Thanks for the feedback, Alan. I have more questions to ask regarding the REST authentication. How does the freeRadius know that when to let the user to gain access to the resources after invoke REST authentication? Does it rely on the REST response http status? Eg. if the 3rd party application returns a http status 200 means that the user is authenticated and able to use the resource. However if the REST response returns a http status 401 means that he/she is unauthorized. Does the freeRadius interpret it this way? In order to use REST authentication only while the others like post-auth, authorize, and accounting using the sql, I only need to configure the REST for authentication. So my configuration would look like this? I just comment off post-auth, authorize, and accounting. Correct me if I am wrong. rest { tls { ... } authentication { } #authorize { #} #post-auth { #} #accounting { #} pool { ... } } So after authenticate is successful, freeRadius will do insertion of record to radpostauth and radacct table by itself? Our current usage of freeRadius is with mySQL. So we will insert record to radcheck and radreply table while the rest of the table will be handled by freeRadius. Now if we are using the REST for authentication, do we still need to insert record to radcheck and radreply? Do we still rely on the 'Auth-Type' in the radcheck table? Daniel. On Tue, Dec 18, 2018 at 7:57 PM Alan DeKok <aland@deployingradius.com> wrote:
On Dec 17, 2018, at 11:15 PM, Daniel Kong <daniel.kongyh@gmail.com> wrote:
I know you guys are very busy helping the rest but I hope you can help me with this. I would like freeradius to authenticate with 3rd party application via REST API. I do have the configuration like below.
connect_uri = "http://10.18.6.22:8081/apps/" authenticate { uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}" method = "get" }
OK...
Problem is that I do not know what to be included in the request and response for every authenticate, authorize, post-auth, and accounting. For the response, I just include the HTTP status is sufficient for authentication? How about the response for authorize, post-auth, and accounting?
You don't need to include anything in the response. The documentation describes how the module works and what it does.
FreeRADIUS treats the REST API as just another database. There's no "requirement" to put anything into SQL, so there's no requirement to put anything in REST.
If the freeRadius is configured to use RESTful API, does other post-auth, authorize, and accounting can be use with mysql so that only authentication is using rest?
Yes. You just list "rest" in the authenticate section, and "sql" elsewhere.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html