server inner-tunnel {

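authorize {
	#
	#  Take a User-Name, and perform some checks on it, for spaces and other
	#  invalid characters.  If the User-Name appears invalid, reject the
	#  request.
	#
	#  See policy.d/filter for the definition of the filter_username policy.
	#
	#filter_username

	preprocess

	#  If the request is going to be proxied, local processing is pointless.
	#  "handled" stops the authorize section right here; nothing below runs.
	if (&control:Proxy-To-Realm) {
		handled
	}

	chap

	mschap

	#  Check for the ubiquity vendor group (configuration-time switch).
	if (${vendor_group_enabled} == 1) {
		vendor_group
	}

	#  Select the EAP module instance.  The unqualified &Eltex-Tls-Enabled
	#  resolves to the request list; whether the peer can influence this
	#  choice depends on where that attribute is set - TODO confirm it is
	#  only ever set by the outer server, never taken from the tunnelled
	#  request itself.
	if (&Eltex-Tls-Enabled && &Eltex-Tls-Enabled == 1) {
		eap-tls
	}
	elsif (&control:Eltex-Vendor-Group && &control:Eltex-Vendor-Group == "ubi") {
		eap-ubi
	}
	else {
		eap
	}

	#  Check Simultaneous-Use against mongo pcrf.session.  When pcrf is
	#  enabled the "session" section of this server runs nothing, so this
	#  is the only Sim-Use check.
	if (${pcrf_enabled} == 1) {
		pcrf
	}

	#  Save the current time in the request so the sql check items can
	#  compare it with the user's expiry attributes in the database.
	#  ":=" overwrites unconditionally.  With "=" the attribute would only
	#  be added when absent, so a value already present in the request
	#  would be used for the expiry comparison instead of the server clock.
	update request {
		Eltex-User-Expires := "%l"
		Eltex-User-Deactivation-Expires := "%l"
	}

	sql

	if (noop) {
		#  User found, but the check items did not match
		reject
	}

	if (notfound) {
		#  User not found in the database
		reject
	}

	#  If radcheck supplied one or more Calling-Station-Id values, the
	#  station MAC in the request must match one of them.  The comparison
	#  is an exact string match, so the stored format has to equal what
	#  the NAS sends (case, separators); normalise earlier if NAS formats
	#  vary.  The loop uses control:Tmp-String-1 as a "match found" flag
	#  and assumes it is unset beforehand - TODO confirm nothing earlier
	#  (sql check items, pcrf) sets it.
	if (&control:Calling-Station-Id) {
		foreach &control:Calling-Station-Id {
			if (&request:Calling-Station-Id == "%{Foreach-Variable-0}") {
				update control {
					Tmp-String-1 := "1"  # mac address found flag
				}
				break
			}
		}
		if (!&control:Tmp-String-1) {
			#  No stored MAC matched (a request without a
			#  Calling-Station-Id never matches, so it is rejected too)
			reject
		}
	}

	#
	#  If no other module has claimed responsibility for
	#  authentication, then try to use PAP.  This allows the
	#  other modules listed above to add a "known good" password
	#  to the request, and to do nothing else.  The PAP module
	#  will then see that password, and use it to do PAP
	#  authentication.
	#
	#  This module should be listed last, so that the other modules
	#  get a chance to set Auth-Type for themselves.
	#
	pap

	#
	#  If "status_server = yes", then Status-Server messages are passed
	#  through the following section, and ONLY the following section.
	#  This permits you to do DB queries, for example.  If the modules
	#  listed here return "fail", then NO response is sent.
	#
#	Autz-Type Status-Server {
#
#	}
}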

post-auth {
	#  Only rejected requests get post-auth processing in this server:
	#  there is no sub-section for accepted requests, and the sql
	#  post-auth logging is left commented out.
	Post-Auth-Type REJECT {
#		sql
		#  Strip attributes that are not allowed in an Access-Reject
		attr_filter.access_reject

		# Insert EAP-Failure message if the request was
		# rejected by policy instead of because of an
		# authentication failure
		eap

		#  Remove reply message if the response contains an EAP-Message
		remove_reply_message_if_eap
	}
}

authenticate {
	#  Each Auth-Type sub-section runs only when control:Auth-Type was
	#  set to that value by a module in the authorize section.
	Auth-Type PAP {
		pap
	}

	Auth-Type CHAP {
		chap
	}

	Auth-Type MS-CHAP {
		mschap
	}

	#  The three EAP instances are listed bare; the one whose name
	#  matches the Auth-Type chosen in authorize (eap-tls, eap-ubi or
	#  eap) is the one that runs.
    eap-tls
    eap-ubi
    eap
}

#  Session database, used for checking Simultaneous-Use.
#  Only the sql module is consulted here, and only when pcrf is disabled.
#  With pcrf enabled nothing runs in this section: the Sim-Use check is
#  expected to have been done by the pcrf module in authorize instead.
session {
    if (${pcrf_enabled} == 0) {
        sql
    }
}

pre-proxy {
	#  Intentionally empty: requests leaving the inner tunnel are not
	#  modified or filtered before being proxied.

}

post-proxy {
	#
	#  If you are proxying LEAP, you MUST configure the EAP
	#  module, and you MUST list it here, in the post-proxy
	#  stage.
	#
	#  You MUST also use the 'nostrip' option in the 'realm'
	#  configuration.  Otherwise, the User-Name attribute
	#  in the proxied request will not match the user name
	#  hidden inside of the EAP packet, and the end server will
	#  reject the EAP request.
	#
	#  Only the default eap instance is run here; proxied replies for
	#  the eap-tls / eap-ubi instances are not post-processed - TODO
	#  confirm that is intended.
	eap

	#  Failed proxied accounting is not logged anywhere (left disabled).
#	Post-Proxy-Type Fail-Accounting {
#			detail
#	}
}

#  This next section is here to allow testing of the "inner-tunnel"
#  authentication methods, independently from the "default" server.
#  It is listening on "localhost", so that it can only be used from
#  the same machine.
#
#  The port is taken from the ${inner_tunnel_port} variable; the bind
#  address is loopback only, so this listener is never reachable from
#  the network.
listen {
    ipaddr = 127.0.0.1
    port = ${inner_tunnel_port}
    type = auth
}

}
