How freeradius responds in json format to the request to authorize


Users mailing list
Hello! I am a new Freeradius user. I'm participating in the Google Summer Code and I'm working on an OpenWISP project regarding the creation of a freeradius web interface. This app, Django-freeradius, will be a web interface to manage a freeradius database using the Django Rest framework.
I installed FreeRADIUS Version 3.0.12 on Ubuntu.
I am using rlm_rest so I can configure freeradius to delegate some or all of its operations (authorization, authentication, accounting, mail order) to a REST API.
But I can not understand how freeradius responds in json format to the request to authorize.
I tried to accept the user with Auth-Type: = Accept
And for the user to refuse: Auth-Type: = Reject but it does not work. If anyone could give me an explanation
I'll be more than happy. Thank you!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How freeradius responds in json format to the request to authorize

Alan DeKok-2

> On Jul 23, 2017, at 9:25 AM, Fiorella De Luca via Freeradius-Users <[hidden email]> wrote:
>
> Hello! I am a new Freeradius user. I'm participating in the Google Summer Code and I'm working on an OpenWISP project regarding the creation of a freeradius web interface. This app, Django-freeradius, will be a web interface to manage a freeradius database using the Django Rest framework.
> I installed FreeRADIUS Version 3.0.12 on Ubuntu.
> I am using rlm_rest so I can configure freeradius to delegate some or all of its operations (authorization, authentication, accounting, mail order) to a REST API.

  OK...

> But I can not understand how freeradius responds in json format to the request to authorize.

  I'm not sure what that means...

> I tried to accept the user with Auth-Type: = Accept
> And for the user to refuse: Auth-Type: = Reject but it does not work. If anyone could give me an explanation
> I'll be more than happy. Thank you!

   Perhaps you could explain what you're trying to do.

  Explain in detail what you configured, what happened, and what you expected to happen.

  Alan DeKok.




Re: How freeradius responds in json format to the request to authorize

arr2036
In reply to this post by Users mailing list

> On 23 Jul 2017, at 09:25, Fiorella De Luca via Freeradius-Users <[hidden email]> wrote:
>
> Hello! I am a new Freeradius user. I'm participating in the Google Summer Code and I'm working on an OpenWISP project regarding the creation of a freeradius web interface. This app, Django-freeradius, will be a web interface to manage a freeradius database using the Django Rest framework.

That’s a good choice.  We had a project to do that a while back, it just didn’t end up progressing far.

I think the approach of using the Rest interface instead of SQL is good.  The SQL format is too limiting.

> I installed FreeRADIUS Version 3.0.12 on Ubuntu.
> I am using rlm_rest so I can configure freeradius to delegate some or all of its operations (authorization, authentication, accounting, mail order)

Not sure what “mail order” is, but sure.

> to a REST API.
> But I can not understand how freeradius responds in json format to the request to authorize.
> I tried to accept the user with Auth-Type: = Accept
> And for the user to refuse: Auth-Type: = Reject but it does not work. If anyone could give me an explanation
> I'll be more than happy. Thank you!

The request/response format is documented here:

        https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/mods-available/rest#L92

If you want response attributes to go into different lists, then you can qualify the attribute name with a list name.

For your example of Auth-Type the JSON for ‘Accept’ would be:

{
        "control:Auth-Type": "Accept"
}

and for reject:

{
        "control:Auth-Type": "Reject"
}

Let me know if this doesn’t work.  I’m fairly sure I added list qualifier extraction to the rlm_rest module.  If I didn’t it’s a simple fix.

-Arran


Re: How freeradius responds in json format to the request to authorize

Users mailing list
Hello! 
Regarding checks like bandwidth limits and session time limit, when authorizing through a REST API, I guess we can do these checks in the authorization phase via the REST API too and return an appropriate response accordingly, is this correct?

Example:
check the user exists, check password matches, check user has not exhausted their allocated daily bandwidth.


If it's not correct, what's the current best practice in this case?

Thank you for the help!

    On Monday, 24 July 2017 15:48, Arran Cudbard-Bell <[hidden email]> wrote:
 

 
> I've tried your suggestion and it worked!

Great!

> I wanted to ask you: are there any publicly available examples of implementations using authorize, authenticate, accounting, postauth (and any other operation) with a REST API?

No, unfortunately not.  If you've got some specific scenarios I can add some examples to wiki.freeradius.org.

> Another question: If we perform the username & password check in authorize, I suppose there's not much we will need to do in authenticate, correct?

For PAP (Plaintext auth) that's correct.  When you have more complex authentication mechanisms like EAP-PEAP, EAP-TTLS, MSCHAPv2, then the authentication flow is different.  For those methods, you generally need to retrieve the "known good" password via the REST interface, then call the appropriate module in authenticate to actually do something with it.

You could do this with pap too, if you're interested to see how it works.

authorize {
    rest
    pap
}

authenticate {
    pap
}

Then your JSON would be:

{
    "control:Cleartext-Password": {
        "op": ":=",
        "value": "<users password>"
    }
}

You can also return hashed passwords.  The attributes that hold them are in dictionary.freeradius.internal (https://github.com/FreeRADIUS/freeradius-server/blob/89380b053b3c85d7150cd125216bfefd7925f73a/share/dictionary.freeradius.internal#L149)

Search for -Password.

Note: Only Cleartext-Password will work for all authentication mechanisms.


> Thank you!

No problem.

-Arran

   

Re: How freeradius responds in json format to the request to authorize

Alan DeKok-2
On Jul 26, 2017, at 2:46 PM, Fiorella De Luca via Freeradius-Users <[hidden email]> wrote:
> Regarding checks like bandwidth limits and session time limit, when authorizing through a REST API, I guess we can do these checks in the authorization phase via the REST API too and return an appropriate response accordingly, is this correct?

  Yes.

  The REST back-end can do pretty much anything it wants with the data it gets, and it can return pretty much any data in response.

  FreeRADIUS can then use that response to set RADIUS attributes.

> Example:
> check the user exists, check password matches, check user has not exhausted their allocated daily bandwidth.

  yes.

  Alan DeKok.
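
The checks discussed in the last two messages (user exists, password matches, daily bandwidth not exhausted), as an added example that is not part of the thread and not FreeRADIUS or Django-freeradius code: a backend function that builds the list-qualified JSON body described earlier in the thread. The user store, its field names, the PBKDF2 parameters and the use of Reply-Message and Session-Timeout are assumptions; pulling the username and password out of the rlm_rest request is left to the HTTP layer, and a backend-side password check like this only suits PAP.

```python
import hashlib
import hmac
import json

def _hash(password, salt):
    # Store and compare derived keys, never the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample store; a real backend would query its user database.
USERS = {
    "alice": {"salt": b"s1", "pw": _hash("correct horse", b"s1"),
              "daily_quota": 1_000_000, "used_today": 250_000,
              "session_limit": 3600},
    "bob":   {"salt": b"s2", "pw": _hash("hunter2", b"s2"),
              "daily_quota": 1_000_000, "used_today": 1_000_000,
              "session_limit": 3600},
}
_DUMMY = {"salt": b"s0", "pw": _hash("", b"s0")}

def authorize(username, password, users=USERS):
    """Return the JSON body sent back to rlm_rest for an authorize call."""
    user = users.get(username)
    # Hash even for unknown users so timing does not reveal which names exist.
    ref = user or _DUMMY
    password_ok = hmac.compare_digest(_hash(password, ref["salt"]), ref["pw"])
    if user is None or not password_ok:
        # Same answer for "no such user" and "wrong password".
        return json.dumps({"control:Auth-Type": "Reject"})
    if user["used_today"] >= user["daily_quota"]:
        return json.dumps({
            "control:Auth-Type": "Reject",
            "reply:Reply-Message": "Daily bandwidth quota exhausted",
        })
    return json.dumps({
        "control:Auth-Type": "Accept",
        "reply:Session-Timeout": user["session_limit"],
    })
```
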

