mod_auth_radius not asking for username/password

Isaac Boukris iboukris at gmail.com
Mon Apr 11 09:32:46 CEST 2016


On Mon, Apr 11, 2016 at 10:04 AM, Süleyman Kuran <skuran at ayk.gov.tr> wrote:
> [root at localhost ~]# curl -v -k https://localhost/
...
> < HTTP/1.1 401 Unauthorized
> < Date: Mon, 11 Apr 2016 06:59:39 GMT
> < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16
> < WWW-Authenticate: Basic realm="Auth required"
> < Content-Length: 381
> < Content-Type: text/html; charset=iso-8859-1
...
> And the output to the second curl command is as follows:
>
> [root at localhost ~]# curl -v -k https://localhost/ -u bad_user:bad_pwd
...
> < HTTP/1.1 401 Unauthorized
> < Date: Mon, 11 Apr 2016 07:02:10 GMT
> < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16
> < Content-Length: 381
> < Content-Type: text/html; charset=iso-8859-1
...
> And I am not so sure this is a browser problem.


No, it's not a browser problem; as you can see, the server does not
send the 'WWW-Authenticate: Basic' header when trying wrong credentials
(Chrome probably just remembers).
Quote from RFC 2617:
"If the origin server does not wish to accept the credentials sent
with a request, it SHOULD return a 401 (Unauthorized) response. The
response MUST include a WWW-Authenticate header field containing at
least one (possibly new) challenge applicable to the requested
resource."

I'll try to take a look at the code.



More information about the Freeradius-Users mailing list
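
The check discussed in this thread, as an added example that is not part of the original message or of mod_auth_radius: a shell function that reads `curl -v` output and flags a 401 response that lacks the WWW-Authenticate challenge RFC 2617 requires. The function names are assumptions; the sample headers are taken from the two responses quoted above.

```shell
check_401_challenge() {
    # Reads curl -v output on stdin (response headers are prefixed "< ").
    # Returns 0: compliant, 1: 401 without challenge, 2: no status line.
    awk '
        { sub(/\r$/, "") }                      # strip CR from CRLF endings
        /^< HTTP\/[0-9.]+ [0-9]+/ {             # status line, last one wins
            status = $3; challenge = 0; seen = 1; next
        }
        /^< / {                                 # header names: any case
            line = tolower(substr($0, 3))
            if (index(line, "www-authenticate:") == 1) challenge = 1
        }
        END {
            if (!seen) exit 2
            if (status == "401" && !challenge) exit 1
            exit 0
        }
    '
}

# Headers from the thread: request sent without credentials.
no_credentials_response() {
    cat <<'EOF'
< HTTP/1.1 401 Unauthorized
< Date: Mon, 11 Apr 2016 06:59:39 GMT
< WWW-Authenticate: Basic realm="Auth required"
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1
EOF
}

# Headers from the thread: request sent with -u bad_user:bad_pwd.
bad_credentials_response() {
    cat <<'EOF'
< HTTP/1.1 401 Unauthorized
< Date: Mon, 11 Apr 2016 07:02:10 GMT
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1
EOF
}

for sample in no_credentials_response bad_credentials_response; do
    if "$sample" | check_401_challenge; then
        echo "$sample: OK"
    else
        echo "$sample: 401 without WWW-Authenticate challenge"
    fi
done
```

Against a live server, feed it the verbose output, which curl writes to stderr: `curl -sk -v -o /dev/null https://localhost/ -u bad_user:bad_pwd 2>&1 | check_401_challenge`.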