Using Radius authentication with Apache web server

-

The following will install radius authentication on your RHEL/CentOS apache web server.   You can use these instructions for different linux builds, you will just need to adjust by finding the correct folder locations and package names.  Also this is a 64-bit system, so for 32-bit change the package names from x86_64 to i386 or whatever YUM tells you is available.

This configuration assumes you already have a functioning web server.  If you don't please find a separate tutorial on apache web server for your OS.  You must have the radius server configured before attempting this configuration.   You need to add each user to that linux box beforehand (useradd).  This will replace htpasswd authentication, but will only work for users defined in the radius server and the local linux server.

To my knowledge, you cannot have both radius and htpasswd authentication running at the same time.  Also, applications that have their own authentication system outside of htpasswd (such as mysql) will not work with radius since they are checking their own database and not the radius server.   It's likely possible, but not included in this config.

Do this at your own risk.  If you screwed up your system because of these instructions, feel free to contact me so I can laugh at you.

  • install packages
    yum install httpd-devel.x86_64 apr-devel apr-util-devel apr.x86_64 apr-util-devel.x86_64
  • Go to http://www.outoforder.cc/projects/libs/apr_memcache/  and locate the latest download URL
  • Go to temp folder make a new temp folder
  • # mkdir /opt/mem
    # cd /opt/mem
  • Download the file
    # wget URLLOCATION
    Where URLLOCATION is the URL you located in the above step
  • Unzip the file
    # bunzip2 FILENAME
    # tar -xzvf     TARFILE
    Where FILENAME is the name of the file
  • Go to the folder
    # cd FOLDERNAME
    Where FOLDERNAME is the name of the folder created during unzip
  • # cd /opt/mem/FOLDERNAME
  • Run configure
    # ./configure --prefix=/etc/httpd --with-apr=/usr/bin/apr-1-config --with-apr-util=/usr/bin/apu-1-config
  • Make files
    # Make# Make install
  • Go to http://www.outoforder.cc/projects/apache/mod_auth_xradius/ and locate the latest mod_auth_xradius download
  • Go to temp folder make a new temp folder
    # mkdir /tmp/mod
    # cd /tmp/mod
  • Download the file
    # wget URLLOCATION
    Where URLLOCATION is the URL you located in the above step
  • Unzip the file
    # bunzip2 FILENAME
    # tar -xzvf     TARFILE
    Where FILENAME is the name of the file
  • Go to the folder
    # cd FOLDERNAME
    Where FOLDERNAME is the name of the folder created during unzip
  • If you are using MORE than one radius server, you will need to patch a file to allow this.  If you are only using one radius server, you can skip the patching. 
  • Create patch file
    # touch patch.txt
    # nano patch.txt
  • Copy this patch data into the editor and save the file.
@@ -125,15 +125,15 @@
     rctx = xrad_auth_open();

     /* Loop through the array of RADIUS Servers, adding them to the rctx object */
-    sr = (xrad_server_info *) dc->servers->elts;
     for (i = 0; i < dc->servers->nelts; ++i) {       
-        rc = xrad_add_server(rctx, sr[i].hostname, sr[i].port, sr[i].secret,
+        sr = &(((xrad_server_info*)dc->servers->elts)[i]);
+        rc = xrad_add_server(rctx, sr->hostname, sr->port, sr->secret,
                              dc->timeout, dc->maxtries);
         
         if (rc != 0) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                           "xradius: Failed to add server '%s:%d': (%d) %s",
-                          sr[i].hostname, sr[i].port, rc, xrad_strerror(rctx));
+                          sr->hostname, sr->port, rc, xrad_strerror(rctx));
             goto run_cleanup;
         }       
     }
@@ -294,7 +294,7 @@
     /* To properly use the Pools, this array is allocated from the here, instead of
         inside the directory configuration creation function. */
     if (dc->servers == NULL) {
-        dc->servers = apr_array_make(parms->pool, 4, sizeof(xrad_server_info*));
+        dc->servers = apr_array_make(parms->pool, 4, sizeof(xrad_server_info));
     }
     
     sr = apr_array_push(dc->servers);

  • Patch the file
    # patch -i patch.txt
  • When asked what file to patch, type in src/mod_auth_xradius.c
  • Now Run config
    # ./configure --with-apxs=/usr/sbin/apxs --with-apr-memcache=/etc/httpd/lib
  • Run make
    # make
    # make install
  • Edit config
    # nano /etc/httpd/conf/httpd.conf
  • Search for DocumentRoot "/var/www/html"
  • Paste the following text directly under DocumentRoot "/var/www/html" and save the file
  ## This Loads mod_auth_xradius into Apache
    LoadModule auth_xradius_module modules/mod_auth_xradius.so

    ## radius cache location
    AuthXRadiusCache dbm "conf/auth_xradius_cache"

    ## Cache timeout in seconds
    AuthXRadiusCacheTimeout 600
                Save and Exit the file.
  • Edit the main httpd conf file
    # nano /etc/httpd/conf/httpd.conf
  • Locate this text <Directory "/var/www/html">
    and add the following text directly underneath
        ## This is what the client sees in their Prompt.
        AuthName "Radius Authentication required"

        ## Type of authentication to use.
        AuthType basic
        AuthBasicProvider xradius

        ## Address and the Shared Secret of the RADIUS Server to contact.
        AuthXRadiusAddServer "192.168.1.1:1812" "RADIUSSECRET"
        AuthXRadiusAddServer "192.168.1.2:1812" "RADIUSSECRET"

        ## Time in Seconds to wait for replies from the RADIUS Servers
        AuthXRadiusTimeout 600 

        ## Number of times to resend a request to a server if no reply is received.
        AuthXRadiusRetries 3

        ## disallow blank passwords
        AuthXRadiusRejectBlank on

        ## This tells apache that we want a valid user and password.
        require valid-user
Where RADIUSSECRET is the shared radius secret password in the password safe.

Any folder/site/app you want to inherit web auth (radius) authentication must be a child folder of the html folder.  Anything outside the html folder will not inherit cached radius credentials and will not allow radius authentication.  Those folder will have to use standard web authentication.

If your radius server does not use port 1812, change the above accordingly.

  • Save and exit the editor.
  • Run ldconfig
    # ldconfig /usr/local/lib
  • Create cache file
    # touch /etc/httpd/conf/authxcache
    # chown apache:root /etc/httpd/conf/authxcache
  • Restart httpd
    # service httpd restart
  • Test radius auth by going to the homepage.  You may need to restart your browser.
    • If radius authentication is not working, check /var/log/httpd/ssl_error_log for errors.  If you see an error
      xradius: Failed to add server ':1812': (-1)
      Then your patch failed or you did not successfully patch the .c file.  You can refer to       http://iwl.com/blog/apache-radius for assistance. 
As a last resort, you can go back and edit httpd.conf and comment out one of the listed radius servers.  Without the patch, the module works fine as long as there is only one server defined.

Comments

  1. South Shore Data NetworksMarch 18, 2020 at 1:54 PM

    Hi - Attempting to follow your steps here and when i try to execute "patch -i patch.txt" i get a message "patch: **** Only garbage was found in the patch input."

    hoping maybe somebody can help.

    Would really like to get radius auth working for my Nagios implementation to work with it.

    ReplyDelete
    Replies
    1. №thingMarch 19, 2020 at 9:43 AM

      it should work without the patch. the patch is only needed if you intend to use multiple radius servers for redundancy. it worked at the time i wrote it but i cant speak to how newer OS builds are behaving.

      Delete

Post a Comment

Popular posts from this blog

Scion xB 2005 - Fuel Filter replacement DIY

-
Image
Warning: this is for educational purposes only.  Neither I nor anyone else on the planet is responsible for your stupid decisions and lack of thinking.  The information provided here is the best of my documenting ability and nothing more.  Like ANYTHING on the internet, it should not be considered as the full truth with no missing pieces.  If I leave anything out, it's your responsibility to find the rest of the puzzle.   ie, if you blow your car or yourself into a million pieces, it's YOUR fault. Note:  This took a lot more effort than I had anticipated even with the other DIY articles I found on this subject.  I personally will be paying someone to do it for me next time.  If you decide to take this on, I suggest you go ahead an replace the fuel pump while you are at it, as long as you have at least 60,000 miles on the toaster.  My pump died at 94k miles. Before you begin, make sure you have access to tools as you will need a wide range of them.  You will find out what s
Read more

Flashing Firmware to Creality CR-10 S5

-
Image
There are plenty of firmware flashing guides out there for CR-10 models, but not yet a lot for the CR-10 S5 model.  So I had to figure out how to flash the firmware based on what was available for other models. To  understand what is required, please refer to this video.  It has all of the major steps needed. This post is not meant as a full guide.  It's merely supplemental information that applies to the video below meant for the S5 model's of the CR-10 series.  https://www.youtube.com/watch?v=7J7NYnxL5vA So the basic idea is the CR-10's do NOT have a bootloader installed by default.  So in order to flash the firmware, you first have to burn the bootloader.  This can be done via an arduino because the CR-10's all use an arduino as their main processor. The CR-10 normally has a jumper to switch to USB power.  the S5 does not have this.  You can just disconnect the 120/240v power and plug in the USB cable and it will power the S5 board.   You wil need the boar
Read more

Using Radius authentication with SSH

-
The following will configure your linux-based SSH server to use a pre-defined radius server for authentication instead of plain password authentication.  You must configure the radius server before starting this configuration.  This is for Linux 64-bit bit but for 32-bit just change package names from .x86_64 to i686.: ·          Download install package (make sure the server can access the internet via port 80/443) # yum install freeradius  pam_radius.x86_64  pam_radius.x86_64  pam.x86_64  type y when it asks you if this is OK, hit ENTER ·          Edit the conf file # nano /etc/pam_radius.conf ·          Add the correct radius server info as follows 192.168.1.5        secret      5 192.168.1.6         secret      5 ·          Use CTRL-O to save the file and CTRL-X to exit. ·          Set file permissions # chmod 600 /etc/pam_radius.conf ·          edit the sshd_config file # nano /etc/ssh/sshd_c
Read more