mod_auth_radius not asking for username/password
Hi there, I am on Centos 7 httpd 2.4 mod_auth_radius 1.5.8 My virtual host file is as follows: apache is not asking for username/password after 1 failed radius auth attempt. After 1 failed auth, Unauthorized page appears and if I refresh the page (F5) previous failed credentials are sent to the radius server without popping up a window asking for username/password. If login is OK the page is authorized. But if not, the user will have to wait for the popup window until the session is timed out. if apache is configured for basic auth with htpasswd file. It asks for the password after failed login as expected. Nothing is logged in apache error log. Is anybody having an idea about whats going on? <VirtualHost _default_:443> AddRadiusAuth freeradius_ip:1812 my_secret 5:3 AddRadiusCookieValid 60 <Location /> AuthType Basic AuthName "Please login" AuthBasicProvider radius AuthRadiusCookieValid 60 AuthRadiusActive On AuthRadiusAuthoritative on #AuthUserFile "/var/www/passwd" Require valid-user Order allow,deny Allow from all </Location> </VirtualHost>
On Apr 8, 2016, at 10:13 AM, Süleyman Kuran <skuran@ayk.gov.tr> wrote:
apache is not asking for username/password after 1 failed radius auth attempt. After 1 failed auth, Unauthorized page appears and if I refresh the page (F5) previous failed credentials are sent to the radius server without popping up a window asking for username/password. If login is OK the page is authorized. But if not, the user will have to wait for the popup window until the session is timed out.
There's not much I can say to that, unfortunately. It's *supposed* to work, but Apache changed their API so often that I just gave up trying to maintain the module.
if apache is configured for basic auth with htpasswd file. It asks for the password after failed login as expected.
Nothing is logged in apache error log.
Nothing useful is ever logged into the Apache error log. :(
Is anybody having an idea about whats going on?
My guess is that the web browser isn't deleting the bad name / password like it's supposed to. Does it work with another browser? Alan DeKok.
From: "Alan DeKok" <aland@deployingradius.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Friday, April 8, 2016 6:13:49 PM Subject: Re: mod_auth_radius not asking for username/password
On Apr 8, 2016, at 10:13 AM, Süleyman Kuran <skuran@ayk.gov.tr> wrote:
apache is not asking for username/password after 1 failed radius auth attempt. After 1 failed auth, Unauthorized page appears and if I refresh the page (F5) previous failed credentials are sent to the radius server without popping up a window asking for username/password. If login is OK the page is authorized. But if not, the user will have to wait for the popup window until the session is timed out.
There's not much I can say to that, unfortunately. It's *supposed* to work, but Apache changed their API so often that I just gave up trying to maintain the module.
if apache is configured for basic auth with htpasswd file. It asks for the password after failed login as expected.
Nothing is logged in apache error log.
Nothing useful is ever logged into the Apache error log. :(
Is anybody having an idea about whats going on?
My guess is that the web browser isn't deleting the bad name / password like it's supposed to.
Does it work with another browser?
Interestingly, this behaviour is not experienced using Google Chrome, but Firefox and Internet Explorer do have the problem.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Apr 8, 2016 at 5:13 PM, Süleyman Kuran <skuran@ayk.gov.tr> wrote:
Hi there,
I am on Centos 7 httpd 2.4 mod_auth_radius 1.5.8 My virtual host file is as follows:
apache is not asking for username/password after 1 failed radius auth attempt. After 1 failed auth, Unauthorized page appears and if I refresh the page (F5) previous failed credentials are sent to the radius server without popping up a window asking for username/password. If login is OK the page is authorized. But if not, the user will have to wait for the popup window until the session is timed out.
if apache is configured for basic auth with htpasswd file. It asks for the password after failed login as expected.
It would be interesting to see the outputs of: # curl -v -k https://localhost/ # curl -v -k https://localhost/ -u bad_user:bad_pwd
On 09-04-2016 18:24, Isaac Boukris wrote: > On Fri, Apr 8, 2016 at 5:13 PM, Süleyman Kuran <skuran@ayk.gov.tr> wrote: >> Hi there, >> >> I am on Centos 7 >> httpd 2.4 >> mod_auth_radius 1.5.8 >> My virtual host file is as follows: >> >> apache is not asking for username/password after 1 failed radius auth >> attempt. After 1 failed auth, Unauthorized page appears and if I refresh >> the page (F5) previous failed credentials are sent to the radius server >> without popping up a window asking for username/password. If login is OK >> the page is authorized. But if not, the user will have to wait for the >> popup window until the session is timed out. >> >> if apache is configured for basic auth with htpasswd file. It asks for >> the password after failed login as expected. > It would be interesting to see the outputs of: > # curl -v -k https://localhost/ > # curl -v -k https://localhost/ -u bad_user:bad_pwd [root@localhost ~]# curl -v -k https://localhost/ * About to connect() to localhost port 443 (#0) * Trying ::1... * Connected to localhost (::1) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * skipping SSL peer certificate verification * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 * Server certificate: * subject: E=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- * start date: Nis 07 08:44:34 2016 GMT * expire date: Nis 07 08:44:34 2017 GMT * common name: localhost.localdomain * issuer: E=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- > GET / HTTP/1.1 > User-Agent: curl/7.29.0 > Host: localhost > Accept: */* > < HTTP/1.1 401 Unauthorized < Date: Mon, 11 Apr 2016 06:59:39 GMT < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16 < WWW-Authenticate: Basic realm="Auth required" < Content-Length: 381 < Content-Type: text/html; charset=iso-8859-1 < <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>401 Unauthorized</title> </head><body> <h1>Unauthorized</h1> <p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p> </body></html> * Connection #0 to host localhost left intact And the output to the second curl command is as follows: [root@localhost ~]# curl -v -k https://localhost/ -u bad_user:bad_pwd * About to connect() to localhost port 443 (#0) * Trying ::1... * Connected to localhost (::1) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * skipping SSL peer certificate verification * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 * Server certificate: * subject: E=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- * start date: Nis 07 08:44:34 2016 GMT * expire date: Nis 07 08:44:34 2017 GMT * common name: localhost.localdomain * issuer: E=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- * Server auth using Basic with user 'bad_user' > GET / HTTP/1.1 > Authorization: Basic YmFkX3VzZXI6YmFkX3B3ZA== > User-Agent: curl/7.29.0 > Host: localhost > Accept: */* > < HTTP/1.1 401 Unauthorized < Date: Mon, 11 Apr 2016 07:02:10 GMT < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16 < Content-Length: 381 < Content-Type: text/html; charset=iso-8859-1 < <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>401 Unauthorized</title> </head><body> <h1>Unauthorized</h1> <p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p> </body></html> * Connection #0 to host localhost left intact And I am not so sure, this is a browser problem. Thank you. > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mon, Apr 11, 2016 at 10:04 AM, Süleyman Kuran <skuran@ayk.gov.tr> wrote:
[root@localhost ~]# curl -v -k https://localhost/ ... < HTTP/1.1 401 Unauthorized < Date: Mon, 11 Apr 2016 06:59:39 GMT < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16 < WWW-Authenticate: Basic realm="Auth required" < Content-Length: 381 < Content-Type: text/html; charset=iso-8859-1 ... And the output to the second curl command is as follows:
[root@localhost ~]# curl -v -k https://localhost/ -u bad_user:bad_pwd ... < HTTP/1.1 401 Unauthorized < Date: Mon, 11 Apr 2016 07:02:10 GMT < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16 < Content-Length: 381 < Content-Type: text/html; charset=iso-8859-1 ... And I am not so sure, this is a browser problem.
No, it's not a browser problem, as you can see the server does not send 'WWW-Authenticate: Basic' header when trying wrong credentials (chrome probably just remembers). Quote from RFC 2617: "If the origin server does not wish to accept the credentials sent with a request, it SHOULD return a 401 (Unauthorized) response. The response MUST include a WWW-Authenticate header field containing at least one (possibly new) challenge applicable to the requested resource." I'll try to take a look at the code.
I have created another test site an Ubuntu 14.04. The curl output for a failed login is as follows: curl -v -k http://hostname/ -u baduser:badpasswd * Hostname was NOT found in DNS cache * Trying test_ip... * Connected to hostname (public_ip) port 80 (#0) * Server auth using Basic with user 'baduser'
GET / HTTP/1.1 Authorization: Basic YmFkdXNlcjpiYWRwYXNzd2Q= User-Agent: curl/7.35.0 Host: hostname Accept: */*
< HTTP/1.1 401 Unauthorized < Date: Mon, 11 Apr 2016 07:48:48 GMT * Server Apache/2.4.7 (Ubuntu) is not blacklisted < Server: Apache/2.4.7 (Ubuntu) * Authentication problem. Ignoring this. < WWW-Authenticate: Basic realm="RADIUS authentication for localhost" < Content-Length: 381 < Content-Type: text/html; charset=iso-8859-1 < <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>401 Unauthorized</title> </head><body> <h1>Unauthorized</h1> <p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p> </body></html> * Connection #0 to host hostname left intact I see that WWW-Authenticate: header is sent after a failed login. This test site is not affected. This is also version mod_auth_radius 1.5.8. The only difference is binary module is installed using apt-get install. On Centos apxs fails, so I used this workaround http://stackoverflow.com/questions/26593494/radius-apache-web-server-on-cent... Might it be the culprit?
From: "Isaac Boukris" <iboukris@gmail.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Monday, 11 April, 2016 10:32:46 Subject: Re: mod_auth_radius not asking for username/password
On Mon, Apr 11, 2016 at 10:04 AM, Süleyman Kuran <skuran@ayk.gov.tr> wrote:
[root@localhost ~]# curl -v -k https://localhost/ ... < HTTP/1.1 401 Unauthorized < Date: Mon, 11 Apr 2016 06:59:39 GMT < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16 < WWW-Authenticate: Basic realm="Auth required" < Content-Length: 381 < Content-Type: text/html; charset=iso-8859-1 ... And the output to the second curl command is as follows:
[root@localhost ~]# curl -v -k https://localhost/ -u bad_user:bad_pwd ... < HTTP/1.1 401 Unauthorized < Date: Mon, 11 Apr 2016 07:02:10 GMT < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16 < Content-Length: 381 < Content-Type: text/html; charset=iso-8859-1 ... And I am not so sure, this is a browser problem.
No, it's not a browser problem, as you can see the server does not send 'WWW-Authenticate: Basic' header when trying wrong credentials (chrome probably just remembers). Quote from RFC 2617: "If the origin server does not wish to accept the credentials sent with a request, it SHOULD return a 401 (Unauthorized) response. The response MUST include a WWW-Authenticate header field containing at least one (possibly new) challenge applicable to the requested resource."
I'll try to take a look at the code.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mon, Apr 11, 2016 at 10:58 AM, Süleyman Kuran <skuran@ayk.gov.tr> wrote:
I see that WWW-Authenticate: header is sent after a failed login. This test site is not affected. This is also version mod_auth_radius 1.5.8. The only difference is binary module is installed using apt-get install. On Centos apxs fails, so I used this workaround http://stackoverflow.com/questions/26593494/radius-apache-web-server-on-cent...
Might it be the culprit?
Maybe try latest version: https://github.com/FreeRADIUS/mod_auth_radius/releases
The latest version can be installed on Centos 7 with apxs perfectly without errors, but the auth problem persists.
From: "Isaac Boukris" <iboukris@gmail.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Monday, 11 April, 2016 18:26:44 Subject: Re: mod_auth_radius not asking for username/password
On Mon, Apr 11, 2016 at 10:58 AM, Süleyman Kuran <skuran@ayk.gov.tr> wrote:
I see that WWW-Authenticate: header is sent after a failed login. This test site is not affected. This is also version mod_auth_radius 1.5.8. The only difference is binary module is installed using apt-get install. On Centos apxs fails, so I used this workaround http://stackoverflow.com/questions/26593494/radius-apache-web-server-on-cent...
Might it be the culprit?
Maybe try latest version: https://github.com/FreeRADIUS/mod_auth_radius/releases
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Apr 15, 2016 at 11:51 AM, Süleyman Kuran <skuran@ayk.gov.tr> wrote:
The latest version can be installed on Centos 7 with apxs perfectly without errors, but the auth problem persists.
Can you try to apply this patch: https://github.com/frenche/mod_auth_radius/commit/ffa360599689e5a9bb06ed8901...
You're the one. "Authentication required" window pops up after a failed login as expected. Thank you.
From: "Isaac Boukris" <iboukris@gmail.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Friday, 15 April, 2016 15:52:10 Subject: Re: mod_auth_radius not asking for username/password
On Fri, Apr 15, 2016 at 11:51 AM, Süleyman Kuran <skuran@ayk.gov.tr> wrote:
The latest version can be installed on Centos 7 with apxs perfectly without errors, but the auth problem persists.
Can you try to apply this patch: https://github.com/frenche/mod_auth_radius/commit/ffa360599689e5a9bb06ed8901...
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Apr 15, 2016 at 5:31 PM, Süleyman Kuran <skuran@ayk.gov.tr> wrote:
You're the one. "Authentication required" window pops up after a failed login as expected.
Cool, I've submited a PR: https://github.com/FreeRADIUS/mod_auth_radius/pull/34
On Apr 16, 2016, at 4:30 AM, Isaac Boukris <iboukris@gmail.com> wrote:
On Fri, Apr 15, 2016 at 5:31 PM, Süleyman Kuran <skuran@ayk.gov.tr> wrote:
You're the one. "Authentication required" window pops up after a failed login as expected.
Cool, I've submited a PR: https://github.com/FreeRADIUS/mod_auth_radius/pull/34
Merged, thanks. Alan DeKok.
participants (3)
-
Alan DeKok -
Isaac Boukris -
Süleyman Kuran