Radius Access-Challenge and Apache
Hi all, I have developed a rlm_perl script for FreeRadius to provide an Access-Challenge response upon an initial successful login (i.e. enter username & password, receive access-challenge, then enter a code.) I'm having some trouble getting the an access-challenge "reply message" to display on a web browser. I'm not sure if I have something configured incorrectly, or If my expectations of what the apache module (mod-auth-radius) should be doing is wrong. According to the documentation from the mod_auth_radius README, when the module receives an "Access-Challenge" response: "...you'll see your username displayed, along with the RADIUS Reply-Message at the top of the authentication window." But I see no such reply-message in the browser. It just displays the same Authentication Realm message ("Radius Authentication Test") for each prompt (tested in Firefox.) I was expecting the reply-message (which is "Please Enter Code") to be displayed instead, is that possible? Upon examining the source code for the module, there appears to be code to handle this. Using Wireshark, it also appears that this message is not returned to the browser. Anyway, if the user enters the correct code at this point, they can reach the web page successfully, so the authentication side of things is not a problem. The server is Debian (squeeze) with freeradius (2.1.10+dfsg-2), apache (2.2.16-6+squeeze1) and libapache2-mod-auth-radius (1.5.8-1) The important portion of my apache configuration is below: # Radius Server Authentication AddRadiusAuth localhost:1812 testing123 5 AddRadiusCookieValid 5 # Test Radius Authentication <Directory /var/www/test/> Options Indexes FollowSymLinks MultiViews AuthType Basic AuthName "Radius Authentication Test" AuthBasicAuthoritative Off AuthBasicProvider radius AuthRadiusAuthoritative On AuthRadiusActive On Require valid-user </Directory> I have performed other tests using a Cisco VPN concentrator and Cisco's VPN client on Windows 7, this works great - the "Access-Challenge" response works (It returns the message "Please Enter Code".) On the command line, this also works using radtest, see below: # radtest user testing localhost 10 testing123 Sending Access-Request of id 150 to 127.0.0.1 port 1812 User-Name = "user" User-Password = "testing" NAS-IP-Address = 127.0.1.1 NAS-Port = 10 rad_recv: Access-Challenge packet from host 127.0.0.1 port 1812, id=150, length=50 Reply-Message = "Please Enter Code" State = 0x6368616c6c656e6765 Any assistance on this matter would be greatly appreciated! Regards, Daniel Abels
Daniel Abels wrote:
On the command line, this also works using radtest, see below:
So... run the server in debugging mode, and see what happens when you send it a packet from Apache. That information is useful. There's a *reason* we suggest using debugging mode. Alan DeKok.
Hi Alan, Thank you for your response. I've been having a lot of trouble reaching the mailing list, my responses are not getting through. Hopefully this one will! Below is the output from the debug mode: rad_recv: Access-Request packet from host 127.0.0.1 port 1026, id=60, length=83 User-Name = "dra" User-Password = "*****" Service-Type = Authenticate-Only NAS-Identifier = "debian-test-dra.vsl.com.au" NAS-IP-Address = 127.0.0.1 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 54 ++[files] returns ok rlm_perl: Authorize Function Called rlm_perl: Authorization for >127.0.0.1< was granted... rlm_perl: Added pair User-Name = dra rlm_perl: Added pair NAS-Identifier = debian-test-dra.vsl.com.au rlm_perl: Added pair User-Password = ***** rlm_perl: Added pair Service-Type = Authenticate-Only rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 rlm_perl: Added pair Auth-Type = Perl ++[perl] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = Perl # Executing group from file /etc/freeradius/sites-enabled/default +- entering group Perl {...} rlm_perl: Log Request Attributes Called rlm_perl: Request: >User-Name< = >dra< rlm_perl: Request: >User-Password< = >*****< rlm_perl: Request: >NAS-Identifier< = >debian-test-dra.vsl.com.au< rlm_perl: Request: >Service-Type< = >Authenticate-Only< rlm_perl: Request: >NAS-IP-Address< = >127.0.0.1< rlm_perl: Authenticate Function Called rlm_perl: User: >dra< Authenticated, now sending access-challenge rlm_perl: Log Reply Attributes Called rlm_perl: Reply: >Reply-Message< = >Please Enter Code< rlm_perl: Reply: >State< = >challenge< rlm_perl: Added pair User-Name = dra rlm_perl: Added pair User-Password = ***** rlm_perl: Added pair NAS-Identifier = debian-test-dra.vsl.com.au rlm_perl: Added pair Service-Type = Authenticate-Only rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 rlm_perl: Added pair Reply-Message = Please Enter Code rlm_perl: Added pair State = challenge rlm_perl: Added pair Response-Packet-Type = Access-Challenge rlm_perl: Added pair Auth-Type = Perl ++[perl] returns handled Sending Access-Challenge of id 60 to 127.0.0.1 port 1026 Reply-Message = "Please Enter Code" State = 0x6368616c6c656e6765 Finished request 6. Going to the next request Waking up in 4.9 seconds. Cleaning up request 6 ID 60 with timestamp +148 Ready to process requests. The output to the browser at this point looks like this: (Firefox 6.0, but I have tried IE 8.0 too) http://imageshack.us/photo/my-images/856/authenticationrequired2.png/ I turned-up the logging level for Apache too, the following is a complete successful login: [Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1185): Radius Auth for: debian-test-dra.vsl.com.au requests /test/ : file=/var/www/test/ [Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(762): Found Radius Cookie, now check if it's valid... [Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1191): Found cookie=8115747392e228c2f612d8fce9b384074e5c2035f36809adchallenge for user=dra : [Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1195): with RADIUS challenge state set.\n [Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(902): Sending packet on 127.0.0.1:1812 [Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1111): RADIUS server requested challenge for user dra [Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1232): RADIUS authentication for user=dra password=***** failed\n [Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1239): Sending failure message to user=dra\n [Tue Aug 30 09:25:04 2011] [error] [client 10.10.240.240] user dra: authentication failure for "/test/": Password Mismatch [Tue Aug 30 09:25:04 2011] [debug] mod_deflate.c(615): [client 10.10.240.240] Zlib: Compressed 482 to 324 : URL /test/ [Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1185): Radius Auth for: debian-test-dra.vsl.com.au requests /test/ : file=/var/www/test/ [Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(762): Found Radius Cookie, now check if it's valid... [Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1191): Found cookie=f94377b91a7b4e30ac0a3910ea54ec194e5c2048f36809adchallenge for user=dra : [Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1195): with RADIUS challenge state set.\n [Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(902): Sending packet on 127.0.0.1:1812 [Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1256): RADIUS Authentication for user=dra password=0000 OK. Cookie expiry in 5 minutes\n [Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1258): Adding cookie 393dda94ff105f4d6dad2c1a509a3a344e5c210a\n [Tue Aug 30 09:25:18 2011] [debug] mod_deflate.c(615): [client 10.10.240.240] Zlib: Compressed 130 to 108 : URL /test/index.html Any ideas? Thanks again, Daniel
Hi, I have done this ... But I still don't have any luck (please see my last message.) Could the problem be related to the version of radius auth for apache in the Debian repos perhaps? Daniel
-----Original Message----- From: freeradius-users-bounces+daniel.abels=leica- microsystems.com@lists.freeradius.org [mailto:freeradius-users- bounces+daniel.abels=leica-microsystems.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Monday, 29 August 2011 8:25 PM To: FreeRadius users mailing list Subject: Re: Radius Access-Challenge and Apache
Daniel Abels wrote:
On the command line, this also works using radtest, see below:
So... run the server in debugging mode, and see what happens when you send it a packet from Apache. That information is useful.
There's a *reason* we suggest using debugging mode.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Daniel Abels