
			Reply-Message += "Rejected: Username comtains ..s"
		}
		reject
	}

	#
	#  must have at least 1 string-dot-string after @
	#  e.g. "user@site.com"
	#
	if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))  {
		update reply {
			Reply-Message += "Rejected: Realm does not have at least one dot separator"
		}
		reject
	}

	#
	#  Realm ends with a dot
	#  e.g. "user@site.com."
	#
	if (User-Name =~ /\\.$/)  {
		update reply {
			Reply-Message += "Rejected: Realm ends with a dot"
		}
		reject
	}

	#
	#  Realm begins with a dot
	#  e.g. "user@.site.com"
	#
	if (User-Name =~ /@\\./)  {
		update reply {
			Reply-Message += "Rejected: Realm begins with a dot"
		}
		reject
	}
}

