Radius Access-Challenge and Apache

Daniel Abels Daniel.Abels at leica-microsystems.com
Mon Aug 29 07:57:45 CEST 2011


Hi all,

I have developed an rlm_perl script for FreeRadius to provide an
Access-Challenge response upon an initial successful login (i.e. enter
username & password, receive access-challenge, then enter a code.)

I'm having some trouble getting an access-challenge "reply message"
to display on a web browser.  I'm not sure if I have something
configured incorrectly, or if my expectations of what the apache module
(mod-auth-radius) should be doing are wrong.

According to the documentation from the mod_auth_radius README, when the
module receives an "Access-Challenge" response:

"...you'll see your username displayed, along with the RADIUS
Reply-Message at the top of the authentication window."

But I see no such reply-message in the browser.  It just displays the
same Authentication Realm message ("Radius Authentication Test") for
each prompt (tested in Firefox.) I was expecting the reply-message
(which is "Please Enter Code") to be displayed instead, is that
possible?  Upon examining the source code for the module, there appears
to be code to handle this.

Using Wireshark, it also appears that this message is not returned to
the browser.

Anyway, if the user enters the correct code at this point, they can
reach the web page successfully, so the authentication side of things is
not a problem.

The server is Debian (squeeze) with freeradius (2.1.10+dfsg-2), apache
(2.2.16-6+squeeze1) and libapache2-mod-auth-radius (1.5.8-1)

The important portion of my apache configuration is below:

# Radius Server Authentication
AddRadiusAuth localhost:1812 testing123 5
AddRadiusCookieValid 5

# Test Radius Authentication
<Directory /var/www/test/>
    Options Indexes FollowSymLinks MultiViews
    AuthType Basic
    AuthName "Radius Authentication Test"
    AuthBasicAuthoritative Off
    AuthBasicProvider radius
    AuthRadiusAuthoritative On
    AuthRadiusActive On
    Require valid-user
</Directory>

I have performed other tests using a Cisco VPN concentrator and Cisco's
VPN client on Windows 7; this works great - the "Access-Challenge"
response works (it returns the message "Please Enter Code".)

On the command line, this also works using radtest, see below:

# radtest user testing localhost 10 testing123
Sending Access-Request of id 150 to 127.0.0.1 port 1812
        User-Name = "user"
        User-Password = "testing"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 10
rad_recv: Access-Challenge packet from host 127.0.0.1 port 1812, id=150, length=50
        Reply-Message = "Please Enter Code"
        State = 0x6368616c6c656e6765

Any assistance on this matter would be greatly appreciated!

Regards,

Daniel Abels
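
Added example, not part of the original post and not code from mod_auth_radius or FreeRADIUS: a Python check of the RADIUS side of the exchange described above, which parses an Access-Challenge, verifies its Response Authenticator as defined in RFC 2865, and extracts Reply-Message and State. The packet is constructed to mirror the radtest output (id 150, length 50, shared secret testing123); the Request Authenticator value and all function names are assumptions.

```python
import hashlib
import hmac
import struct

ACCESS_CHALLENGE = 11          # RFC 2865 packet code
REPLY_MESSAGE, STATE = 18, 24  # RFC 2865 attribute types

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def parse_challenge(packet, request_auth, secret):
    """Validate an Access-Challenge; return its id, Reply-Message and State.
    Attributes are Type (1 byte), Length (1 byte, covers both), Value."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_CHALLENGE:
        raise ValueError("not an Access-Challenge")
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    result = {"id": ident, "length": length, "reply_message": None, "state": None}
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        atype, alen = attrs[pos], attrs[pos + 1]
        value = attrs[pos + 2:pos + alen]
        if atype == REPLY_MESSAGE:
            result["reply_message"] = value.decode("utf-8", "replace")
        elif atype == STATE:
            result["state"] = value
        pos += alen
    return result

def build_sample():
    """Constructed packet mirroring the radtest output (id 150, 50 bytes)."""
    secret = b"testing123"             # shared secret from the Apache config
    request_auth = bytes(range(16))    # constructed; real clients use random bytes
    msg, state = b"Please Enter Code", bytes.fromhex("6368616c6c656e6765")
    attrs = (bytes([REPLY_MESSAGE, 2 + len(msg)]) + msg
             + bytes([STATE, 2 + len(state)]) + state)
    auth = response_authenticator(ACCESS_CHALLENGE, 150, attrs, request_auth, secret)
    packet = struct.pack("!BBH", ACCESS_CHALLENGE, 150, 20 + len(attrs)) + auth + attrs
    return packet, request_auth, secret
```

The State value returned here is what the follow-up Access-Request carrying the code must echo back unchanged.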




