HTTP headers

Stjepan Roić roic27 at gmail.com
Thu Dec 2 13:34:52 CET 2021


Thank you Matthew,

regarding your input I have previously tried placing that code inside the
authentication section of the default server but got this error:

-- Unit freeradius.service has begun starting up.
Dec 02 12:03:24 freeradius freeradius[7819]: FreeRADIUS Version 3.0.16
Dec 02 12:03:24 freeradius freeradius[7819]: Copyright (C) 1999-2017 The
FreeRADIUS server project and contributors
Dec 02 12:03:24 freeradius freeradius[7819]: There is NO warranty; not even
for MERCHANTABILITY or FITNESS FOR A
Dec 02 12:03:24 freeradius freeradius[7819]: PARTICULAR PURPOSE
Dec 02 12:03:24 freeradius freeradius[7819]: You may redistribute copies of
FreeRADIUS under the terms of the
Dec 02 12:03:24 freeradius freeradius[7819]: GNU General Public License
Dec 02 12:03:24 freeradius freeradius[7819]: For more information about
these matters, see the file named COPYRIGHT
Dec 02 12:03:24 freeradius freeradius[7819]: Starting - reading
configuration files ...
Dec 02 12:03:24 freeradius freeradius[7819]: Debugger not attached
Dec 02 12:03:24 freeradius freeradius[7819]: Creating attribute Unix-Group
Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Driver
rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Dec 02 12:03:24 freeradius freeradius[7819]: Creating attribute SQL-Group
Dec 02 12:03:24 freeradius freeradius[7819]: tls: Using cached TLS
configuration from previous invocation
Dec 02 12:03:24 freeradius freeradius[7819]: tls: Using cached TLS
configuration from previous invocation
Dec 02 12:03:24 freeradius freeradius[7819]:
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay"         found in filter list for realm
"DEFAULT".
Dec 02 12:03:24 freeradius freeradius[7819]:
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec"         found in filter list for realm
"DEFAULT".
Dec 02 12:03:24 freeradius freeradius[7819]: rlm_rest: libcurl version:
libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1
(+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Dec 02 12:03:24 freeradius freeradius[7819]: rlm_rest (rest): Initialising
connection pool
Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql_mysql: libmysql
version: 5.7.36
Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Attempting to
connect to database "radius"
Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Initialising
connection pool
Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Processing
generate_sql_clients
Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql) in
generate_sql_clients: query is SELECT id, nasname, shortname, type, secret,
server FROM nas
Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): 0 of 0
connections in use.  You  may need to increase "spare"
Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Opening
additional connection (0), 1 of 1 pending slots used
Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql_mysql: Starting
connect to MySQL server
Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Reserved
connection (0)
Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Released
connection (0)
Dec 02 12:03:24 freeradius freeradius[7819]: rlm_mschap (mschap): using
internal authentication
Dec 02 12:03:24 freeradius freeradius[7819]: rlm_cache (cache_eap): Driver
rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
Dec 02 12:03:24 freeradius freeradius[7819]: rlm_detail (auth_log):
'User-Password' suppressed, will not appear in detail output
*Dec 02 12:03:24 freeradius freeradius[7819]:
/etc/freeradius/3.0/sites-enabled/default[480]: Unknown Auth-Type "control"
in authenticate sub-section.*
Dec 02 12:03:24 freeradius systemd[1]: freeradius.service: Control process
exited, code=exited status=1
Dec 02 12:03:24 freeradius systemd[1]: freeradius.service: Failed with
result 'exit-code'.
Dec 02 12:03:24 freeradius systemd[1]: Failed to start FreeRADIUS
multi-protocol policy server.

Now I have done it in the authorization section just before "filter_username",
and although the server starts there is no difference in the output on the
rest server: no headers incoming.

Debug:
Ready to process requests
(0) Received Access-Request Id 59 from 127.0.0.1:33440 to 127.0.0.1:1812
length 79
(0)   User-Name = "rba_user1"
(0)   User-Password = "rba_user1"
(0)   NAS-IP-Address = 172.16.49.8
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0x8204eb0ff20ae8b2ea0b4ed973d894c3
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
rlm_rest (rest): Reserved connection (0)
(0) rest: Expanding URI components
(0) rest: EXPAND https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io
(0) rest:    --> https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io
(0) rest: EXPAND /api/v1/auth/login
(0) rest:    --> /api/v1/auth/login
(0) rest: Sending HTTP POST to "
https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login
"
(0) rest: EXPAND {"username": "%{urlquote:%{User-Name}}",  "password":
"%{urlquote:%{User-Password}}"}
(0) rest:    --> {"username": "rba_user1",  "password": "rba_user1"}
(0) rest: Processing response header
(0) rest:   Status : 200 (OK)
(0) rest:   Type   : json (application/json)
(0) rest: Parsing attribute "username"
(0) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "username", skipping...
(0) rest: Parsing attribute "firstname"
(0) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "firstname", skipping...
(0) rest: Parsing attribute "lastname"
(0) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "lastname", skipping...
(0) rest: Parsing attribute "locationId"
(0) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "locationId", skipping...
(0) rest: Parsing attribute "id"
(0) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "id", skipping...
(0) rest: Parsing attribute "email"
(0) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "email", skipping...
(0) rest: Parsing attribute "access_token"
(0) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "access_token", skipping...
rlm_rest (rest): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (5), 1 of 27 pending slots
used
rlm_rest (rest): Connecting to "
https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login
"
(0)     [rest] = ok
(0)     [preprocess] = ok
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 176
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting
Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password
is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = rest
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
rlm_rest (rest): Reserved connection (1)
(0) rest: Expanding URI components
(0) rest: EXPAND https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io
(0) rest:    --> https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io
(0) rest: EXPAND /api/v1/auth/login
(0) rest:    --> /api/v1/auth/login
(0) rest: Sending HTTP POST to "
https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login
"
(0) rest: EXPAND {"username": "%{urlquote:%{User-Name}}",  "password":
"%{urlquote:%{User-Password}}"}
(0) rest:    --> {"username": "rba_user1",  "password": "rba_user1"}
(0) rest: Processing response header
(0) rest:   Status : 200 (OK)
(0) rest:   Type   : json (application/json)
(0) rest: Parsing attribute "username"
(0) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "username", skipping...
(0) rest: Parsing attribute "firstname"
(0) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "firstname", skipping...
(0) rest: Parsing attribute "lastname"
(0) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "lastname", skipping...
(0) rest: Parsing attribute "locationId"
(0) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "locationId", skipping...
(0) rest: Parsing attribute "id"
(0) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "id", skipping...
(0) rest: Parsing attribute "email"
(0) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "email", skipping...
(0) rest: Parsing attribute "access_token"
(0) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "access_token", skipping...
rlm_rest (rest): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (6), 1 of 26 pending slots
used
rlm_rest (rest): Connecting to "
https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login
"
(0)     [rest] = ok
(0)   } # authenticate = ok
(0) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated
(0)     } # update = noop
(0) sql: EXPAND .query
(0) sql:    --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND %{User-Name}
(0) sql:    --> rba_user1
(0) sql: SQL-User-Name set to 'rba_user1'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'rba_user1', 'rba_user1', 'Access-Accept', '2021-12-02 12:11:22')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'rba_user1', 'rba_user1', 'Access-Accept', '2021-12-02
12:11:22')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.7.36-0ubuntu0.18.04.1, protocol version 10
(0)     [sql] = ok
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = ok
(0) Sent Access-Accept Id 59 from 127.0.0.1:1812 to 127.0.0.1:33440 length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 59 with timestamp +26


This is my whole authorize section in default server:

authorize {

        filter_username

        filter_password
        update control {
                &REST-HTTP-Header += "secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5"
                &REST-HTTP-Header += "uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1"
                &REST-HTTP-Header += "Content-Type: application/json"
        }

        rest

        preprocess

        eap {
                ok = return
#               updated = return
        }

        unix

        files
        expiration
        logintime
        pap
}

While on the subject of authorization, do I need to have both authorization
and authentication configured to fetch user data from the API endpoint in the
rest module? Because right now I'm sending double POST requests, and from my
understanding the authorize section should only be checking whether there is a
right authentication method and correct attributes, and setting the Auth-Type.

Thank you for your feedback,
kind regards



On Thu, 2 Dec 2021 at 11:53, Matthew Newton <mcn at freeradius.org> wrote:

> On 02/12/2021 10:40, Stjepan Roić wrote:
> > I'm new to this and I made a typo when you suggested different
> > operator which I didn't notice later and the debug didn't drop an error
> on
> > that part.
>
> The configuration is very flexible, so you can define your own settings
> and read them in other parts of the config. That means adding things in
> the "wrong" places isn't usually a config error.
>
> There are situations where the server will complain on startup (e.g.
> obsolete options still in use), but it can't complain about everything
> unusual that it sees.
>
>
> > You'll notice I'm getting Access-accept from the rest server but that's
> > only because I disabled those headers verification on the mock server. I
> > hope this debug can still provide info you need, if not please let me
> know
> > what to share.
>
> You've got this in your rest config:
>
>     update control {
>          &REST-HTTP-Header += ....
>     }
>
> It needs to go in the main virtual server config (e.g.
> sites-available/default), somewhere _before_ you call the "rest" module.
> In your situation probably just after the "filter_username" policy call.
>
> Module config defines things for each module. Requests pass through the
> appropriate virtual server, being altered and changed by modules on the
> way. If you want to add internal attributes that redefine how a module
> works they need to be set in the virtual server before that module is
> called.
>
> --
> Matthew
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
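As an added example (not code from this thread or from the FreeRADIUS project), here is a minimal handler for the /api/v1/auth/login endpoint that the rest module above posts to. It verifies the two custom headers the authorize section sets, checks the JSON body rlm_rest sends, and answers with keys named as RADIUS attributes, which is the JSON shape rlm_rest maps into the request instead of skipping with "Invalid vendor name". The secret, uuid and user table are constructed placeholders.

```python
import hmac
import json

# Constructed placeholders; a real deployment loads these from configuration.
EXPECTED_SECRET = "REPLACE-WITH-SHARED-SECRET"
EXPECTED_UUID = "REPLACE-WITH-CLIENT-UUID"

# Constructed user store for the example: username -> password.
USERS = {"rba_user1": "rba_user1"}


def check_headers(headers):
    """True only if both custom headers match (header names are case-insensitive)."""
    norm = {k.lower(): v for k, v in headers.items()}
    secret_ok = hmac.compare_digest(norm.get("secret", ""), EXPECTED_SECRET)
    uuid_ok = hmac.compare_digest(norm.get("uuid", ""), EXPECTED_UUID)
    return secret_ok and uuid_ok


def handle_login(headers, body):
    """Handle the POST body {"username": ..., "password": ...} sent by rlm_rest.

    Returns (http_status, response_dict). rlm_rest treats 2xx as ok and
    401/403 as reject, so the status code alone drives authenticate.
    """
    if not check_headers(headers):
        return 401, {"reply:Reply-Message": "missing or invalid auth headers"}
    try:
        data = json.loads(body)
        username, password = data["username"], data["password"]
    except (ValueError, KeyError, TypeError):
        return 400, {"reply:Reply-Message": "malformed login body"}
    if not isinstance(username, str) or not isinstance(password, str):
        return 400, {"reply:Reply-Message": "malformed login body"}
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        return 401, {"reply:Reply-Message": "invalid credentials"}
    return 200, {
        # Attribute-named keys: "<list>:<Attribute>" with an explicit operator.
        # Cleartext-Password gives pap a "known good" password when this
        # endpoint is called from authorize.
        "control:Cleartext-Password": {"op": ":=", "value": stored},
        "reply:Reply-Message": "welcome " + username,
    }
```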