EAP-PEAP REST Authorize Multiple API Calls

Alan DeKok aland at deployingradius.com
Wed Jan 9 16:51:46 CET 2019

On Jan 9, 2019, at 10:31 AM, Emile Swarts <emile at madetech.com> wrote:
> I use the rest module to authenticate with a custom API backend with
> It works well apart from the fact that each request hits the backend API 3
> times.

  With EAP, even the inner tunnel uses multiple round trips, and therefore multiple packets.

> I have no rest calls in my default virtual server, just the inner-tunnel.
> Does anyone have any ideas on how to fix this?

  Do the REST call only once. :)

  But more helpfully, do the rest call only if it wasn't already done.  If you're using a recent version of server, you can use the "session-state" list to remember things across multiple packets.

> This is what my inner-tunnel virtual server looks like:
> server inner-tunnel {
>  authorize {
>    filter_username
>    rest

  Do something like:

	if (!session-state.Tmp-String-0) {
		update session-state {
			Tmp-String-0 := "done rest"
			... and copy the attributes returned from rest to session-state!
	} else {
		update control {
			... copy REST attributes from session-state to wherever...

  There's a bit of glue to be done, but it should be clear enough.

  Alan DeKok.

More information about the Freeradius-Users mailing list