mod_radius, apache2 and the auth cookie.

Palmer J.D.F. J.D.F.Palmer at
Thu Jul 28 11:28:13 CEST 2005

Hi Alan,

> "Palmer J.D.F." <J.D.F.Palmer at> wrote:
> > Is it possible to set the timeout for the auth cookie used by the
> > mod_radius authentication module to 0; by Zero I mean no time, not
> > infinite time?
>   You mean re-authenticate for every request?  That would require
> source code changes.

Effectively yes, see the description of what I'm trying to do below.

> > Or, is there a way that I can clear the cookie on a failed login?
>   The module doesn't set the cookie on a failed login, so there
> shouldn't be any problem.

If I get a failed login and then try to log in again, it just uses cached
credentials and doesn't prompt for details; if I close and re-open the
browser, it does then allow me to enter details.
I guess it may not be a cookie if one isn't set, but the credentials are
being cached somewhere.

> > At present, if a user login fails the user has to close the browser and
> > open another in order to be able to re-enter their credentials, I want to
> > try to get round this if possible.
>   I don't see why that would happen.  The module was designed, and
> tested to work properly in that situation.
>   Can you explain more about what you're doing, how, and what browser
> you're using?

So far this has only been tested with IE on a patched up but otherwise std
XP machine.

The reason for the authentication is to log into a web-redirect gateway.
An iptables rule redirects any unauthenticated IP/MAC pairs to the login
page; on a successful login the page (a PHP page which resides in a
protected folder) adds some iptables rules to allow that particular client
(IP/MAC pair) through the gateway.
This is why it doesn't matter that there is an instant timeout, as the
client will not need to access the page again until his/her connection times
out and the 'allowing' iptables rules are removed.  The removal of stale
connections is handled with a cron job script that compares iptables entries
to the arp table on the internal interface; if there are iptables rules for
an IP/MAC pair, but no arp entry for them then the iptables rules are
Quite crude, but it works.

In summary, I have index.php that users are redirected to; this page
contains a 'Log In' link to a page in a protected folder, /gateway/go.php.
When they click the link they are challenged for credentials; if they are
correct then /gateway/go.php loads, setting some iptables rules; if it fails
then we are currently loading a page called failed.php that explains to the
user that they need to shut down the browser and open a new one and try

An aside to this, is it possible to have a couple of text boxes on the login
page where the user/pass are entered which are then sent to mod_radius, as
opposed to having a pop up user/pass dialogue box?

Jezz Palmer.
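
The stale-rule cleanup described in the message above, sketched as an added example; it is not the poster's cron script. It assumes the allow rules look like `iptables -S` output matching on `-s` and `--mac-source` and that the ARP table is in `/proc/net/arp` format; the FORWARD chain, the eth1 interface and all sample data are constructed placeholders.

```shell
# Added example (not the poster's script). stale_rules RULES ARP IFACE prints,
# as a -D spec, each IP+MAC rule with no complete ARP entry for that pair.
stale_rules() {
    awk -v dev="$3" '
        # ARP table first: skip header, other interfaces, incomplete (0x0)
        # entries. NR==FNR relies on the header line always being present.
        NR == FNR {
            if (FNR > 1 && $6 == dev && $3 != "0x0") live[$1 " " tolower($4)] = 1
            next
        }
        $1 == "-A" {          # rules: extract -s and --mac-source values
            ip = ""; mac = ""
            for (i = 2; i < NF; i++) {
                if ($i == "-s") { ip = $(i + 1); sub(/\/32$/, "", ip) }
                if ($i == "--mac-source") mac = tolower($(i + 1))
            }
            # An IP now answering with a different MAC also counts as stale.
            key = ip " " mac
            if (ip != "" && mac != "" && !(key in live)) { sub(/^-A/, "-D"); print }
        }
    ' "$2" "$1"
}

# Constructed sample data standing in for `iptables -S FORWARD` and
# /proc/net/arp; the FORWARD chain and eth1 are assumptions.
sample_rules() {
    cat <<'EOF'
-A FORWARD -s 192.168.1.10/32 -m mac --mac-source 00:11:22:33:44:AA -j ACCEPT
-A FORWARD -s 192.168.1.11/32 -m mac --mac-source 00:11:22:33:44:BB -j ACCEPT
-A FORWARD -s 192.168.1.12/32 -m mac --mac-source 00:11:22:33:44:CC -j ACCEPT
EOF
}
sample_arp() {
    cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:11:22:33:44:aa     *        eth1
192.168.1.11     0x1         0x0         00:00:00:00:00:00     *        eth1
192.168.1.12     0x1         0x2         00:11:22:33:44:dd     *        eth1
EOF
}

# Dry run: print the delete commands instead of executing them.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_rules > "$tmp/rules"; sample_arp > "$tmp/arp"
    stale_rules "$tmp/rules" "$tmp/arp" eth1 | sed 's/^/iptables /'
    rm -rf "$tmp"
}
demo
```

Matching on the exact IP/MAC pair, rather than the IP alone, means a rule is also dropped when a different machine has taken over an address that was previously allowed through.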

More information about the Freeradius-Users mailing list