server default {

# authorize: normalises request attributes, selects the EAP module for the
# request, loads the user's check items through sql and leaves PAP as the
# last resort.  Entries run top to bottom, so their order is significant.
authorize {
    # Preprocess request attributes
	# NOTE(review): filter_username is disabled.  If this is the stock policy,
	# it sanity-checks User-Name before any module consumes it; with it off,
	# the proxy, EAP and sql modules below see the name exactly as the NAS
	# sent it.  Re-enable it or confirm equivalent validation exists elsewhere.
	#filter_username
    common_ciscoavpair
    rewrite_called_station_id
    preprocess

	proxy_auth
	proxy_ssid

	chap

	mschap

    # check for ubiquity vendor group
    # ${vendor_group_enabled} is a configuration reference, so it is expanded
    # when the file is parsed rather than evaluated per request.
	if (${vendor_group_enabled} == 1) {
	    vendor_group
	}

    # Select which EAP module instance handles this request.
    # NOTE(review): &Eltex-Tls-Enabled carries no list qualifier, so it is
    # presumably read from the request list.  If a NAS can put this attribute
    # in the Access-Request, the sender decides which EAP module is used;
    # confirm it is only ever set by a server-side policy above.
    if (&Eltex-Tls-Enabled && &Eltex-Tls-Enabled == 1) {
        eap-tls
    }
    elsif (&control:Eltex-Vendor-Group && &control:Eltex-Vendor-Group == "ubi") {
        eap-ubi
    }
    else {
        eap
    }

    # Leave authorize as soon as the EAP module returned "ok".  Everything
    # below (pcrf, the sql check items, pap) is skipped for that packet.
    # NOTE(review): confirm that the expiry checks and any control attributes
    # added by sql are not needed on the rounds that exit here.
    if (ok) {
        return
    }

    # check Sim-Use at mongo pcrf.session
    if (${pcrf_enabled} == 1) {
        pcrf
    }

    update request {
	    # Save current time in request to compare with user attribute in database
	    # "%l" expands to the request timestamp.
	    # NOTE(review): the "=" operator only adds an attribute when the list
	    # does not already hold one.  If a NAS could send these attributes,
	    # the client-supplied value would be compared instead of the server
	    # time; ":=" would always overwrite.  Confirm which is intended.
        Eltex-User-Expires = "%l"
        Eltex-User-Deactivation-Expires = "%l"
    }

	sql

	# Fail closed: both "check items did not match" and "no such user" end
	# in a reject instead of falling through to pap.
	if (noop) {
	    # User's check items are not matched
	    reject
	}

	if (notfound) {
	    # User not found in database
	    reject
	}

	#
	#  If no other module has claimed responsibility for
	#  authentication, then try to use PAP.  This allows the
	#  other modules listed above to add a "known good" password
	#  to the request, and to do nothing else.  The PAP module
	#  will then see that password, and use it to do PAP
	#  authentication.
	#
	#  This module should be listed last, so that the other modules
	#  get a chance to set Auth-Type for themselves.
	#
	pap

	# Handling for Status-Server packets: runs both EAP instances and then
	# forces "ok".
	Autz-Type Status-Server {
		# EAP module adds server certificate expiration date to response
		eap
		eap-tls

		# Respond with Access-Accept
		ok
	}
}

# authenticate: runs the module that matches the Auth-Type chosen during
# authorize.
authenticate {
	Auth-Type PAP {
		pap
	}

	Auth-Type CHAP {
		chap
	}

	Auth-Type MS-CHAP {
		mschap
	}

    Auth-Type eap-tls {
        eap-tls

        # Certificate pinning: reject when the serial presented by the client
        # differs from the serial held for the user in the control list.
        # The comparison only runs when BOTH attributes exist, so it fails
        # open: a user with a pinned serial whose request carries no
        # TLS-Client-Cert-Serial is not rejected here.
        # NOTE(review): confirm (a) that this server version places
        # TLS-Client-Cert-Serial in the request list rather than in
        # session-state, and (b) that control:TLS-Client-Cert-Serial is
        # populated on the round where the handshake completes -- authorize
        # returns on "ok" before sql runs.  If a pinned serial must always be
        # enforced, test only the control attribute in the outer condition
        # and reject when the request attribute is missing.
        if (&request:TLS-Client-Cert-Serial && &control:TLS-Client-Cert-Serial) {
            if (&request:TLS-Client-Cert-Serial != &control:TLS-Client-Cert-Serial) {
                reject
            }
        }
    }

    # Bare module names: each one serves the Auth-Type of the same name.
    # No certificate-serial comparison is applied on these two paths.
    eap-ubi
    eap
}

# preacct: prepares accounting requests before the accounting section runs.
preacct {
	preprocess

	acct_counters64

	acct_unique

	acct_ciscoavpair

	# Parse common cisco-avp ('domain' for example)
	common_ciscoavpair

    rewrite_called_station_id

    # These two policies run only when pcrf is disabled; ${pcrf_enabled} is
    # expanded when the configuration is parsed.
    if (${pcrf_enabled} == 0) {
        fill_ap_domain
        fill_ssid_security
    }

	files
}

# accounting: records accounting data and filters the response.
accounting {
    if (${pcrf_enabled} == 1) {

        # All accounting is handled by pcrf. So we do nothing.
        noop

    } else {
        # Without pcrf, quota is updated locally when a session stops.
        if (Acct-Status-Type == "Stop") {
            update_quota
        }
    }

	# NOTE(review): sql sits outside the if/else above, so it runs in both
	# modes, including the pcrf branch that is commented as doing nothing.
	# Confirm that writing accounting records to sql with pcrf enabled is
	# intended.
	sql

	attr_filter.accounting_response

	#
	#  See "Autz-Type Status-Server" for how this works.
	#
#	Acct-Type Status-Server {
#
#	}
}

#  Session database, used for checking Simultaneous-Use.
#  The sql session check is active only when pcrf is disabled; the authorize
#  section comments that pcrf performs the Sim-Use check in the other mode.
session {
    if (${pcrf_enabled} == 0) {
        sql
    }
}

# post-auth: runs after authentication.  The body handles accepted requests;
# the Post-Auth-Type REJECT subsection handles rejected ones.
post-auth {

    if (${pcrf_enabled} == 1) {
        pcrf
    }

	# NOTE(review): sql is commented out here and in the REJECT subsection,
	# so with pcrf disabled nothing in this section records the outcome of
	# an authentication attempt.  Confirm that accepts and rejects are
	# logged somewhere else, since those records are what failed-login
	# detection and incident investigation rely on.
#	sql

	#
	#  For EAP-TTLS and PEAP, add the cached attributes to the reply.
	#  The "session-state" attributes are automatically cached when
	#  an Access-Challenge is sent, and automatically retrieved
	#  when an Access-Request is received.
	#
	#  The session-state attributes are automatically deleted after
	#  an Access-Reject or Access-Accept is sent.
	#
	update {
		&reply: += &session-state:
	}

	# NOTE(review): "%{Simultaneous-Use}" has no list qualifier, so it is
	# presumably expanded from the request list; confirm the value is
	# available there, otherwise the reply attribute is set from an empty
	# expansion.
	update reply {
        Eltex-Simultaneous-Use := "%{Simultaneous-Use}"
    }

	#  Remove reply message if the response contains an EAP-Message
	remove_reply_message_if_eap

	#  Processing for rejected requests.
	Post-Auth-Type REJECT {
	    if (${pcrf_enabled} == 1) {
            pcrf
        }

#		sql
		# Filter the attributes that go out in the Access-Reject.
		attr_filter.access_reject

		# Insert EAP-Failure message if the request was
		# rejected by policy instead of because of an
		# authentication failure
		eap

		#  Remove reply message if the response contains an EAP-Message
		remove_reply_message_if_eap
	}
}

# pre-proxy: intentionally empty; no processing is configured before a
# request is proxied.
pre-proxy {

}

# post-proxy: no active entries; the only content is a disabled
# Fail-Accounting handler.
post-proxy {
#	Post-Proxy-Type Fail-Accounting {
#			detail
#	}
}

# IPv4 authentication listener.
# "ipaddr = *" binds every IPv4 interface, so which hosts may talk to this
# socket depends on the client definitions and host firewalling configured
# outside this file.
# NOTE(review): per the stock FreeRADIUS comments, the "limit" section is
# honoured only for sockets with "proto = tcp".  No proto is set here, so
# these limits presumably have no effect on this listener; confirm.
listen {
    type = auth
    ipaddr = *
    port = ${auth_port}
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}

# IPv6 authentication listener.
# "ipv6addr = ::" binds every IPv6 interface; reachability depends on the
# client definitions and host firewalling configured outside this file.
# NOTE(review): per the stock FreeRADIUS comments, the "limit" section is
# honoured only for sockets with "proto = tcp".  No proto is set here, so
# these limits presumably have no effect on this listener; confirm.
listen {
    type = auth
    ipv6addr = ::
    port = ${auth_port}
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}

# Uncomment these sections when pcrf_enabled=0
# listen {
#     ipaddr = *
#     port = ${acct_port}
#     type = acct
# }
#
# listen {
#     ipv6addr = ::
#     port = ${acct_port}
#     type = acct
# }

}
