How to configure Apache to use Radius for Two-factor Authentication

Want to support HowtoForge? Become a subscriber!
 
Submitted by nowen (Contact Author) (Forums) on Wed, 2007-03-07 17:17. :: Apache | Security

How to configure Apache to use Radius for Two-factor Authentication

This document describes how to add WiKID two-factor authentication to Apache 2.x using mod_auth_xradius or mod_ldap. Our configuration was as follows:

  • Fedora Core 5
  • Apache 2.2.2-10
  • mod_auth_xradius. We recommend using mod_auth_xradius rather than mod_auth_radius. Documentation for mod_auth_xradius can be found in the README file and here.
  • For two-factor authentication, we were using WiKID, in this case, the commercial version.

Here's how it will work, when the user clicks on a two-factor protected link, they will be prompted for a username and password. The user generates the one-time passcode on their WiKID token and enters it into the password prompt. Apache will route the username and one-time password to the WiKID server via mod_auth_xradius. If the username and one-time password match what WiKID expects, the server will tell Apache to grant access. First, we add Apache to the WiKID Strong Authentication Server as a network client, then add radius to Apache. I assume you already have a WiKID domain and users setup.

So, start by adding a new Radius network client to the WiKID server for your web server:

  • Log into WiKID server web interface (http://yourwikidserver/WiKIDAdim).
  • Select Network Clients tab.
  • Click on Create New Network Client.
  • Fill in the requested information.
    • For the IP Address, use the web server IP address
    • For Protocol, select Radius
    • Hit the Add button, and on the next page, enter a shared secret
    • Do not enter anything into the Return Attribute box
  • From the terminal or via ssh, run 'stop' and then 'start' to load the network client into the built-in WiKID radius server

That is it for the WiKID server.

Now to get Apache ready for two-factor authentication. We need to get and install mod_auth_xradius for Apache 2.x. First, we need to install httpd-devel so we can compile mod_auth_xradius:

# yum install httpd-devel
# wget http://www.outoforder.cc/downloads/mod_auth_xradius/mod_auth_xradius-0.4.6.tar.bz2
# bunzip2 mod_auth_xradius-0.4.6.tar.bz2
# tar -xvf mod_auth_xradius-0.4.6.tar
# cd mod_auth_xradius-0.4.6
# ./configure --with-apxs=/sbin/apxs
# make
# make install

Be sure to check the location of apxs.

Now you need to add two more things to your httpd.conf. First add

LoadModule auth_xradius_module modules/mod_auth_xradius.so
AuthXRadiusCache dbm conf/authxcache

Check out the xradius docs for other options. It is important to cache the authentication results. If you don't, every http request will generate an authentication request every attempt to validate the one-time passcode except the first attempt will fail.

 
<directory "/var/www/html/radius">
   AuthType Basic
   AuthName "Please enter your username and WiKID one-time passcode for entry to this site."
   AuthXRadiusAddServer "wikid_server_address:1812" "wikidserver_shared_secret"
   AuthXRadiusTimeout 7
   AuthXRadiusRetries 2
   require valid-user
</directory>

You will want to change wikid_server_address to the IP address of the WiKID server and wikidserver_shared_secret to the shared secret you configured above in the WiKID server.

You can enter the same information into a .htaccess file, or a directory directive if you like, depending on where the information you want protected by two-factor authentication is. We used the location directive to put a virtual directory behind two-factor authentication. For more information about

Links


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Archie (not registered) on Thu, 2009-06-18 22:01.

For a simpler one-time password solution you might look at mod_authn_otp, which is an Apache module for one-time password authentication.

 It works with OAUTH-compliant tokens such as Nordic Edge's Pledge client that runs on a cell phone.

 

Submitted by Austin Kauffman (not registered) on Fri, 2009-01-02 16:02.

In order to get High Availablity working with mod_auth_xradius a patch must be applied before compiling.

# vi src/patch-mod_auth_xradius.c (paste the following)
===============BEGIN CUT===============
--- src/mod_auth_xradius.c.orig Thu Apr 28 10:58:25 2005
+++ src/mod_auth_xradius.c Tue Dec 30 12:57:18 2008
@@ -125,15 +125,15 @@
  rctx = xrad_auth_open();

  /* Loop through the array of RADIUS Servers, adding them to the rctx object */
- sr = (xrad_server_info *) dc->servers->elts;
  for (i = 0; i < dc->servers->nelts; ++i) {
- rc = xrad_add_server(rctx, sr[i].hostname, sr[i].port, sr[i].secret,
+ sr = &(((xrad_server_info*)dc->servers->elts)[i]);
+ rc = xrad_add_server(rctx, sr->hostname, sr->port, sr->secret,
  dc->timeout, dc->maxtries);

  if (rc != 0) {
  ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
  "xradius: Failed to add server '%s:%d': (%d) %s",
- sr[i].hostname, sr[i].port, rc, xrad_strerror(rctx));
+ sr->hostname, sr->port, rc, xrad_strerror(rctx));
  goto run_cleanup;
  }
  }
@@ -294,7 +294,7 @@
  /* To properly use the Pools, this array is allocated from the here, instead of
  inside the directory configuration creation function. */
  if (dc->servers == NULL) {
- dc->servers = apr_array_make(parms->pool, 4, sizeof(xrad_server_info*));
+ dc->servers = apr_array_make(parms->pool, 4, sizeof(xrad_server_info));
  }

  sr = apr_array_push(dc->servers);
===============END CUT===============  
# patch < src/patch-mod_auth_xradius.c

This will allow you to add multiple radius servers with the AuthXRadiusAddServer directive.

Submitted by James Smallacombe (not registered) on Fri, 2010-09-10 16:58.

Thanks for this patch, it's so useful (essential?), you wonder why it hasn't been incorporated into a new version of the code yet.  FYI, for it to work as is, you need to change the file name of the source to add ".orig".  I prefer to modify the first two lines to something like this:

--- mod_auth_xradius.c    2005-04-28 03:58:25.000000000 -0400
+++ mod_auth_xradius.c.PATCHED    2010-09-10 11:38:49.000000000 -0400

And run the patch command from within the src/ directory:

patch < patchfilename

Submitted by Anonymous (not registered) on Wed, 2008-09-24 12:36.
Apache > 2.1 requires an additional "AuthBasicProvider xradius" directive