Comments on How to configure Apache to use Radius for Two-factor Authentication

This brief document shows how to configure Apache to use mod_auth_xradius to authenticate users with the WiKID Strong Authentication System. Adding two-factor authentication to Apache is a very simple process with this setup.

Comments

By: Anonymous

Apache > 2.1 requires an additional "AuthBasicProvider xradius" directive

By: Austin Kauffman

In order to get High Availability working with mod_auth_xradius, a patch must be applied before compiling.

# vi src/patch-mod_auth_xradius.c (paste the following)
===============BEGIN CUT===============
--- src/mod_auth_xradius.c.orig Thu Apr 28 10:58:25 2005
+++ src/mod_auth_xradius.c Tue Dec 30 12:57:18 2008
@@ -125,15 +125,15 @@
  rctx = xrad_auth_open();

  /* Loop through the array of RADIUS Servers, adding them to the rctx object */
- sr = (xrad_server_info *) dc->servers->elts;
  for (i = 0; i < dc->servers->nelts; ++i) {
- rc = xrad_add_server(rctx, sr[i].hostname, sr[i].port, sr[i].secret,
+ sr = &(((xrad_server_info*)dc->servers->elts)[i]);
+ rc = xrad_add_server(rctx, sr->hostname, sr->port, sr->secret,
  dc->timeout, dc->maxtries);

  if (rc != 0) {
  ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
  "xradius: Failed to add server '%s:%d': (%d) %s",
- sr[i].hostname, sr[i].port, rc, xrad_strerror(rctx));
+ sr->hostname, sr->port, rc, xrad_strerror(rctx));
  goto run_cleanup;
  }
  }
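Review bot: In the server loop, replacing `sr[i].hostname` with `sr = &(((xrad_server_info*)dc->servers->elts)[i])` computes the same address as the original indexing, so this hunk on its own does not change which memory is read; the behavioural fix is the element-size change in the second hunk. Consider dropping this hunk to keep the patch minimal, or use APR's accessor, `sr = &APR_ARRAY_IDX(dc->servers, i, xrad_server_info);`, which names the element type once and is easier to audit than the nested cast.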
@@ -294,7 +294,7 @@
  /* To properly use the Pools, this array is allocated from the here, instead of
  inside the directory configuration creation function. */
  if (dc->servers == NULL) {
- dc->servers = apr_array_make(parms->pool, 4, sizeof(xrad_server_info*));
+ dc->servers = apr_array_make(parms->pool, 4, sizeof(xrad_server_info));
  }

  sr = apr_array_push(dc->servers);
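Review bot: The `apr_array_make` change from `sizeof(xrad_server_info*)` to `sizeof(xrad_server_info)` is a memory-safety fix, not only a high-availability feature, and the patch should document it as such. The loop in the first hunk reads each element as a whole `xrad_server_info` with `hostname`, `port` and `secret` fields, so with pointer-sized slots the element returned by `apr_array_push` was too small for a struct stored through `sr`. Add a comment at the call stating that the array holds structs by value, and consider `sizeof(*sr)` (assuming `sr` is declared as `xrad_server_info *` in this function, which the visible lines do not show) so the element size cannot drift from the type again.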
===============END CUT===============  
# patch < src/patch-mod_auth_xradius.c

This will allow you to add multiple radius servers with the AuthXRadiusAddServer directive.

By: James Smallacombe

Thanks for this patch; it's so useful (essential?) that you wonder why it hasn't been incorporated into a new version of the code yet. FYI, for it to work as is, you need to change the file name of the source to add ".orig". I prefer to modify the first two lines to something like this:

--- mod_auth_xradius.c    2005-04-28 03:58:25.000000000 -0400
+++ mod_auth_xradius.c.PATCHED    2010-09-10 11:38:49.000000000 -0400

And run the patch command from within the src/ directory:

patch < patchfilename

By: Archie

For a simpler one-time password solution you might look at mod_authn_otp, which is an Apache module for one-time password authentication.

 It works with OAUTH-compliant tokens such as Nordic Edge's Pledge client that runs on a cell phone.