RESTful API

Daniel Kong daniel.kongyh at gmail.com
Thu Dec 27 10:48:11 CET 2018


Hi, thanks for the guidance. However, I encounter a problem in the rest
basic http authentication even though I have provided in the configuration
file.

connect_uri = "http://10.18.6.22:8081/apps"
authenticate {
   uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
   method = "get"
   force_to = "json"
   require_auth = yes
   auth = "basic"
   username = "test"
   password = "password123"
   tls = ${..tls}
}

I have added the following lines to the default configuration file.

authorize {
   if (&User-Password) {
update control {
Auth-Type := 'rest'
}
}
}

authenticate {
   rest
}

And here is my radius output

(3) Received Access-Request Id 53 from 127.0.0.1:42150 to 127.0.0.1:1812
length 47
(3)   User-Name = "user1"
(3)   User-Password = "password1"
(3) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "user1", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: No EAP-Message, not doing EAP
(3)     [eap] = noop
(3)     [files] = noop
(3)     [expiration] = noop
(3)     [logintime] = noop
(3)     if (&User-Password) {
(3)     if (&User-Password)  -> TRUE
(3)     if (&User-Password)  {
(3)       update control {
(3)         Auth-Type := rest
(3)       } # update control = noop
(3)     } # if (&User-Password)  = noop
(3)   } # authorize = ok
(3) Found Auth-Type = rest
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3)   authenticate {
rlm_rest (rest): Closing connection (6): Hit idle_timeout, was idle for 134
seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (1): Hit idle_timeout, was idle for 111
seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (7): Hit idle_timeout, was idle for 111
seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): 0 of 0 connections in use.  You  may need to increase
"spare"
rlm_rest (rest): Opening additional connection (8), 1 of 32 pending slots
used
rlm_rest (rest): Connecting to "http://10.18.6.22:8081/apps"
rlm_rest (rest): Reserved connection (8)
(3) rest: Expanding URI components
(3) rest: EXPAND http://10.18.6.22:8081
(3) rest:    --> http://10.18.6.22:8081
(3) rest: EXPAND /apps/user/%{User-Name}/%{User-Password}
(3) rest:    --> /apps/user/user1/password1
(3) rest: Sending HTTP GET to "
http://10.18.6.22:8081/apps/user/user1/password1"
(3) rest: Processing response header
(3) rest:   Status : 401 (Unauthorized)
(3) rest:   Type   : json (application/json)
(3) rest: Parsing attribute "result"
(3) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "result", skipping...
(3) rest: Parsing attribute "message"
(3) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "message", skipping...
rlm_rest (rest): Released connection (8)
Need 2 more connections to reach min connections (3)
rlm_rest (rest): Opening additional connection (9), 1 of 31 pending slots
used
rlm_rest (rest): Connecting to "http://10.18.6.22:8081/apps"
(3)     [rest] = reject
(3)   } # authenticate = reject
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3)   Post-Auth-Type REJECT {
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject:    --> user1
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3)     [attr_filter.access_reject] = updated
(3)     [eap] = noop
(3)     policy remove_reply_message_if_eap {
(3)       if (&reply:EAP-Message && &reply:Reply-Message) {
(3)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(3)       else {
(3)         [noop] = noop
(3)       } # else = noop
(3)     } # policy remove_reply_message_if_eap = noop
(3)   } # Post-Auth-Type REJECT = updated
(3) Login incorrect: [user1/password1] (from client localhost port 0)
(3) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 53 from 127.0.0.1:1812 to 127.0.0.1:42150 length
20
Waking up in 3.9 seconds.
(3) Cleaning up request packet ID 53 with timestamp +189
Ready to process requests

Please let me know where did I go wrong.

On Wed, Dec 19, 2018 at 9:58 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On Dec 18, 2018, at 11:01 PM, Daniel Kong <daniel.kongyh at gmail.com> wrote:
> >
> > Thanks for the feedback, Alan. I have more questions to ask regarding the
> > REST authentication. How does the freeRadius know that when to let the
> user
> > to gain access to the resources after invoke REST authentication?
>
>   The server doesn't "let the user gain access to resources".  The server
> *authenticates* the user.  By sending an Access-Accept with various
> attributes in it.
>
>   It's important to understand how it works.  If you have misconceptions
> about how the server works, then you won't be asking the right questions,
> and you won't be doing the right things.
>
> > Does it
> > rely on the REST response http status? Eg. if the 3rd party application
> > returns a http status 200 means that the user is authenticated and able
> to
> > use the resource. However if the REST response returns a http status 401
> > means that he/she is unauthorized. Does the freeRadius interpret it this
> > way?
>
>   Go read raddb/mods-available/rest.  This *is* documented.
>
>   The configuration file tells you how the http status return codes map to
> the FreeRADIUS codes that are used to process packets.
>
>   Then... read the FreeRADIUS documentation to see how it works.  I
> suggest starting here:
>
> https://networkradius.com/freeradius-documentation/
>
>   Read the "technical guide" to get a good overview of how the server
> works.
>
> > In order to use REST authentication only while the others like post-auth,
> > authorize, and accounting using the sql, I only need to configure the
> REST
> > for authentication. So my configuration would look like this? I just
> > comment off post-auth, authorize, and accounting. Correct me if I am
> wrong.
>
>  You can read the documentation to see how the rest module works.  Your
> questions are answered there.
>
> > So after authenticate is successful, freeRadius will do insertion of
> record
> > to radpostauth and radacct table by itself?
>
>   No.  This isn't magic.
>
>   The sql module puts data into radpostauth and radacct... if you
> configure the server to use the SQL module in "post-auth" and "accounting".
>
>   The default configuration files go through this in great detail.
>
> > Our current usage of freeRadius is with mySQL. So we will insert record
> to
> > radcheck and radreply table while the rest of the table will be handled
> by
> > freeRadius.
>
>   I have no idea what that means.
>
> > Now if we are using the REST for authentication, do we still
> > need to insert record to radcheck and radreply? Do we still rely on the
> > 'Auth-Type' in the radcheck table?
>
>   The radcheck and radreply tables are used by the SQL module.  If you're
> not using the SQL module, then those tables aren't used.
>
>   Your questions seem to be coming from a mindset that the server is
> magic, and magically "knows" how to do things.  It isn't.  It has a lot
> going on, and a lot of configuration files.  But in the end it's just a
> whole bunch of simple things put together in gradually more complex ways.
>
>   If you want to use radcheck / radreply, configure the SQL module.  And
> be sure that the SQL module is listed in the virtual server.  See
> sites-available/default for many, many, examples.
>
>   Go read the technical guide  I think many of your misconceptions are
> addressed there.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list