RADIUS OTP auth with Apache
Scholz, Dieter
rd-disc at gmx.net
Wed Apr 12 10:42:20 CEST 2017
Hello,
at the moment I'm facing the problem of implementing an OTP (one-time
password) auth solution for Apache httpd. The webserver should act as a
proxy for several internal sites (it runs Debian Stretch). The OTP
software solution I use is LINOTP. FreeRADIUS is my RADIUS server
(default package from Debian Jessie - runs on another host). I have no
problem authenticating on the command line. Using radtest everything
works as expected.
But I have problems with the Apache radius auth config.
I tested several configurations. At the moment the configuration that
runs best is the libapache2-mod-auth-radius variant (Stretch package).
It works fine when connecting using an incognito browser tab. But if I
use a standard browser tab, every time I close and reopen the browser the
first auth attempt fails. Looking at the log I found that the auth
cookie is not deleted when closing the browser. The docs state it should
be deleted when the browser exits. So when the browser is restarted, the
first auth attempt uses the stale cookie information and fails. This
is a bit inconvenient. I couldn't find an answer for this problem when
searching the mailing list (only a similar unanswered question).
Here's my Apache config:
<VirtualHost *:80>
    DocumentRoot /var/www/btw
    ProxyPass / http://<IP>/
    ProxyPassReverse / http://<IP>/
    LogLevel debug

    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>

    AddRadiusAuth <IP>:1812 <SECRET> 5:3
    AddRadiusCookieValid 5

    <Location />
        AuthType Basic
        AuthName "<A_NAME>"
        AuthBasicProvider radius
        AuthRadiusActive On
        AuthRadiusCookieValid 5
        AuthRadiusAuthoritative on
        Require valid-user
    </Location>
</VirtualHost>
I tried a different variant for the auth problem using PAM and the PAM
RADIUS module, but only reached a situation where the first auth attempt
worked but each new request triggered a new login dialog box.
So here are my questions:
- Is there a solution for the cookie not getting deleted when using the
libapache2-mod-auth-radius module?
- Is there another way to auth against a RADIUS server (or the LINOTP
server) that works?
At the moment I'm stuck so any help is appreciated.
Thanks.
Regards, Dieter