{{ ansible_managed | comment }}

server default {

    listen {
        type = auth
        ipaddr = *
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }

    listen {
        type = auth
        ipv6addr = *
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }

    authorize {
        filter_username # TODO
        preprocess # TODO
        suffix
        eap
    }

    authenticate {
        eap
    }

    preacct {
    }

    accounting {
    }

    post-auth {
        if (session-state:User-Name && reply:User-Name \
                && request:User-Name \
                && (reply:User-Name == request:User-Name)) {
            update reply {
                &User-Name !* ANY
            }
        }
        update {
            &reply: += &session-state:
        }
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap
        }
        remove_reply_message_if_eap
    }

    pre-proxy {
    }

    post-proxy {
        eap
    }

}