Hi all, FreeRADIUS v3.2.6 I'm trying to setup the rest module to authenticate with data to an API but using a fixed API token every time to authenticate the API request itself. I've configured the authenticate section of the rest config to have a username = xxx and password = yyy as per the example/docs. modules { rest { tls { check_cert = no check_cert_cn = no } connect_uri = https://xxx connect_timeout = 4.0 authenticate { uri = "${..connect_uri}/api/v1/auth" method = "post" body = "json" auth = "basic" username = "api-user123" password = "api-password123" data = '{"username": "%{User-Name}", "password": "%{User-Password}"}' tls = ${..tls} } } } But. the API post basic auth header always has the username and password of the end user being checked (%{User-Name}:%{User-Password}), not my configured static username and password (api-user123:api-password123). I'm not using an authorize section, but as a test I've also configured it as above and this correctly EXPANDs the configured static username and password in the auth header. The freeradius -X log shows them EXPANDed correctly in the authorize call, but not mentioned in the authenticate call. (0) authorize { rlm_rest (rest): Reserved connection (0) (0) rest: Expanding URI components (0) rest: EXPAND https://xxx (0) rest: --> https://xxx (0) rest: EXPAND /api/v1/auth (0) rest: --> /api/v1/auth (0) rest: Sending HTTP POST to https://xxx/api/v1/auth (0) rest: EXPAND api-user123 (0) rest: --> api-user123 (0) rest: EXPAND api-password123 (0) rest: --> api-password123 (0) rest: EXPAND {"username": "%{User-Name}", "password": "%{User-Password}"} (0) rest: --> {"username": "user555", "password": "pass555"} (0) rest: Processing response header (0) rest: Status : 204 (User authenticated successfully) But the authenticate section gives: (0) authenticate { rlm_rest (rest): Reserved connection (1) (0) rest: Expanding URI components (0) rest: EXPAND https://xxx (0) rest: --> https://xxx (0) rest: EXPAND /api/v1/auth (0) rest: --> /api/v1/auth (0) rest: Sending HTTP POST to https://xxx/api/v1/auth (0) rest: EXPAND {"username": "%{User-Name}", "password": "%{User-Password}"} (0) rest: --> {"username": "user555", "password": "pass555"} (0) rest: Processing response header (0) rest: Status : 401 (AUTHENTICATION FAILED) No EXPAND lines for the username or password this time. The example mods-available/rest file contains: # The following config items may be listed in any of the sections: <snip> # username - User to authenticate as, will be expanded. # password - Password to use for authentication, will be expanded. It says you can add them to 'any' of the sections but doesn't seen to work in authenticate. So. Q: Is there a way to configure the rest module authenticate section to use configured static credentials? And. One other idea I had was not to use the builtin auth and just add my own additional header containing the basic auth base64 static credentials. But no matter what I try in the authenticate (or authorize for that) section I can't get any additional headers to appear at all. I'm using: control:REST-HTTP-Header := "Authorization: Basic abc123<snip>==" control:REST-HTTP-Header := "X-KP-TEST: testing123" And even if I put an invalid value format for the header I don't get any config error or warning. Have I done something wrong here? Thanks all! Kev/.