# Filename: advanced.conf
# Description: Example config file for peapod - EAPOL Proxy Daemon
#
# Scenario: Proxy only EAPOL-EAP (EAP packets) between eth0 and eth1.
#           The authenticator is priority tagging, but the supplicant isn't.
#           Automatically restart the system's DHCP client when the EAPOL
#               authentication succeeds.
#           Log failed authentication attempts.
#
# Demonstrates more advanced usage. Impersonate a supplicant, also inserting
# priority tags into its EAPOL packets. Run scripts to "borrow" supplicant's
# DHCP assignment and log any failed authentication attempts.

# Network with an EAPOL authenticator
iface eth0 {
    ingress {
        # Proxy only EAPOL-EAP (EAP packets) from authenticator
        filter start, logoff, key, encapsulated-asf-alert, mka,
               announcement-generic, announcement-specific,
               announcement-req;

        # Runs when EAP-Success received from authenticator
        # restartdhcp.sh restarts the system's DHCP client on eth0
        exec success "/path/to/restartdhcp.sh";

        # Runs when EAP-Failure received
        # exec failure "/path/to/logfailure.sh";
    };
    egress {
        # All packets sent to authenticator will be tagged priority 7
        dot1q {
            priority 7;
        };
    };
};

# Supplicant behind proxy
iface eth1 {
    ingress {
        # Proxy only EAPOL-EAP (EAP packets) from supplicant
        # Equivalent ingress filters defined on both interfaces
        filter start, logoff, key, encapsulated-asf-alert, mka;
        filter announcement-generic, announcement-specific;
        filter announcement-req;
    };
    egress {
        # Runs when EAP-Failure sent to supplicant
        # logfailure.sh is written so as to ensure that running
        # it here as an egress script on eth1 is equivalent to
        # running it above as an ingress script on eth0
        exec failure "/path/to/logfailure.sh";
    };
};