Thank you Matthew, regarding your input I have previously tried placing that code inside the authentication section of the default server but got this error: -- Unit freeradius.service has begun starting up. Dec 02 12:03:24 freeradius freeradius[7819]: FreeRADIUS Version 3.0.16 Dec 02 12:03:24 freeradius freeradius[7819]: Copyright (C) 1999-2017 The FreeRADIUS server project and contributors Dec 02 12:03:24 freeradius freeradius[7819]: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A Dec 02 12:03:24 freeradius freeradius[7819]: PARTICULAR PURPOSE Dec 02 12:03:24 freeradius freeradius[7819]: You may redistribute copies of FreeRADIUS under the terms of the Dec 02 12:03:24 freeradius freeradius[7819]: GNU General Public License Dec 02 12:03:24 freeradius freeradius[7819]: For more information about these matters, see the file named COPYRIGHT Dec 02 12:03:24 freeradius freeradius[7819]: Starting - reading configuration files ... Dec 02 12:03:24 freeradius freeradius[7819]: Debugger not attached Dec 02 12:03:24 freeradius freeradius[7819]: Creating attribute Unix-Group Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked Dec 02 12:03:24 freeradius freeradius[7819]: Creating attribute SQL-Group Dec 02 12:03:24 freeradius freeradius[7819]: tls: Using cached TLS configuration from previous invocation Dec 02 12:03:24 freeradius freeradius[7819]: tls: Using cached TLS configuration from previous invocation Dec 02 12:03:24 freeradius freeradius[7819]: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". Dec 02 12:03:24 freeradius freeradius[7819]: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". Dec 02 12:03:24 freeradius freeradius[7819]: rlm_rest: libcurl version: libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3 Dec 02 12:03:24 freeradius freeradius[7819]: rlm_rest (rest): Initialising connection pool Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql_mysql: libmysql version: 5.7.36 Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Attempting to connect to database "radius" Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Initialising connection pool Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Processing generate_sql_clients Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Opening additional connection (0), 1 of 1 pending slots used Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql_mysql: Starting connect to MySQL server Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Reserved connection (0) Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Released connection (0) Dec 02 12:03:24 freeradius freeradius[7819]: rlm_mschap (mschap): using internal authentication Dec 02 12:03:24 freeradius freeradius[7819]: rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked Dec 02 12:03:24 freeradius freeradius[7819]: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output *Dec 02 12:03:24 freeradius freeradius[7819]: /etc/freeradius/3.0/sites-enabled/default[480]: Unknown Auth-Type "control" in authenticate sub-section.* Dec 02 12:03:24 freeradius systemd[1]: freeradius.service: Control process exited, code=exited status=1 Dec 02 12:03:24 freeradius systemd[1]: freeradius.service: Failed with result 'exit-code'. Dec 02 12:03:24 freeradius systemd[1]: Failed to start FreeRADIUS multi-protocol policy server. Now I done it in the authorization section just before "filter_username" and although the server starts there is no difference in the output on the rest server, no headers incoming. Debug: Ready to process requests (0) Received Access-Request Id 59 from 127.0.0.1:33440 to 127.0.0.1:1812 length 79 (0) User-Name = "rba_user1" (0) User-Password = "rba_user1" (0) NAS-IP-Address = 172.16.49.8 (0) NAS-Port = 0 (0) Message-Authenticator = 0x8204eb0ff20ae8b2ea0b4ed973d894c3 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound rlm_rest (rest): Reserved connection (0) (0) rest: Expanding URI components (0) rest: EXPAND https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io (0) rest: --> https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io (0) rest: EXPAND /api/v1/auth/login (0) rest: --> /api/v1/auth/login (0) rest: Sending HTTP POST to " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login " (0) rest: EXPAND {"username": "%{urlquote:%{User-Name}}", "password": "%{urlquote:%{User-Password}}"} (0) rest: --> {"username": "rba_user1", "password": "rba_user1"} (0) rest: Processing response header (0) rest: Status : 200 (OK) (0) rest: Type : json (application/json) (0) rest: Parsing attribute "username" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "username", skipping... (0) rest: Parsing attribute "firstname" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "firstname", skipping... (0) rest: Parsing attribute "lastname" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "lastname", skipping... (0) rest: Parsing attribute "locationId" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "locationId", skipping... (0) rest: Parsing attribute "id" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "id", skipping... (0) rest: Parsing attribute "email" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "email", skipping... (0) rest: Parsing attribute "access_token" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "access_token", skipping... rlm_rest (rest): Released connection (0) Need 5 more connections to reach 10 spares rlm_rest (rest): Opening additional connection (5), 1 of 27 pending slots used rlm_rest (rest): Connecting to " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login " (0) [rest] = ok (0) [preprocess] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 176 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = rest (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { rlm_rest (rest): Reserved connection (1) (0) rest: Expanding URI components (0) rest: EXPAND https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io (0) rest: --> https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io (0) rest: EXPAND /api/v1/auth/login (0) rest: --> /api/v1/auth/login (0) rest: Sending HTTP POST to " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login " (0) rest: EXPAND {"username": "%{urlquote:%{User-Name}}", "password": "%{urlquote:%{User-Password}}"} (0) rest: --> {"username": "rba_user1", "password": "rba_user1"} (0) rest: Processing response header (0) rest: Status : 200 (OK) (0) rest: Type : json (application/json) (0) rest: Parsing attribute "username" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "username", skipping... (0) rest: Parsing attribute "firstname" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "firstname", skipping... (0) rest: Parsing attribute "lastname" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "lastname", skipping... (0) rest: Parsing attribute "locationId" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "locationId", skipping... (0) rest: Parsing attribute "id" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "id", skipping... (0) rest: Parsing attribute "email" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "email", skipping... (0) rest: Parsing attribute "access_token" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "access_token", skipping... rlm_rest (rest): Released connection (1) Need 4 more connections to reach 10 spares rlm_rest (rest): Opening additional connection (6), 1 of 26 pending slots used rlm_rest (rest): Connecting to " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login " (0) [rest] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND %{User-Name} (0) sql: --> rba_user1 (0) sql: SQL-User-Name set to 'rba_user1' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'rba_user1', 'rba_user1', 'Access-Accept', '2021-12-02 12:11:22') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'rba_user1', 'rba_user1', 'Access-Accept', '2021-12-02 12:11:22') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.36-0ubuntu0.18.04.1, protocol version 10 (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 59 from 127.0.0.1:1812 to 127.0.0.1:33440 length 0 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 59 with timestamp +26 [image: image.png] This is my whole authorize section in default server: authorize { filter_username filter_password update control { &REST-HTTP-Header += "secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5" &REST-HTTP-Header += "uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1" &REST-HTTP-Header += "Content-Type: application/json" } rest preprocess eap { ok = return # updated = return } unix files expiration logintime pap } While on a subject of authorization, do I need to have both authorization and authentication configured to fetch user data from API endpoint in the rest module? Because right now I'm sending double POST requests and from my understanding authorize section should only be checking if there is a right authentication method and correct atributes and setting the Auth type. Thank you for your feedback, kind regards On Thu, 2 Dec 2021 at 11:53, Matthew Newton <mcn@freeradius.org> wrote:
On 02/12/2021 10:40, Stjepan Roić wrote:
I'm new to this and I made a typo when you suggested different operator which I didn't notice later and the debug didn't drop an error on that part.
The configuration is very flexible, so you can define your own settings and read them in other parts of the config. That means adding things in the "wrong" places isn't usually a config error.
There are situations where the server will complain on startup (e.g. obsolete options still in use), but it can't complain about everything unusual that it sees.
You'll notice I'm getting Access-accept from the rest server but that's only because I disabled those headers verification on the mock server. I hope this debug can still provide info you need, if not please let me know what to share.
You've got this in your rest config:
update control { &REST-HTTP-Header += .... }
It needs to go in the main virtual server config (e.g. sites-available/default), somewhere _before_ you call the "rest" module. In your situation probably just after the "filter_username" policy call.
Module config defines things for each module. Requests pass through the appropriate virtual server, being altered and changed by modules on the way. If you want to add internal attributes that redefine how a module works they need to be set in the virtual server before that module is called.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html