diff conf/radpxy.eap.testbed.aaa/freeradius/policy.conf @ 11:44f87917c579

Added a RADIUS proxy using freeradius in the eap testbed
author Sebastien Decugis <sdecugis@nict.go.jp>
date Thu, 16 Sep 2010 14:23:42 +0900
parents
children
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/policy.conf	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,54 @@
+# -*- text -*-
+##
+## policy.conf	-- FreeRADIUS server configuration file.
+##
+##	http://www.freeradius.org/
+##	$Id: policy.conf,v 1.2 2008/01/15 16:29:55 aland Exp $
+##
+
+#
+#  Policies are virtual modules, similar to those defined in the
+#  "instantate" section of radiusd.conf.
+#
+#  Defining a policy here means that it can be referenced in multiple
+#  places as a *name*, rather than as a series of conditions to match,
+#  and actions to take.
+#
+#  Policies are something like subroutines in a normal language, but
+#  they cannot be called recursively.  They MUST be defined in order.
+#  If policy A calls policy B, then B MUST be defined before A.
+#
+policy {
+	#
+	#	Forbid all EAP types.
+	#
+##	forbid_eap {
+##		if (EAP-Message) {
+##			reject
+##		}
+##	}
+
+	#
+	#	Forbid all non-EAP types outside of an EAP tunnel.
+	#
+##	permit_only_eap {
+##		if (!EAP-Message) {
+			#  We MAY be inside of a TTLS tunnel.
+			#  PEAP and EAP-FAST require EAP inside of
+			#  the tunnel, so this check is OK.
+			#  If so, then there MUST be an outer EAP message.
+##			if (!"%{outer.request:EAP-Message}") {
+##				reject
+##			}
+##		}
+##	}
+
+	#
+	#	Forbid all attempts to login via realms.
+	#
+##	deny_realms {
+##		if (User-Name =~ /@|\\/) {
+##			reject
+##		}
+##	}
+}
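Review bot: Every policy in the added `policy { }` block (`forbid_eap`, `permit_only_eap`, `deny_realms`) is commented out with `##`, so the block is effectively empty, and nothing in the file says this is deliberate. Leaving `deny_realms` off is expected for a proxy, since realm-qualified User-Names are what it routes on. With `permit_only_eap` off, though, this file places no restriction on non-EAP requests, and whether another part of the configuration filters them is not visible in this hunk. I would add a comment directly under `policy {`, for example `#  Testbed: all stock policies are disabled on purpose; this proxy applies no policy-level filtering.`, and say there whether `permit_only_eap` should be enabled before the proxy is reachable from outside the lab. The same comment could record that `##` marks disabled code while single `#` lines (such as the TTLS tunnel explanation) are ordinary comments.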