Using rest in post-auth

Pshem Kowalczyk pshem.k at
Mon Jun 13 05:39:38 CEST 2016


On Mon, 13 Jun 2016 at 15:09 Arran Cudbard-Bell <a.cudbardb at>

> {cut}

> > We run a 'frontend' server that proxies requests to a number of backends,
> > those backends reply with a number of attributes that define the service.
> > We check the attributes to make sure they form a logical setup. One of
> > those checks is quite convoluted and we've resorted to turning it into a
> > REST call. Since the rlm_rest doesn't support post-proxy we make that
> call
> > in post-auth.
> You can do
> post-proxy {
> }
> if you like...
Ok, this could help, but in our case is more cosmetic than anything (we
have some other stuff in post-auth anyway).


> > Now, with the rlm_rest module as far a we can tell there is no way to
> > reject a session and update the Reply-Message in one go. Even if we
> return
> > 'Auth-Type := Reject' the session still get's admitted, if the code is
> 401
> > - then the session is rejected, but the body is not parsed (as per the
> > docs).
> > For now we've settled on an internal attribute that signals that the
> > session should be rejected, and we return it from REST (together with the
> > Reply-Message), and later look for it to change Auth-Type to Reject.
> >
> > I was wondering if there is any simpler way of doing it.
> Assuming you're not using the authentication behaviour elsewhere
> post-auth {
>         rest.authenticate
> }
> Then you can return 401 and get the body decoded.
> ok, we use unlang to verify a number of conditions and only use REST if
the result returned by unlang is not conclusive enough to determine the
outcome (for example the data for the particular user is not cached locally
yet or the cache expired) . I don't have access to a test system right now,
but will 'rest.authenticate' allow us to reject from unlang as well (in

kind regards

More information about the Freeradius-Users mailing list