Unknown issue with rest module in FreeRADIUS 3.2.7
Dominic Stalder
dominic.stalder at bluewin.ch
Thu Apr 3 17:45:07 UTC 2025
Hi everybody
Recently, I upgraded from FreeRADIUS 3.2.6 to 3.2.7. I implemented a rest module call to our IPAM (Infoblox) on version 3.2.6. The rest module call is still in «evaluation» and was not used in production, that’s why it is not used frequently and I was not forced to troubleshoot the problem before.
But now I would need some help:
1. the rest module call to our IPAM (Infoblox) was working fine in FR 3.2.6.
2. The goal is to check, if a client with a given mac address (Calling-Station-Id) is listed in a given IP subnet on Infoblox, additionally to the 802.1x (PEAP) authentication on the given SSID
a) if yes (REST-HTTP-Status-Code = 200 and REST-HTTP-Body != []), then return an ACCESS-ACCEPT
b) if not (REST-HTTP-Status-Code != 200 or REST-HTTP-Body == []), then return an ACCESS-REJECT
As I stated above, it worked on FR 3.2.6, but since upgrading to 3.2.7, it SOMETIMES still works, but most of the time it DOESN’T and it returns an HTTP status code of 403 («Forbidden»). Strangely, I never get an HTTP status code of 403 with the exact same user credentials while trying the same API call in Postman:
[
{
"_ref": "record:host/ZG5zLmhvc3QkLl9kZWZhdWx0LmNoLnVuaWJlLnptay5wcnRnLXByb2JlLWZyZWVycmFkaXVzLXpta2Jlcm4:prtg-probe-freerradius-zmkbern.zmk.unibe.ch/default",
"ipv4addrs": [
{
"_ref": "record:host_ipv4addr/ZG5zLmhvc3RfYWRkcmVzcyQuX2RlZmF1bHQuY2gudW5pYmUuem1rLnBydGctcHJvYmUtZnJlZXJyYWRpdXMtem1rYmVybi4xNzIuMjUuOC4xMC4:172.25.8.10/prtg-probe-freerradius-zmkbern.zmk.unibe.ch/default",
"configure_for_dhcp": true,
"host": "prtg-probe-freerradius-zmkbern.zmk.unibe.ch",
"ipv4addr": "172.25.8.10",
"mac": "a1:b2:c3:d4:e5:f6"
}
],
"name": "prtg-probe-freeradius-ssid.domain.xy",
"view": "default"
}
]
Debug output of a working attempt (if you need the whole debug output, please let me know):
(3973) if (Service-Type == Call-Check) {
(3973) if (Service-Type == Call-Check) -> TRUE
(3973) if (Service-Type == Call-Check) {
(3973) switch &Called-Station-SSID {
(3973) case zmkbern-DEV {
(3973) update request {
(3973) &locMacAuth-IP-Subnet := "172.25.8.0/21"
(3973) } # update request = noop
rlm_rest (rest): Reserved connection (38)
(3973) rest: Expanding URI components
(3973) rest: EXPAND https://gridmaster.domain.xy <https://gridmaster.domain.xy/>
(3973) rest: --> https://gridmaster.domain.xy <https://gridmaster.domain.xy/>
(3973) rest: EXPAND /wapi/v2.11.3/record:host?network=%{locMacAuth-IP-Subnet}&mac=%{tolower:%{request:locMacAuth-Calling-Station-Id}}
(3973) rest: --> /wapi/v2.11.3/record:host?network=172.25.8.0%2F21&mac=a1%3Ab2%3Ac3%3Ad4%3Ae5%3Af6
(3973) rest: Sending HTTP GET to https://gridmaster.domain.xy/wapi/v2.11.3/record:host?network=172.25.8.0%2F21&mac=a1%3Ab2%3Ac3%3Ad4%3Ae5%3Af6
(3973) rest: EXPAND id_svcinfobloxro_prod
(3973) rest: --> id_svcinfobloxro_prod
(3973) rest: EXPAND c1K25E9MyrXLC6fCyZ
(3973) rest: --> c1K25E9MyrXLC6fCyZ
(3973) rest: Processing response header
(3973) rest: Status : 200 (OK)
(3973) rest: Type : json (application/json)
(3973) rest: Adding reply:REST-HTTP-Status-Code = "200"
(3973) rest: Adding reply:REST-HTTP-Body += "[ { "_ref": "record:host/ZG5zLmhvc3QkLl9kZWZhdWx0LmNoLnVuaWJlLnptay5wcnRnLXByb2JlLWZyZWVycmFkaXVzLXpta2Jlcm4:prtg-probe-freerradius-zmkbern.zmk.unibe.ch/default", "ipv4addrs": [ { "_ref": "record:host_ipv4addr/ZG5zLmhvc3RfYWRkcmVzcyQuX2RlZmF1bHQuY2gudW5pYmUuem1rLnBydGctcHJvYmUtZnJlZXJyYWRpdXMtem1rYmVybi4xNzIuMjUuOC4xMC4:172.25.8.10/prtg-probe-freerradius-zmkbern.zmk.unibe.ch/default", "configure_for_dhcp": true, "host": "prtg-probe-freerradius-zmkbern.zmk.unibe.ch", "ipv4addr": "172.25.8.10", "mac": "a1:b2:c3:d4:e5:f6" } ], "name": "prtg-probe-freerradius-zmkbern.zmk.unibe.ch", "view": "default" } ]"
rlm_rest (rest): Released connection (38)
Need more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (40), 1 of 29 pending slots used
rlm_rest (rest): Connecting to https://gridmaster.domain.xy <https://gridmaster.domain.xy/>
rlm_rest (rest): Closing expired connection (39) - Hit idle_timeout limit
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing expired connection (35) - Hit idle_timeout limit
(3973) [rest] = updated
(3973) } # case zmkbern-DEV = updated
(3973) } # switch &Called-Station-SSID = updated
(3973) if (reply:REST-HTTP-Status-Code == "200") {
(3973) if (reply:REST-HTTP-Status-Code == "200") -> TRUE
(3973) if (reply:REST-HTTP-Status-Code == "200") {
(3973) if (reply:REST-HTTP-Body == "[]") {
(3973) if (reply:REST-HTTP-Body == "[]") -> FALSE
(3973) else {
(3973) policy accept {
(3973) update control {
(3973) &Response-Packet-Type = Access-Accept
(3973) } # update control = noop
(3973) [handled] = handled
(3973) } # policy accept = handled
(3973) } # else = handled
(3973) } # if (reply:REST-HTTP-Status-Code == "200") = handled
(3973) } # if (Service-Type == Call-Check) = handled
(3973) } # authorize = handled
(3973) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
Debug of a failing attempt:
(4245) if (Service-Type == Call-Check) {
(4245) if (Service-Type == Call-Check) -> TRUE
(4245) if (Service-Type == Call-Check) {
(4245) switch &Called-Station-SSID {
(4245) case zmkbern-DEV {
(4245) update request {
(4245) &locMacAuth-IP-Subnet := "172.25.8.0/21"
(4245) } # update request = noop
rlm_rest (rest): Reserved connection (40)
(4245) rest: Expanding URI components
(4245) rest: EXPAND https://gridmaster.domain.xy <https://gridmaster.domain.xy/>
(4245) rest: --> https://gridmaster.domain.xy <https://gridmaster.domain.xy/>
(4245) rest: EXPAND /wapi/v2.11.3/record:host?network=%{locMacAuth-IP-Subnet}&mac=%{tolower:%{request:locMacAuth-Calling-Station-Id}}
(4245) rest: --> /wapi/v2.11.3/record:host?network=172.25.8.0%2F21&mac=a1%3Ab2%3Ac3%3Ad4%3Ae5%3Af6
(4245) rest: Sending HTTP GET to https://gridmaster.domain.xy/wapi/v2.11.3/record:host?network=172.25.8.0%2F21&mac=a1%3Ab2%3Ac3%3Ad4%3Ae5%3Af6
(4245) rest: EXPAND id_svcinfobloxro_prod
(4245) rest: --> id_svcinfobloxro_prod
(4245) rest: EXPAND c1K25E9MyrXLC6fCyZ
(4245) rest: --> c1K25E9MyrXLC6fCyZ
(4245) rest: Processing response header
(4245) rest: Status : 403 (Forbidden)
(4245) rest: Type : html (text/html)
(4245) rest: Adding reply:REST-HTTP-Status-Code = "403"
(4245) rest: ERROR: Server returned:
(4245) rest: ERROR: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
(4245) rest: ERROR: <html><head>
(4245) rest: ERROR: <title>403 Forbidden</title>
(4245) rest: ERROR: </head><body>
(4245) rest: ERROR: <h1>Forbidden</h1>
(4245) rest: ERROR: <p>You don't have permission to access this resource.</p>
(4245) rest: ERROR: </body></html>
rlm_rest (rest): Released connection (40)
Need more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (45), 1 of 26 pending slots used
rlm_rest (rest): Connecting to https://gridmaster.domain.xy <https://gridmaster.domain.xy/>
(4245) [rest] = userlock
(4245) } # case zmkbern-DEV = userlock
(4245) } # switch &Called-Station-SSID = userlock
(4245) } # if (Service-Type == Call-Check) = userlock
(4245) } # authorize = userlock
(4245) Invalid user (Failed retrieving values required to evaluate condition): [<no User-Name attribute>] (from client localhost port 0 cli A1-B2-C3-D4-E5-F6)
(4245) Using Post-Auth-Type Reject
(4245) # Executing group from file /etc/freeradius/sites-enabled/default
(4245) Post-Auth-Type REJECT {
(4245) attr_filter.access_reject: EXPAND %{User-Name}
(4245) attr_filter.access_reject: -->
(4245) [attr_filter.access_reject] = noop
(4245) [eap] = noop
(4245) policy remove_reply_message_if_eap {
(4245) if (&reply:EAP-Message && &reply:Reply-Message) {
(4245) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(4245) else {
(4245) [noop] = noop
(4245) } # else = noop
(4245) } # policy remove_reply_message_if_eap = noop
(4245) if (Service-Type == Call-Check) {
(4245) if (Service-Type == Call-Check) -> TRUE
(4245) if (Service-Type == Call-Check) {
I also get the following debug output from time to time in correspondence with this rest module call:
rlm_rest (rest): Released connection (0)
Need more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (11), 1 of 28 pending slots used
rlm_rest (rest): Connecting to https://gridmaster.domiain.xy <https://gridmaster.domiain.xy/>
rlm_rest (rest): Closing expired connection (10) - Hit idle_timeout limit
rlm_rest (rest): Closing expired connection (9) - Hit idle_timeout limit
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing expired connection (8) - Hit idle_timeout limit
(988) [rest] = userlock
(988) } # case zmkbern-DEV = userlock
(988) } # switch &Called-Station-SSID = userlock
(988) } # if (Service-Type == Call-Check) = userlock
(988) } # authorize = userlock
As I don’t really understand the rest / threading part, any help is welcome.
Regards
Dominic
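As an added example (not Dominic's configuration and not FreeRADIUS code), the accept/reject decision described in the post, reimplemented in Python over the JSON body quoted above, plus the URL expansion the rest module performs and a stricter check that the returned host record really carries the queried MAC inside the subnet. The helper names are assumptions and the sample body is constructed from the post's output.

```python
import ipaddress
import json
import re
from urllib.parse import urlencode

# Constructed sample: the WAPI body from the post, trimmed to the fields the check uses.
SAMPLE_BODY = json.dumps([{
    "_ref": "record:host/PLACEHOLDER-REF",
    "ipv4addrs": [{"ipv4addr": "172.25.8.10", "mac": "a1:b2:c3:d4:e5:f6",
                   "host": "prtg-probe-freerradius-zmkbern.zmk.unibe.ch"}],
    "name": "prtg-probe-freeradius-ssid.domain.xy", "view": "default"}])


def normalize_mac(calling_station_id):
    """Hypothetical helper: 'A1-B2-C3-D4-E5-F6' or 'a1b2.c3d4.e5f6' -> 'a1:b2:c3:d4:e5:f6'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def build_wapi_path(network, mac, version="v2.11.3"):
    """Same query string the rest module expands; urlencode does the %2F / %3A escaping."""
    return "/wapi/%s/record:host?%s" % (version, urlencode({"network": network, "mac": mac}))


def decide(status_code, body, network, mac):
    """Mirror the unlang policy: accept only on HTTP 200 with a non-empty body.
    Anything else (403, 5xx, HTML error page, empty list) fails closed, like userlock did."""
    if status_code != 200:
        return "reject"
    try:
        records = json.loads(body)
    except ValueError:            # e.g. the text/html 403 page instead of JSON
        return "reject"
    if not records:               # body == "[]": MAC is not in that subnet
        return "reject"
    subnet = ipaddress.ip_network(network)
    # Added strictness: trust the record only if it really matches MAC and subnet.
    for rec in records:
        for addr in rec.get("ipv4addrs", []):
            try:
                in_subnet = ipaddress.ip_address(addr.get("ipv4addr", "")) in subnet
            except ValueError:
                continue
            if in_subnet and addr.get("mac", "").lower() == mac:
                return "accept"
    return "reject"
```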