Using rest in post-auth

Pshem Kowalczyk pshem.k at
Mon Jun 13 04:44:59 CEST 2016


This is more a philosophical question then a practical one, as our current
setup works for us.

We run a 'frontend' server that proxies requests to a number of backends,
those backends reply with a number of attributes that define the service.
We check the attributes to make sure they form a logical setup. One of
those checks is quite convoluted and we've resorted to turning it into a
REST call. Since the rlm_rest doesn't support post-proxy we make that call
in post-auth.

We only reject a session in unusual circumstances (generally we modify the
attributes and admit the session, or drop it into a "walled-garden" setup),
so every time we send a reject - we update Reply-Message that we log using
linelog in "Post-Auth-Type Reject". That makes it easy to troubleshoot.

Now, with the rlm_rest module as far a we can tell there is no way to
reject a session and update the Reply-Message in one go. Even if we return
'Auth-Type := Reject' the session still get's admitted, if the code is 401
- then the session is rejected, but the body is not parsed (as per the
For now we've settled on an internal attribute that signals that the
session should be rejected, and we return it from REST (together with the
Reply-Message), and later look for it to change Auth-Type to Reject.

I was wondering if there is any simpler way of doing it.

kind regards

More information about the Freeradius-Users mailing list