Re: mod_auth_radius w/Apache 2.4.4 ??
laurence.schuler wrote:
> I'm trying to use mod_auth_radius(-2.0) with apache 2.4.4 and it does not appear to be working properly. It complains:
> [:warn] [pid 14690] AuthRadiusActive set, but no RADIUS server IP - missing AddRadiusAuth in this context?)
> When I have AuthRadiusAuth set, and I can confirm it by changing the hostname to garbage, the server will then fail to start. Weird...
> So, it seems the module needs to be updated for apache 2.4.4. Is this activity planned? anyone have patches?

Nope. As always, patches are welcome.

I got tired of updating the module years ago. It seemed that every minor release of Apache had gratuitously incompatible changes in the API.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius bus errors
Rick wrote:
> I'm attempting to use mod_auth_radius (the cvs string is out-of-date, but it's the latest from freeradius.org for Apache 1.3),

Latest from CVS? Or...?

> to authenticate to a Safeword RADIUS server, but when I authenticate, Apache bus errors - on auth failure, however, it doesn't. There's nothing useful logged, and no core file, basically, the server thinks I've authenticated, and Apache logs:

There were issues with older versions of the module. The code in CVS should have this fixed. We need to issue a new version of the module which contains the fixes.

Alan DeKok.
Re: mod_auth_radius bus errors
> Rick wrote:
>> I'm attempting to use mod_auth_radius (the cvs string is out-of-date, but it's the latest from freeradius.org for Apache 1.3),
> Latest from CVS? Or...?

Actually, from http://www.freeradius.org/mod_auth_radius/mod_auth_radius.c

Building it from cvs works - thanks!

>> to authenticate to a Safeword RADIUS server, but when I authenticate, Apache bus errors - on auth failure, however, it doesn't. There's nothing useful logged, and no core file, basically, the server thinks I've authenticated, and Apache logs:
> There were issues with older versions of the module. The code in CVS should have this fixed. We need to issue a new version of the module which contains the fixes.
Re: mod_auth_radius
Charnjit Sidhu wrote:
> I have configured mod_auth_radius to work on my apache 2 webserver as a client, the authentication works with the Radius Server, however after authentication a blank page is displayed and the only error I get in my error_log is exit signal Segmentation fault after authentication
> I'm pulling my hair out, I have tried it on two different web servers, one Redhat Linux and the other Centos. I know the authentication is working as an error is displayed if I enter wrong user credentials.

Try grabbing the latest version from CVS. See http://freeradius.org/development.html

Alan DeKok.
RE: mod_auth_radius
Hi

Thanks for all your help, all working now.

Charnjit

Charnjit Sidhu
Computing Officer
Birmingham University Imaging Centre
School of Psychology
University of Birmingham
Tel: +44 (0)121 4143857
E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Fri 3/7/2008 11:12 AM
To: FreeRadius users mailing list
Subject: Re: mod_auth_radius

> Charnjit Sidhu wrote:
>> I have configured mod_auth_radius to work on my apache 2 webserver as a client, the authentication works with the Radius Server, however after authentication a blank page is displayed and the only error I get in my error_log is exit signal Segmentation fault after authentication
>> I'm pulling my hair out, I have tried it on two different web servers, one Redhat Linux and the other Centos. I know the authentication is working as an error is displayed if I enter wrong user credentials.
>
> Try grabbing the latest version from CVS. See http://freeradius.org/development.html
>
> Alan DeKok.
Re: mod_auth_radius add_cookie segfault
Brandon Ewing wrote:
> I am having some issues with mod_auth_radius causing httpd to segfault when set_cookie is called.

Try grabbing the latest version from CVS (http://freeradius.org/development.html) That may have a fix. If so, I'll release another version.

Alan DeKok.
Re: mod_auth_radius
On 7/19/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Rascher, Markus wrote:
>> # service httpd start
>> Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf
>
> There are patches to make the module build with newer versions of Apache. They should really be applied, but I've been busy with other things. Once that's done, a new version of the module should be released.

Or are the patches available somewhere and can be applied? Any idea on a time-frame for a new release?

thanks,
nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
Re: mod_auth_radius
On Thu, Jul 19, 2007 at 09:14:28AM -0400, Nick Owen wrote:
> On 7/19/07, Rascher, Markus [EMAIL PROTECTED] wrote:
>> Hi All,
>> is there a tutorial how to install mod_auth_radius on an apache 2.xx server? The howto on the freeradius webpage is a little bit deprecated I guess. I get an error when starting the apache server after installing mod_auth_radius:
>> # service httpd start
>> Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf [FAILED]
>
> You might try mod_auth_xradius. I have done a couple of apache + radius + WiKID 2FA docs that might help:
> http://www.wikidsystems.com/documentation/howtos/how-to-add-two-factor-authentication-to-apache/
> http://www.howtoforge.com/apache_radius_two_factor_authentication
> The latter is more recent.

I tried mod_auth_xradius but found it has a major bug where it won't let you configure more than one RADIUS server.

When I tried mod_auth_radius-2.0 this built OK with my server but I couldn't figure what to put in httpd.conf to make it work. Has AuthAuthoritative been replaced by AuthBasicAuthoritative? If so, does anyone know what the httpd config for apache2 should look like?

--
Ben Thompson
Re: mod_auth_radius
Rascher, Markus wrote:
> # service httpd start
> Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf

There are patches to make the module build with newer versions of Apache. They should really be applied, but I've been busy with other things. Once that's done, a new version of the module should be released.

Alan DeKok.
Re: mod_auth_radius-2.0
William wrote:
> Greetings,
> I am having some problems with mod_auth_radius-2.0 on apache 2.0.54. The error I am receiving is:
> Cannot load /usr/local/apache/modules/mod_auth_radius-2.0.so into server: /usr/local/apache/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf
> I am running on suse 10.1-x86_64 and apache is compiled from source. Any suggestions? Help?

G'day William,

What do you get when you run ldd /usr/local/apache/modules/mod_auth_radius-2.0.so ?

Cheers,
--
James Wakefield, Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.
Phone: 03 5227 8690 International: +61 3 5227 8690
Fax: 03 5227 8866 International: +61 3 5227 8866
E-mail: [EMAIL PROTECTED]
Website: http://www.deakin.edu.au
RE: mod_auth_radius values
Hi,

I have written a php script that lists the request and response headers, the result of which is below:

Request Headers
Accept: */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: xx
Connection: Keep-Alive
Authorization: Basic bHNreVJlZ2o6ZnSpZGF5Mw==
Cookie: foo=bar

Response Headers
Set-Cookie: RADIUS=51f673efff8c5h235410d95289666de85305b928; path=/;
X-Powered-By: PHP/4.4.0

After the cookie is set the 'Set-Cookie' header appears in the Request Header as 'Cookie: foo=bar; RADIUS=51f673efff8c5h235410d95289666de85305b928;'.

(I have modified the values above slightly in case I am inadvertently sending a username/password to the list ;)

I've read through mod_auth_radius-2.0.c and it appears the cookie is a MD5 hash of the user's information. So, is it possible to get the information from the cookie?

Gareth.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 18 August 2005 16:25
To: FreeRadius users mailing list
Subject: Re: mod_auth_radius values

> Ayres G.J. [EMAIL PROTECTED] wrote:
>> I am developing a web system that authenticates users to a web site through free radius using the mod_auth_radius module for apache. It all works fine, but I would like to get the username of the user that has authenticated for use on pages once they have authenticated.
>
> It's in the HTTP headers. The username and password are sent in every request.
>
>> I am not sure how to go about this. I guess that the values are set in a cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I could retrieve the values, either through HTML or PHP?
>
> Not HTML. Maybe PHP, if it allows you to get HTTP headers. See the module source code for where the headers are, and the PHP docs for how to get at them.
>
> Alan DeKok.
Re: mod_auth_radius values
Ayres G.J. [EMAIL PROTECTED] wrote:
> I've read through mod_auth_radius-2.0.c and it appears the cookie is a MD5 hash of the user's information. So, is it possible to get the information from the cookie?

No. The username/password IS in the header.

Alan DeKok.
Re: mod_auth_radius values
Ayres G.J. [EMAIL PROTECTED] wrote:
> I am developing a web system that authenticates users to a web site through free radius using the mod_auth_radius module for apache. It all works fine, but I would like to get the username of the user that has authenticated for use on pages once they have authenticated.

It's in the HTTP headers. The username and password are sent in every request.

> I am not sure how to go about this. I guess that the values are set in a cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I could retrieve the values, either through HTML or PHP?

Not HTML. Maybe PHP, if it allows you to get HTTP headers. See the module source code for where the headers are, and the PHP docs for how to get at them.

Alan DeKok.
Re: mod_auth_radius values
Try the environment variable REMOTE_USER

#!/usr/bin/perl
# Dump every CGI environment variable; REMOTE_USER holds the authenticated username.
print "Content-type: text/html\n\n";
foreach $key (keys %ENV) {
    print "$key -- $ENV{$key}<br>";
}

Ken

Alan DeKok wrote:
> Ayres G.J. [EMAIL PROTECTED] wrote:
>> I am developing a web system that authenticates users to a web site through free radius using the mod_auth_radius module for apache. It all works fine, but I would like to get the username of the user that has authenticated for use on pages once they have authenticated.
>
> It's in the HTTP headers. The username and password are sent in every request.
>
>> I am not sure how to go about this. I guess that the values are set in a cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I could retrieve the values, either through HTML or PHP?
>
> Not HTML. Maybe PHP, if it allows you to get HTTP headers. See the module source code for where the headers are, and the PHP docs for how to get at them.
>
> Alan DeKok.
Re: mod_auth_radius values
or even easier, if apache is setup for SSI, you can just plunk this into your web page where you want the authenticated username:

<!--#echo var="REMOTE_USER" -->

Ken

Alan DeKok wrote:
> Ayres G.J. [EMAIL PROTECTED] wrote:
>> I am developing a web system that authenticates users to a web site through free radius using the mod_auth_radius module for apache. It all works fine, but I would like to get the username of the user that has authenticated for use on pages once they have authenticated.
>
> It's in the HTTP headers. The username and password are sent in every request.
>
>> I am not sure how to go about this. I guess that the values are set in a cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I could retrieve the values, either through HTML or PHP?
>
> Not HTML. Maybe PHP, if it allows you to get HTTP headers. See the module source code for where the headers are, and the PHP docs for how to get at them.
>
> Alan DeKok.
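Added example, not part of the original posts and not code from mod_auth_radius: the replies in this thread say the username and password travel in the HTTP headers on every request, and the posted request dump shows them as an `Authorization: Basic` header. This Python sketch shows how an application behind Basic authentication can recover the username from that header; the function names and the sample credentials are constructed for illustration.

```python
import base64
import binascii


class BasicAuthError(ValueError):
    """Raised when a header value is not a well-formed Basic credential."""


def parse_basic_authorization(header_value):
    """Return (username, password) from the value of an Authorization header.

    The Basic scheme is base64("username:password"). It is an encoding, not
    encryption, so anyone who can read the request can read both fields.
    """
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        raise BasicAuthError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise BasicAuthError("token is not valid base64") from exc
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        # Older browsers sent credentials in a single-byte charset.
        text = raw.decode("latin-1")
    # Only the first ':' separates the fields; a password may contain ':'.
    username, sep, password = text.partition(":")
    if not sep:
        raise BasicAuthError("missing ':' between username and password")
    return username, password


def username_from_request(headers):
    """Return the Basic-auth username from a header mapping, or None.

    Header names are matched case-insensitively. The password is parsed but
    deliberately not returned, so callers have no reason to store or log it.
    """
    for name, value in headers.items():
        if name.lower() == "authorization":
            try:
                return parse_basic_authorization(value)[0]
            except BasicAuthError:
                return None
    return None


# Constructed sample credentials (not taken from the thread).
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:pass:word").decode("ascii")

if __name__ == "__main__":
    request_headers = {"Host": "xx", "Authorization": SAMPLE_HEADER,
                       "Cookie": "foo=bar"}
    print("authenticated user:", username_from_request(request_headers))
```

REMOTE_USER, suggested in the replies above, gives the application the same username without it having to handle the password at all.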
RE: mod_auth_radius
I'm sorry for this stupid question. I'm using VM-Ware and the source file was in a shared folder. I moved it and it works.

Loïc

-----Original Message-----
From: TRANSLER Loic
Sent: Wednesday, 2 February 2005 16:44
To: freeradius-users@lists.freeradius.org
Subject: mod_auth_radius

> Hi,
> I'm not sure I'm supposed to post about mod_auth_radius here. Sorry if I'm not.
> My apache (2.0) server is installed with rpm's. DSO's are enabled. So, I use apxs. When I launch the command apxs2 -i -a -c mod_auth_radius-2.0.c, the result is :
>
> /usr/lib/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -fomit-frame-pointer -pipe -march=i586 -mcpu=pentiumpro -fno-omit-frame-pointer -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -O2 -fomit-frame-pointer -pipe -march=i586 -mcpu=pentiumpro -fno-omit-frame-pointer -pthread -DRECORD_FORWARD -I/usr/include/apache2 -I/usr/include/apache2 -I/usr/include/apache2 -c -o mod_auth_radius-2.0.lo mod_auth_radius-2.0.c touch mod_auth_radius-2.0.slo
> mod_auth_radius-2.0.c:560: warning: initialization from incompatible pointer type
> ln: création d'un lien symbolique `mod_auth_radius-2.0.lo' vers `mod_auth_radius-2.0.o': Operation not permitted
> apxs:Error: Command failed with rc=65536
>
> Versions:
> Linux Mandrake 10.0 Official
> Apache 2.0.48-6
> Mod_auth_radius 1.5.7
> Freeradius 1.0.1
>
> Can anyone help me?
> Loïc.
Re: mod_auth_radius vulnerability
Mordechai T. Abzug [EMAIL PROTECTED] wrote:
> The following URL says there's a vulnerability in mod_auth_radius:
> http://www.net-security.org/vuln.php?id=3997
> Is this true? If so, has a new version been released?

Most of it is true, part is B.S. An attacker CANNOT spoof replies from the RADIUS server to exploit this vulnerability. The risk of this problem is extremely low.

> [BTW: why does mod_auth_radius 1.5.7 source code refer to itself as 1.5.4 in comments? Is it really 1.5.7 or 1.5.4?]

Lack of due diligence. It's 1.5.7.

Alan DeKok.
RE: mod_auth_radius with apache and Tomcat
Hmm, Tomcat presents a different issue for authentication. I have RADIUS working with Apache 2.0, but I have not setup Tomcat. I think you will need to address Tomcat authentication separately since it runs as a separate service.

From: Liz Osborne [EMAIL PROTECTED]
Reply-To: freeradius-users@lists.freeradius.org
To: 'freeradius-users@lists.freeradius.org' freeradius-users@lists.freeradius.org
Subject: mod_auth_radius with apache and Tomcat
Date: Thu, 20 Jan 2005 14:54:33 -

> Has anybody succeeded in using mod_auth_radius with apache and Tomcat? We are having problems authenticating URLs which are forwarded from apache to Tomcat. The authentication seems to work sometimes, but the web server returns a 404 error, saying the URL is not present on the server.
Re: mod_auth_radius-2.0 difficulty
I bet if you set up a sniffer trace or use snoop, you probably would see your Apache2 wasn't even talking to the RADIUS server. I just got it all worked out on Solaris 8 and Mac OS X 10.3 after several days of similar head-scratching.

Here's what I had to do to make Apache 2.0.52 use mod_auth_radius-2.0:

In httpd.conf, DO NOTHING except using the LoadModule directive to initialize mod_auth_radius-2.0.

In ssl.conf, put the mod_auth_radius directives there.

*** begin abridged ssl.conf ***
[the usual ssl stuff]
<IfDefine SSL>
[more usual ssl stuff]
<VirtualHost _default_:80>
</VirtualHost>
<VirtualHost _default_:443>
[more usual ssl stuff]
*** only works for me when IfModule is placed here ***
<IfModule mod_auth_radius-2.0.c>
AddRadiusAuth localhost:1645 testing123 5:3
AddRadiusCookieValid 5
</IfModule>
<Location /search.html>
AuthName "RADIUS SSL"
AuthType Basic
AuthAuthoritative off
AuthRadiusAuthoritative on
AuthRadiusCookieValid 5
AuthRadiusActive On
require valid-user
</Location>
[more usual ssl stuff]
</VirtualHost>
</IfDefine>
*** end abridged ssl.conf ***

I tried placing <IfModule mod_auth_radius-2.0.c> in all sorts of other places plausible in httpd.conf and ssl.conf. Apache2 simply did not talk to the RADIUS server (and kept returning 500 internal server error) except using the placement I posted above.

Y. J. Zhang

> Hello all,
> I have used mod_auth_radius with apache 1.x.x with no problems. We recently started upgrading the apache servers to 2.0. I downloaded the mod_auth_radius-2.0.c from http://www.freeradius.org/mod_auth_radius/ . It is version 1.5.7. The module compiled correctly with apxs. I configured this module similar to how I configured the old one for apache 1.3.x. When I go to the directory I want to control, I get a login box. When I type in my login name and password, I get Internal Server Error. The logs say:
> configuration error: couldn't check user. No user file?: /wijsp
> Is there a way to increase the log level for this?
>
> I have:
> LoadModule radius_auth_module modules/mod_auth_radius-2.0.so
> right after auth_module in the httpd.conf.
>
> I have:
> <IfModule mod_auth_radius-2.0.c>
> AddRadiusAuth auth1.mail.vanderbilt.edu:1645 XXX 5
> AddRadiusCookieValid 720
> </IfModule>
> at the very end of the httpd.conf file. Obviously, XXX is our radius secret.
>
> Within the virtual host in the ssl.conf file (we use ssl), I have:
> Alias /wijsp "/export/apps/webi/uat/65/nodes/corvette/mycluster/APACHE SSL FOR TOMCAT/MasterWebServer-129.59.10.49_1443/wijsp"
> <Directory "/export/apps/webi/uat/65/nodes/corvette/mycluster/APACHE SSL FOR TOMCAT/MasterWebServer-129.59.10.49_1443/wijsp">
> Options FollowSymLinks
> AllowOverride All
> SSLRequireSSL
> AuthType Basic
> AuthName "Webi 6.5"
> AuthAuthoritative off
> AuthRadiusAuthoritative on
> AuthRadiusCookieValid 5
> AuthRadiusActive On
> require valid-user
> </Directory>
>
> I have been trying to get this to work all day, and I am being pressured by the powers that be to get this working soon. Does anyone have any tips, hints, directions that can help me? If I have grossly misinterpreted the documentation, please let me know that as well. I do appreciate any help you can give.
> Thanks,
> Jennifer
Re: mod_auth_radius and ms-chapv2
No.

josh.

--On Monday, October 11, 2004 14:25:15 +0200 Makadi Janos [EMAIL PROTECTED] wrote:
> Hello,
> I would like to set up freeradius, and mod_auth_radius on linux to authenticate users via ias (radius server). My problem is the ias administrator said the authentication method is pap and not ms-chapv2. How can I set up mod_auth_radius to use ms-chapv2? Is it possible?
> Thanks...
> Janos Makadi

--
Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K.
'phone: 0117 928 7850
email: [EMAIL PROTECTED]
Re: mod_auth_radius and ms-chapv2
Josh Howlett wrote:
> No.
> josh.
>
> --On Monday, October 11, 2004 14:25:15 +0200 Makadi Janos [EMAIL PROTECTED] wrote:
>> Hello,
>> I would like to set up freeradius, and mod_auth_radius on linux to authenticate users via ias (radius server). My problem is the ias administrator said the authentication method is pap and not ms-chapv2. How can I set up mod_auth_radius to use ms-chapv2? Is it possible?
>> Thanks...
>> Janos Makadi

THX

Janos Makadi
Re: mod_auth_radius with OTP
Stephan Pfeiffer [EMAIL PROTECTED] wrote:
> is it possible to cache the authentication status?

It's done by default, in the cookie.

> atm the mod_auth_radius module ask on every webserver-request the radius-server.

That is not the default configuration. Maybe the browser is blocking cookies.

Alan DeKok.
Re: mod_auth_radius and ACE/Server
Rangel, Luciano [EMAIL PROTECTED] wrote:
> I'm using Freeradius as a Proxy Radius to the ACE/Server. When I try to authenticate in the Apache Server it execute several requests of user and password in the Proxy Radius causing PASSCODE REUSE ATTACK detect in the ACE/Server. How can execute only one request to the Proxy Freeradius

Read the documentation which comes with mod_auth_radius, and the comments at the start of the C file. It describes when the module sends multiple requests, why, and how to fix it.

Alan DeKok.
Re: mod_auth_radius-2.0+Apache2.0
On Mon, 2004-05-17 at 11:29, Andreas wrote:
> Hello,
> I'm using SuSE Linux 9.1, FreeRadius 0.9.3 with the module mod_auth_radius-2.0 and Apache2.0. I would like to use Radius for web authentication. At first I tested the Apache 1.3 with the Radius module mod_auth_radius. I used the configuration as per description on http://www.freeradius.org/mod_auth_radius. Everything works great!
> But now I would like to use Apache 2.0 and the Radius module mod_auth_radius-2.0. After installation and configuration I checked the interaction between the Radius-server and the Radius-module from the Apache 2.0 with the tool ethereal. The access to the secured web area is answered by the login prompt. After entering the right user and password the Radius-module made a Access Request(1) and the Radius-server made a Access Accept (2). In actual fact I would say that the interaction is ok, or isn't it? But the browser gives me an error message back: Error 500.
> Does this error come from a wrong configuration from the httpd.conf file? Is the configuration from the apache 1.3 httpd.conf file equal to the configuration file from the apache 2.0 except the entry from AddModule .../mod_auth_radius.o?
> May somebody help me and give me some instructions??
> Thank you in advance!
> Greetings
> Andreas

Did I miss the response to this? I am also looking for mod_auth_radius in Apache 2.0.

Ted