I have created another test site an Ubuntu 14.04. The curl output for a failed login is as follows: curl -v -k http://hostname/ -u baduser:badpasswd * Hostname was NOT found in DNS cache * Trying test_ip... * Connected to hostname (public_ip) port 80 (#0) * Server auth using Basic with user 'baduser'
GET / HTTP/1.1 Authorization: Basic YmFkdXNlcjpiYWRwYXNzd2Q= User-Agent: curl/7.35.0 Host: hostname Accept: */*
< HTTP/1.1 401 Unauthorized < Date: Mon, 11 Apr 2016 07:48:48 GMT * Server Apache/2.4.7 (Ubuntu) is not blacklisted < Server: Apache/2.4.7 (Ubuntu) * Authentication problem. Ignoring this. < WWW-Authenticate: Basic realm="RADIUS authentication for localhost" < Content-Length: 381 < Content-Type: text/html; charset=iso-8859-1 < <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>401 Unauthorized</title> </head><body> <h1>Unauthorized</h1> <p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p> </body></html> * Connection #0 to host hostname left intact I see that WWW-Authenticate: header is sent after a failed login. This test site is not affected. This is also version mod_auth_radius 1.5.8. The only difference is binary module is installed using apt-get install. On Centos apxs fails, so I used this workaround http://stackoverflow.com/questions/26593494/radius-apache-web-server-on-cent... Might it be the culprit?
From: "Isaac Boukris" <iboukris@gmail.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Monday, 11 April, 2016 10:32:46 Subject: Re: mod_auth_radius not asking for username/password
On Mon, Apr 11, 2016 at 10:04 AM, Süleyman Kuran <skuran@ayk.gov.tr> wrote:
[root@localhost ~]# curl -v -k https://localhost/ ... < HTTP/1.1 401 Unauthorized < Date: Mon, 11 Apr 2016 06:59:39 GMT < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16 < WWW-Authenticate: Basic realm="Auth required" < Content-Length: 381 < Content-Type: text/html; charset=iso-8859-1 ... And the output to the second curl command is as follows:
[root@localhost ~]# curl -v -k https://localhost/ -u bad_user:bad_pwd ... < HTTP/1.1 401 Unauthorized < Date: Mon, 11 Apr 2016 07:02:10 GMT < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16 < Content-Length: 381 < Content-Type: text/html; charset=iso-8859-1 ... And I am not so sure, this is a browser problem.
No, it's not a browser problem, as you can see the server does not send 'WWW-Authenticate: Basic' header when trying wrong credentials (chrome probably just remembers). Quote from RFC 2617: "If the origin server does not wish to accept the credentials sent with a request, it SHOULD return a 401 (Unauthorized) response. The response MUST include a WWW-Authenticate header field containing at least one (possibly new) challenge applicable to the requested resource."
I'll try to take a look at the code.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html