Using FreeRADIUS, I need to authenticate RADIUS users against a web backend and have been attempting to use the rlm_rest module to do it. See here.

In my site configuration I have something like this:

authorize {
    rest
}

and in the authentication section I've tried things like these:

authenticate {
    Auth-Type REST {
        rest
    }
}

or

authenticate {
    rest
}

In either case I get the following error: (2) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

On my web server, I am returning the 204 code as it seems like that should authenticate the user without additional processes. See here. The authorization seems to work fine, but that error is returned once the authentication section is reached.

What I need to know is the combination of "users" file entry and sites-available entries that I need to allow the rlm_rest module to complete the authentication portion of the request. Thanks,

freb

1 Answer


Rest doesn't set the Auth-Type, you have to do it manually.

authorize {
    rest
    if (ok) {
        update control {
            Auth-Type := rest
        }
    }
}

authenticate {
    rest
}

Auth-Types are automatically created for modules listed in authenticate (you don't actually need the Auth-Type stanza).

You don't need to call rest in authorize if you don't need to; something like this would also work fine:

authorize {
    if (User-Password) {
        update control {
            Auth-Type := rest
        }
    }
}

Edit:

Note: Prior to version 3.0.4 the REST module used control:Cleartext-Password to get the user's password, so in order for the module to work you'd need to copy the value over from request:User-Password:

authorize {
    if (User-Password) {
        update control {
            Cleartext-Password := &User-Password
            Auth-Type := rest
        }
    }
}

Versions 3.0.4 and later look for request:User-Password instead, which should just work in most cases.

Arran Cudbard-Bell
  • Also, let me know if you get it working. That code path hasn't been well tested, so I'm interested to see your results :) – Arran Cudbard-Bell May 21 '14 at 06:41
  • Thanks for the answer. I'm definitely on the next step of the issue. It is now authorizing but when it gets to the authentication section, it gives the error `ERROR: rest : Can't perform authentication, 'Cleartext-Password' attribute not found in the control list`. I'm not returning the cleartext password in the REST response as I'd like to rely on the web server for the logic. Maybe this isn't how it works? – freb May 24 '14 at 20:23
  • Hm, no it's how it works. For some odd reason the REST module was checking for a Cleartext-Password attribute in the control list. I've switched it to be the same as PAP, so it should work now. You can either use the latest v3.0.x HEAD or see above... – Arran Cudbard-Bell May 24 '14 at 21:09
  • Just tested your update for the `authorize` section and it seems to be working fine. Updated my test web server to deliver a `401` and then was receiving an `Access-Reject` as expected. Thanks for all the help. I'm pretty new to FreeRADIUS and am still learning. This module is exactly what I needed. – freb May 24 '14 at 23:28
  • No problem. Glad you got it working :) – Arran Cudbard-Bell May 25 '14 at 08:26
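
A minimal web backend of the kind this thread's configuration calls, as an added example (not code from the question, the answer or FreeRADIUS): it answers 204 to accept and 401 to reject, the two status codes used in the thread. It assumes the rest module's authenticate section is configured to POST a JSON body with the hypothetical keys `username` and `password`; the user store, salt and port are constructed.

```python
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash so the backend never stores cleartext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store: username -> (salt, PBKDF2-SHA256 digest).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Record hashed against for unknown users, so both paths cost one PBKDF2 run.
_DUMMY = (_SALT, _hash("dummy", _SALT))

def auth_status(raw_body: bytes) -> int:
    """Return 204 (accept) or 401 (reject) for one request body.

    Assumed body shape: {"username": "...", "password": "..."}.
    Anything malformed is rejected rather than accepted.
    """
    try:
        req = json.loads(raw_body)
        user, password = req["username"], req["password"]
    except (ValueError, KeyError, TypeError):
        return 401
    if not isinstance(user, str) or not isinstance(password, str):
        return 401
    salt, expected = USERS.get(user, _DUMMY)
    # Constant-time comparison of the derived digests.
    matches = hmac.compare_digest(_hash(password, salt), expected)
    return 204 if (matches and user in USERS) else 401

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        # 204 carries no body, so the status line and headers are the whole reply.
        self.send_response(auth_status(self.rfile.read(length)))
        self.end_headers()

if __name__ == "__main__":
    # Loopback only: the request carries the user's password, so anything
    # beyond localhost should sit behind TLS.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```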