GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → FreeRADIUS → mod_auth_radius

FreeRADIUS / mod_auth_radius

Licence: other
The FreeRADIUS Apache module for RADIUS authentication

Programming Languages

c
50402 projects - #5 most used programming language
Makefile
30231 projects
HTML
75241 projects

Labels

clientapacheradius

Projects that are alternatives of or similar to mod auth radius

h2go
Apache H2 Go SQL Driver
Stars: ✭ 35 (+0%)
Mutual labels:  apache
ap-airflow
Astronomer Core Docker Images
Stars: ✭ 87 (+148.57%)
Mutual labels:  apache
apache-baseline
DevSec Apache Baseline - InSpec Profile
Stars: ✭ 37 (+5.71%)
Mutual labels:  apache
vhost-gen
Configurable vHost generator for Apache 2.2, Apache 2.4 and Nginx
Stars: ✭ 111 (+217.14%)
Mutual labels:  apache
reverse-proxy-php
在GAE php空间或者在国外apache php空间搭建反向代理
Stars: ✭ 51 (+45.71%)
Mutual labels:  apache
zeppelin
Apache Zeppelin with support for SQL Server
Stars: ✭ 17 (-51.43%)
Mutual labels:  apache
modules
Mesos modules examples and open source modules outside of the Apache Mesos source tree.
Stars: ✭ 26 (-25.71%)
Mutual labels:  apache
analog-ce
Analog CE
Stars: ✭ 14 (-60%)
Mutual labels:  apache
ansible-role-apache-php-fpm
Apache FastCGI support for PHP-FPM
Stars: ✭ 31 (-11.43%)
Mutual labels:  apache
semalt-blocker
⛔ Self-updating PHP library which blocks referral spam from ruining your website statistics
Stars: ✭ 67 (+91.43%)
Mutual labels:  apache
baikal-docker
Provides a ready-to-go Baikal server, incl. docker-compose.yml & Systemd service file
Stars: ✭ 85 (+142.86%)
Mutual labels:  apache
qpid-proton-j
Mirror of Apache Qpid Proton-J
Stars: ✭ 28 (-20%)
Mutual labels:  apache
Apache-Directory-Listing
A directory listing theme for Apache
Stars: ✭ 138 (+294.29%)
Mutual labels:  apache
hadoop-data-ingestion-tool
OLAP and ETL of Big Data
Stars: ✭ 17 (-51.43%)
Mutual labels:  apache
CarbonDataLearning
Apache CarbonData Learning
Stars: ✭ 52 (+48.57%)
Mutual labels:  apache
laravel-geoly
Perform fast and efficient radius searches on your Laravel Eloquent models.
Stars: ✭ 25 (-28.57%)
Mutual labels:  radius
qpid-jms
Mirror of Apache Qpid JMS
Stars: ✭ 60 (+71.43%)
Mutual labels:  apache
error-log-parser
Simple PHP library to parse Apache or Nginx error-log file entries for further usage.
Stars: ✭ 19 (-45.71%)
Mutual labels:  apache
docker base images
Vlad's Base Images for Docker
Stars: ✭ 61 (+74.29%)
Mutual labels:  apache
Apache
Docker container running Apache running on Ubuntu, Composer, Lavavel, TDD via Shippable & CircleCI
Stars: ✭ 15 (-57.14%)
Mutual labels:  apache
View All Similar Projects ➔

mod_auth_radius

0. Branch state

Build Status

1. Introduction

Everyone wants strong authentication over the web. For us, this means RADIUS.

Using static passwords & RADIUS authentication over HTTP is a BAD IDEA. Everyone can sniff the passwords, as they’re sent over the net in the clear. We suggest using HTTPS. RADIUS web authentication is a REALLY BAD IDEA if you use the same RADIUS server for web and NAS (dial-up) or firewall users. Then ANYONE can pretend to be you, and break through your firewall with minimal effort.

PLEASE use a different RADIUS server for web authentication and dial-up or firewall users! If you must use the same server, go for one-time passwords. They’re ever so much more secure.

Also, do NOT have your RADIUS server visible to the external world. Doing so makes all kinds of attacks possible.

2. Configuration

See the example httpd.conf in this directory for a detailed example of the configuration directives.

You must have at least one authentication method as authoritative. If they all return "DECLINED", you get a "server configuration error" message.

AddRadiusAuth configures the RADIUS server name (and optional port). You must also specify the shared secret, and tell the RADIUS server that the web host machine is a valid RADIUS client. The optional <seconds> field specifies how long Apache waits before giving up, and deciding that the RADIUS server is down. It then returns a "DENIED" error.

If you want, you can specify how long the returned cookies are valid. The time is in minutes, with the magic value of 0 meaning forever.

The per-dir configuration Cookie Valid time does NOT over-ride the server configuration. mod_auth_radius choose the most restrictive of the two to use. This way, a site administrator can say all cookies are valid forever, and then make some directories a bit more secure, by forcing re-authentication every hour.

If you want logging, use the standard Apache access log. A log message is generated ONLY when a user has authenticated, and their name & file accessed is put in the log file.

The per-dir AddRadiusCallingStationID configuration option will force the calling station ID string (only static strings) and include it in authentication requests, if used. If not used, the default behavior, using the client’s remote IP address will be applied.

3. How it works

The browser requests a page: http://www.example.com/index.html

Apache notes that the directory is access controlled, and sends a "Authorization Required".

The browser asks for a username & password, which it then sends to Apache, along with a request for the page again.

Apache calls mod_auth_radius, which notes that there is no RADIUS cookie in the request.

mod_auth_radius packages up the username/password into a RADIUS request, and sends it to the RADIUS server.

The RADIUS server does its magic, and decides yes/no for authentication.

If no, mod_auth_radius returns DENIED.

If yes, mod_auth_radius returns a cookie containing MD5’d public+private information.

The web browser uses this cookie on all subsequent requests, and mod_auth_radius verifies the cookie is valid, and doesn’t contact the RADIUS server again.

4. Some warnings

This works fine for static passwords (i.e. "user", "password"), but needs a bit more attention for one-time passwords. All of the browsers I’ve tested don’t use the cookie immediately if you’re accessing a directory as:

What’s hidden here is that the following files are checked for:

etc., all in sequence. This module does a stat, and returns "NOT FOUND" when anyone tries to access a file which doesn’t exist. However, it WILL authenticate for a file which does exists, but the browser may not use the returned cookie when accessing a different page.

The way to fix this is to point the browser at a specific page. i.e.

Which points to the page index.html (or similar). That file should contain text which says "connect to our secure site", where secure is a link to a specific page, not a directory. e.g.

If you do not add in index.html in the link, it won’t work properly.

This method ensures that users are only authenticated once for the secure pages, and not multiple times.

People using static passwords don’t need to do this, but if they don’t, they’ll notice that their RADIUS server is getting 1-4 hits for every web authentication request.

Some browsers (I.E.) have a problem with sending cookies on initial requests. If you have a file index.html which includes img/foo.gif in the same directory. The user authenticates, reads index.html (with the cookie in the request header), BUT on reading the gifs, the cookie is NOT included.

This problem can be avoided by EITHER putting the gifs in the same directory as the index.html file, or putting moving the entire tree down a node, and having a NEW index.html which points to ./moved/index.html This is ridiculously ugly, but it seems to work.

5. About the cookies

The cookies are valid for a specified time, or until the browser dies. mod_auth_radius will forcibly try to expire cookies that it thinks are too old. If your browser doesn’t expire the cookie, you’ll see an authorization required message over and over. You must then exit the browser, and re-load the web page.

6. Challenge-Response support

This module also supports the full RADIUS challenge-response mechanism. From the user’s perspective, on authenticatation, type in username & garbage (or NUL) password. Click <OK>, and you’ll get an authentication failure. This is fine, as mod_auth_radius has secretly set a cookie, and modified the Basic-Authentication-Realm.

When the authentication fails, click <OK> to continue, and you’ll get another username/password authentication window. This time, however, you’ll see your username displayed, along with the RADIUS Reply-Message at the top of the authentication window. This message usually includes a challenge.

Type in your username, and put the response to the challenge in the password field. Click <OK> again, and you should be authenticated.

The secret is that cookies are being magically set back and forth, and these cookies include the RADIUS state variable.

The challenge-response works on Netscape 3.x and 4.x, HotJava, but NOT on Internet Explorer. I.E. does not appear to follow the relevant RFCs properly.

7. Other

Any questions or comments can be sent to the FreeRADIUS users list http://freeradius.org/list/index.html.

Author: Alan DeKok <[email protected]>

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].