EAP-PEAP REST Authorize Multiple API Calls

EAP-PEAP REST Authorize Multiple API Calls

Emile Swarts
Hi,

I use the rest module to authenticate with a custom API backend with
EAP-PEAP.
It works well apart from the fact that each request hits the backend API 3
times.

I have no rest calls in my default virtual server, just the inner-tunnel.

Does anyone have any ideas on how to fix this?

This is what my inner-tunnel virtual server looks like:

server inner-tunnel {
  authorize {
    filter_username
    rest
    eap {
      ok = return
    }
  }

  authenticate {
    Auth-Type MS-CHAP {
      mschap
    }
    eap
  }

  session {
  }

  post-auth {
    redundant {
      rest
      ok
    }

    Post-Auth-Type REJECT {
      redundant {
        rest
        fail
      }
    }
  }

  pre-proxy {
  }

  post-proxy {
    eap
  }
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-PEAP REST Authorize Multiple API Calls

Alan DeKok-2
On Jan 9, 2019, at 10:31 AM, Emile Swarts <[hidden email]> wrote:
> I use the rest module to authenticate with a custom API backend with
> EAP-PEAP.
> It works well apart from the fact that each request hits the backend API 3
> times.

  With EAP, even the inner tunnel uses multiple round trips, and therefore multiple packets.

> I have no rest calls in my default virtual server, just the inner-tunnel.
>
> Does anyone have any ideas on how to fix this?

  Do the REST call only once. :)

  But more helpfully, do the REST call only if it wasn't already done.  If you're using a recent version of the server, you can use the "session-state" list to remember things across multiple packets.

> This is what my inner-tunnel virtual server looks like:
>
> server inner-tunnel {
>  authorize {
>    filter_username
>    rest

  Do something like:

        if (!&session-state:Tmp-String-0) {
                rest
                update session-state {
                        Tmp-String-0 := "done rest"
                        # ... and copy the attributes returned from rest to session-state!
                }
        } else {
                update control {
                        # ... copy REST attributes from session-state to wherever...
                }
        }

  There's a bit of glue to be done, but it should be clear enough.

  Alan DeKok.
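
The "glue" from the reply above, filled in as an added example (not part of either post and not FreeRADIUS's own configuration). It assumes FreeRADIUS 3.x unlang syntax and that the REST backend returns the credential as control:Cleartext-Password; substitute whatever attributes your API actually returns.

```unlang
# Assumed replacement for the authorize section of the inner-tunnel server.
authorize {
  filter_username

  # First packet of this inner EAP session: no marker cached yet.
  if (!&session-state:Tmp-String-0) {
    rest

    # Cache only when the backend really returned a credential, so a
    # failed or empty lookup is retried on the next round trip.
    # (control:Cleartext-Password is an assumption about the API reply.)
    if (&control:Cleartext-Password) {
      update session-state {
        &Tmp-String-0 := "done rest"
        &Cleartext-Password := &control:Cleartext-Password
      }
    }
  }
  else {
    # Later round trips of the same session: restore the cached
    # value into control and skip the API call entirely.
    update control {
      &Cleartext-Password := &session-state:Cleartext-Password
    }
  }

  eap {
    ok = return
  }
}
```

The rest calls in post-auth are untouched, so the backend still sees one post-auth request per completed authentication.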


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html