Monday, September 30, 2013

Using Radius authentication with Apache web server


The following installs RADIUS authentication (mod_auth_xradius) on a RHEL/CentOS Apache web server.  You can use these instructions for other Linux distributions; you will just need to adjust the folder locations and package names.  This is also a 64-bit system, so for 32-bit change the package suffix from x86_64 to i386 or whatever YUM tells you is available.

This configuration assumes you already have a functioning web server.  If you don't, please find a separate tutorial on the Apache web server for your OS.  You must have the RADIUS server configured, with this web server registered on it as a client (by IP address and shared secret), before attempting this configuration.  You need to add each user to that Linux box beforehand (useradd).  This will replace htpasswd authentication, but will only work for users defined in the RADIUS server and on the local Linux server.

To my knowledge, you cannot have both RADIUS and htpasswd authentication running at the same time.  Also, applications that have their own authentication system outside of htpasswd (such as MySQL) will not work with RADIUS, since they check their own database and not the RADIUS server.  It's likely possible, but not included in this config.

Do this at your own risk.  If you screwed up your system because of these instructions, feel free to contact me so I can laugh at you.

  • Install the build dependencies (gcc, make and patch are needed for the compile and patch steps below, if not already present)
    yum install httpd-devel.x86_64 apr-devel.x86_64 apr-util-devel.x86_64 gcc make patch
  • Go to http://www.outoforder.cc/projects/libs/apr_memcache/  and locate the latest download URL
  • Make a temporary build folder and go to it
    # mkdir /opt/mem
    # cd /opt/mem
  • Download the file
    # wget URLLOCATION
    Where URLLOCATION is the URL you located in the above step
  • Extract the archive (the download is a .tar.bz2, so one tar call with -j replaces bunzip2 followed by tar; tar -z would fail on a bzip2 file)
    # tar -xjvf FILENAME
    Where FILENAME is the name of the file you downloaded
  • Go to the folder created by the extraction
    # cd /opt/mem/FOLDERNAME
    Where FOLDERNAME is the name of the folder created during extraction
  • Run configure
    # ./configure --prefix=/etc/httpd --with-apr=/usr/bin/apr-1-config --with-apr-util=/usr/bin/apu-1-config
  • Build and install (this puts the apr_memcache library under /etc/httpd/lib, which the mod_auth_xradius configure step below points at)
    # make
    # make install
  • Go to http://www.outoforder.cc/projects/apache/mod_auth_xradius/ and locate the latest mod_auth_xradius download
  • Make a temporary build folder and go to it
    # mkdir /tmp/mod
    # cd /tmp/mod
  • Download the file
    # wget URLLOCATION
    Where URLLOCATION is the URL you located in the above step
  • Extract the archive (again a .tar.bz2, so a single tar -j call)
    # tar -xjvf FILENAME
    Where FILENAME is the name of the file you downloaded
  • Go to the folder created by the extraction
    # cd /tmp/mod/FOLDERNAME
    Where FOLDERNAME is the name of the folder created during extraction
  • If you are using MORE than one RADIUS server, you will need to patch a file to allow this: the stock module mis-sizes its server list, so the second server comes through with an empty hostname.  If you are only using one RADIUS server, you can skip the patching.
  • Create the patch file
    # touch patch.txt
    # nano patch.txt
  • Copy this patch data into the editor exactly as shown (including the leading spaces and the +, - and @@ lines) and save the file.
@@ -125,15 +125,15 @@
     rctx = xrad_auth_open();

     /* Loop through the array of RADIUS Servers, adding them to the rctx object */
-    sr = (xrad_server_info *) dc->servers->elts;
     for (i = 0; i < dc->servers->nelts; ++i) {       
-        rc = xrad_add_server(rctx, sr[i].hostname, sr[i].port, sr[i].secret,
+        sr = &(((xrad_server_info*)dc->servers->elts)[i]);
+        rc = xrad_add_server(rctx, sr->hostname, sr->port, sr->secret,
                              dc->timeout, dc->maxtries);
         
         if (rc != 0) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                           "xradius: Failed to add server '%s:%d': (%d) %s",
-                          sr[i].hostname, sr[i].port, rc, xrad_strerror(rctx));
+                          sr->hostname, sr->port, rc, xrad_strerror(rctx));
             goto run_cleanup;
         }       
     }
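Review bot: Once the element size is corrected in the second hunk, the removed `sr = (xrad_server_info *) dc->servers->elts;` together with `sr[i].hostname` already walks the array with the right stride, so re-deriving `sr = &(((xrad_server_info*)dc->servers->elts)[i]);` inside the loop changes readability, not behaviour; keep it if you like, but the patch description should say that the only functional change is the `sizeof` in the later hunk, otherwise a reader will assume this loop was the bug. Separately, the patch carries no `---`/`+++` file header before the first `@@`, which is why `patch -i` has to prompt for the target file; adding `--- a/src/mod_auth_xradius.c` and `+++ b/src/mod_auth_xradius.c` lines at the top would let it apply unattended with `patch -p1`.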
@@ -294,7 +294,7 @@
     /* To properly use the Pools, this array is allocated from the here, instead of
         inside the directory configuration creation function. */
     if (dc->servers == NULL) {
-        dc->servers = apr_array_make(parms->pool, 4, sizeof(xrad_server_info*));
+        dc->servers = apr_array_make(parms->pool, 4, sizeof(xrad_server_info));
     }
     
     sr = apr_array_push(dc->servers);
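Review bot: This one-token change is the actual fix and deserves a comment in the code: `apr_array_push` returns a slot whose size is the element size passed to `apr_array_make`, so with `sizeof(xrad_server_info*)` the caller received a pointer-sized slot but then stored a whole `xrad_server_info` (hostname, port, secret) through `sr`, overrunning into the following elements. That matches the symptom reported in the post of one server working and the second coming back as `':1812'` with no hostname. Suggest a comment such as `/* array of xrad_server_info structs by value, not pointers */` on the `apr_array_make` line so the `*` is not reintroduced later.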

  • Patch the file (naming the target on the command line avoids the "File to patch:" prompt)
    # patch src/mod_auth_xradius.c patch.txt
    If you run # patch -i patch.txt instead, type src/mod_auth_xradius.c when asked which file to patch.
  • Now run configure, pointing it at the apr_memcache library installed above
    # ./configure --with-apxs=/usr/sbin/apxs --with-apr-memcache=/etc/httpd/lib
  • Run make
    # make
    # make install
  • Edit the Apache config
    # nano /etc/httpd/conf/httpd.conf
  • Search for DocumentRoot "/var/www/html"
  • Paste the following text directly under DocumentRoot "/var/www/html" and save the file
    ## This loads mod_auth_xradius into Apache
    LoadModule auth_xradius_module modules/mod_auth_xradius.so

    ## RADIUS cache location, relative to ServerRoot (so /etc/httpd/conf/authxcache);
    ## this must match the file you create and chown below
    AuthXRadiusCache dbm "conf/authxcache"

    ## Cache timeout in seconds: how long a successful login is reused
    ## before the RADIUS server is asked again
    AuthXRadiusCacheTimeout 600
    Save and exit the file.
  • Open the main httpd.conf again
    # nano /etc/httpd/conf/httpd.conf
  • Locate this text <Directory "/var/www/html">
    and add the following text directly underneath
        ## This is what the client sees in their prompt.
        AuthName "Radius Authentication required"

        ## Type of authentication to use: HTTP Basic, with xradius as the provider.
        ## Basic sends the password on every request, so serve this over HTTPS.
        AuthType Basic
        AuthBasicProvider xradius

        ## Address and the shared secret of each RADIUS server to contact
        ## (two or more servers require the patch applied above).
        AuthXRadiusAddServer "192.168.1.1:1812" "RADIUSSECRET"
        AuthXRadiusAddServer "192.168.1.2:1812" "RADIUSSECRET"

        ## Time in seconds to wait for a reply from a RADIUS server.  Keep this
        ## small: an unreachable server stalls every login for timeout x retries.
        AuthXRadiusTimeout 5

        ## Number of times to resend a request to a server if no reply is received.
        AuthXRadiusRetries 3

        ## Disallow blank passwords.
        AuthXRadiusRejectBlank on

        ## This tells Apache that we want a valid user and password.
        Require valid-user
Where RADIUSSECRET is the shared RADIUS secret from your password safe; the same secret must be registered for this web server's IP address on each RADIUS server listed.

These Auth* directives sit inside <Directory "/var/www/html">, so any folder/site/app you want protected by RADIUS must be a child folder of the html folder.  Anything outside the html folder gets none of these directives, so it will neither use the RADIUS cache nor accept RADIUS logins; to protect another location, repeat the same block in its own <Directory> or <Location> section, otherwise it keeps standard web authentication.

If your RADIUS server does not use port 1812, change the above accordingly.  A RADIUS timeout of a few seconds is enough; a large value multiplied by AuthXRadiusRetries stalls every login while a server is unreachable.

  • Save and exit the editor.
  • Run ldconfig so the dynamic loader finds the freshly installed libraries
    # ldconfig /usr/local/lib
    If httpd later refuses to start because mod_auth_xradius.so cannot find the apr_memcache shared library, run ldconfig against the prefix used for apr_memcache above instead (/etc/httpd/lib).
  • Create the cache file named in the AuthXRadiusCache directive (relative to ServerRoot, /etc/httpd) and make it private to the apache user, since it stores recently successful logins
    # touch /etc/httpd/conf/authxcache
    # chown apache:root /etc/httpd/conf/authxcache
    # chmod 600 /etc/httpd/conf/authxcache
    Depending on the DBM backend apr-util was built with, the module may instead create files with a suffix (.db, or .dir/.pag) next to this name; in that case the apache user needs write access to that directory rather than to a pre-created file.
  • Check the configuration and restart httpd
    # apachectl configtest
    # service httpd restart
  • Test RADIUS auth by going to the homepage: you should get a Basic auth prompt titled "Radius Authentication required", a valid RADIUS user should get in, and a wrong password should be rejected.  You may need to restart your browser so it drops credentials cached from the old htpasswd setup.
    • If RADIUS authentication is not working, check /var/log/httpd/error_log (or ssl_error_log if the site is served from the SSL virtual host) for errors.  If you see the error
      xradius: Failed to add server ':1812': (-1)
      then the patch was not applied to src/mod_auth_xradius.c before the module was built.  You can refer to
      http://iwl.com/blog/apache-radius for assistance.
As a last resort, you can go back and edit httpd.conf and comment out one of the listed RADIUS servers.  Without the patch, the module works fine as long as there is only one server defined.
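The shell script below is an added example, not part of the original post and not part of mod_auth_xradius: it checks, before you restart httpd, for the three mistakes this procedure invites: two or more AuthXRadiusAddServer lines while src/mod_auth_xradius.c is still unpatched, an oversized AuthXRadiusTimeout, and an AuthXRadiusCache path that does not match the file you created and chowned.  The function names, the /etc/httpd default for ServerRoot and the curl-based smoke test are assumptions of the example; the module source is inspected as plain text.

```shell
#!/bin/bash
# Added example (not from the original post): pre-flight checks for the
# mod_auth_xradius build and httpd.conf fragment described above.  Paths
# follow the post (ServerRoot /etc/httpd); adjust them for your layout.
# Run after "make install" and before "service httpd restart".
set -u

# Return 0 when the multi-server fix is present in the module source: the
# server array must be allocated with sizeof(xrad_server_info), not with
# sizeof(xrad_server_info*).  This is a plain text check of the .c file.
xradius_patch_applied() {
    local src="$1"
    if grep -q 'sizeof(xrad_server_info\*)' "$src"; then
        return 1    # pointer-sized elements: the unpatched allocation
    fi
    grep -q 'apr_array_make(.*sizeof(xrad_server_info))' "$src"
}

# Number of active (uncommented) AuthXRadiusAddServer directives.
xradius_server_count() {
    grep -Ec '^[[:space:]]*AuthXRadiusAddServer[[:space:]]' "$1" || true
}

# The AuthXRadiusCache dbm path, made absolute against ServerRoot (read from
# the config, defaulting to /etc/httpd as in the post).
xradius_cache_path() {
    local conf="$1" root path
    root=$(awk '$1=="ServerRoot" {gsub(/"/,"",$2); print $2; exit}' "$conf")
    path=$(awk '$1=="AuthXRadiusCache" && $2=="dbm" {gsub(/"/,"",$3); print $3; exit}' "$conf")
    [ -n "$path" ] || return 1
    case "$path" in
        /*) echo "$path" ;;
        *)  echo "${root:-/etc/httpd}/$path" ;;
    esac
}

# Check the config for the mistakes this procedure is prone to.  Prints one
# line per finding and returns the number of findings (0 = consistent).
#   $1 httpd.conf, $2 path to src/mod_auth_xradius.c (optional),
#   $3 the cache file you created with touch/chown (optional)
xradius_check_conf() {
    local conf="$1" src="${2:-}" created="${3:-}"
    local findings=0 n timeout cache
    n=$(xradius_server_count "$conf")
    if [ "$n" -gt 1 ] && [ -n "$src" ] && ! xradius_patch_applied "$src"; then
        echo "FAIL: $n RADIUS servers configured but $src lacks the multi-server patch"
        findings=$((findings + 1))
    fi
    timeout=$(awk '$1=="AuthXRadiusTimeout" {print $2; exit}' "$conf")
    if [ -n "$timeout" ] && [ "$timeout" -gt 30 ]; then
        echo "WARN: AuthXRadiusTimeout ${timeout}s is very long; an unreachable server stalls each login for timeout x retries"
        findings=$((findings + 1))
    fi
    cache=$(xradius_cache_path "$conf") || cache=""
    if [ -z "$cache" ]; then
        echo "FAIL: no 'AuthXRadiusCache dbm' directive found"
        findings=$((findings + 1))
    elif [ -n "$created" ] && [ "$created" != "$cache" ]; then
        echo "FAIL: cache directive resolves to $cache but you created $created"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Live smoke test once httpd and the RADIUS server are up: anonymous access
# must get 401 and a valid RADIUS user must get 200.  Not run by the checks above.
xradius_smoke_test() {
    local url="$1" user="$2" pass="$3" anon authed
    anon=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    authed=$(curl -s -o /dev/null -w '%{http_code}' -u "$user:$pass" "$url")
    echo "anonymous=$anon authenticated=$authed"
    [ "$anon" = 401 ] && [ "$authed" = 200 ]
}

# Usage against the real files (uncomment after the build):
# xradius_check_conf /etc/httpd/conf/httpd.conf /tmp/mod/FOLDERNAME/src/mod_auth_xradius.c /etc/httpd/conf/authxcache
# xradius_smoke_test https://localhost/ someuser 'their-radius-password'
```

Run the config check with all three arguments; a non-zero exit is the number of problems found, and the cache-path comparison is the one that catches a directive naming one file while touch/chown created another.  The smoke test needs the RADIUS server reachable and a real account, so it is left for you to call by hand.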
