Monday, September 30, 2013

Using Radius authentication with Apache web server


The following will install radius authentication on your RHEL/CentOS apache web server.   You can use these instructions for other linux distributions; you will just need to adjust the folder locations and package names.  Also, this is a 64-bit system, so for 32-bit change the package names from x86_64 to i386 or whatever YUM tells you is available.

This configuration assumes you already have a functioning web server.  If you don't, find a separate tutorial on the apache web server for your OS.  You must have the radius server configured before attempting this configuration.   You must also add each user to that linux box beforehand (useradd).  This will replace htpasswd authentication, but will only work for users defined in both the radius server and the local linux server.

To my knowledge, you cannot have both radius and htpasswd authentication running at the same time.  Also, applications that have their own authentication system outside of htpasswd (such as mysql) will not work with radius since they are checking their own database and not the radius server.   It's likely possible, but not included in this config.

Do this at your own risk.  If you screwed up your system because of these instructions, feel free to contact me so I can laugh at you.

  • install packages
    yum install httpd-devel.x86_64 apr-devel apr-util-devel apr.x86_64 apr-util-devel.x86_64
  • Go to http://www.outoforder.cc/projects/libs/apr_memcache/  and locate the latest download URL
  • Make a new temp folder and go to it
    # mkdir /opt/mem
    # cd /opt/mem
  • Download the file
    # wget URLLOCATION
    Where URLLOCATION is the URL you located in the above step
  • Unzip the file
    # bunzip2 FILENAME
    # tar -xvf TARFILE
    Where FILENAME is the name of the downloaded .tar.bz2 file and TARFILE is the .tar file that bunzip2 leaves behind (the same name without the .bz2)
  • Go to the folder
    # cd /opt/mem/FOLDERNAME
    Where FOLDERNAME is the name of the folder created during unzip
  • Run configure
    # ./configure --prefix=/etc/httpd --with-apr=/usr/bin/apr-1-config --with-apr-util=/usr/bin/apu-1-config
  • Make files
    # make
    # make install
  • Go to http://www.outoforder.cc/projects/apache/mod_auth_xradius/ and locate the latest mod_auth_xradius download
  • Make a new temp folder and go to it
    # mkdir /tmp/mod
    # cd /tmp/mod
  • Download the file
    # wget URLLOCATION
    Where URLLOCATION is the URL you located in the above step
  • Unzip the file
    # bunzip2 FILENAME
    # tar -xvf TARFILE
    Where FILENAME is the name of the downloaded .tar.bz2 file and TARFILE is the .tar file that bunzip2 leaves behind (the same name without the .bz2)
  • Go to the folder
    # cd /tmp/mod/FOLDERNAME
    Where FOLDERNAME is the name of the folder created during unzip
  • If you are using MORE than one radius server, you will need to patch a file to allow this.  If you are only using one radius server, you can skip the patching. 
  • Create patch file
    # touch patch.txt
    # nano patch.txt
  • Copy this patch data into the editor and save the file.
@@ -125,15 +125,15 @@
     rctx = xrad_auth_open();

     /* Loop through the array of RADIUS Servers, adding them to the rctx object */
-    sr = (xrad_server_info *) dc->servers->elts;
     for (i = 0; i < dc->servers->nelts; ++i) {       
-        rc = xrad_add_server(rctx, sr[i].hostname, sr[i].port, sr[i].secret,
+        sr = &(((xrad_server_info*)dc->servers->elts)[i]);
+        rc = xrad_add_server(rctx, sr->hostname, sr->port, sr->secret,
                              dc->timeout, dc->maxtries);
         
         if (rc != 0) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                           "xradius: Failed to add server '%s:%d': (%d) %s",
-                          sr[i].hostname, sr[i].port, rc, xrad_strerror(rctx));
+                          sr->hostname, sr->port, rc, xrad_strerror(rctx));
             goto run_cleanup;
         }       
     }
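Review bot: the per-iteration `sr = &(((xrad_server_info*)dc->servers->elts)[i]);` only lands on the right element once the array's element size is `sizeof(xrad_server_info)`; with the `sizeof(xrad_server_info*)` allocation still in place further down, this indexing is just as wrong as the `sr[i]` it replaces, so this hunk must not be applied without the second one. Since `sr` is now reassigned every time round the loop, the cast-and-index would read more simply as `sr = (xrad_server_info *)dc->servers->elts + i;`, and `sr` could become a loop-local pointer. The trailing whitespace after `++i) {` and after `}` is in pre-existing context lines and can stay out of this change.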
@@ -294,7 +294,7 @@
     /* To properly use the Pools, this array is allocated from the here, instead of
         inside the directory configuration creation function. */
     if (dc->servers == NULL) {
-        dc->servers = apr_array_make(parms->pool, 4, sizeof(xrad_server_info*));
+        dc->servers = apr_array_make(parms->pool, 4, sizeof(xrad_server_info));
     }
     
     sr = apr_array_push(dc->servers);
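Review bot: this one-line change is the actual fix and deserves a sentence in the commit message: `apr_array_push` returns a slot of the array's element size, so with `sizeof(xrad_server_info*)` each pushed `xrad_server_info` struct was given only a pointer-sized slot and overwrote the fields of the previous entry, which is why a second `AuthXRadiusAddServer` line produced the empty-hostname `Failed to add server ':1812'` error while a single server appeared to work. The comment in the context lines, "allocated from the here", is a pre-existing typo that could be tidied in the same change.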

  • Patch the file
    # patch -i patch.txt
  • When asked what file to patch, type in src/mod_auth_xradius.c
  • Now Run config
    # ./configure --with-apxs=/usr/sbin/apxs --with-apr-memcache=/etc/httpd/lib
  • Run make
    # make
    # make install
  • Edit config
    # nano /etc/httpd/conf/httpd.conf
  • Search for DocumentRoot "/var/www/html"
  • Paste the following text directly under DocumentRoot "/var/www/html" and save the file
    ## This Loads mod_auth_xradius into Apache
    LoadModule auth_xradius_module modules/mod_auth_xradius.so

    ## radius cache location
    AuthXRadiusCache dbm "conf/auth_xradius_cache"

    ## Cache timeout in seconds
    AuthXRadiusCacheTimeout 600
  • Save and exit the file.
  • Edit the main httpd conf file
    # nano /etc/httpd/conf/httpd.conf
  • Locate this text <Directory "/var/www/html">
    and add the following text directly underneath
        ## This is what the client sees in their Prompt.
        AuthName "Radius Authentication required"

        ## Type of authentication to use.
        AuthType basic
        AuthBasicProvider xradius

        ## Address and the Shared Secret of the RADIUS Server to contact.
        AuthXRadiusAddServer "192.168.1.1:1812" "RADIUSSECRET"
        AuthXRadiusAddServer "192.168.1.2:1812" "RADIUSSECRET"

        ## Time in Seconds to wait for replies from the RADIUS Servers
        AuthXRadiusTimeout 600 

        ## Number of times to resend a request to a server if no reply is received.
        AuthXRadiusRetries 3

        ## disallow blank passwords
        AuthXRadiusRejectBlank on

        ## This tells apache that we want a valid user and password.
        require valid-user
Where RADIUSSECRET is the shared radius secret password in the password safe.

Any folder/site/app you want to inherit web (radius) authentication must be a child folder of the html folder.  Anything outside the html folder will not inherit the cached radius credentials and will not allow radius authentication; those folders will have to use standard web authentication.

If your radius server does not use port 1812, change the above accordingly.

  • Save and exit the editor.
  • Run ldconfig
    # ldconfig /usr/local/lib
  • Create the cache file named in the AuthXRadiusCache directive, owned by the httpd user so the module can write to it
    # touch /etc/httpd/conf/auth_xradius_cache
    # chown apache:root /etc/httpd/conf/auth_xradius_cache
  • Restart httpd
    # service httpd restart
  • Test radius auth by going to the homepage.  You may need to restart your browser.
    • If radius authentication is not working, check /var/log/httpd/ssl_error_log for errors.  If you see an error
      xradius: Failed to add server ':1812': (-1)
      Then your patch failed or you did not successfully patch the .c file.  You can refer to
      http://iwl.com/blog/apache-radius for assistance. 
As a last resort, you can go back and edit httpd.conf and comment out one of the listed radius servers.  Without the patch, the module works fine as long as there is only one server defined.
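As an added example (not code from the original post or from the mod_auth_xradius project), the shell script below turns the troubleshooting step above into a repeatable check: it counts the active AuthXRadiusAddServer lines in an httpd.conf, looks in the error log for the empty-hostname error that the unpatched module produces, and flags a config that still carries the RADIUSSECRET placeholder. The config contents, log lines and paths are constructed for the demo; on a real host pass /etc/httpd/conf/httpd.conf and /var/log/httpd/ssl_error_log to the functions.

```shell
#!/bin/sh
# Added example, not code from the original post or from mod_auth_xradius:
# a small diagnostic for the multi-server failure described above.
# All file contents below are constructed test data; on a real host point the
# functions at /etc/httpd/conf/httpd.conf and /var/log/httpd/ssl_error_log.

# Number of active (uncommented) AuthXRadiusAddServer directives in a config.
count_radius_servers() {
    grep -c '^[[:space:]]*AuthXRadiusAddServer[[:space:]]' "$1" || true
}

# Returns 0 if the config still carries the walkthrough's RADIUSSECRET placeholder.
placeholder_secret_present() {
    grep -q 'AuthXRadiusAddServer.*"RADIUSSECRET"' "$1"
}

# Returns 0 if the log contains the empty-hostname error that an unpatched
# module produces when more than one server is configured.
log_shows_unpatched_symptom() {
    grep -q "xradius: Failed to add server ':[0-9]*': (-1)" "$1"
}

# Verdict: "ok", "needs-patch" (error seen and more than one server: apply the
# patch or comment out all but one server) or "other-error" (the same error
# with a single server, so the cause is elsewhere: secret, port, module path).
diagnose_xradius() {
    conf=$1
    log=$2
    n=$(count_radius_servers "$conf")
    if log_shows_unpatched_symptom "$log"; then
        if [ "$n" -gt 1 ]; then echo "needs-patch"; else echo "other-error"; fi
    else
        echo "ok"
    fi
}

# Constructed inputs for a stand-alone run (removed again on exit).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_CONF=$DEMO_DIR/httpd.conf
DEMO_LOG_BAD=$DEMO_DIR/ssl_error_log.bad
DEMO_LOG_CLEAN=$DEMO_DIR/ssl_error_log.clean

cat > "$DEMO_CONF" <<'EOF'
<Directory "/var/www/html">
    AuthName "Radius Authentication required"
    AuthType basic
    AuthBasicProvider xradius
    AuthXRadiusAddServer "192.168.1.1:1812" "constructed-secret-1"
    AuthXRadiusAddServer "192.168.1.2:1812" "constructed-secret-2"
    # AuthXRadiusAddServer "192.168.1.3:1812" "disabled-entry"
    require valid-user
</Directory>
EOF

# Constructed log line mirroring the error quoted in the troubleshooting step.
cat > "$DEMO_LOG_BAD" <<'EOF'
[Mon Sep 30 10:00:01 2013] [error] [client 192.168.1.50] xradius: Failed to add server ':1812': (-1) constructed error text
EOF
printf '[Mon Sep 30 10:00:01 2013] [notice] Apache configured -- resuming normal operations\n' > "$DEMO_LOG_CLEAN"

echo "servers configured:     $(count_radius_servers "$DEMO_CONF")"
echo "verdict with error log: $(diagnose_xradius "$DEMO_CONF" "$DEMO_LOG_BAD")"
echo "verdict with clean log: $(diagnose_xradius "$DEMO_CONF" "$DEMO_LOG_CLEAN")"
```

The verdict is driven by the log rather than by the server count alone, because a two-server config on a patched module is perfectly healthy; only the combination of the empty-hostname error and more than one AuthXRadiusAddServer line points at the missing patch.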

Using Radius authentication with SSH

The following will configure your linux-based SSH server to use a pre-defined radius server for authentication instead of plain password authentication.  You must configure the radius server before starting this configuration.   This is for 64-bit Linux; for 32-bit just change the package names from .x86_64 to .i686:

·         Download install package (make sure the server can access the internet via port 80/443)
# yum install freeradius pam_radius.x86_64 pam_radius.x86_64 pam.x86_64 
type y when it asks you if this is OK, hit ENTER
·         Edit the conf file
# nano /etc/pam_radius.conf
·         Add the correct radius server info as follows
192.168.1.5        secret      5
192.168.1.6         secret      5
·         Use CTRL-O to save the file and CTRL-X to exit.
·         Set file permissions
# chmod 600 /etc/pam_radius.conf
·         edit the sshd_config file
# nano /etc/ssh/sshd_config
o   Uncomment the line PubkeyAuthentication yes
o   Uncomment the line UsePAM yes
Save and exit the file
·         edit the pam sshd config file
# nano /etc/pam.d/sshd
Move the first line down to become the second line.   This line needs to be the first line:
auth       sufficient   /lib/security/pam_radius_auth.so debug client_id=linux
Notes:
o   The first line must be listed as above.  If the default first line is still listed, radius will not authenticate properly.  
o   If you do NOT wish to allow standard password authentication WITH radius authentication, you can # comment the second line to force all auth requests to use dual factor.
o   If the machine is 64 bit, change /lib to /lib64
·         Enable standard authentication to switch users
# nano /etc/pam.d/su
·         Move this line to the top of the list.  This will allow you to auth using radius, but change user using normal password.
auth            include         system-auth
Save and exit the file.
·         Edit the system auth file
# nano /etc/pam.d/system-auth
·         Comment out this line
password    requisite     pam_cracklib.so try_first_pass retry=3
and add these lines to replace it
# password complexity requirements
password    requisite     pam_passwdqc.so min=disabled,disabled,12,8,7 retry=3
·         In the “auth” section toward the top, add these lines
# lock out users after deny= failed attempts, for unlock_time= seconds
auth        required      pam_tally.so onerr=fail deny=5 unlock_time=21600
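The pam_radius.conf entries, the ordering rule for /etc/pam.d/sshd and the pam_tally line above are all easy to get subtly wrong, so here is an added example (not from the original post or from the pam_radius project) that lints all three from constructed copies: it validates the server/secret/timeout layout and the 600 mode of pam_radius.conf, confirms that pam_radius_auth.so is the first auth rule in the sshd PAM file, and checks that pam_tally's deny= is a bare number (a missing space before unlock_time= turns it into deny=5unlock_time=21600, which is not the lockout you meant). Paths and file contents are constructed; point the functions at /etc/pam_radius.conf, /etc/pam.d/sshd and /etc/pam.d/system-auth to use it for real.

```shell
#!/bin/sh
# Added example, not code from the original post or from pam_radius: a lint
# pass over the three PAM files the walkthrough edits. The inputs are
# constructed copies in a temp dir; on a real host pass /etc/pam_radius.conf,
# /etc/pam.d/sshd and /etc/pam.d/system-auth instead.

# pam_radius.conf: each active line is "server[:port]  secret  timeout".
# Prints the count of well-formed server lines; exits non-zero if any active
# line has the wrong field count or a non-numeric timeout.
check_pam_radius_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }
        NF != 3 || $3 !~ /^[0-9]+$/ { bad++; next }
        { good++ }
        END { print good + 0; exit (bad > 0) }
    ' "$1"
}

# The file holds shared secrets, so it must be owner-only (the chmod 600 above).
pam_radius_conf_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# /etc/pam.d/sshd: basename of the module on the first "auth" rule. This must be
# pam_radius_auth.so, otherwise the stock first rule answers before RADIUS is asked.
first_auth_module() {
    awk '$1 == "auth" { n = split($3, p, "/"); print p[n]; exit }' "$1"
}

# /etc/pam.d/system-auth: the value of pam_tally's deny= option, exactly as
# written. A missing space ("deny=5unlock_time=21600") shows up here verbatim.
pam_tally_deny_value() {
    awk '$1 == "auth" && $3 ~ /pam_tally/ {
        for (i = 4; i <= NF; i++)
            if ($i ~ /^deny=/) { sub(/^deny=/, "", $i); print $i; exit }
    }' "$1"
}

# Returns 0 if deny= is a bare integer, 1 otherwise.
pam_tally_deny_is_sane() {
    case "$(pam_tally_deny_value "$1")" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed inputs for a stand-alone run (removed again on exit).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf '# server  secret  timeout\n192.168.1.5  constructed-secret  5\n192.168.1.6  constructed-secret  5\n' > "$DEMO_DIR/pam_radius.conf"
chmod 600 "$DEMO_DIR/pam_radius.conf"
printf 'auth  sufficient  /lib64/security/pam_radius_auth.so debug client_id=linux\nauth  include  system-auth\n' > "$DEMO_DIR/sshd.good"
printf 'auth  include  system-auth\nauth  sufficient  /lib64/security/pam_radius_auth.so debug client_id=linux\n' > "$DEMO_DIR/sshd.bad"
printf 'auth  required  pam_tally.so onerr=fail deny=5 unlock_time=21600\n' > "$DEMO_DIR/system-auth.good"
printf 'auth  required  pam_tally.so onerr=fail deny=5unlock_time=21600\n' > "$DEMO_DIR/system-auth.bad"

echo "radius servers defined:        $(check_pam_radius_conf "$DEMO_DIR/pam_radius.conf")"
echo "first sshd auth module (good): $(first_auth_module "$DEMO_DIR/sshd.good")"
echo "first sshd auth module (bad):  $(first_auth_module "$DEMO_DIR/sshd.bad")"
echo "pam_tally deny= (bad file):    $(pam_tally_deny_value "$DEMO_DIR/system-auth.bad")"
```

Each function exits non-zero on a problem so the whole set can run from a configuration-management check or a cron job; the ordering test in particular catches the case the notes above warn about, where the stock first line of /etc/pam.d/sshd is left in place and RADIUS is never consulted.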
·         restart the sshd service
# service sshd restart
·         Test Radius Authentication
o   Make sure the user account is valid, you have to add the user account to linux before it will auth using pam.
o   Make sure the server IP is listed in the radius CLIENTS file.  If it’s a new server, chances are it has not yet been added.
o   Check /var/log/secure for failures.  If you see "PAM [error: /lib64/security/pam_radius_auth.so: cannot open shared object file", then that .so file is not installed.  It's easiest to copy the file from another server that is working, or you can google the rpm for pam_radius_auth.
·         If radius auth works, update the sshd_config file to forbid root login
# nano /etc/ssh/sshd_config
o   Uncomment the line PermitRootLogin no or change the value to no
o   Uncomment the line PermitEmptyPasswords no and make sure it is set to no
·         Save and exit.

·         Make sshd start on boot
# chkconfig --level 35 sshd on