Configuring rlm_rest module in FreeRadius

freeradius

using FreeRADIUS I need to authenticate RADIUS users against a web backend and have been attempting to use the rlm_rest module to do it. See here.

In my site configuration I have something like this:

authorize {
    rest
}

and in the authentication section I've tried things like these:

authenticate {
    Auth-Type REST {
        rest
    }
}

authenticate {
    rest
}

In either case I get the following error: (2) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

On my web server, I am returning the 204 code as it seems like that should authenticate the user without additional processes. See here. The authorization seems to work fine, but that error is returned once the authentication section is reached.

What I need to know is the combination of "users" file entry and sites-available entries that I need to allow the rlm_rest module to complete the authentication portion of the request. Thanks,

Best Answer

Rest doesn't set the Auth-Type, you have to do it manually.

authorize {
    rest
    if (ok) {
        update control {
            Auth-Type := rest
        }
    }
}

authenticate {
    rest
}

Auth-Types are automatically created for modules listed in authenticate (you don't actually need the Auth-Type stanza).

You don't need to call rest in authorize if you don't need to, something like this would also work fine:

authorize {
    if (User-Password) {
        update control {
            Auth-Type := rest
        }
    }
}

Edit:

Note: Prior to version 3.0.4 the REST module used control:Cleartext-Password to get the user's password, so in order for the module to work you'd need to copy the value over from request:User-Password:

authorize {
    if (User-Password) {
        update control {
            Cleartext-Password := &User-Password
            Auth-Type := rest
        }
    }
}

Versions 3.0.4 and later look for request:User-Password instead, which should just work in most cases.

Related Solutions

Centos – Freeradius authentication failed for unknown reason

I've always seen the Cleartext-Password attribute set, not Password, and using the := operator, not ==. Also, I believe that setting Auth-Type is almost always wrong, so I suggest that you remove that. Try the following in the database table:

username="test", attribute="Cleartext-Password", op=":=", value="test123"

Freeradius server adding additional check

...if my script returns Accept any other authorization request under is ignored

Yes. That is by design. You're telling FreeRADIUS to Accept that user. It won't bother with anything else in your authorize section. I believe you are correct in that you want your script to return a noop instead of an Accept if you want other authorization methods to be used in conjunction with it.

You should review the unlang manpage if you haven't already as well as the rlm_python manpage. Also read all comments in the configuration files.

You've haven't specified what you're trying to make FreeRADIUS do at a conceptual level so I'm not really sure how to advise you further. I however have had excellent results with the FreeRADIUS-Users mailing list. It is frequented by the developers and many people that have a deep understanding of FreeRADIUS and it's capability. I would read their FAQ prior to posting (users that don't are often banned), describe what you want to do both at a broad, conceptual level and at the implementation level (like you've done here) and make sure you submit the entirety of your debugging output.

The reason I suggest you go to the mailing list is I suspect there is a better way to accompish your goals but I'm not familiar enough with rlm_python to suggest a way forward. Regardless, it doesn't seem right to use the unlang rules to call a python script...

Best Answer

Related Solutions

Centos – Freeradius authentication failed for unknown reason

Freeradius server adding additional check

Related Topic