server default {

#  Authorization policy for Access-Requests: only EAP conversations handled
#  by the eap-tls module instance get past this section.
#
#  Order matters here: each "if" tests the return code left by the statement
#  that ran before it.
authorize {
    # Preprocess request attributes
	#  NOTE(review): filter_username is disabled. In the stock policy set it
	#  rejects malformed User-Name values; confirm nothing downstream
	#  (logging, accounting, NAS policy) relies on a sanitised User-Name.
	#filter_username
    preprocess

    eap-tls

    #  "ok" from eap-tls: log the request and stop processing this section.
    #  NOTE(review): with the stock rlm_eap this is the "not yet ready to
    #  authenticate" case; confirm for this eap-tls instance.
    if (ok) {
        eaplinelog
        return
    }


	#  "noop" from eap-tls: log and reject the request.
	#  NOTE(review): with the stock rlm_eap, "noop" in authorize means the
	#  packet carried no EAP-Message, so this branch would refuse every
	#  non-EAP request. The comment below attributes it to check items
	#  instead; confirm which applies to this module build.
	if (noop) {
	    # User's check items are not matched
	    eaplinelog
	    reject
	}

	#  Handling of Status-Server probes.
	#  NOTE(review): the reply is "ok" unconditionally; which hosts may
	#  send Status-Server is not restricted in this file.
	Autz-Type Status-Server {
		# EAP module adds server certificate expiration date to response
		eap-tls

		# Respond with Access-Accept
		eaplinelog
		ok
	}
}

#  Authentication policy: runs the EAP-TLS exchange, then applies an optional
#  client-certificate serial pin and logs the request.
authenticate {
    Auth-Type eap-tls {
        eap-tls

        #  Serial pinning: when the request carries TLS-Client-Cert-Serial and
        #  an expected serial is present in the control list, the two must be
        #  equal or the request is rejected.
        #
        #  This check is fail-open: if either attribute is absent, no
        #  comparison happens and the certificate is accepted on the strength
        #  of the TLS validation alone. Where pinning is mandatory, the
        #  missing-attribute case needs its own reject rule.
        #
        #  NOTE(review): in stock FreeRADIUS v3 the default actions for the
        #  authenticate section return immediately when a module yields "ok"
        #  or "handled". If that holds for this build, nothing after the
        #  eap-tls call runs on a successful handshake, so neither the pin
        #  check nor eaplinelog is reached. Confirm in debug output (-X); if
        #  so, the eap-tls call needs a return-code override such as
        #  "eap-tls { ok = 1 }" for the statements below to run.
        if (&request:TLS-Client-Cert-Serial && &control:TLS-Client-Cert-Serial) {
            if (&request:TLS-Client-Cert-Serial != &control:TLS-Client-Cert-Serial) {
                reject
            }
        }

        #  Log line for the authentication attempt (see NOTE above on whether
        #  this is reached after a successful handshake).
        eaplinelog
    }

}

#  Pre-accounting: normalise the request with preprocess, then consult the
#  files module.
#  NOTE(review): both accounting listeners in this virtual server are
#  commented out and no "accounting" section appears in this file, so this
#  section is presumably unused here. Confirm accounting is handled elsewhere.
preacct {
	preprocess

	files
}

#  Session database, used for checking Simultaneous-Use.
session {
	#  Intentionally empty: no session module is listed, so this server
	#  performs no Simultaneous-Use check itself.
	#  NOTE(review): post-auth copies the limit into Eltex-Simultaneous-Use,
	#  so enforcement is presumably left to the NAS. Confirm.

}

#  Post-authentication policy. The top-level statements shape the reply on the
#  accept path; Post-Auth-Type REJECT handles rejected requests.
post-auth {
	#  Pass the session limit to the NAS in a vendor attribute.
	#  NOTE(review): the unqualified %{Simultaneous-Use} expands from the
	#  request list, while Simultaneous-Use is normally a control (check)
	#  item. Confirm which list holds it here; if it is control, the
	#  expansion is empty and the NAS gets no usable limit.
	update reply {
        Eltex-Simultaneous-Use := "%{Simultaneous-Use}"
    }

	#  Remove reply message if the response contains an EAP-Message
	#  Do not remove EAP-Message for task #156683
	#  remove_reply_message_if_eap
	#  NOTE(review): with the policy above disabled, a Reply-Message (if any
	#  module sets one) is sent together with EAP-Message. Check that it
	#  cannot carry internal detail to the supplicant.

	Post-Auth-Type REJECT {

		#  Filter the Access-Reject reply through the access_reject
		#  instance of attr_filter before anything else is added.
		attr_filter.access_reject

		# Insert EAP-Failure message if the request was
		# rejected by policy instead of because of an
		# authentication failure
		eap-tls

		#  Remove reply message if the response contains an EAP-Message
		#  Do not remove EAP-Message for task #156683
		#  remove_reply_message_if_eap

		#  Log every rejected request.
	    eaplinelog
	}
}

pre-proxy {
	#  Intentionally empty: no policy is applied to requests before they
	#  are proxied.

}

post-proxy {
#  No active policy. The disabled block below would write a detail record
#  when a proxied accounting request fails.
#	Post-Proxy-Type Fail-Accounting {
#			detail
#	}
}

#  IPv4 authentication listener.
listen {
    type = auth
    #  "*" binds every IPv4 interface on the host. Nothing in this block
    #  restricts who may connect, so exposure is bounded only by the client
    #  definitions and any host or network firewall. Bind a specific
    #  management address if the RADIUS port should not be reachable on
    #  every interface.
    ipaddr = *
    #  auth_port is defined outside this file.
    port = ${auth_port}
    #  NOTE(review): per the stock FreeRADIUS documentation these limits
    #  apply to TCP listeners, and no "proto" is set in this block. If the
    #  socket is UDP, they have no effect and give no protection against
    #  request floods.
    limit {
        max_connections = 16
        #  0 = no maximum connection lifetime.
        lifetime = 0
        #  Seconds before an idle connection is closed.
        idle_timeout = 30
    }
}

#  IPv6 authentication listener.
listen {
    type = auth
    #  "::" binds every IPv6 interface on the host. Make sure the IPv6 path is
    #  covered by the same client definitions and firewall rules as IPv4;
    #  an unfiltered v6 listener is a common gap.
    ipv6addr = ::
    #  auth_port is defined outside this file.
    port = ${auth_port}
    #  NOTE(review): per the stock FreeRADIUS documentation these limits
    #  apply to TCP listeners, and no "proto" is set in this block. If the
    #  socket is UDP, they have no effect.
    limit {
        max_connections = 16
        #  0 = no maximum connection lifetime.
        lifetime = 0
        #  Seconds before an idle connection is closed.
        idle_timeout = 30
    }
}

# listen {
#     ipaddr = *
#     port = ${acct_port}
#     type = acct
# }
#
# listen {
#     ipv6addr = ::
#     port = ${acct_port}
#     type = acct
# }

}
