Using rest in post-auth
a.cudbardb at freeradius.org
Mon Jun 13 05:08:01 CEST 2016
> On 12 Jun 2016, at 22:44, Pshem Kowalczyk <pshem.k at gmail.com> wrote:
> This is more a philosophical question than a practical one, as our current
> setup works for us.
> We run a 'frontend' server that proxies requests to a number of backends,
> those backends reply with a number of attributes that define the service.
> We check the attributes to make sure they form a logical setup. One of
> those checks is quite convoluted and we've resorted to turning it into a
> REST call. Since the rlm_rest doesn't support post-proxy we make that call
> in post-auth.
You can do
if you like...
> We only reject a session in unusual circumstances (generally we modify the
> attributes and admit the session, or drop it into a "walled-garden" setup),
> so every time we send a reject - we update Reply-Message that we log using
> linelog in "Post-Auth-Type Reject". That makes it easy to troubleshoot.
> Now, with the rlm_rest module as far as we can tell there is no way to
> reject a session and update the Reply-Message in one go. Even if we return
> 'Auth-Type := Reject' the session still gets admitted, if the code is 401
> - then the session is rejected, but the body is not parsed (as per the
> For now we've settled on an internal attribute that signals that the
> session should be rejected, and we return it from REST (together with the
> Reply-Message), and later look for it to change Auth-Type to Reject.
> I was wondering if there is any simpler way of doing it.
Assuming you're not using the authentication behaviour elsewhere
Then you can return 401 and get the body decoded.
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
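
The workaround described in the question (an internal flag returned by the REST service together with Reply-Message, checked afterwards to reject the session), sketched as an added example; it is not configuration from either poster or from the FreeRADIUS project. It assumes FreeRADIUS v3 unlang, module instances named `rest` and `linelog`, the dictionary attribute Tmp-Integer-0 as the internal flag, and that a `reject` return code in post-auth causes "Post-Auth-Type REJECT" to run.

```unlang
# Added example, not the posters' configuration. Assumes FreeRADIUS v3 syntax.
#
# Constructed REST response (HTTP 200, so rlm_rest parses the body):
#   {
#     "reply:Reply-Message":   "Backend attributes are inconsistent",
#     "control:Tmp-Integer-0": 1
#   }
# Tmp-Integer-0 is an assumed stand-in for the "internal attribute"
# mentioned in the question.

post-auth {
    # Run the REST check; a 2xx body is decoded into the lists it names.
    rest

    # Flag set by the REST service: turn the pending accept into a reject.
    if (&control:Tmp-Integer-0 == 1) {
        reject
    }

    Post-Auth-Type REJECT {
        # Reply-Message from the REST body is expected to still be in the
        # reply list here, so linelog can record why the session was refused.
        linelog
    }
}
```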