Using rest in post-auth

Arran Cudbard-Bell a.cudbardb at
Mon Jun 13 05:08:01 CEST 2016

> On 12 Jun 2016, at 22:44, Pshem Kowalczyk <pshem.k at> wrote:
> Hi,
> This is more a philosophical question then a practical one, as our current
> setup works for us.
> We run a 'frontend' server that proxies requests to a number of backends,
> those backends reply with a number of attributes that define the service.
> We check the attributes to make sure they form a logical setup. One of
> those checks is quite convoluted and we've resorted to turning it into a
> REST call. Since the rlm_rest doesn't support post-proxy we make that call
> in post-auth.

You can do

post-proxy {

if you like...

> We only reject a session in unusual circumstances (generally we modify the
> attributes and admit the session, or drop it into a "walled-garden" setup),
> so every time we send a reject - we update Reply-Message that we log using
> linelog in "Post-Auth-Type Reject". That makes it easy to troubleshoot.
> Now, with the rlm_rest module as far a we can tell there is no way to
> reject a session and update the Reply-Message in one go. Even if we return
> 'Auth-Type := Reject' the session still get's admitted, if the code is 401
> - then the session is rejected, but the body is not parsed (as per the
> docs).
> For now we've settled on an internal attribute that signals that the
> session should be rejected, and we return it from REST (together with the
> Reply-Message), and later look for it to change Auth-Type to Reject.
> I was wondering if there is any simpler way of doing it.

Assuming you're not using the authentication behaviour elsewhere

post-auth {

Then you can return 401 and get the body decoded.


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Freeradius-Users mailing list