Hi all, we are using the rlm_rest module to make authentication decisions. we would like to pass the rejection reason our REST API came up with back to FreeRadius for logging with rlm_sqllog. We managed to pass attributes back when returning a JSON payload with http/200 (accept), but it doesn't work for http/401 (reject). Is there a way during a reject to signal some log message from the REST API back to freeradius (like it works during accept)? I've noticed that the documentation says the following: # Authorize/Authenticate # # Code Meaning Process body Module code # 401 unauthorized yes reject # 2xx successful yes ok/updated but also: # If the body is processed and found to contain attribute updated will be returned, # except in the case of a 401 code. As far as I understand, "Process body = yes" should mean that attributes are updated, except for the case of 401, where this doesn't happen. Here's a rough sketch of our setup and what we tried: We have configured a REST request in the authorize and post-auth sections. When a client is allowed into the network, a http/200 message with this payload (and corresponding content-type header) is returned from our REST API: { "Extreme-Netlogin-Extended-Vlan":"UvlanWhatever", "control:mycompany-vlan":"vlanWhatever" } FreeRADIUS correctly parses this and adds the VLAN tag in the response headed to the NAS, and the "control:" are available for use, like in the snippet below. server default { post-auth { if (&control:mycompany-vlan == "vlanSpecialCase") { update control { Auth-Type := Accept mycompany-reject-reason := "none" } } else { eap } } } we save some extra detail in `mycompany-reject-reason`. This is then stored in our logs. That works beautifully. However, when a client is rejected, we would like to also update `mycompany-reject-reason` but with the rejection message coming from the REST call, which returns a http/401 like this: { "control:mycompany-reason": "why the client was rejected" } we have tried to then update the `mycompany-reason` unlang attribute: server default { post-auth { Post-Auth-Type REJECT { update control { mycompany-reject-reason := &control:mycompany-reason } } } However, this does not work: no attributes are updated, and this gets pritned to the logs: Tue Mar 24 15:07:29 2026 : ERROR: (822634) rest: ERROR: Server returned: Tue Mar 24 15:07:29 2026 : ERROR: (822634) rest: ERROR: {"control:mycompany-reason":"the failure message"} Tue Mar 24 15:07:29 2026 : Auth: (822634) Rejected in post-auth: [user@example.com/<via Auth-Type = eap>] (from client nas01.example.com port 0 cli aabbccddeeff)