How To Configure Apache To Use Radius For Two-Factor Authentication On Ubuntu 12.04
This document describes how to add WiKID two-factor authentication to Apache 2.2.22 using mod_auth_radius on Ubuntu 12.04.
It is also recommended that you consider using mutual https authentication for web applications that are worthy of two-factor authentication. Strong mutual authentication means that the targeted website is authenticated to the user in some cryptographically secure manner, thwarting most man-in-the-middle attacks.
The WiKID open-source software token performs mutual authentication by retrieving a hash of the website's SSL certificate from the WiKID server and comparing a hash of the downloaded SSL certificate. If the two match, the token will launch the default browser to the target site for the user. If they don't match an error will be displayed, much like SSH. To configure mutual authentication for web applications, see this tutorial.
Our configuration was as follows:
- Ubuntu 12.04
- Apache 2.2.22
- libapache2-mod-auth-radius 1.5.8-1
- For two-factor authentication, we were using WiKID, in this case, the commercial version. For complete installation instructions, please visit: http://www.wikidsystems.com/support/wikid-support-center/installation-how-tos
Here's how it will work, when the user clicks on a two-factor protected link, they will be prompted for a username and password. The user generates the one-time passcode on their WiKID token and enters it into the password prompt. Apache will route the username and one-time password to the WiKID server via mod_auth_radius. If the username and one-time password match what WiKID expects, the server will tell Apache to grant access. First, we add Apache to the WiKID Strong Authentication Server as a network client, then add radius to Apache. I assume you already have a WiKID domain and users setup.
So, start by adding a new Radius network client to the WiKID server for your web server:
- Log into WiKID server web interface (http://yourwikidserver/WiKIDAdmin).
- Select Network Clients tab.
- Click on Create New Network Client.
- Fill in the requested information.
- For the IP Address, use the web server IP address.
- For Protocol, select Radius.
- Hit the Add button, and on the next page, enter a shared secret.
- Do not enter anything into the Return Attribute box.
- From the terminal or via ssh, run 'stop' and then 'start' to load the network client into the built-in WiKID radius server.
That is it for the WiKID server.
Now to get Apache ready for two-factor authentication. I started from a fresh Ubuntu 12.04 install so I had to install both apache and mod_auth_radius.
$ sudo apt-get install apache2 libapache2-mod-auth-radius
Ubuntu now has Apache's configuration files separated by virtual hosts. For this example, I edited /etc/apache2/sites-available/default.
Create a directory that will be protected by two-factor authentication. In this case, /secure. Enter this into your sites-available/default:
<IfModule radius_auth_module> AddRadiusAuth 10.100.0.109:1812 apache_secret 5:3 AddRadiusCookieValid 5 </IfModule> <Location /secure> AuthType Basic AuthName "WiKID two-factor authentication for default site" AuthBasicProvider radius AuthRadiusCookieValid 5 AuthRadiusActive On require valid-user </Location>
Note radius_auth_module. To validate that the module is loaded use this command:
sudo apachectl -M | grep radius
You will want to change wikid_server_address to the IP address of the WiKID server and wikidserver_shared_secret to the shared secret you configured above in the WiKID server. Note that the the AddRadiusAuth line ends with 5 and not 5:3. The 3 in the later setting is for the number of times to attempt a password use. For one-time passwords, we only want them tried once, therefore we leave it empty. The 5 is for a 5 second time out. The AuthRadiusCookieValid directive is set for 60 minutes.
That should be all you need. You can use a .htaccess file, but that is frowned upon. The Location method is deemed more secure.
- WiKID Strong Authentication - Two-Factor Authentication
- Mod-auth-radius - mod-auth-radius
- Apache - The Apache Webserver