<div dir="ltr"><div>Thank you for pointing out the rest module. At this moment we are on the 2.2.x version, but we will consider moving to version 3.0.0.</div><div><br></div><div>Regards,</div><div>Shurbann Martes</div><div>
<br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jan 3, 2014 at 3:13 PM, Arran Cudbard-Bell <span dir="ltr"><<a href="mailto:a.cudbardb@freeradius.org" target="_blank">a.cudbardb@freeradius.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><br>
On 3 Jan 2014, at 18:32, Shurbann Martes <<a href="mailto:shurbann@gmail.com">shurbann@gmail.com</a>> wrote:<br>
<br>
> You're right, when you're so deep into a problem you assume that the issue at hand is clear to everyone without sounding too cryptic. Let me try to explain the problem at hand a little bit more. I'm trying not to bother you much with the details, but still be as clear as possible.<br>
><br>
> What we're trying to accomplish here is to map (this was the typo ammped in the earlier message) every RADIUS call to an HTTP call on another system. We did not find any correct solution for this other than using the Perl module.<br>
<br>
</div>Um...<br>
<div class="im"><br>
> That's the reason we started using the Perl module. So for example an Access-Request will call a URL using HTTP GET on the other system, with HTTP parameters containing the necessary info, i.e. user, Called-Station-Id etc. Based on the response i.e. HTTP status response 403, 401 or 202 received from this system, we will send an Access-Accept or Access-Reject back to the NAS. This is working OK, right now using the Auth-Type = Perl.<br>
<br>
</div>The REST module does exactly this (rlm_rest). It's included in 3.0.0. It will be *SIGNIFICANTLY* faster than  Perl, and is written in such a way to allow libcurl to do connection caching so you don't have the TCP connection setup/teardown after every request.<br>
<div class="im"><br>
> However with the introduction of the EAP-SIM module as part of the protocol we're going to use, I was wondering if I can have FreeRADIUS configured better, by trying not to use the Auth-Type. So I'm trying to find out what the correct way of doing this is.<br>
<br>
</div>IIRC (but you'll need to test), that if you call rlm_eap in post-auth reject {} it'll generate the correct eap failure message. Which means if the user is rejected by the HTTP server, FreeRADIUS will send an EAP-Failure with the Access-Reject.<br>
<br>
Call rest/perl in authorize.<br>
<br>
Call eap in authorize (it will set Auth-Type eap)<br>
<br>
Leave auth-type eap in authenticate.<br>
<br>
Call eap in post-auth reject {}.<br>
<br>
Simple.<br>
<div class="HOEnZb"><div class="h5"><br>
Arran Cudbard-Bell <<a href="mailto:a.cudbardb@freeradius.org">a.cudbardb@freeradius.org</a>><br>
FreeRADIUS Development Team<br>
<br>
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2<br>
<br>
</div></div><br></blockquote></div><br></div>
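<div>The section layout described in the quoted reply, written out as a FreeRADIUS virtual-server fragment. This is an added example, not configuration posted by either participant; it assumes a 3.0.x-style server with the rest and eap modules enabled and the rest module's authorize section already pointed at the HTTP back end.</div>

```unlang
# Constructed sketch of a virtual server (e.g. raddb/sites-available/default).
# Assumption: rest and eap are enabled under mods-enabled/ and rest's
# authorize section is configured for the HTTP back end.
server default {
	authorize {
		# Map the RADIUS request to an HTTP call.
		# On 2.2.x, where rlm_rest is not available, call "perl" here instead.
		rest

		# Recognises EAP-Message and sets Auth-Type to eap,
		# so no manual Auth-Type assignment is needed.
		eap
	}

	authenticate {
		# Left as in the stock configuration: rlm_eap runs the EAP
		# conversation (EAP-SIM included) for Auth-Type eap.
		Auth-Type eap {
			eap
		}
	}

	post-auth {
		Post-Auth-Type REJECT {
			# Lets rlm_eap attach an EAP-Failure to the Access-Reject when
			# the HTTP server rejected the user. The reply above flags
			# this behaviour as something to test.
			eap
		}
	}
}
```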