server labitat-inner {

	authorize {
		filter_username
		filter_inner_identity
		suffix

		update control {
			&Proxy-To-Realm := LOCAL
		}

		eap {
			ok = return
		}

		python
		expiration
		logintime
		pap
	}

	authenticate {
		Auth-Type PAP {
			pap
		}

		python
		eap
	}

	post-auth {
		Post-Auth-Type REJECT {
			attr_filter.access_reject

			update outer.session-state {
				&Module-Failure-Message := &request:Module-Failure-Message
			}
		}
	}

	pre-proxy {
	}

	post-proxy {
		eap
	}
}