
I need to set up a Freeradius network to control access to a network using a REST API.

In this scenario, I need the REST API to decide whether to accept or deny requests, and make Freeradius forward the result directly to the NAS. No password checking in Freeradius, but delegating the whole logic to the REST API.

This SF ticket and this SO ticket describe a similar situation, but not exactly the same case, as those are set up to retrieve the user's password from the REST API and let Freeradius decide, comparing the password provided by the user with the one retrieved via REST.

The thing is, I'm getting this log:

(0) Received Access-Request Id 17 from 10.89.1.17:49039 to 10.89.1.17:1812 length 151
(0)   User-Name = "username"
(0)   NAS-Identifier = "OPEWRT"
(0)   NAS-Port = 0
(0)   Called-Station-Id = "XX-XX-XX-XX-XX-XX:TEST"
(0)   Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
(0)   Framed-MTU = 1400
(0)   NAS-Port-Type = Wireless-802.11
(0)   Connect-Info = "CONNECT 0Mbps 802.11b"
(0)   EAP-Message = 0x02ec000b01747265676664
(0)   Message-Authenticator = 0x49bae1c6eebea19a2caa223153541840
(0) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default
(0)   authorize {
rlm_rest (rest): Reserved connection (0)
(0) rest: Expanding URI components
(0) rest: EXPAND http://rest:8080
(0) rest:    --> http://rest:8080
(0) rest: EXPAND /authorize/user/%{User-Name}?mac=%{Called-Station-ID}
(0) rest:    --> /authorize/user/tregfd?mac=XX-XX-XX-XX-XX-XX%3ATEST
(0) rest: Sending HTTP GET to "http://rest:8080/authorize/user/tregfd?mac=XX-XX-XX-XX-XX-XX%3ATEST"
(0) rest: Processing response header
(0) rest:   Status : 200 ()
(0) rest:   Type   : plain (text/plain)
(0) rest: Adding reply:REST-HTTP-Status-Code = "200"
(0) rest: Adding reply:REST-HTTP-Body += "Authorized OK to tregfd from station XX-XX-XX-XX-XX-XX%:TEST"
rlm_rest (rest): Released connection (0)
Need more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (5), 1 of 27 pending slots used
rlm_rest (rest): Connecting to "http://rest:8080"
(0)     [rest] = updated
(0)     if (ok) {
(0)     if (ok)  -> FALSE
(0)   } # authorize = updated
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /opt/etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> tregfd
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0) eap: Request was previously rejected, inserting EAP-Failure
(0) eap: Sending EAP Failure (code 4) ID 236 length 4
(0)     [eap] = updated
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 17 from 10.89.1.17:1812 to 10.89.1.17:49039 length 44
(0)   EAP-Message = 0x04ec0004
(0)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 17 with timestamp +11 due to cleanup_delay was reached
Ready to process requests

What is happening in this process for rlm_rest to return FALSE?

(0)     if (ok)  -> FALSE

My desired setup would be to remove every non-required module and setting so that Freeradius relies only on REST to accept/account users.

Can you help me?

GonAlonso

0 Answers
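The log already answers the first question. In unlang, `if (ok)` tests the return code of the module that ran just before it. The `rest` call returned `updated`, not `ok`, because it added reply attributes (`REST-HTTP-Status-Code` and `REST-HTTP-Body`, visible in the lines above), so the condition is FALSE, nothing sets `Auth-Type`, and the server falls into "No Auth-Type found: rejecting the user". The following virtual server is an added example, not the asker's configuration and not shipped by the FreeRADIUS project: it tests for both `ok` and `updated`, and accepts through the built-in `Auth-Type Accept` so no password check runs in `authenticate`. The `rest` module instance name, the `attr_filter.access_reject` reference and the section layout follow the stock FreeRADIUS 3.x `sites-enabled/default`; the decision to keep only these modules, and the assumption that the REST backend answers 401 for denied users, are this example's own.

```unlang
# Added example of a minimal FreeRADIUS 3.x virtual server that delegates
# the accept/deny decision entirely to the rlm_rest module. It is not the
# original poster's config. Assumed: the rest module instance is named
# "rest" and the REST backend returns 2xx for allowed users and 401 for
# denied users.
server default {
    listen {
        type = auth
        ipaddr = *
        port = 0
    }
    listen {
        type = acct
        ipaddr = *
        port = 0
    }

    authorize {
        # rlm_rest maps the HTTP status to a module return code:
        #   2xx -> ok, or updated when it also added reply attributes
        #          (the case in the log above: text/plain bodies land in
        #          reply:REST-HTTP-Body, so the rcode is "updated")
        #   401 -> reject
        #   404 -> notfound
        #   5xx -> fail
        rest

        # "if (ok)" alone is false when the rcode is "updated".
        if (ok || updated) {
            # Built-in Auth-Type that accepts without running any
            # password-checking module in the authenticate section.
            update control {
                &Auth-Type := Accept
            }
        }
        else {
            reject
        }
    }

    authenticate {
        # Intentionally empty: Auth-Type Accept never enters this section.
    }

    accounting {
        # Same module, so accounting packets are delegated to the API too.
        rest
    }

    post-auth {
        Post-Auth-Type REJECT {
            # Keep the reply attribute filter so internal REST-* attributes
            # and anything the API put in the reply never reach the NAS.
            attr_filter.access_reject
        }
    }
}
```

Two caveats a practitioner would want before relying on this. First, the captured request carries an `EAP-Message` and no password attribute at all: the OpenWrt access point is doing 802.1X, and an 802.1X supplicant will not treat a bare Access-Accept as success, it needs an EAP conversation that ends with EAP-Success. For EAP clients the `eap` module has to stay and terminate the method (PEAP, EAP-TTLS and so on); the REST decision can then be applied on the inner-tunnel request, or in `post-auth` by calling `reject` when the API denies the user. Second, a decision made only on `User-Name` and `Called-Station-Id` with no credential verified by anyone is equivalent to an allowlist of self-reported identities, and the `http://rest:8080` call is plaintext, so both the API's input and the FreeRADIUS-to-API link deserve authentication and TLS.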