Configuration of rlm_rest

Starting with version 3.0.x FreeRADIUS is shipped with the rlm_rest module, which can be used to transform RADIUS authentication requests to HTTP requests to a suitable REST endpoint. Starting with version 2.19, privacyIDEA implements such an endpoint (/validate/radiuscheck, see Validate endpoints). However, the endpoint currently does not implement all features of the RADIUS plugin such as challenge-response authentication and attribute mapping.

Please note that Ubuntu 17.04 and Debian 9 are the first releases to include FreeRADIUS 3.0.x. Here, the required packages can be installed as follows:

apt-get install freeradius freeradius-rest

Setup

First, the rlm_rest module needs to be enabled:

cd /etc/freeradius/mods-enabled
ln -s ../mods-available/rest .

The authentication type needs to be configured in the /etc/freeradius/users file:

DEFAULT Auth-Type := rest

and the site configuration should invoke the module as follows:

authenticate {
     Auth-Type rest {
        rest
     }
     digest
     unix
}

The module itself is then configured via the file /etc/freeradius/mods-enabled/rest. First, connect_uri needs to point to your privacyIDEA instance:

connect_uri = "https://127.0.0.1/"

The authenticate section needs to be modified as follows:

authenticate
    uri = "${..connect_uri}/validate/radiuscheck"
    method = 'post'
    body = 'post'
    data = "user=%{urlquote:%{User-Name}}&pass=%{urlquote:%{User-Password}}"
    force_to = 'plain'
    tls = ${..tls}
}

Assuming clients.conf has been edited accordingly, the FreeRADIUS server should already respond to authentication requests:

echo "User-Name=user, Password=password" | radclient -sx yourRadiusServer \
   auth topsecret

For instructions how to configure more advanced features of rlm_rest such as the connection pool or TLS certificate validation, please consult the documentation in the configuration file.