I am working on an integration between FreeRADIUS 3.0.15 and an API server in NodeJS, which will handle accounting, authorization and authentication. This is all documented (for instance, this repo is a very valuable starting point) and relatively straightforward.

However, I also want to use the Dynamic Clients module, and let my API server decide whether a client is allowed or not. I couldn't find any documentation on this, except for this thread on the FreeRADIUS mailing list, which contains a working example on how to let a remote API authorize a client:

    # /sites-available/dynamic-clients
    server dynamic_clients {
        authorize {
            # A non-empty response from the API means the client is known
            if ("%{rest: https://url?ipaddress='%{Packet-Src-IP-Address}'}") {
                update control {
                    &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
                    &FreeRADIUS-Client-Shortname = "%{rest: https://url?ipaddress='%{Packet-Src-IP-Address}'&return=shortname}"
                    &FreeRADIUS-Client-Secret = "%{rest: https://url?ipaddress='%{Packet-Src-IP-Address}'&return=secret}"
                }
            }
            ok
        }
    }

This works, although there are a couple of issues:

  1. Is it possible to call the server only once to get different attributes? In the above cited thread, one of the authors suggests to "format your responses correctly" and links to some API docs, but I honestly could not understand what it means.
  2. Is it possible to send a POST request with a JSON payload? This is not crucial but it's easily doable when configuring the rest module, just by declaring a section:

    # /mods-available/rest
    rest {
        # ... other sections
        authenticate {
            uri = "${..connect_uri}/radius/authenticate"
            method = 'post'
            body = 'json'
            data = '{ "username": "%{User-Name}", "password": "%{User-Password}" }'
        }
        # ... other sections
    }

In this respect, what I am missing is the syntax for the REST expansion. I looked around but couldn't find anything (the only documentation page I found says there is no available expansion).

TomSCW

1 Answer

The JSON response format is documented in raddb/mods-available/rest. The link from the mailing list originally linked to an anchor which also displayed the same JSON response format, but those get stale.

  1. Yes, you can return multiple attributes, with different lists, operators and values, but the rest string expansion won't do that; it'll just dump the API server's response into a string. You need to call the REST module directly.

  2. Yes, you can, by calling the rlm_rest module as you said. The string expansion is just for when you want to do post-processing of the server's response. Say you had a custom API which didn't return a JSON blob in the right format, you could take the output of the rest expansion, feed it through a JSON map and extract the data that way... At least you can in v4.0.x, not in v3.0.x.

Arran Cudbard-Bell
  • Thanks for the clarification, for now we are sticking to v3.0.x, will update to 4 once it's officially released. In the meanwhile, we'll use some other methods to process data from our API server... – TomSCW Feb 15 '18 at 13:51
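
The single-call lookup the answer describes, as an added example (not code from the original posts or from the FreeRADIUS project): a Node.js handler that returns all three client attributes in one JSON body, in the response format documented in raddb/mods-available/rest, when the rest module is called directly with a POST. The `control:` list prefix on the attribute names, the `ipaddress` request field, the 400/404 status choices and the client table are assumptions of this example.

```javascript
// Added example, not from the original post. Builds the JSON body that
// rlm_rest parses into attributes when the module is called directly.

// Constructed sample data: known NAS addresses and their settings.
const CLIENTS = new Map([
  ['192.0.2.10', { shortname: 'branch-ap-1', secret: 'example-secret-1' }],
  ['192.0.2.11', { shortname: 'branch-ap-2', secret: 'example-secret-2' }],
]);

// Strict dotted-quad check so malformed input never reaches the lookup.
function isIPv4(s) {
  if (typeof s !== 'string') return false;
  const parts = s.split('.');
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Returns { status, body } for one lookup. All three attributes are placed
// in the control list by a single response, instead of one GET per attribute.
function dynamicClientResponse(srcIp) {
  if (!isIPv4(srcIp)) return { status: 400, body: {} };
  const client = CLIENTS.get(srcIp);
  if (!client) return { status: 404, body: {} }; // unknown NAS: no attributes
  return {
    status: 200,
    body: {
      'control:FreeRADIUS-Client-IP-Address': { op: ':=', value: [srcIp] },
      'control:FreeRADIUS-Client-Shortname': { op: ':=', value: [client.shortname] },
      'control:FreeRADIUS-Client-Secret': { op: ':=', value: [client.secret] },
    },
  };
}

// Assumed request body, sent by a rest section configured with:
//   data = '{ "ipaddress": "%{Packet-Src-IP-Address}" }'
function handleLookup(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, body: {} }; // not JSON at all
  }
  return dynamicClientResponse(parsed && parsed.ipaddress);
}
```

Serve the result of `handleLookup` with `JSON.stringify(body)` and a `Content-Type: application/json` header over TLS, since the response carries the client's shared secret.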