FreeRADIUS with REST

Introduction

Starting with v3.x, FreeRADIUS has support for REST APIs.

This article explains how to configure FreeRADIUS to authenticate users by connecting to a remote server over REST.

Prerequisite

Make sure you have Ubuntu 16.04 or higher with FreeRADIUS v3.x installed; alternatively, upgrade FreeRADIUS independently of the Ubuntu version.

Also make sure you have configured your clients.conf file and added your network access server.

Configurations

Open the terminal, and enable root mode using the following command:

$ sudo su

Then go to the FreeRADIUS folder using the “cd” command:

$ cd /etc/freeradius

If you are on Ubuntu 18.04, use this command instead:

$ cd /etc/freeradius/3.0

Use the ls command to list all the folders in FreeRADIUS.

The mods-available folder contains all the modules provided by FreeRADIUS, and the mods-enabled folder contains the enabled modules that the FreeRADIUS server will use.

We will use the rest module to configure FreeRADIUS to work with REST.

To use the rest module, we have to enable it first.

To enable it, we have to create a soft link to it in the mods-enabled folder.
This is done using the following commands:

$ cd mods-enabled
$ ln -s ../mods-available/rest

Now, we will configure the rest module.

$ nano rest

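First, replace connect_uri with the base URL of your REST server. The request bodies configured below carry User-Password in the clear, so use an https:// URL when the REST server is not on the same host.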

connect_uri = "http://localhost:8084/RestForRadius"

Then, replace the authorize{} section with the configuration below:

authorize {
    uri = "${..connect_uri}/authorize"
    method = 'post'
    tls = ${..tls}
    body = 'json'
    data = '{ "username": "%{User-Name}", "password": "%{User-Password}", "calling-station-id": "%{Calling-Station-Id}" }'
}

Where “authorize” is the name of the web service responsible for authorization.

Also replace the authenticate{} section with the configuration below:

authenticate {
    uri = "${..connect_uri}/authenticate"
    method = 'post'
    body = 'json'
    data = '{ "username": "%{User-Name}", "password": "%{User-Password}", "calling-station-id": "%{Calling-Station-Id}" }'
    tls = ${..tls}
}

Where “authenticate” is the name of the web service responsible for authentication.

Save the changes and close the rest module.

The next step is to configure the virtual server.
There are two virtual servers enabled: default, and inner-tunnel.

We will configure them both with the same configurations.

Go to /etc/freeradius/sites-enabled and run the following command:

$ nano default

This file holds the configuration for the default server.

Go to the authorize{} section and add rest as below:

authorize {
    ...

    rest

    ...
}

Do the same with the authenticate{} section.

authenticate {
    ...

    rest

    ...
}

Save and exit.

Do the same for the inner-tunnel server file.

Now we will start FreeRADIUS in debug mode. Make sure that your remote server (connect_uri) is up and accessible or you will get an error.

$ freeradius -X

If you see “Ready to process requests”, then you have configured it successfully.
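A minimal backend for the two endpoints configured above, as an added example (not part of the original article or of FreeRADIUS). It assumes the HTTP status mapping documented in the rest module's own comments (204 is ok, 401 is reject, 404 is notfound); the user store, the decide() helper and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

def _hash(password_bytes, salt):
    return hashlib.pbkdf2_hmac("sha256", password_bytes, salt, 100_000)

# Constructed sample user store: username -> (salt, PBKDF2-SHA256 hash).
USERS = {"alice": (b"constructed-salt", _hash(b"correct horse", b"constructed-salt"))}

def decide(path, raw_body):
    """Return the HTTP status to send back to rlm_rest for one POST."""
    try:
        req = json.loads(raw_body)
        user, pw = req["username"], req["password"].encode()
    except (ValueError, KeyError, TypeError, AttributeError):
        return 400  # malformed JSON, missing field or non-string password
    if not isinstance(user, str):
        return 400
    record = USERS.get(user)
    if path.endswith("/authorize"):
        return 204 if record else 404  # ok / notfound
    if path.endswith("/authenticate"):
        # Hash even for unknown users so both failure paths cost the same.
        salt, stored = record or (b"dummy-salt", b"")
        match = hmac.compare_digest(_hash(pw, salt), stored)
        return 204 if record and match else 401  # ok / reject
    return 404

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status = decide(self.path, self.rfile.read(length))
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # silence the default access log

if __name__ == "__main__":
    # Port taken from the connect_uri used in this article.
    HTTPServer(("127.0.0.1", 8084), Handler).serve_forever()
```

With this running, freeradius -X shows the rest module returning ok, reject or notfound according to the status code sent back.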
