rest module to send simple API call to Infoblox for Mac Auth
Alan DeKok
aland at deployingradius.com
Thu Sep 26 07:00:42 UTC 2024
On Sep 26, 2024, at 8:53 AM, <dominic.stalder at unibe.ch> wrote:
> This broke my configuration: I had two copies of the file /etc/freeradius/policy.d/canonicalization as backup archives in the exact same directory (w/o the new custom attribute in there).
Use "git" for revision control. Copying text files into multiple locations is a bad idea. You lose track of what's going on, and the server will usually load ALL files in a directory.
> 1. I always did / do copies of old freeradius configuration files like this in the original directory: cp xyz xyz.{yyyymmdd}. This was never a problem, but I think it is different for special directories like /etc/freeradius/policy.d/ and others, is that correct?
Use "git". Manually copying files is very much not recommended.
> 2.a) I would like to add an if statement to /etc/freeradius/mods-available/rest.
No.
You cannot put policies into the module configurations.
> My goal is to change the local variable "network" based on the attribute Called-Station-SSID, but it seems that the modules do not allow any if / else conditions, is that correct?
Try it and see. You will get a message in the debug output.
> 2.b) What would be an alternative to have a switch statement in the rest module? Do I have to realize this via another local / custom variable from /sites-enabled/default to /mods-enabled/rest. Something like that.
You're asking if a particular solution will work. This is the wrong way to solve problems.
Instead, describe what you want to do, and then ask what solution is best.
> --> I want to make sure there is no "parallel" chaos if multiple RADIUS requests arrive on the FreeRADIUS server and I set the custom variable early and it gets overwritten; I hope you get my concern?
The server tracks each request separately. If you want custom variables for a request, then you put the custom variable into the request. Not into the module configuration.
> if ("%{Called-Station-SSID}" == "xyz-DEV") {
> network = "172.25.8.0/21"
> }
>
> # Create the REST API call URI:
> uri = "${..connect_uri}/wapi/v2.11.3/record:host?network=${network}&mac=%{My-Local-Calling-Station-Id-Colon}"
You already know how to create custom attributes in the local dictionary, and then set them in a policy. Why not do the same thing here for "network"? Why invent another approach?
Alan DeKok.
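
The approach described in the reply above, as an added sketch that is not part of the original thread and not the FreeRADIUS project's own configuration: the network goes into a per-request attribute set by a policy, and the rest module only expands it. It assumes FreeRADIUS v3 syntax; the attribute name My-Local-Network, its number 3010, the policy name set_infoblox_network and the file name are hypothetical.

```text
# --- local dictionary (same place My-Local-Calling-Station-Id-Colon is defined) ---
# Hypothetical attribute; pick an unused number in your local range.
ATTRIBUTE	My-Local-Network	3010	string

# --- policy.d/infoblox_network (hypothetical file name) ---
# Conditions live in unlang policies, not in module configuration.
set_infoblox_network {
	switch &Called-Station-SSID {
		case "xyz-DEV" {
			update request {
				# Stored in this request only, so concurrent
				# requests cannot overwrite each other's value.
				&My-Local-Network := "172.25.8.0/21"
			}
		}
		case {
			# Unknown SSID (assumed handling): leave the attribute
			# unset so the caller can skip the REST lookup.
			noop
		}
	}
}

# --- sites-enabled/default ---
authorize {
	# ... existing policies that set Called-Station-SSID and
	# My-Local-Calling-Station-Id-Colon run before this point ...
	set_infoblox_network
	if (&My-Local-Network) {
		rest
	}
}

# --- mods-available/rest, inside the section that makes the call ---
# ${...} is expanded once when the configuration is parsed;
# %{...} is expanded for each request, which is what "network" needs.
uri = "${..connect_uri}/wapi/v2.11.3/record:host?network=%{My-Local-Network}&mac=%{My-Local-Calling-Station-Id-Colon}"
```

Running the server in debug mode shows the expanded URI for each request, which confirms that the value comes from the request and not from the module configuration.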