rlm_rest: update attributes on http/401 response?

GIRSTMAIR Tobias tobias.girstmair at tirol.gv.at
Tue Mar 24 15:52:09 UTC 2026


Hi all,

We are using the rlm_rest module to make authentication decisions. We
would like to pass the rejection reason our REST API came up with back
to FreeRADIUS for logging with rlm_sqllog.
We managed to pass attributes back when returning a JSON payload with
http/200 (accept), but it doesn't work for http/401 (reject).

Is there a way during a reject to signal some log message from the REST
API back to freeradius (like it works during accept)?

I've noticed that the documentation says the following:

        #  Authorize/Authenticate
        #
        #  Code   Meaning       Process body  Module code
        #  401    unauthorized  yes           reject
        #  2xx    successful    yes           ok/updated

but also:

        #  If the body is processed and found to contain attribute
        #  updated will be returned, except in the case of a 401 code.

As far as I understand, "Process body = yes" should mean that
attributes are updated, except for the case of 401, where this doesn't
happen.


Here's a rough sketch of our setup and what we tried:


We have configured a REST request in the authorize and post-auth
sections.

When a client is allowed into the network, a http/200 message with this
payload (and corresponding content-type header) is returned from our
REST API:

{
  "Extreme-Netlogin-Extended-Vlan":"UvlanWhatever",
  "control:mycompany-vlan":"vlanWhatever"
}

FreeRADIUS correctly parses this and adds the VLAN tag in the response
headed to the NAS, and the "control:" are available for use, like in
the snippet below.

server default {
    post-auth {
        if (&control:mycompany-vlan == "vlanSpecialCase") {
            update control {
                Auth-Type := Accept
                mycompany-reject-reason := "none"
            }
        }
        else {
            eap
        }
    }
}

We save some extra detail in `mycompany-reject-reason`. This is then
stored in our logs. That works beautifully.

However, when a client is rejected, we would like to also update
`mycompany-reject-reason` but with the rejection message coming from
the REST call, which returns a http/401 like this:

{
  "control:mycompany-reason": "why the client was rejected"
}

We have tried to then update the `mycompany-reason` unlang attribute
(the `update control` block below was missing its closing brace in the
original post; it is added here so the snippet parses):

server default {
    post-auth {
        Post-Auth-Type REJECT {
            update control {
                mycompany-reject-reason := &control:mycompany-reason
            }
        }
    }
}

However, this does not work: no attributes are updated, and this gets
printed to the logs:

Tue Mar 24 15:07:29 2026 : ERROR: (822634) rest: ERROR: Server
returned:
Tue Mar 24 15:07:29 2026 : ERROR: (822634) rest: ERROR:
{"control:mycompany-reason":"the failure message"}
Tue Mar 24 15:07:29 2026 : Auth: (822634) Rejected in post-auth:
[user at example.com/<via Auth-Type = eap>] (from client nas01.example.com
port 0 cli aabbccddeeff)
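Added example, not part of the post above and not rlm_rest's own code: a small Python model of the status-code table the post quotes from the rlm_rest configuration comments, plus a decoder for the `list:attribute` JSON payload the post sends. Rows of the table the post does not quote (404/410, 403, 204, 5xx, other) are taken from the same configuration file; treating a bare attribute name as belonging to the reply list is an assumption consistent with the post's 200 example, where the VLAN attribute ends up in the response to the NAS. Running it with the two payloads from the post shows that a 401 body is decoded just like a 2xx body, but the module code is `reject` rather than `updated`.

```python
"""Model of the rlm_rest status-code table quoted on this page.

Written for this page as an illustration; it is not rlm_rest's code.
"""
import json

# Fixed rows from the rlm_rest configuration comments: (process_body, module code).
# 401 and 2xx are the rows quoted in the post; the others come from the same
# table in raddb/mods-available/rest.
_FIXED_ROWS = {
    404: (False, "notfound"),
    410: (False, "notfound"),
    403: (False, "userlock"),
    401: (True, "reject"),
    204: (False, "ok"),
}


def parse_attr_ref(name):
    """Split "control:mycompany-vlan" into ("control", "mycompany-vlan").

    A bare name such as "Extreme-Netlogin-Extended-Vlan" is assigned to
    the reply list (assumption, see lead-in).
    """
    if ":" in name:
        lst, attr = name.split(":", 1)
        return lst, attr
    return "reply", name


def decode_body(body):
    """Turn a JSON object body into a list of (list, attribute, value).

    A JSON array value produces one attribute per element. An empty body
    yields no attributes; a non-object body is rejected.
    """
    if not body or not body.strip():
        return []
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("attribute payload must be a JSON object")
    pairs = []
    for name, value in data.items():
        lst, attr = parse_attr_ref(name)
        values = value if isinstance(value, list) else [value]
        for v in values:
            pairs.append((lst, attr, str(v)))
    return pairs


def module_rcode(status, body):
    """Return (module code, decoded attributes) for an HTTP response.

    Follows the quoted table: 401 processes the body but always returns
    reject; 2xx returns ok with no attributes and updated when the body
    adds some; 5xx is fail; anything else is invalid.
    """
    if status in _FIXED_ROWS:
        process, code = _FIXED_ROWS[status]
        return code, (decode_body(body) if process else [])
    if 200 <= status < 300:
        attrs = decode_body(body)
        return ("updated" if attrs else "ok"), attrs
    if 500 <= status < 600:
        return "fail", []
    return "invalid", []


if __name__ == "__main__":
    # Constructed inputs: the two payloads from the post.
    accept_body = ('{"Extreme-Netlogin-Extended-Vlan":"UvlanWhatever",'
                   '"control:mycompany-vlan":"vlanWhatever"}')
    reject_body = '{"control:mycompany-reason":"why the client was rejected"}'
    for status, body in ((200, accept_body), (401, reject_body), (204, accept_body)):
        code, attrs = module_rcode(status, body)
        print(f"HTTP {status} -> module code {code}")
        for lst, attr, value in attrs:
            print(f"  {lst}:{attr} = {value!r}")
```

The point the model makes concrete is the one the post's two documentation quotes make together: "Process body = yes" for 401 means the attributes are decoded, but the module code is fixed at `reject`, so a 401 can never surface as `updated` the way a 2xx with attributes does.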
