how to use rlm_rest for FreeRadius 4.X Dynamic Clients

Question

My FreeRadius installation is compiled from source

root@core .../raddb/sites-enabled# radiusd -v
Info  : radiusd - DEVELOPER BUILD - FreeRADIUS version 4.0.32006 (git #9c38480e), for host x86_64-pc-linux-gnu, built on Dec  3 2023 at 12:26:42
Info  : Copyright 1999-2023 The FreeRADIUS server project and contributors
Info  : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info  : PARTICULAR PURPOSE
Info  : You may redistribute copies of FreeRADIUS under the terms of the
Info  : GNU General Public License
Info  : For more information about these matters, see the file named COPYRIGHT

my raddb/sites-enabled/default

server default {
    namespace = radius

    #
    #  ### RADIUS Configuration
    #
    #  All of the configuration for processing RADIUS packets goes here.
    #
    radius {
        Access-Request {
            log {
            }
            session {
            }
        }
    }
    dictionary {
    }


    #
    #  ### The listen section
    #
    #  The `listen` sections in v4 are very different from the
    #  `listen sections in v3.  The changes were necessary in
    #  order to make FreeRADIUS more flexible, and to make the
    #  configuration simpler and more consistent.
    #
    listen {
        type = Access-Request
        type = Status-Server
        transport = udp
        limit {
            max_clients = 2
            max_connections = 256
            idle_timeout = 60.0
            nak_lifetime = 30.0
            cleanup_delay = 5.0
        }
        udp {
            ipaddr = *
            port = 1812
            dynamic_clients = true
            networks {
                allow = 127/8
                allow = 192.168.56.0/24
            }
        }
    }
    listen udp_acct {
        type = Accounting-Request
        transport = udp
        udp {
            ipaddr = *
            port = 1813
        }
    }
    client localhost {
        shortname = sample
        ipaddr = 192.168.56.106
        secret = testing123

    }



#
#  ### Receive Access-Request packets
#
recv Access-Request {
    filter_username
    rest
    chap
    mschap
    files
    pap
}


#
#  ### Receive Status-Server packets
recv Status-Server {
    #
    #  We are still here and responding.
    #
    ok
}


#
#  ### PAP Authentication
authenticate pap {
    pap
}
authenticate chap {
    chap
}
authenticate mschap {
    mschap
}
send Access-Challenge {
    attr_filter.access_challenge
    handled
}
send Access-Accept {
}
send Access-Reject {
    delay_reject
}

#
#  An Accounting-Request packet has been received. Decide which
#  accounting type to use.
#
recv Accounting-Request {
    if (!&Event-Timestamp) {
        &request.Event-Timestamp := %{%l - &Acct-Delay-Time}
    }
    acct_unique
    rest
}

#
#  Session start
#
accounting Start {

}
accounting Stop {

}
accounting Interim-Update {

}
accounting Accounting-On {

}
accounting Accounting-Off {

}
accounting Failed {

}
send Accounting-Response {
}

new client {
    rest
    ok
}

add client {
    ok
}

deny client {
    ok
}

}

but with that configuration, the radiusd -X give me

...
Loaded module rlm_rest
    rest {
      http_negotiation = default
      connection {
        reuse {
          min = 2
          max = 100
          cleanup_interval = 30s
        }
        connect_timeout = 3.0
      }
      multiplex = yes
      fail_header_decode = no
      fail_body_decode = no
    }
    radutmp sradutmp {
      filename = /usr/local/var/log/radius/sradutmp
      username = <<< secret >>>
      check_with_nas = yes
      permissions = 0644
      caller_id = no
    }
Loaded module rlm_stats
    stats {
    }
Loaded module rlm_unix
    unix {
    }
Loaded module rlm_unpack
Loaded module rlm_utf8
#### Bootstrapping rlm modules ####
Bootstrapping rlm_chap "chap"
Bootstrapping rlm_delay "delay"
Bootstrapping rlm_delay "delay_reject"
Bootstrapping rlm_always "disallow"
Bootstrapping rlm_exec "echo"
Bootstrapping rlm_escape "escape"
Bootstrapping rlm_exec "exec"
Bootstrapping rlm_always "fail"
Bootstrapping rlm_always "handled"
Bootstrapping rlm_always "invalid"
Bootstrapping rlm_linelog "linelog"
Bootstrapping rlm_linelog "log_accounting"
Bootstrapping rlm_mschap "mschap"
Bootstrapping rlm_always "noop"
Bootstrapping rlm_always "notfound"
Bootstrapping rlm_exec "ntlm_auth"
Bootstrapping rlm_always "ok"
Bootstrapping rlm_always "reject"
Bootstrapping rlm_rest "rest"
Bootstrapping rlm_unix "unix"
Bootstrapping rlm_always "updated"
 } # modules
#### Instantiating listeners ####
Compiling policies in server default { ... }
Instantiating proto_radius "default.radius"
Instantiating proto_radius "default.udp_acct"
Instantiating process_radius "default"
Compiling policies in - recv Access-Request {...}
Compiling policies in - send Access-Accept {...}
Compiling policies in - send Access-Challenge {...}
Compiling policies in - send Access-Reject {...}
Compiling policies in - recv Accounting-Request {...}
Compiling policies in - send Accounting-Response {...}
Compiling policies in - recv Status-Server {...}
Compiling policies in - authenticate pap {...}
Compiling policies in - authenticate chap {...}
Compiling policies in - authenticate mschap {...}
Compiling policies in - accounting Start {...}
Compiling policies in - accounting Stop {...}
Compiling policies in - accounting Interim-Update {...}
Compiling policies in - accounting Accounting-On {...}
Compiling policies in - accounting Accounting-Off {...}
Compiling policies in - accounting Failed {...}
Compiling policies in - new client {...}
/usr/local/etc/raddb/sites-enabled/default[70]: Failed compiling rest - no method matching calling section found
/usr/local/etc/raddb/sites-enabled/default[70]: Invalid keyword "rest".

looks like that rlm rest is loaded, but the 'new client' section complaining about 'rest'.

Yes I read the documentation about dynamic client , but where to put 'rest' if I want to use rlm_rest for dynamic-clients?

sincerely
-bino-