1

I read : Configuring rlm_rest module in FreeRadius

My FreeRadius version is 3.0.11 (git #d667a28)

My try is using included demo.pl, just change the port.

radtest --> radtest testing testing123 127.0.0.1 1 testing123

I tried some scenario for 'authorize' section.

#authorize {
#    if (User-Password) {
#        update control {
#            Auth-Type := rest
#        }
#    }
#}

#authorize {
#    if (User-Password) {
#        update control {
#            Cleartext-Password := User-Password
#            Auth-Type := rest
#        }
#    }
#}

authorize {
    update control {
        Auth-Type := rest
    }
}

But I always got : 'Failed to authenticate the user'

Debug :

Tue Aug 30 03:54:46 2016 : Debug: (0) rest: EXPAND /
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:    --> /
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Sending HTTP POST to "http://10.10.255.2:5000/"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Adding custom headers:
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   X-FreeRADIUS-Section: authenticate
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   X-FreeRADIUS-Server: default
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Request body content-type will be "application/json"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Encoding attribute "User-Name"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Type   : string
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Length : 7
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Value  : "testing"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Encoding attribute "User-Password"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Type   : string
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Length : 10
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Value  : "testing123"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Encoding attribute "NAS-IP-Address"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Type   : ipaddr
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Length : 9
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Value  : "127.0.1.1"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Encoding attribute "NAS-Port"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Type   : integer
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Length : 1
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Value  : 1
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Encoding attribute "Message-Authenticator"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Type   : octets
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Length : 34
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Value  : "0x9d06a674fbd767958883955ee01ec1cb"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: JSON Data: {"User-Name":{"type":"string","value":["testing"]},"User-Password":{"type":"string","value":["testing123"]},"NAS-IP-Address":{"type":"ipaddr","value":["127.0.1.1"]},"NAS-Port":{"type":"integer","value":[1]},"Message-Authenticator":{"type":"octets","value":["0x9d06a674fbd767958883955ee01ec1cb"]}}
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Returning 296 bytes of JSON data
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Processing response header
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:   Status : 200 (OK)
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:   Type   : json (application/json)
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Parsing attribute "control:Cleartext-Password"
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:   Type   : string
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:   Length : 10
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:   Value  : "testing123"
Tue Aug 30 03:54:47 2016 : Debug: testing123
Tue Aug 30 03:54:47 2016 : Debug: Parsed xlat tree:
Tue Aug 30 03:54:47 2016 : Debug: literal --> testing123
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: EXPAND testing123
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:    --> testing123
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Cleartext-Password := "testing123"
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: FROM 1 TO 1 MAX 2
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: Examining Cleartext-Password
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: APPENDING Cleartext-Password FROM 0 TO 1
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: TO in 1 out 1
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: to[0] = Auth-Type
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Parsing attribute "reply:Reply-Message"
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:   Type   : string
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:   Length : 18
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:   Value  : "Hello from demo.pl"
Tue Aug 30 03:54:47 2016 : Debug: Hello from demo.pl
Tue Aug 30 03:54:47 2016 : Debug: Parsed xlat tree:
Tue Aug 30 03:54:47 2016 : Debug: literal --> Hello from demo.pl
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: EXPAND Hello from demo.pl
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:    --> Hello from demo.pl
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Reply-Message := "Hello from demo.pl"
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: FROM 1 TO 0 MAX 1
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: Examining Reply-Message
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: APPENDING Reply-Message FROM 0 TO 0
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: TO in 0 out 0
Tue Aug 30 03:54:47 2016 : Debug: rlm_rest (rest): Released connection (0)
Tue Aug 30 03:54:47 2016 : Debug: (0)     modsingle[authenticate]: returned from rest (rlm_rest) for request 0
Tue Aug 30 03:54:47 2016 : Debug: (0)     [rest] = updated
Tue Aug 30 03:54:47 2016 : Debug: (0)   } # authenticate = updated
Tue Aug 30 03:54:47 2016 : Debug: (0) Failed to authenticate the user
Tue Aug 30 03:54:47 2016 : Debug: (0) Using Post-Auth-Type Reject

Could you please give me any clue ?

Community
  • 1
Bino Oetomo
  • 207
  • 3
  • 10

2 Answers2

1

You're not using rest to do authentication here, you're just using it to retrieve the user's password.

You need to list the pap module too to actually perform the comparison.

i.e.

authorize {
    rest
    pap
}

authenticate {
    pap
}
Arran Cudbard-Bell
  • 1,514
  • 1
  • 9
  • 18
0

if authorize route is already authenticating the user, perhaps you could just set Auth-Type to Accept. It works for me, but I'm open to hear any drawbacks this has

#authorize {
#    if (User-Password) {
#        update control {
#            Auth-Type := Accept
#        }
#    }
#}
G-John
  • 1