server inner-tunnel { listen { ipaddr = 127.0.0.1 port = 18120 type = auth } authorize { filter_username chap suffix update control { &Proxy-To-Realm := LOCAL } eap { ok = return } ldap if (ok || updated) { update { control:Auth-Type := ldap } } expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type LDAP { ldap } eap } session { radutmp } post-auth { -sql update reply { User-Name !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY } update { &outer.session-state: += &reply: } Post-Auth-Type REJECT { -sql attr_filter.access_reject update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } } if (LDAP-Group != "${wifi_access_role}") { reject } } pre-proxy { } post-proxy { eap } }