RADIUS OTP auth with Apache
rd-disc at gmx.net
Wed Apr 12 10:42:20 CEST 2017
At the moment I'm facing the problem of implementing an OTP (one time
password) auth solution for Apache httpd. The webserver should act as a
proxy for several internal sites (it runs Debian Stretch). The OTP
software solution I use is LINOTP. FreeRADIUS is my radius server
(default package from Debian Jessie - runs on another host). I have no
problem authenticating on the command line. Using radtest everything
works as expected.
But I have problems with the Apache radius auth config.
I tested several configurations. At the moment the configuration that
runs best is the libapache2-mod-auth-radius variant (Stretch package).
It works fine when connecting using an incognito browser tab. But if I
use a standard browser tab, every time I close and reopen the browser the
first auth attempt fails. Looking at the log I found that the auth
cookie is not deleted when closing the browser. The docs state it should
be deleted when the browser exits. So when the browser is restarted the
first auth attempt is using the stale cookie information and fails. This
is a bit inconvenient. I couldn't find an answer (but a similar
unanswered question) for this problem when searching the mailing list.
Here's my Apache config:
ProxyPass / http://<IP>/
ProxyPassReverse / http://<IP>/
Allow from all
AddRadiusAuth <IP>:1812 <SECRET> 5:3
I tried a different variant for the auth problem using PAM and the PAM
radius module but only reached a situation that the first auth attempt
works but each new request triggered a new login dialog box.
So here are my questions:
- Is there a solution for the cookie not getting deleted when using the
- Is there another way to auth against a radius server (or the linotp
server) that works?
At the moment I'm stuck so any help is appreciated.