REST module config options

Alan DeKok aland at deployingradius.com
Wed Nov 30 19:15:54 UTC 2022


On Nov 30, 2022, at 1:42 PM, James Narey via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I'm working on an existing FreeRADIUS 3.0.25 implementation, in particular
> the REST module.
> 
> The current configuration sets the following config items in the tls block:
> 
> cacertdir
> cacertfile
> verify_cert
> 
> These don't appear in the default rest config for 3.0.x. The do appear in
> the NetworkRADIUS wiki, though the first two do not have descriptions. This
> page's 'Default Config' link goes to the same file - mods-available/rest in
> the 3.0.x branch.

  The TLS configuration for the "rest" module is documented in mods-available/rest.  Anything not documented there doesn't work.

  For EAP and RadSec, we've implemented all of the TLS bits ourselves.  Which means that there are a ton of configuration options for TLS.

  For the Rest module, we have to use the libcurl API.  And that exposes fewer configuration options for TLS.

> I'm unsure which names to be using and, while the names of the top two are
> descriptive, it would be helpful to see some documentation before
> continuing to rely on them.

  The documentation in mods-available/rest is up to date, and is correct.

> It would also be helpful to know whether there is a reason to use
> verify_cert vs check_cert, though it is clear at least that these do the
> same thing.

  You can't use them with the Rest module.

  For EAP and Radsec, these configuration items are documented in mods-available/eap, among other places.

  Alan DeKok.



More information about the Freeradius-Users mailing list