On 12 Jun 2016, at 22:44, Pshem Kowalczyk <pshem.k@gmail.com> wrote:
Hi,
This is more a philosophical question then a practical one, as our current setup works for us.
We run a 'frontend' server that proxies requests to a number of backends, those backends reply with a number of attributes that define the service. We check the attributes to make sure they form a logical setup. One of those checks is quite convoluted and we've resorted to turning it into a REST call. Since the rlm_rest doesn't support post-proxy we make that call in post-auth.
You can do post-proxy { rest.post-auth } if you like...
We only reject a session in unusual circumstances (generally we modify the attributes and admit the session, or drop it into a "walled-garden" setup), so every time we send a reject - we update Reply-Message that we log using linelog in "Post-Auth-Type Reject". That makes it easy to troubleshoot.
Now, with the rlm_rest module as far a we can tell there is no way to reject a session and update the Reply-Message in one go. Even if we return 'Auth-Type := Reject' the session still get's admitted, if the code is 401 - then the session is rejected, but the body is not parsed (as per the docs). For now we've settled on an internal attribute that signals that the session should be rejected, and we return it from REST (together with the Reply-Message), and later look for it to change Auth-Type to Reject.
I was wondering if there is any simpler way of doing it.
Assuming you're not using the authentication behaviour elsewhere post-auth { rest.authenticate } Then you can return 401 and get the body decoded. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2