RESTful API

classic Classic list List threaded Threaded
11 messages Options
| Threaded
Open this post in threaded view
|

RESTful API

Daniel Kong
I know you guys are very busy helping the rest but I hope you can help me
with this. I would like freeradius to authenticate with 3rd party
application via REST API. I do have the configuration like below.

connect_uri = "http://10.18.6.22:8081/apps/"
authenticate {
uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
method = "get"
}

Problem is that I do not know what to be included in the request and
response for every authenticate, authorize, post-auth, and accounting. For
the response, I just include the HTTP status is sufficient for
authentication? How about the response for authorize, post-auth, and
accounting?

If the freeRadius is configured to use RESTful API, does other post-auth,
authorize, and accounting can be use with mysql so that only authentication
is using rest?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: RESTful API

Alan DeKok-2

> On Dec 17, 2018, at 11:15 PM, Daniel Kong <[hidden email]> wrote:
>
> I know you guys are very busy helping the rest but I hope you can help me
> with this. I would like freeradius to authenticate with 3rd party
> application via REST API. I do have the configuration like below.
>
> connect_uri = "http://10.18.6.22:8081/apps/"
> authenticate {
> uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
> method = "get"
> }

  OK...

> Problem is that I do not know what to be included in the request and
> response for every authenticate, authorize, post-auth, and accounting. For
> the response, I just include the HTTP status is sufficient for
> authentication? How about the response for authorize, post-auth, and
> accounting?

  You don't need to include anything in the response.  The documentation describes how the module works and what it does.

  FreeRADIUS treats the REST API as just another database.  There's no "requirement" to put anything into SQL, so there's no requirement to put anything in REST.

> If the freeRadius is configured to use RESTful API, does other post-auth,
> authorize, and accounting can be use with mysql so that only authentication
> is using rest?

  Yes.  You just list "rest" in the authenticate section, and "sql" elsewhere.

  Alan DeKok.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: RESTful API

Daniel Kong
Thanks for the feedback, Alan. I have more questions to ask regarding the
REST authentication. How does the freeRadius know that when to let the user
to gain access to the resources after invoke REST authentication? Does it
rely on the REST response http status? Eg. if the 3rd party application
returns a http status 200 means that the user is authenticated and able to
use the resource. However if the REST response returns a http status 401
means that he/she is unauthorized. Does the freeRadius interpret it this
way?

In order to use REST authentication only while the others like post-auth,
authorize, and accounting using the sql, I only need to configure the REST
for authentication. So my configuration would look like this? I just
comment off post-auth, authorize, and accounting. Correct me if I am wrong.

rest {
    tls {
        ...
    }

    authentication {
    }

    #authorize {
    #}

    #post-auth {
    #}

    #accounting {
    #}

    pool {
        ...
    }
}

So after authenticate is successful, freeRadius will do insertion of record
to radpostauth and radacct table by itself?

Our current usage of freeRadius is with mySQL. So we will insert record to
radcheck and radreply table while the rest of the table will be handled by
freeRadius. Now if we are using the REST for authentication, do we still
need to insert record to radcheck and radreply? Do we still rely on the
'Auth-Type' in the radcheck table?

Daniel.


On Tue, Dec 18, 2018 at 7:57 PM Alan DeKok <[hidden email]>
wrote:

>
> > On Dec 17, 2018, at 11:15 PM, Daniel Kong <[hidden email]>
> wrote:
> >
> > I know you guys are very busy helping the rest but I hope you can help me
> > with this. I would like freeradius to authenticate with 3rd party
> > application via REST API. I do have the configuration like below.
> >
> > connect_uri = "http://10.18.6.22:8081/apps/"
> > authenticate {
> > uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
> > method = "get"
> > }
>
>   OK...
>
> > Problem is that I do not know what to be included in the request and
> > response for every authenticate, authorize, post-auth, and accounting.
> For
> > the response, I just include the HTTP status is sufficient for
> > authentication? How about the response for authorize, post-auth, and
> > accounting?
>
>   You don't need to include anything in the response.  The documentation
> describes how the module works and what it does.
>
>   FreeRADIUS treats the REST API as just another database.  There's no
> "requirement" to put anything into SQL, so there's no requirement to put
> anything in REST.
>
> > If the freeRadius is configured to use RESTful API, does other post-auth,
> > authorize, and accounting can be use with mysql so that only
> authentication
> > is using rest?
>
>   Yes.  You just list "rest" in the authenticate section, and "sql"
> elsewhere.
>
>   Alan DeKok.
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: RESTful API

Alan DeKok-2
On Dec 18, 2018, at 11:01 PM, Daniel Kong <[hidden email]> wrote:
>
> Thanks for the feedback, Alan. I have more questions to ask regarding the
> REST authentication. How does the freeRadius know that when to let the user
> to gain access to the resources after invoke REST authentication?

  The server doesn't "let the user gain access to resources".  The server *authenticates* the user.  By sending an Access-Accept with various attributes in it.

  It's important to understand how it works.  If you have misconceptions about how the server works, then you won't be asking the right questions, and you won't be doing the right things.

> Does it
> rely on the REST response http status? Eg. if the 3rd party application
> returns a http status 200 means that the user is authenticated and able to
> use the resource. However if the REST response returns a http status 401
> means that he/she is unauthorized. Does the freeRadius interpret it this
> way?

  Go read raddb/mods-available/rest.  This *is* documented.

  The configuration file tells you how the http status return codes map to the FreeRADIUS codes that are used to process packets.

  Then... read the FreeRADIUS documentation to see how it works.  I suggest starting here:

https://networkradius.com/freeradius-documentation/

  Read the "technical guide" to get a good overview of how the server works.

> In order to use REST authentication only while the others like post-auth,
> authorize, and accounting using the sql, I only need to configure the REST
> for authentication. So my configuration would look like this? I just
> comment off post-auth, authorize, and accounting. Correct me if I am wrong.

 You can read the documentation to see how the rest module works.  Your questions are answered there.

> So after authenticate is successful, freeRadius will do insertion of record
> to radpostauth and radacct table by itself?

  No.  This isn't magic.

  The sql module puts data into radpostauth and radacct... if you configure the server to use the SQL module in "post-auth" and "accounting".

  The default configuration files go through this in great detail.

> Our current usage of freeRadius is with mySQL. So we will insert record to
> radcheck and radreply table while the rest of the table will be handled by
> freeRadius.

  I have no idea what that means.

> Now if we are using the REST for authentication, do we still
> need to insert record to radcheck and radreply? Do we still rely on the
> 'Auth-Type' in the radcheck table?

  The radcheck and radreply tables are used by the SQL module.  If you're not using the SQL module, then those tables aren't used.

  Your questions seem to be coming from a mindset that the server is magic, and magically "knows" how to do things.  It isn't.  It has a lot going on, and a lot of configuration files.  But in the end it's just a whole bunch of simple things put together in gradually more complex ways.

  If you want to use radcheck / radreply, configure the SQL module.  And be sure that the SQL module is listed in the virtual server.  See sites-available/default for many, many, examples.

  Go read the technical guide  I think many of your misconceptions are addressed there.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: RESTful API

Daniel Kong
Hi, thanks for the guidance. However, I encounter a problem in the rest
basic http authentication even though I have provided in the configuration
file.

connect_uri = "http://10.18.6.22:8081/apps"
authenticate {
   uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
   method = "get"
   force_to = "json"
   require_auth = yes
   auth = "basic"
   username = "test"
   password = "password123"
   tls = ${..tls}
}

I have added the following lines to the default configuration file.

authorize {
   if (&User-Password) {
update control {
Auth-Type := 'rest'
}
}
}

authenticate {
   rest
}

And here is my radius output

(3) Received Access-Request Id 53 from 127.0.0.1:42150 to 127.0.0.1:1812
length 47
(3)   User-Name = "user1"
(3)   User-Password = "password1"
(3) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "user1", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: No EAP-Message, not doing EAP
(3)     [eap] = noop
(3)     [files] = noop
(3)     [expiration] = noop
(3)     [logintime] = noop
(3)     if (&User-Password) {
(3)     if (&User-Password)  -> TRUE
(3)     if (&User-Password)  {
(3)       update control {
(3)         Auth-Type := rest
(3)       } # update control = noop
(3)     } # if (&User-Password)  = noop
(3)   } # authorize = ok
(3) Found Auth-Type = rest
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3)   authenticate {
rlm_rest (rest): Closing connection (6): Hit idle_timeout, was idle for 134
seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (1): Hit idle_timeout, was idle for 111
seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (7): Hit idle_timeout, was idle for 111
seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): 0 of 0 connections in use.  You  may need to increase
"spare"
rlm_rest (rest): Opening additional connection (8), 1 of 32 pending slots
used
rlm_rest (rest): Connecting to "http://10.18.6.22:8081/apps"
rlm_rest (rest): Reserved connection (8)
(3) rest: Expanding URI components
(3) rest: EXPAND http://10.18.6.22:8081
(3) rest:    --> http://10.18.6.22:8081
(3) rest: EXPAND /apps/user/%{User-Name}/%{User-Password}
(3) rest:    --> /apps/user/user1/password1
(3) rest: Sending HTTP GET to "
http://10.18.6.22:8081/apps/user/user1/password1"
(3) rest: Processing response header
(3) rest:   Status : 401 (Unauthorized)
(3) rest:   Type   : json (application/json)
(3) rest: Parsing attribute "result"
(3) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "result", skipping...
(3) rest: Parsing attribute "message"
(3) rest: WARNING: Failed parsing attribute: Invalid vendor name in
attribute name "message", skipping...
rlm_rest (rest): Released connection (8)
Need 2 more connections to reach min connections (3)
rlm_rest (rest): Opening additional connection (9), 1 of 31 pending slots
used
rlm_rest (rest): Connecting to "http://10.18.6.22:8081/apps"
(3)     [rest] = reject
(3)   } # authenticate = reject
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3)   Post-Auth-Type REJECT {
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject:    --> user1
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3)     [attr_filter.access_reject] = updated
(3)     [eap] = noop
(3)     policy remove_reply_message_if_eap {
(3)       if (&reply:EAP-Message && &reply:Reply-Message) {
(3)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(3)       else {
(3)         [noop] = noop
(3)       } # else = noop
(3)     } # policy remove_reply_message_if_eap = noop
(3)   } # Post-Auth-Type REJECT = updated
(3) Login incorrect: [user1/password1] (from client localhost port 0)
(3) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 53 from 127.0.0.1:1812 to 127.0.0.1:42150 length
20
Waking up in 3.9 seconds.
(3) Cleaning up request packet ID 53 with timestamp +189
Ready to process requests

Please let me know where did I go wrong.

On Wed, Dec 19, 2018 at 9:58 PM Alan DeKok <[hidden email]>
wrote:

> On Dec 18, 2018, at 11:01 PM, Daniel Kong <[hidden email]> wrote:
> >
> > Thanks for the feedback, Alan. I have more questions to ask regarding the
> > REST authentication. How does the freeRadius know that when to let the
> user
> > to gain access to the resources after invoke REST authentication?
>
>   The server doesn't "let the user gain access to resources".  The server
> *authenticates* the user.  By sending an Access-Accept with various
> attributes in it.
>
>   It's important to understand how it works.  If you have misconceptions
> about how the server works, then you won't be asking the right questions,
> and you won't be doing the right things.
>
> > Does it
> > rely on the REST response http status? Eg. if the 3rd party application
> > returns a http status 200 means that the user is authenticated and able
> to
> > use the resource. However if the REST response returns a http status 401
> > means that he/she is unauthorized. Does the freeRadius interpret it this
> > way?
>
>   Go read raddb/mods-available/rest.  This *is* documented.
>
>   The configuration file tells you how the http status return codes map to
> the FreeRADIUS codes that are used to process packets.
>
>   Then... read the FreeRADIUS documentation to see how it works.  I
> suggest starting here:
>
> https://networkradius.com/freeradius-documentation/
>
>   Read the "technical guide" to get a good overview of how the server
> works.
>
> > In order to use REST authentication only while the others like post-auth,
> > authorize, and accounting using the sql, I only need to configure the
> REST
> > for authentication. So my configuration would look like this? I just
> > comment off post-auth, authorize, and accounting. Correct me if I am
> wrong.
>
>  You can read the documentation to see how the rest module works.  Your
> questions are answered there.
>
> > So after authenticate is successful, freeRadius will do insertion of
> record
> > to radpostauth and radacct table by itself?
>
>   No.  This isn't magic.
>
>   The sql module puts data into radpostauth and radacct... if you
> configure the server to use the SQL module in "post-auth" and "accounting".
>
>   The default configuration files go through this in great detail.
>
> > Our current usage of freeRadius is with mySQL. So we will insert record
> to
> > radcheck and radreply table while the rest of the table will be handled
> by
> > freeRadius.
>
>   I have no idea what that means.
>
> > Now if we are using the REST for authentication, do we still
> > need to insert record to radcheck and radreply? Do we still rely on the
> > 'Auth-Type' in the radcheck table?
>
>   The radcheck and radreply tables are used by the SQL module.  If you're
> not using the SQL module, then those tables aren't used.
>
>   Your questions seem to be coming from a mindset that the server is
> magic, and magically "knows" how to do things.  It isn't.  It has a lot
> going on, and a lot of configuration files.  But in the end it's just a
> whole bunch of simple things put together in gradually more complex ways.
>
>   If you want to use radcheck / radreply, configure the SQL module.  And
> be sure that the SQL module is listed in the virtual server.  See
> sites-available/default for many, many, examples.
>
>   Go read the technical guide  I think many of your misconceptions are
> addressed there.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: RESTful API

Alan DeKok-2
On Dec 27, 2018, at 4:48 AM, Daniel Kong <[hidden email]> wrote:

>
> Hi, thanks for the guidance. However, I encounter a problem in the rest
> basic http authentication even though I have provided in the configuration
> file.
> ...
> And here is my radius output
> ...
> rlm_rest (rest): Connecting to "http://10.18.6.22:8081/apps"
> rlm_rest (rest): Reserved connection (8)
> (3) rest: Expanding URI components
> (3) rest: EXPAND http://10.18.6.22:8081
> (3) rest:    --> http://10.18.6.22:8081
> (3) rest: EXPAND /apps/user/%{User-Name}/%{User-Password}
> (3) rest:    --> /apps/user/user1/password1
> (3) rest: Sending HTTP GET to "
> http://10.18.6.22:8081/apps/user/user1/password1"
> (3) rest: Processing response header
> (3) rest:   Status : 401 (Unauthorized)

  That seems to be clear.

> (3) rest:   Type   : json (application/json)
> (3) rest: Parsing attribute "result"
> (3) rest: WARNING: Failed parsing attribute: Invalid vendor name in
> attribute name "result", skipping...
> (3) rest: Parsing attribute "message"
> (3) rest: WARNING: Failed parsing attribute: Invalid vendor name in
> attribute name "message", skipping...

    The response is json, but not what the REST module expects.

> Please let me know where did I go wrong.

  The debug log is pretty clear.  The user is unauthorized.  And, the response isn't what the module expects.

  The module documentation explains *very* clearly what it sends to the REST API, and what it expects back from the REST API.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

RE: RESTful API

Martin, Jeremy
In reply to this post by Daniel Kong
How about 12:20 @ BFCU?

Jeremy

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+jmartin=[hidden email]] On Behalf Of Daniel Kong
Sent: Thursday, December 27, 2018 4:48 AM
To: FreeRadius users mailing list <[hidden email]>
Subject: Re: RESTful API

Hi, thanks for the guidance. However, I encounter a problem in the rest basic http authentication even though I have provided in the configuration file.

connect_uri = "http://10.18.6.22:8081/apps"
authenticate {
   uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
   method = "get"
   force_to = "json"
   require_auth = yes
   auth = "basic"
   username = "test"
   password = "password123"
   tls = ${..tls}
}

I have added the following lines to the default configuration file.

authorize {
   if (&User-Password) {
update control {
Auth-Type := 'rest'
}
}
}

authenticate {
   rest
}

And here is my radius output

(3) Received Access-Request Id 53 from 127.0.0.1:42150 to 127.0.0.1:1812 length 47
(3)   User-Name = "user1"
(3)   User-Password = "password1"
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "user1", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: No EAP-Message, not doing EAP
(3)     [eap] = noop
(3)     [files] = noop
(3)     [expiration] = noop
(3)     [logintime] = noop
(3)     if (&User-Password) {
(3)     if (&User-Password)  -> TRUE
(3)     if (&User-Password)  {
(3)       update control {
(3)         Auth-Type := rest
(3)       } # update control = noop
(3)     } # if (&User-Password)  = noop
(3)   } # authorize = ok
(3) Found Auth-Type = rest
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3)   authenticate {
rlm_rest (rest): Closing connection (6): Hit idle_timeout, was idle for 134 seconds rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (1): Hit idle_timeout, was idle for 111 seconds rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (7): Hit idle_timeout, was idle for 111 seconds rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_rest (rest): Opening additional connection (8), 1 of 32 pending slots used rlm_rest (rest): Connecting to "http://10.18.6.22:8081/apps"
rlm_rest (rest): Reserved connection (8)
(3) rest: Expanding URI components
(3) rest: EXPAND http://10.18.6.22:8081
(3) rest:    --> http://10.18.6.22:8081
(3) rest: EXPAND /apps/user/%{User-Name}/%{User-Password}
(3) rest:    --> /apps/user/user1/password1
(3) rest: Sending HTTP GET to "
http://10.18.6.22:8081/apps/user/user1/password1"
(3) rest: Processing response header
(3) rest:   Status : 401 (Unauthorized)
(3) rest:   Type   : json (application/json)
(3) rest: Parsing attribute "result"
(3) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "result", skipping...
(3) rest: Parsing attribute "message"
(3) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "message", skipping...
rlm_rest (rest): Released connection (8) Need 2 more connections to reach min connections (3) rlm_rest (rest): Opening additional connection (9), 1 of 31 pending slots used rlm_rest (rest): Connecting to "http://10.18.6.22:8081/apps"
(3)     [rest] = reject
(3)   } # authenticate = reject
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3)   Post-Auth-Type REJECT {
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject:    --> user1
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3)     [attr_filter.access_reject] = updated
(3)     [eap] = noop
(3)     policy remove_reply_message_if_eap {
(3)       if (&reply:EAP-Message && &reply:Reply-Message) {
(3)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(3)       else {
(3)         [noop] = noop
(3)       } # else = noop
(3)     } # policy remove_reply_message_if_eap = noop
(3)   } # Post-Auth-Type REJECT = updated
(3) Login incorrect: [user1/password1] (from client localhost port 0)
(3) Delaying response for 1.000000 seconds Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 53 from 127.0.0.1:1812 to 127.0.0.1:42150 length
20
Waking up in 3.9 seconds.
(3) Cleaning up request packet ID 53 with timestamp +189 Ready to process requests

Please let me know where did I go wrong.

On Wed, Dec 19, 2018 at 9:58 PM Alan DeKok <[hidden email]>
wrote:

> On Dec 18, 2018, at 11:01 PM, Daniel Kong <[hidden email]> wrote:
> >
> > Thanks for the feedback, Alan. I have more questions to ask
> > regarding the REST authentication. How does the freeRadius know that
> > when to let the
> user
> > to gain access to the resources after invoke REST authentication?
>
>   The server doesn't "let the user gain access to resources".  The
> server
> *authenticates* the user.  By sending an Access-Accept with various
> attributes in it.
>
>   It's important to understand how it works.  If you have
> misconceptions about how the server works, then you won't be asking
> the right questions, and you won't be doing the right things.
>
> > Does it
> > rely on the REST response http status? Eg. if the 3rd party
> > application returns a http status 200 means that the user is
> > authenticated and able
> to
> > use the resource. However if the REST response returns a http status
> > 401 means that he/she is unauthorized. Does the freeRadius interpret
> > it this way?
>
>   Go read raddb/mods-available/rest.  This *is* documented.
>
>   The configuration file tells you how the http status return codes
> map to the FreeRADIUS codes that are used to process packets.
>
>   Then... read the FreeRADIUS documentation to see how it works.  I
> suggest starting here:
>
> https://networkradius.com/freeradius-documentation/
>
>   Read the "technical guide" to get a good overview of how the server
> works.
>
> > In order to use REST authentication only while the others like
> > post-auth, authorize, and accounting using the sql, I only need to
> > configure the
> REST
> > for authentication. So my configuration would look like this? I just
> > comment off post-auth, authorize, and accounting. Correct me if I am
> wrong.
>
>  You can read the documentation to see how the rest module works.  
> Your questions are answered there.
>
> > So after authenticate is successful, freeRadius will do insertion of
> record
> > to radpostauth and radacct table by itself?
>
>   No.  This isn't magic.
>
>   The sql module puts data into radpostauth and radacct... if you
> configure the server to use the SQL module in "post-auth" and "accounting".
>
>   The default configuration files go through this in great detail.
>
> > Our current usage of freeRadius is with mySQL. So we will insert
> > record
> to
> > radcheck and radreply table while the rest of the table will be
> > handled
> by
> > freeRadius.
>
>   I have no idea what that means.
>
> > Now if we are using the REST for authentication, do we still need to
> > insert record to radcheck and radreply? Do we still rely on the
> > 'Auth-Type' in the radcheck table?
>
>   The radcheck and radreply tables are used by the SQL module.  If
> you're not using the SQL module, then those tables aren't used.
>
>   Your questions seem to be coming from a mindset that the server is
> magic, and magically "knows" how to do things.  It isn't.  It has a
> lot going on, and a lot of configuration files.  But in the end it's
> just a whole bunch of simple things put together in gradually more complex ways.
>
>   If you want to use radcheck / radreply, configure the SQL module.  
> And be sure that the SQL module is listed in the virtual server.  See
> sites-available/default for many, many, examples.
>
>   Go read the technical guide  I think many of your misconceptions are
> addressed there.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: RESTful API

Daniel Kong
Hi Alan,

I get status 401 (unauthorized) is because the site is protected. By
disabling the rest security on the 3rd party application, it can
successfully send the request and get the response, which I have posted
previously by including the username and password for http basic
authentication.

connect_uri = "http://10.18.6.22:8081/apps"
authenticate {
   uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
   method = "get"
   force_to = "json"
  * require_auth = yes*
*   auth = "basic"*
*   username = "test"*
*   password = "password123"*
   tls = ${..tls}
}

Since by specifying those required attributes is not working, so I have
tried to include REST-HTTP-Header, but it doesn't work as well.

connect_uri = "http://10.18.6.22:8081/apps"
authenticate {
   uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
   method = "get"
   force_to = "json"
  * REST-HTTP-Header = "Authorization: Basic aW5ldHVzZXI6cGFzc3dvcmQxYXBw"*
   tls = ${..tls}
}

I am also getting a 401 while trying to send the request. Where is the
problem?

I have tried very hard to understand the return json format from the API
itself, but the information provided is insufficient. I understand it has a
pair of value which consist of attribute and value. That's why in my above
tryout which I tried to put a "result" and "message" attribute. But radius
doesn't recognize this two vendor attribute.

So my question is what is actually needed to pass back to radius? Is it by
specifying 200 (OK) and 401 (Unauthorized) is sufficient for radius to
process?

On Fri, Dec 28, 2018 at 2:52 AM Martin, Jeremy <[hidden email]> wrote:

> How about 12:20 @ BFCU?
>
> Jeremy
>
> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+jmartin=
> [hidden email]] On Behalf Of Daniel Kong
> Sent: Thursday, December 27, 2018 4:48 AM
> To: FreeRadius users mailing list <[hidden email]>
> Subject: Re: RESTful API
>
> Hi, thanks for the guidance. However, I encounter a problem in the rest
> basic http authentication even though I have provided in the configuration
> file.
>
> connect_uri = "http://10.18.6.22:8081/apps"
> authenticate {
>    uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
>    method = "get"
>    force_to = "json"
>    require_auth = yes
>    auth = "basic"
>    username = "test"
>    password = "password123"
>    tls = ${..tls}
> }
>
> I have added the following lines to the default configuration file.
>
> authorize {
>    if (&User-Password) {
> update control {
> Auth-Type := 'rest'
> }
> }
> }
>
> authenticate {
>    rest
> }
>
> And here is my radius output
>
> (3) Received Access-Request Id 53 from 127.0.0.1:42150 to 127.0.0.1:1812
> length 47
> (3)   User-Name = "user1"
> (3)   User-Password = "password1"
> (3) # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> (3)   authorize {
> (3)     policy filter_username {
> (3)       if (&User-Name) {
> (3)       if (&User-Name)  -> TRUE
> (3)       if (&User-Name)  {
> (3)         if (&User-Name =~ / /) {
> (3)         if (&User-Name =~ / /)  -> FALSE
> (3)         if (&User-Name =~ /@[^@]*@/ ) {
> (3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (3)         if (&User-Name =~ /\.\./ ) {
> (3)         if (&User-Name =~ /\.\./ )  -> FALSE
> (3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
> FALSE
> (3)         if (&User-Name =~ /\.$/)  {
> (3)         if (&User-Name =~ /\.$/)   -> FALSE
> (3)         if (&User-Name =~ /@\./)  {
> (3)         if (&User-Name =~ /@\./)   -> FALSE
> (3)       } # if (&User-Name)  = notfound
> (3)     } # policy filter_username = notfound
> (3)     [preprocess] = ok
> (3)     [chap] = noop
> (3)     [mschap] = noop
> (3)     [digest] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: No '@' in User-Name = "user1", looking up realm NULL
> (3) suffix: No such realm "NULL"
> (3)     [suffix] = noop
> (3) eap: No EAP-Message, not doing EAP
> (3)     [eap] = noop
> (3)     [files] = noop
> (3)     [expiration] = noop
> (3)     [logintime] = noop
> (3)     if (&User-Password) {
> (3)     if (&User-Password)  -> TRUE
> (3)     if (&User-Password)  {
> (3)       update control {
> (3)         Auth-Type := rest
> (3)       } # update control = noop
> (3)     } # if (&User-Password)  = noop
> (3)   } # authorize = ok
> (3) Found Auth-Type = rest
> (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (3)   authenticate {
> rlm_rest (rest): Closing connection (6): Hit idle_timeout, was idle for
> 134 seconds rlm_rest (rest): You probably need to lower "min"
> rlm_rest (rest): Closing connection (1): Hit idle_timeout, was idle for
> 111 seconds rlm_rest (rest): You probably need to lower "min"
> rlm_rest (rest): Closing connection (7): Hit idle_timeout, was idle for
> 111 seconds rlm_rest (rest): You probably need to lower "min"
> rlm_rest (rest): 0 of 0 connections in use.  You  may need to increase
> "spare"
> rlm_rest (rest): Opening additional connection (8), 1 of 32 pending slots
> used rlm_rest (rest): Connecting to "http://10.18.6.22:8081/apps"
> rlm_rest (rest): Reserved connection (8)
> (3) rest: Expanding URI components
> (3) rest: EXPAND http://10.18.6.22:8081
> (3) rest:    --> http://10.18.6.22:8081
> (3) rest: EXPAND /apps/user/%{User-Name}/%{User-Password}
> (3) rest:    --> /apps/user/user1/password1
> (3) rest: Sending HTTP GET to "
> http://10.18.6.22:8081/apps/user/user1/password1"
> (3) rest: Processing response header
> (3) rest:   Status : 401 (Unauthorized)
> (3) rest:   Type   : json (application/json)
> (3) rest: Parsing attribute "result"
> (3) rest: WARNING: Failed parsing attribute: Invalid vendor name in
> attribute name "result", skipping...
> (3) rest: Parsing attribute "message"
> (3) rest: WARNING: Failed parsing attribute: Invalid vendor name in
> attribute name "message", skipping...
> rlm_rest (rest): Released connection (8) Need 2 more connections to reach
> min connections (3) rlm_rest (rest): Opening additional connection (9), 1
> of 31 pending slots used rlm_rest (rest): Connecting to "
> http://10.18.6.22:8081/apps"
> (3)     [rest] = reject
> (3)   } # authenticate = reject
> (3) Failed to authenticate the user
> (3) Using Post-Auth-Type Reject
> (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (3)   Post-Auth-Type REJECT {
> (3) attr_filter.access_reject: EXPAND %{User-Name}
> (3) attr_filter.access_reject:    --> user1
> (3) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (3)     [attr_filter.access_reject] = updated
> (3)     [eap] = noop
> (3)     policy remove_reply_message_if_eap {
> (3)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (3)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (3)       else {
> (3)         [noop] = noop
> (3)       } # else = noop
> (3)     } # policy remove_reply_message_if_eap = noop
> (3)   } # Post-Auth-Type REJECT = updated
> (3) Login incorrect: [user1/password1] (from client localhost port 0)
> (3) Delaying response for 1.000000 seconds Waking up in 0.2 seconds.
> Waking up in 0.7 seconds.
> (3) Sending delayed response
> (3) Sent Access-Reject Id 53 from 127.0.0.1:1812 to 127.0.0.1:42150 length
> 20
> Waking up in 3.9 seconds.
> (3) Cleaning up request packet ID 53 with timestamp +189 Ready to process
> requests
>
> Please let me know where did I go wrong.
>
> On Wed, Dec 19, 2018 at 9:58 PM Alan DeKok <[hidden email]>
> wrote:
>
> > On Dec 18, 2018, at 11:01 PM, Daniel Kong <[hidden email]>
> wrote:
> > >
> > > Thanks for the feedback, Alan. I have more questions to ask
> > > regarding the REST authentication. How does the freeRadius know that
> > > when to let the
> > user
> > > to gain access to the resources after invoke REST authentication?
> >
> >   The server doesn't "let the user gain access to resources".  The
> > server
> > *authenticates* the user.  By sending an Access-Accept with various
> > attributes in it.
> >
> >   It's important to understand how it works.  If you have
> > misconceptions about how the server works, then you won't be asking
> > the right questions, and you won't be doing the right things.
> >
> > > Does it
> > > rely on the REST response http status? Eg. if the 3rd party
> > > application returns a http status 200 means that the user is
> > > authenticated and able
> > to
> > > use the resource. However if the REST response returns a http status
> > > 401 means that he/she is unauthorized. Does the freeRadius interpret
> > > it this way?
> >
> >   Go read raddb/mods-available/rest.  This *is* documented.
> >
> >   The configuration file tells you how the http status return codes
> > map to the FreeRADIUS codes that are used to process packets.
> >
> >   Then... read the FreeRADIUS documentation to see how it works.  I
> > suggest starting here:
> >
> > https://networkradius.com/freeradius-documentation/
> >
> >   Read the "technical guide" to get a good overview of how the server
> > works.
> >
> > > In order to use REST authentication only while the others like
> > > post-auth, authorize, and accounting using the sql, I only need to
> > > configure the
> > REST
> > > for authentication. So my configuration would look like this? I just
> > > comment off post-auth, authorize, and accounting. Correct me if I am
> > wrong.
> >
> >  You can read the documentation to see how the rest module works.
> > Your questions are answered there.
> >
> > > So after authenticate is successful, freeRadius will do insertion of
> > record
> > > to radpostauth and radacct table by itself?
> >
> >   No.  This isn't magic.
> >
> >   The sql module puts data into radpostauth and radacct... if you
> > configure the server to use the SQL module in "post-auth" and
> "accounting".
> >
> >   The default configuration files go through this in great detail.
> >
> > > Our current usage of freeRadius is with mySQL. So we will insert
> > > record
> > to
> > > radcheck and radreply table while the rest of the table will be
> > > handled
> > by
> > > freeRadius.
> >
> >   I have no idea what that means.
> >
> > > Now if we are using the REST for authentication, do we still need to
> > > insert record to radcheck and radreply? Do we still rely on the
> > > 'Auth-Type' in the radcheck table?
> >
> >   The radcheck and radreply tables are used by the SQL module.  If
> > you're not using the SQL module, then those tables aren't used.
> >
> >   Your questions seem to be coming from a mindset that the server is
> > magic, and magically "knows" how to do things.  It isn't.  It has a
> > lot going on, and a lot of configuration files.  But in the end it's
> > just a whole bunch of simple things put together in gradually more
> complex ways.
> >
> >   If you want to use radcheck / radreply, configure the SQL module.
> > And be sure that the SQL module is listed in the virtual server.  See
> > sites-available/default for many, many, examples.
> >
> >   Go read the technical guide  I think many of your misconceptions are
> > addressed there.
> >
> >   Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: RESTful API

Herwin Weststrate
On 02-01-19 10:39, Daniel Kong wrote:

> Hi Alan,
>
> I get status 401 (unauthorized) is because the site is protected. By
> disabling the rest security on the 3rd party application, it can
> successfully send the request and get the response, which I have posted
> previously by including the username and password for http basic
> authentication.
>
> connect_uri = "http://10.18.6.22:8081/apps"
> authenticate {
>    uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
>    method = "get"
>    force_to = "json"
>   * require_auth = yes*
> *   auth = "basic"*
> *   username = "test"*
> *   password = "password123"*
>    tls = ${..tls}
> }
>
> Since by specifying those required attributes is not working, so I have
> tried to include REST-HTTP-Header, but it doesn't work as well.
>
> connect_uri = "http://10.18.6.22:8081/apps"
> authenticate {
>    uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
>    method = "get"
>    force_to = "json"
>   * REST-HTTP-Header = "Authorization: Basic aW5ldHVzZXI6cGFzc3dvcmQxYXBw"*
>    tls = ${..tls}
> }
>
> I am also getting a 401 while trying to send the request. Where is the
> problem?

Since the connection is made via HTTP without TLS: have you tried
tcpdump/wireshark to inspect the HTTP headers? If the Authz header is
added and the request is rejected by the webserver, the problem is
probably in the web server, not the RADIUS server.


--
Herwin Weststrate
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: RESTful API

Alan DeKok-2
In reply to this post by Daniel Kong
On Jan 2, 2019, at 4:39 AM, Daniel Kong <[hidden email]> wrote:
...

  Please edit your replies.  There's no need to include 100's of lines of the previous message at the bottom of your post.  We've seen it already, and we don't need to see it again.

> I get status 401 (unauthorized) is because the site is protected. By
> disabling the rest security on the 3rd party application, it can
> successfully send the request and get the response, which I have posted
> previously by including the username and password for http basic
> authentication.

  OK... I'm not sure why you're "protecting" a REST API from FreeRADIUS.  But whatever...

> connect_uri = "http://10.18.6.22:8081/apps"
> authenticate {
>   uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
>   method = "get"
>   force_to = "json"
>  * require_auth = yes*
> *   auth = "basic"*
> *   username = "test"*
> *   password = "password123"*
>   tls = ${..tls}
> }
>
> Since by specifying those required attributes is not working,

  What does that mean?  You should be able to look at either the FreeRADIUS logs, or the REST server logs to see what's going on.

> so I have
> tried to include REST-HTTP-Header, but it doesn't work as well.
>
> connect_uri = "http://10.18.6.22:8081/apps"
> authenticate {
>   uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
>   method = "get"
>   force_to = "json"
>  * REST-HTTP-Header = "Authorization: Basic aW5ldHVzZXI6cGFzc3dvcmQxYXBw"*
>   tls = ${..tls}
> }
>
> I am also getting a 401 while trying to send the request. Where is the
> problem?

  Without detailed information (i.e. logs), there's no way to tell.  You have to figure out what's going on.  You can't just change the configuration and hope it will now magically work.

> I have tried very hard to understand the return json format from the API
> itself, but the information provided is insufficient. I understand it has a
> pair of value which consist of attribute and value. That's why in my above
> tryout which I tried to put a "result" and "message" attribute. But radius
> doesn't recognize this two vendor attribute.

  You need to have the API return json, in the format described in mods-available/rest.  Something like this should work:

        "User-Name": {
                "op":"=",
                "value":"bob"
        }

> So my question is what is actually needed to pass back to radius? Is it by
> specifying 200 (OK) and 401 (Unauthorized) is sufficient for radius to
> process?

  The REST module documentation describes what HTTP codes the REST server should return.  I've already said this.  Please read the documentation.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: RESTful API

jm+freeradiususer
In reply to this post by Daniel Kong
inetuser?

password1app?

You should now probably change that!

Cheers.

On 1/2/2019 10:39 AM, Daniel Kong wrote:
>    * REST-HTTP-Header = "Authorization: Basic aW5ldHVzZXI6cGFzc3dvcmQxYXBw"*
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html