Alan DeKok aland at
Wed Jan 2 15:33:47 CET 2019

On Jan 2, 2019, at 4:39 AM, Daniel Kong <daniel.kongyh at> wrote:

  Please edit your replies.  There's no need to include 100's of lines of the previous message at the bottom of your post.  We've seen it already, and we don't need to see it again.

> I get status 401 (unauthorized) because the site is protected. By
> disabling the REST security on the 3rd party application, it can
> successfully send the request and get the response, which I have posted
> previously by including the username and password for HTTP basic
> authentication.

  OK... I'm not sure why you're "protecting" a REST API from FreeRADIUS.  But whatever...

> connect_uri = ""
> authenticate {
>   uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
>   method = "get"
>   force_to = "json"
>  * require_auth = yes*
> *   auth = "basic"*
> *   username = "test"*
> *   password = "password123"*
>   tls = ${..tls}
> }
> Since specifying those required attributes is not working,

  What does that mean?  You should be able to look at either the FreeRADIUS logs, or the REST server logs to see what's going on.

> so I have
> tried to include REST-HTTP-Header, but it doesn't work either.
> connect_uri = ""
> authenticate {
>   uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
>   method = "get"
>   force_to = "json"
>  * REST-HTTP-Header = "Authorization: Basic aW5ldHVzZXI6cGFzc3dvcmQxYXBw"*
>   tls = ${..tls}
> }
> I am also getting a 401 while trying to send the request. Where is the
> problem?

  Without detailed information (i.e. logs), there's no way to tell.  You have to figure out what's going on.  You can't just change the configuration and hope it will now magically work.

> I have tried very hard to understand the return JSON format from the API
> itself, but the information provided is insufficient. I understand it has a
> pair of values which consists of attribute and value. That's why in my above
> tryout I tried to put a "result" and "message" attribute. But RADIUS
> doesn't recognize these two vendor attributes.

  You need to have the API return json, in the format described in mods-available/rest.  Something like this should work:

	"User-Name": {

> So my question is what is actually needed to pass back to RADIUS? Is
> specifying 200 (OK) and 401 (Unauthorized) sufficient for RADIUS to
> process?

  The REST module documentation describes what HTTP codes the REST server should return.  I've already said this.  Please read the documentation.

  Alan DeKok.
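
An added example, not part of the original message and not FreeRADIUS code: a sketch of the REST server's side of the authenticate call, keeping the HTTP Basic check on the API client separate from the check on the end user, and returning JSON in the attribute / op / value shape that mods-available/rest describes. The credentials, user store, function names, log reasons and the choice of Reply-Message are assumptions made for illustration.

```python
import base64, binascii, hmac, json

# Constructed sample values (assumptions, not taken from the thread).
API_USER, API_PASS = "radius-client", "example-api-secret"
USERS = {"bob": "hunter2"}

def parse_basic(header):
    """Return (username, password) from an Authorization header, else None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def same(a, b):
    # Constant-time comparison so response timing does not leak the secret.
    return hmac.compare_digest(a.encode(), b.encode())

def reply(message):
    # Attribute / op / value shape; "reply:Reply-Message" is an assumed choice.
    return json.dumps({"reply:Reply-Message": {"op": ":=", "value": message}})

def respond(auth_header, user_name, user_password):
    """Return (http_status, body, log_reason) for one authenticate request."""
    creds = parse_basic(auth_header)
    # Layer 1: is the caller (the FreeRADIUS rest module) allowed to use the API?
    if creds is None or not (same(creds[0], API_USER) & same(creds[1], API_PASS)):
        return 401, reply("API client not authorised"), "client-auth-failed"
    # Layer 2: are the end user's credentials valid?
    expected = USERS.get(user_name)
    if expected is None:
        return 404, "", "unknown-user"
    if not same(expected, user_password):
        return 401, reply("Bad password"), "user-auth-failed"
    return 200, reply("Welcome " + user_name), "ok"
```

Both failure layers answer 401, so the log reason recorded on the REST server is what separates a rejected API client from a rejected user.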
