mod_auth_radius not asking for username/password

Süleyman Kuran skuran at ayk.gov.tr
Mon Apr 11 09:58:19 CEST 2016


I have created another test site an Ubuntu 14.04. The curl output for a failed login is as follows: 

curl -v -k http://hostname/ -u baduser:badpasswd 
* Hostname was NOT found in DNS cache 
* Trying test_ip... 
* Connected to hostname (public_ip) port 80 (#0) 
* Server auth using Basic with user 'baduser' 
> GET / HTTP/1.1 
> Authorization: Basic YmFkdXNlcjpiYWRwYXNzd2Q= 
> User-Agent: curl/7.35.0 
> Host: hostname 
> Accept: */* 
> 
< HTTP/1.1 401 Unauthorized 
< Date: Mon, 11 Apr 2016 07:48:48 GMT 
* Server Apache/2.4.7 (Ubuntu) is not blacklisted 
< Server: Apache/2.4.7 (Ubuntu) 
* Authentication problem. Ignoring this. 
< WWW-Authenticate: Basic realm="RADIUS authentication for localhost" 
< Content-Length: 381 
< Content-Type: text/html; charset=iso-8859-1 
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
<html><head> 
<title>401 Unauthorized</title> 
</head><body> 
<h1>Unauthorized</h1> 
<p>This server could not verify that you 
are authorized to access the document 
requested. Either you supplied the wrong 
credentials (e.g., bad password), or your 
browser doesn't understand how to supply 
the credentials required.</p> 
</body></html> 
* Connection #0 to host hostname left intact 

I see that WWW-Authenticate: header is sent after a failed login. This test site is not affected. This is also version mod_auth_radius 1.5.8. The only difference is binary module is installed using apt-get install. On Centos apxs fails, so I used this workaround http://stackoverflow.com/questions/26593494/radius-apache-web-server-on-centos 

Might it be the culprit? 

> From: "Isaac Boukris" <iboukris at gmail.com>
> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Sent: Monday, 11 April, 2016 10:32:46
> Subject: Re: mod_auth_radius not asking for username/password

> On Mon, Apr 11, 2016 at 10:04 AM, Süleyman Kuran <skuran at ayk.gov.tr> wrote:
> > [root at localhost ~]# curl -v -k https://localhost/
> ...
> > < HTTP/1.1 401 Unauthorized
> > < Date: Mon, 11 Apr 2016 06:59:39 GMT
> > < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9
> > PHP/5.4.16
> > < WWW-Authenticate: Basic realm="Auth required"
> > < Content-Length: 381
> > < Content-Type: text/html; charset=iso-8859-1
> ...
> > And the output to the second curl command is as follows:

> > [root at localhost ~]# curl -v -k https://localhost/ -u bad_user:bad_pwd
> ...
> > < HTTP/1.1 401 Unauthorized
> > < Date: Mon, 11 Apr 2016 07:02:10 GMT
> > < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9
> > PHP/5.4.16
> > < Content-Length: 381
> > < Content-Type: text/html; charset=iso-8859-1
> ...
> > And I am not so sure, this is a browser problem.

> No, it's not a browser problem, as you can see the server does not
> send 'WWW-Authenticate: Basic' header when trying wrong credentials
> (chrome probably just remembers).
> Quote from RFC 2617:
> "If the origin server does not wish to accept the credentials sent
> with a request, it SHOULD return a 401 (Unauthorized) response. The
> response MUST include a WWW-Authenticate header field containing at
> least one (possibly new) challenge applicable to the requested
> resource."

> I'll try to take a look at the code.

> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list