REST module Access-Reject 401 Reply-Message

classic Classic list List threaded Threaded
3 messages Options
| Threaded
Open this post in threaded view
|

REST module Access-Reject 401 Reply-Message

Users mailing list
Question regarding the REST module please.

If we return a 401 which gets translated into an Access-Reject, is there any way to pass something back from REST which can be put into the reply message?

In our scenario each user can have a maximum number of sessions, and if that limit is reached, we want to pass that specific error back in the Access-Reject.

TIA
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: REST module Access-Reject 401 Reply-Message

Alan DeKok-2
On Feb 11, 2021, at 6:33 AM, Adrian Smith via Freeradius-Users <[hidden email]> wrote:
>
> Question regarding the REST module please.
>
> If we return a 401 which gets translated into an Access-Reject, is there any way to pass something back from REST which can be put into the reply message?

  Both the 401 and the normal case call rest_response_decode(), which decodes data in the REST reply.

  If there's no data in the 401 reply, then the module returns "reject".  If there is data in the 401 reply, then it's added to the request (as with normal replies), and then the module returns "fail".

> In our scenario each user can have a maximum number of sessions, and if that limit is reached, we want to pass that specific error back in the Access-Reject.

  You should be able to just return data in the 401 reply.

  As for the RADIUS side, pretty much the only thing you can put into the Access-Reject is Reply-Message.  That might (or might not) get shown to the user.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: REST module Access-Reject 401 Reply-Message

Jorge Pereira-2
In reply to this post by Users mailing list
Adrian,

        The next release 3.0.22 is coming up with the new attribute "REST-HTTP-Status-Code” that held the HTTP response code. Feel free to build your own package from https://github.com/FreeRADIUS/freeradius-server/commits/v3.0.x <https://github.com/FreeRADIUS/freeradius-server/commits/v3.0.x> branch if you want that now.

Then you will be able to do something like:

...
rest
If (“%{REST-HTTP-Status-Code}” != “200”) {
   update reply {
       &Reply-Message := “The %{User-Name} can’t log in due to %{REST-HTTP-Status-Code} http response code"
   }
   Reject
}


--
Jorge Pereira
[hidden email]




> Em 11 de fev de 2021, à(s) 08:33, Adrian Smith via Freeradius-Users <[hidden email]> escreveu:
>
> Question regarding the REST module please.
>
> If we return a 401 which gets translated into an Access-Reject, is there any way to pass something back from REST which can be put into the reply message?
>
> In our scenario each user can have a maximum number of sessions, and if that limit is reached, we want to pass that specific error back in the Access-Reject.
>
> TIA
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html