Daniel Kong daniel.kongyh at
Wed Dec 19 05:01:30 CET 2018

Thanks for the feedback, Alan. I have more questions to ask regarding the
REST authentication. How does FreeRADIUS know when to let the user gain
access to the resources after invoking REST authentication? Does it rely
on the REST response HTTP status? E.g. if the 3rd party application
returns an HTTP status 200, it means that the user is authenticated and
able to use the resource. However, if the REST response returns an HTTP
status 401, it means that he/she is unauthorized. Does FreeRADIUS interpret it this

In order to use REST for authentication only, while the others like
post-auth, authorize, and accounting use SQL, I only need to configure
REST for authentication. So my configuration would look like this? I just
comment out post-auth, authorize, and accounting. Correct me if I am wrong.

rest {
    tls {

    authentication {

    #authorize {

    #post-auth {

    #accounting {

    pool {

So after authentication is successful, will FreeRADIUS insert records into
the radpostauth and radacct tables by itself?

Our current usage of FreeRADIUS is with MySQL. So we will insert records
into the radcheck and radreply tables while the rest of the tables will be
handled by FreeRADIUS. Now if we are using REST for authentication, do we
still need to insert records into radcheck and radreply? Do we still rely
on the 'Auth-Type' in the radcheck table?


On Tue, Dec 18, 2018 at 7:57 PM Alan DeKok <aland at>

> > On Dec 17, 2018, at 11:15 PM, Daniel Kong <daniel.kongyh at> wrote:
> >
> > I know you guys are very busy helping the rest but I hope you can help me
> > with this. I would like freeradius to authenticate with 3rd party
> > application via REST API. I do have the configuration like below.
> >
> > connect_uri = ""
> > authenticate {
> > uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
> > method = "get"
> > }
>
>   OK...
>
> > Problem is that I do not know what to be included in the request and
> > response for every authenticate, authorize, post-auth, and accounting.
> > For the response, I just include the HTTP status is sufficient for
> > authentication? How about the response for authorize, post-auth, and
> > accounting?
>
>   You don't need to include anything in the response.  The documentation
> describes how the module works and what it does.
>
>   FreeRADIUS treats the REST API as just another database.  There's no
> "requirement" to put anything into SQL, so there's no requirement to put
> anything in REST.
>
> > If the freeRadius is configured to use RESTful API, does other post-auth,
> > authorize, and accounting can be use with mysql so that only
> > authentication is using rest?
>
>   Yes.  You just list "rest" in the authenticate section, and "sql"
> elsewhere.
>
>   Alan DeKok.
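
The split described in the quoted reply ("rest" in the authenticate section, "sql" elsewhere), sketched as a FreeRADIUS 3.x virtual-server fragment. This is an added example, not configuration posted in the thread or shipped by the FreeRADIUS project; the forced Auth-Type in authorize and the omission of the other stock modules are assumptions.

```conf
# Added example: virtual server fragment (for instance sites-enabled/default).
# Only the module lists relevant to the thread are shown; the other
# stock modules (preprocess, files, pap, ...) are omitted for brevity.

authorize {
	# radcheck / radreply lookups stay in SQL.
	sql

	# Assumption: every request that carries a User-Password is verified
	# through rlm_rest, overriding any Auth-Type taken from radcheck.
	if (&User-Password) {
		update control {
			Auth-Type := rest
		}
	}
}

authenticate {
	# Runs the "authenticate { ... }" subsection of the rest module
	# configuration. The module's return code, which rlm_rest derives
	# from the HTTP status of the response, decides accept or reject.
	Auth-Type rest {
		rest
	}
}

accounting {
	# radacct rows are written by the sql module.
	sql
}

post-auth {
	# radpostauth rows are written by the sql module, also for rejects.
	sql

	Post-Auth-Type REJECT {
		sql
	}
}
```

With this layout the authorize, post-auth and accounting subsections of the rest module configuration are never called, so leaving them commented out there has no effect on the SQL logging.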
