Alan DeKok aland at
Wed Dec 19 14:36:01 CET 2018

On Dec 18, 2018, at 11:01 PM, Daniel Kong <daniel.kongyh at> wrote:
> Thanks for the feedback, Alan. I have more questions to ask regarding the
> REST authentication. How does FreeRADIUS know when to let the user
> gain access to the resources after invoking REST authentication?

  The server doesn't "let the user gain access to resources".  The server *authenticates* the user, by sending an Access-Accept with various attributes in it.

  It's important to understand how it works.  If you have misconceptions about how the server works, then you won't be asking the right questions, and you won't be doing the right things.

> Does it
> rely on the REST response HTTP status? E.g. if the 3rd party application
> returns an HTTP status 200, it means that the user is authenticated and able to
> use the resource. However, if the REST response returns an HTTP status 401,
> it means that he/she is unauthorized. Does FreeRADIUS interpret it this
> way?

  Go read raddb/mods-available/rest.  This *is* documented.

  The configuration file tells you how the HTTP status return codes map to the FreeRADIUS codes that are used to process packets.

  Then... read the FreeRADIUS documentation to see how it works.  I suggest starting here:

  Read the "technical guide" to get a good overview of how the server works.

> In order to use REST authentication only, while the others like post-auth,
> authorize, and accounting use the sql, I only need to configure the REST
> for authentication. So my configuration would look like this? I just
> comment out post-auth, authorize, and accounting. Correct me if I am wrong.

 You can read the documentation to see how the rest module works.  Your questions are answered there.

> So after authenticate is successful, FreeRADIUS will insert records
> into the radpostauth and radacct tables by itself?

  No.  This isn't magic.

  The sql module puts data into radpostauth and radacct... if you configure the server to use the SQL module in "post-auth" and "accounting".

  The default configuration files go through this in great detail.

> Our current usage of FreeRADIUS is with MySQL. So we will insert record to
> radcheck and radreply table while the rest of the table will be handled by
> FreeRADIUS.

  I have no idea what that means.

> Now if we are using the REST for authentication, do we still
> need to insert records into radcheck and radreply? Do we still rely on the
> 'Auth-Type' in the radcheck table?

  The radcheck and radreply tables are used by the SQL module.  If you're not using the SQL module, then those tables aren't used.

  Your questions seem to be coming from a mindset that the server is magic, and magically "knows" how to do things.  It isn't.  It has a lot going on, and a lot of configuration files.  But in the end it's just a whole bunch of simple things put together in gradually more complex ways.

  If you want to use radcheck / radreply, configure the SQL module.  And be sure that the SQL module is listed in the virtual server.  See sites-available/default for many, many examples.

  Go read the technical guide.  I think many of your misconceptions are addressed there.

  Alan DeKok.
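
An added example, not part of the message above and not taken from the FreeRADIUS default configuration: a sketch of a virtual server in which the rest module handles authentication only, while the sql module is listed only in the sections that write radacct and radpostauth. It assumes FreeRADIUS 3.x syntax, PAP-style requests, and rest and sql modules that are already enabled and configured; listen sections are omitted.

```unlang
# Constructed sketch of a virtual server (FreeRADIUS 3.x syntax assumed).
# Assumes the rest and sql modules are linked into mods-enabled/ and
# configured. Only the processing sections are shown.
server default {
	authorize {
		preprocess

		# Assumption: requests carry User-Password (PAP).
		# Select the rest module for the authenticate stage explicitly.
		# "sql" is not listed here, so radcheck / radreply are never read.
		if (&User-Password) {
			update control {
				&Auth-Type := rest
			}
		}
	}

	authenticate {
		# Runs the "authenticate" subsection of mods-available/rest.
		# The HTTP status of the reply is turned into a module return
		# code; the mapping is documented in that file.
		Auth-Type rest {
			rest
		}
	}

	accounting {
		# radacct is written only because sql is listed here.
		sql
	}

	post-auth {
		# Accepted logins go to radpostauth.
		sql

		# Rejected logins are recorded only if sql is listed here too.
		Post-Auth-Type REJECT {
			sql
		}
	}
}
```

With this layout, nothing needs to be inserted into radcheck or radreply, and removing `sql` from a section stops the corresponding table from being written.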
