dynamic-clients with rest (v.3.2)

Bino Oetomo wowon01 at gmail.com
Wed Dec 6 23:58:41 UTC 2023


Dear All

I followed the steps from
https://networkradius.com/packages/#fr32-debian-bullseye

```
root@freeradius32apt ~# freeradius -v
radiusd: FreeRADIUS Version 3.2.3 (git #db3d1924d), for host x86_64-pc-linux-gnu
FreeRADIUS Version 3.2.3
Copyright (C) 1999-2022 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

```

I'm trying to do dynamic-clients with rest

So I did (as root):
```
apt install freeradius-rest
```
And here is freeradius/mods-enabled/rest:
```
rest {
#
#  This subsection configures the tls related items
#  that control how FreeRADIUS connects to a HTTPS
#  server.
#
tls {
}

# rlm_rest will open a connection to the server specified in connect_uri
# to populate the connection cache, ready for the first request.
# The server will not start if the server specified is unreachable.
#
# If you wish to disable this pre-caching and reachability check,
# comment out the configuration item below.
# connect_uri = "http://127.0.0.1/"

#
#  How long before new connection attempts timeout, defaults to 4.0 seconds.
#
connect_timeout = 10.0

#
# Specify HTTP protocol version to use. one of '1.0', '1.1', '2.0', '2.0+auto',
# '2.0+tls' or 'default'. (libcurl option CURLOPT_HTTP_VERSION)
#
# http_negotiation = 1.1
authorize {
uri = "http://192.168.56.1:5000/radius/authorize"
method = 'post'
body = 'JSON'
}
authenticate {
uri = "http://192.168.56.1:5000/radius/authenticate"
method = 'post'
body = JSON
}

preacct {
}
accounting {
uri = "http://192.168.56.1:5000/radius/accounting"
method = 'post'
body = JSON
}
post-auth {
}
pre-proxy {
}
post-proxy {
}

#  Options for calling rest xlats
#  uri and method will be derived from the string provided to the xlat
xlat {
body_uri_encode = yes
}

#
#  The connection pool is used to pool outgoing connections.
#
pool {
#  Connections to create during module instantiation.
#  If the server cannot create specified number of
#  connections during instantiation it will exit.
#  Set to 0 to allow the server to start without the
#  web service being available.
start = ${thread[pool].start_servers}

#  Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}

#  Maximum number of connections
#
#  If these connections are all in use and a new one
#  is requested, the request will NOT get a connection.
#
#  Setting 'max' to LESS than the number of threads means
#  that some threads may starve, and you will see errors
#  like 'No connections available and at max connection limit'
#
#  Setting 'max' to MORE than the number of threads means
#  that there are more connections than necessary.
max = ${thread[pool].max_servers}

#  Spare connections to be left idle
#
#  NOTE: Idle connections WILL be closed if "idle_timeout"
#  is set.  This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}

#  Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0

#  The number of seconds to wait after the server tries
#  to open a connection, and fails.  During this time,
#  no new connections will be opened.
retry_delay = 30

#  The lifetime (in seconds) of the connection
lifetime = 0

#  idle timeout (in seconds).  A connection which is
#  unused for this length of time will be closed.
idle_timeout = 60

#  NOTE: All configuration settings are enforced.  If a
#  connection is closed because of "idle_timeout",
#  "uses", or "lifetime", then the total number of
#  connections MAY fall below "min".  When that
#  happens, it will open a new connection.  It will
#  also log a WARNING message.
#
#  The solution is to either lower the "min" connections,
#  or increase lifetime/idle_timeout.
}
}

```

My sites-enabled/default:
```

server default {
listen {
type = auth
ipaddr = 192.168.56.110
port = 0
limit {
     #
     #  Limit the number of simultaneous TCP connections to the socket
     #
     #  The default is 16.
     #  Setting this to 0 means "no limit"
     max_connections = 16

     #  The per-socket "max_requests" option does not exist.

     #
     #  The lifetime, in seconds, of a TCP connection.  After
     #  this lifetime, the connection will be closed.
     #
     #  Setting this to 0 means "forever".
     lifetime = 0

     #
     #  The idle timeout, in seconds, of a TCP connection.
     #  If no packets have been received over the connection for
     #  this time, the connection will be closed.
     #
     #  Setting this to 0 means "no timeout".
     #
     #  We STRONGLY RECOMMEND that you set an idle timeout.
     #
     idle_timeout = 30
}
}

#
#  This second "listen" section is for listening on the accounting
#  port, too.
#
listen {
ipaddr = 192.168.56.110
port = 0
type = acct

limit {
#  The number of packets received can be rate limited via the
#  "max_pps" configuration item.  When it is set, the server
#  tracks the total number of packets received in the previous
#  second.  If the count is greater than "max_pps", then the
#  new packet is silently discarded.  This helps the server
#  deal with overload situations.
#
#  The packets/s counter is tracked in a sliding window.  This
#  means that the pps calculation is done for the second
#  before the current packet was received.  NOT for the current
#  wall-clock second, and NOT for the previous wall-clock second.
#
#  Useful values are 0 (no limit), or 100 to 10000.
#  Values lower than 100 will likely cause the server to ignore
#  normal traffic.  Few systems are capable of handling more than
#  10K packets/s.
#
#  It is most useful for accounting systems.  Set it to 50%
#  more than the normal accounting load, and you can be sure that
#  the server will never get overloaded
#
# max_pps = 0

# Only for "proto = tcp". These are ignored for "udp" sockets.
#
# idle_timeout = 0
# lifetime = 0
# max_connections = 0
}
}

# IPv6 versions of the above - read their full config to understand options
authorize {
filter_username
preprocess
rest
chap
mschap
}


authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
}


#
#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
preprocess
acct_unique
}

#
#  Accounting.  Log the accounting data.
#
accounting {
rest
}


#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
}


#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
Post-Auth-Type REJECT {
}

#
#  Filter access challenges.
#
Post-Auth-Type Challenge {
}

Post-Auth-Type Client-Lost {
}

#
#  If the client sends EAP-Key-Name in the request,
#  then echo the real value back in the reply.
#
}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {
}
}
```
Below is my freeradius/sites-enabled/dynamic-clients:
```
# -*- text -*-
#
#  Define a network where clients may be dynamically defined.
client dynamic {
    #
    #  You MUST specify a netmask!
    #  IPv4 /32 or IPv6 /128 are NOT allowed!
    ipaddr = 192.168.56.0/24
    dynamic_clients = dynamic_clients
    lifetime = 3600
}

#
#  This is the virtual server referenced above by "dynamic_clients".
server dynamic_clients {

    #
    #  The only contents of the virtual server is the "authorize" section.
    authorize {
        rest
        #
        #  Tell the caller that the client was defined properly.
        #
        #  If the authorize section does NOT return "ok", then
        #  the new client is ignored.
        ok
    }
}

```

When I try to connect my PPPoE client to my pppoe-server, FreeRADIUS says
that the client (pppoe-server) is unknown.

Some output from --> freeradius -XXX
```
Wed Dec  6 23:08:21 2023 : Debug: (0) server dynamic_clients {
Wed Dec  6 23:08:21 2023 : Debug: (0) # Executing section authorize from file /etc/freeradius/sites-enabled/dynamic-clients
Wed Dec  6 23:08:21 2023 : Debug: (0)   authorize {
Wed Dec  6 23:08:21 2023 : Debug: (0)     modsingle[authorize]: calling rest (rlm_rest)
Wed Dec  6 23:08:21 2023 : Debug: rlm_rest (rest): Reserved connection (0)
Wed Dec  6 23:08:21 2023 : Debug: (0) rest: Expanding URI components
Wed Dec  6 23:08:21 2023 : Debug: http://192.168.56.1:5000
Wed Dec  6 23:08:21 2023 : Debug: Parsed xlat tree:
Wed Dec  6 23:08:21 2023 : Debug: literal --> http://192.168.56.1:5000
Wed Dec  6 23:08:21 2023 : Debug: (0) rest: EXPAND http://192.168.56.1:5000
Wed Dec  6 23:08:21 2023 : Debug: (0) rest:    --> http://192.168.56.1:5000
Wed Dec  6 23:08:21 2023 : Debug: /radius/authorize
Wed Dec  6 23:08:21 2023 : Debug: Parsed xlat tree:
Wed Dec  6 23:08:21 2023 : Debug: literal --> /radius/authorize
Wed Dec  6 23:08:21 2023 : Debug: (0) rest: EXPAND /radius/authorize
Wed Dec  6 23:08:21 2023 : Debug: (0) rest:    --> /radius/authorize
Wed Dec  6 23:08:21 2023 : Debug: (0) rest: Sending HTTP POST to "http://192.168.56.1:5000/radius/authorize"
Wed Dec  6 23:08:21 2023 : Debug: (0) rest: Adding custom headers:
Wed Dec  6 23:08:21 2023 : Debug: (0) rest:   X-FreeRADIUS-Section: authorize
Wed Dec  6 23:08:21 2023 : Debug: (0) rest:   X-FreeRADIUS-Server: dynamic_clients
Wed Dec  6 23:08:21 2023 : Debug: (0) rest: Request body content-type will be "application/json"
Wed Dec  6 23:08:21 2023 : Debug: (0) rest: JSON Data: {}
Wed Dec  6 23:08:21 2023 : Debug: (0) rest: Returning 2 bytes of JSON data
Wed Dec  6 23:08:21 2023 : Debug: (0) rest: Processing response header
Wed Dec  6 23:08:21 2023 : Debug: (0) rest:   Status : 500 (INTERNAL SERVER ERROR)
Wed Dec  6 23:08:21 2023 : Debug: (0) rest:   Type   : json (application/json)
Wed Dec  6 23:08:21 2023 : Debug: (0) rest: Adding reply:REST-HTTP-Status-Code = "500"
Wed Dec  6 23:08:21 2023 : ERROR: (0) rest: Server returned:
Wed Dec  6 23:08:21 2023 : ERROR: (0) rest: {}
Wed Dec  6 23:08:21 2023 : Debug: rlm_rest (rest): Released connection (0)

```

Kindly please look at line 22 of the debug lines:
```
Wed Dec  6 23:08:21 2023 : Debug: (0) rest: JSON Data: {}
```
I think FreeRADIUS did not wrap any data into the JSON body.

Is that a bug?
If not, kindly please tell me how to fix it.

Sincerely
-bino-
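
Added example (not part of the original post and not FreeRADIUS project code): a small triage script that groups the rlm_rest debug lines shown above into one record per HTTP call and flags an empty JSON request body or an HTTP error status. The names `summarize`, `SAMPLE`, `LINE` and `FIELDS` are assumptions made for this example; the sample lines are copied from the post's debug output with the mail line wraps joined.

```python
import json
import re

# Debug lines taken from the post's `freeradius -XXX` output (mail line wraps joined).
SAMPLE = """\
Wed Dec  6 23:08:21 2023 : Debug: (0) rest: Sending HTTP POST to "http://192.168.56.1:5000/radius/authorize"
Wed Dec  6 23:08:21 2023 : Debug: (0) rest:   X-FreeRADIUS-Section: authorize
Wed Dec  6 23:08:21 2023 : Debug: (0) rest:   X-FreeRADIUS-Server: dynamic_clients
Wed Dec  6 23:08:21 2023 : Debug: (0) rest: JSON Data: {}
Wed Dec  6 23:08:21 2023 : Debug: (0) rest:   Status : 500 (INTERNAL SERVER ERROR)
"""

# "<timestamp> : <level>: (<request id>) rest: <message>"
LINE = re.compile(r" : \w+: \((\d+)\) rest:\s+(.*)$")
FIELDS = [
    ("url", re.compile(r'Sending HTTP \w+ to "([^"]+)"')),
    ("section", re.compile(r"X-FreeRADIUS-Section: (\S+)")),
    ("server", re.compile(r"X-FreeRADIUS-Server: (\S+)")),
    ("body", re.compile(r"JSON Data: (.*)")),
    ("status", re.compile(r"Status : (\d+)")),
]

def summarize(log_text):
    """Return one dict per rlm_rest call, each with a list of findings."""
    calls = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a per-request rlm_rest line
        req_id, msg = int(m.group(1)), m.group(2)
        for name, rx in FIELDS:
            hit = rx.match(msg)
            if not hit:
                continue
            if name == "url":  # a new HTTP exchange starts here
                calls.append({"request": req_id, "findings": []})
            if calls:
                calls[-1][name] = hit.group(1)
    for call in calls:
        try:
            empty = json.loads(call.get("body", "")) == {}
        except ValueError:  # body missing or not valid JSON
            empty = False
        if empty:
            call["findings"].append("empty request body")
        if int(call.get("status", 0)) >= 400:
            call["findings"].append("HTTP error " + call["status"])
    return calls

if __name__ == "__main__":
    for call in summarize(SAMPLE):
        print(call)
```
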

