# This is a simple server for the MS SoH requests generated by the
# peap module - see "eap.conf" for more info

# Requests are ONLY passed through the authorize section, and cannot
# current be proxied (in any event, the radius attributes used are
# internal).

server soh-server {
	authorize {
		if (SoH-Supported == no) {
			# client NAKed our request for SoH - not supported, or turned off
			update config {
				Auth-Type = Accept
			}
		}
		else {
			# client replied; check something - this is a local policy issue!
			if (SoH-MS-Windows-Health-Status =~ /antivirus (warn|error) /) {
				update config {
					Auth-Type = Reject
				}
				update reply {
					Reply-Message = "You must have antivirus enabled & installed!"
				}
			}
			else {
				update config {
					Auth-Type = Accept
				}
			}
		}
	}
}