rlm_rest: update attributes on http/401 response?
Alan DeKok
alan.dekok at inkbridge.io
Tue Mar 24 22:48:29 UTC 2026
On Mar 25, 2026, at 4:52 AM, GIRSTMAIR Tobias via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> We are using the rlm_rest module to make authentication decisions. We
> would like to pass the rejection reason our REST API came up with back
> to FreeRadius for logging with rlm_sqllog.
> We managed to pass attributes back when returning a JSON payload with
> http/200 (accept), but it doesn't work for http/401 (reject).
Yes.
> Is there a way during a reject to signal some log message from the REST
> API back to freeradius (like it works during accept)?
You'll have to change the source code to add that.
> I've noticed that the documentation says the following:
>
> # Authorize/Authenticate
> #
> # Code   Meaning        Process body   Module code
> # 401    unauthorized   yes            reject
> # 2xx    successful     yes            ok/updated
>
> but also:
>
> # If the body is processed and found to contain attribute updated will be returned,
> # except in the case of a 401 code.
Hm... the code looks like it processes the response and adds attributes for the 401 case. But I haven't tried it in detail myself.
> However, when a client is rejected, we would like to also update
> `mycompany-reject-reason` but with the rejection message coming from
> the REST call, which returns a http/401 like this:
>
> {
> "control:mycompany-reason": "why the client was rejected"
> }
That sounds useful, yes.
> However, this does not work: no attributes are updated, and this gets
> printed to the logs:
Perhaps try running the server in debug mode, as suggested pretty much everywhere. Set up a test system. VMs are free.
> Tue Mar 24 15:07:29 2026 : ERROR: (822634) rest: ERROR: Server returned:
> Tue Mar 24 15:07:29 2026 : ERROR: (822634) rest: ERROR: {"control:mycompany-reason":"the failure message"}
That looks like it's at least seeing the json message.
> Tue Mar 24 15:07:29 2026 : Auth: (822634) Rejected in post-auth: [user at example.com/<via Auth-Type = eap>] (from client nas01.example.com port 0 cli aabbccddeeff)
Since you're not looking at the debug output, you won't be able to see what's happening in the "post-auth" section.
Run the server in debug mode. As ALL of the documentation says, it's the best way to solve these issues.
Alan DeKok.
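
Added example, not part of the original message and not FreeRADIUS code: a stand-in REST backend for the test system suggested above, answering 200 or 401 with the JSON attribute body from the quoted payload so that both cases can be compared in debug output. The test account, the function names and the JSON request shape (`username`/`password` keys) are assumptions; the request format depends on how the rest module is configured.

```python
import hmac
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"alice": "correct-horse"}      # constructed test account
REASON = "control:mycompany-reason"     # attribute name from the quoted payload

def decide(username, password):
    """Return (http_status, attributes) for one authentication attempt."""
    if not isinstance(username, str) or username not in USERS:
        return 401, {REASON: "unknown user"}
    ok = isinstance(password, str) and hmac.compare_digest(
        password.encode(), USERS[username].encode())
    return (200, {REASON: "accepted"}) if ok else (401, {REASON: "wrong password"})

class AuthHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length") or 0)
            req = json.loads(self.rfile.read(length) or b"{}")
            status, attrs = decide(req.get("username"), req.get("password"))
        except (ValueError, AttributeError):
            status, attrs = 401, {REASON: "malformed request"}
        body = json.dumps(attrs).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # silence per-request logging

def start_server(port=0):
    """Serve on 127.0.0.1 in a background thread; port 0 picks a free port."""
    server = HTTPServer(("127.0.0.1", port), AuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(port, username, password):
    """POST one attempt; return (status, parsed body), also for a 401."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/", json.dumps({"username": username, "password": password}),
                 {"Content-Type": "application/json"})
    resp = conn.getresponse()
    result = (resp.status, json.loads(resp.read()))
    conn.close()
    return result
```

From an interactive Python session, `start_server(8080)` keeps the stub running in the background; `probe()` confirms what the backend sends before the debug output of the RADIUS server is compared for an accepted and a rejected login.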