RADIUS OTP auth with Apache
Hello, at the moment I'm facing the problem to implement a OTP (one time password) auth solution for Apache httpd. The webserver should act as a proxy for several internal sites (it runs Debian Stretch). The OTP software solution I use is LINOTP. Freeradius is my radius server (default package from Debian Jessie - runs on another host). I have no problem authentication on the command line. Using radtest everything works as expected. But I have problems with the Apache radius auth config. I tested several configurations. At the moment the configuration that runs best is the libapache2-mod-auth-radius variant (Stretch package). It works fine when connecting using an icognito browser tab. But if I use a standard browser tab everytime I close and reopen the browser the first auth attempt fails. Looking at the log I found that the auth cookie is not deleted when closing the browser. The docs state it should be deleted when the browser exits. So when the browser is restarted the first auth attempt is using the stale cookie information and fails. This is a bit unconvenient. I couldn't find an answer (but a similar unanswered question) for this problem when searching the mailing list. Here's my Apache config: <VirtualHost *:80> DocumentRoot /var/www/btw ProxyPass / http://<IP>/ ProxyPassReverse / http://<IP>/ LogLevel debug <Proxy *> Order allow,deny Allow from all </Proxy> AddRadiusAuth <IP>:1812 <SECRET> 5:3 AddRadiusCookieValid 5 <Location /> AuthType Basic AuthName "<A_NAME>" AuthBasicProvider radius AuthRadiusActive On AuthRadiusCookieValid 5 AuthRadiusAuthoritative on require valid-user </Location> </VirtualHost> I tried a different variant for the auth problem using PAM and the PAM radius module but only reached a situation that the first auth attempt works but each new request triggered a new login dialog box. So here are my questions: - Is there a solution for the cookie not getting deleted when using the libapache2-mod-auth-radius module? - Is there another way to auth against a radius server (or the linotp server) that works? At the moment I'm stuck so any help is appreciated. Thanks. Regards, Dieter
- Is there a solution for the cookie not getting deleted when using the libapache2-mod-auth-radius module?
This is a browser problem.
- Is there another way to auth against a radius server (or the linotp server) that works?
The problem is the browser and how it handles cookies (especially given that the 'incognito' mode shows it functions correctly. Sort the cookie problem out and the method of how you authenticate (with mod-auth-radius) becomes irrelevant? As such, this problem is better addressed in an Apache mailing list, not here. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Hello, thanks for your fast reply.
- Is there a solution for the cookie not getting deleted when using the libapache2-mod-auth-radius module? This is a browser problem.
I used all major Browsers for my tests (Chrome, Firefox, IE). So it's hard for me to imagine that the browser is the problem.
- Is there another way to auth against a radius server (or the linotp server) that works? The problem is the browser and how it handles cookies (especially given that the 'incognito' mode shows it functions correctly. Sort the cookie problem out and the method of how you authenticate (with mod-auth-radius) becomes irrelevant?
As such, this problem is better addressed in an Apache mailing list, not here.
I scanned the sourcecode of the radius auth module. The cookie and it's type is set by the module and you manipulate the validity time using module instructions (AuthRadiusCookieValid). So what should Apache do? Manipulate the cookie? Sorry, but it seems I do not completly understand your answer. Is there somone who is using an Apache/Radius configuration and is willing to share the Apache config? Regards, Dieter
Dieter: Here's the list of apache/two-factor authentication tutorials I have written: https://www.wikidsystems.com/support/how-to/keyword/apache/. It's been awhile, tbh. I remember having an issue with mod_auth_radius and switching to Mod_auth_xradius. IIRC, the issues with mod_auth_radius have been fixed, but I am not really sure of that. My issues were around session management, but a bit different than yours. Now mod_auth_xradius is a bit dated. Anyway, hope it helps in some way... nick On Wed, Apr 12, 2017 at 11:02 AM, Scholz, Dieter <rd-disc@gmx.net> wrote:
Hello,
thanks for your fast reply.
- Is there a solution for the cookie not getting deleted when using the libapache2-mod-auth-radius module?
This is a browser problem.
I used all major Browsers for my tests (Chrome, Firefox, IE). So it's hard for me to imagine that the browser is the problem.
- Is there another way to auth against a radius server (or the linotp server) that works?
The problem is the browser and how it handles cookies (especially given that the 'incognito' mode shows it functions correctly. Sort the cookie problem out and the method of how you authenticate (with mod-auth-radius) becomes irrelevant?
As such, this problem is better addressed in an Apache mailing list, not here.
I scanned the sourcecode of the radius auth module. The cookie and it's type is set by the module and you manipulate the validity time using module instructions (AuthRadiusCookieValid). So what should Apache do? Manipulate the cookie? Sorry, but it seems I do not completly understand your answer.
Is there somone who is using an Apache/Radius configuration and is willing to share the Apache config?
Regards, Dieter - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Nick Owen WiKID Systems, Inc http://www.wikidsystems.com On-premises Two-Factor Authentication
participants (3)
-
Nick Owen -
Scholz, Dieter -
Stefan Paetow