Re: mod_auth_radius w/Apache 2.4.4 ??
laurence.schuler wrote: I'm trying to use mod_auth_radius(-2.0) with apache 2.4.4 and it does not appear to be working properly. It complains: [:warn] [pid 14690] AuthRadiusActive set, but no RADIUS server IP - missing AddRadiusAuth in this context?) When I have AuthRadiusAuth set, and I can confirm it by changing the hostname to garbage, the server will then fail to start. Weird... So, it seems the module needs to be updated for apache 2.4.4. Is this activity planned? anyone have patches? Nope. As always, patches are welcome. I got tired of updating the module years ago. It seemed that every minor release of Apache had gratuitously incompatible changes in the API. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius w/Apache 2.4.4 ??
I'm trying to use mod_auth_radius(-2.0) with apache 2.4.4 and it does not appear to be working properly. It complains: [:warn] [pid 14690] AuthRadiusActive set, but no RADIUS server IP - missing AddRadiusAuth in this context?) When I have AuthRadiusAuth set, and I can confirm it by changing the hostname to garbage, the server will then fail to start. So, it seems the module needs to be updated for apache 2.4.4. Is this activity planned? anyone have patches? Thanks, --Larry - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius
Hi, Has anyone compiled the mod_auth_radius module for apache 2.x on windows? Wheren can I download the binary? Kind regards - Thomas Noppe Dienst Informatiesystemen - SO thomas.no...@uzleuven.bemailto:thomas.no...@uzleuven.be +32 16 34 79 87 +32 16 34 78 01 UZ Leuven | campus Gasthuisberg | Herestraat 49 | B - 3000 Leuven | www.uzleuven.behttp://www.uzleuven.be - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius-2.0.c patch to support Apache 2.2.x
Hi,
I've tried sending this directly to the author, but there seems to be
a problem somewhere, so I'm sending it to the list instead.
Maybe I should file it as a bug report...
This has been in the Debian package for a while now
(http://packages.debian.org/libapache2-mod-auth-radius).
- Forwarded message from Josip Rodin [EMAIL PROTECTED] -
Date: Sat, 31 May 2008 22:37:00 +0200
From: Josip Rodin [EMAIL PROTECTED]
To: Alan DeKok [EMAIL PROTECTED]
Subject: mod_auth_radius-2.0.c patch to support Apache 2.2.x
Hi,
I'm resending the below e-mail just in case you didn't notice, it's been
almost three months now.
http://www.freeradius.org/mod_auth_radius/ is still only shipping
the old versions...
On Sun, Mar 09, 2008 at 09:12:19PM +0100, Josip Rodin wrote:
On Thu, Mar 06, 2008 at 03:36:27AM +0100, Josip Rodin wrote:
On Sat, Jul 21, 2007 at 06:08:23PM +0200, joy wrote:
Is the mod_auth_radius-2.0.c supposed to work properly with Apache 2.2.x?
I can compile it just fine, but can't get it to work on runtime.
Maybe, like LDAP, this module should become a an AuthBasicProvider?
I took a hint from mod_auth_xradius' changes for Apache 2.1+, and made the
patch which is attached... but it still doesn't work. Apache is so annoying
to debug, I need to compile the server with debugging symbols and run it
through gdb... :(
Okay, I debugged it a bit further (no help from gdb), and managed to produce
a working patch. The problem that threw me off was the early DECLINED
handling in the authenticate_basic_user() function, which got activated
both when the module was inactive and when the RADIUS server definition
was missing. However, these two conditions are functionally quite different,
so I split the handling in two, with the latter case leaving a warning
in the log file.
The working patch is attached. It allows people to define:
AuthBasicProvider radius
and everything appears to be working well after that.
--
2. That which causes joy or happiness.
--- libapache-mod-auth-radius-1.5.7.orig/mod_auth_radius-2.0.c
+++ libapache-mod-auth-radius-1.5.7/mod_auth_radius-2.0.c
@@ -300,6 +300,9 @@
#include apr_general.h
#include apr_tables.h
#include apr_strings.h
+/* Apache 2.1+ */
+#include ap_provider.h
+#include mod_auth.h
module AP_MODULE_DECLARE_DATA radius_auth_module;
@@ -1122,8 +1125,11 @@
* basic authentication...
*/
-static int
-authenticate_basic_user(request_rec *r)
+/* common stuff for both Apache 2.0 and 2.1+ */
+int
+authenticate_basic_user_common(request_rec *r,
+ const char* user,
+ const char* sent_pw)
{
radius_dir_config_rec *rec =
(radius_dir_config_rec *)ap_get_module_config (r-per_dir_config,
radius_auth_module);
@@ -1131,21 +1137,25 @@
radius_server_config_rec *scr = (radius_server_config_rec *)
ap_get_module_config (s-module_config, radius_auth_module);
conn_rec *c = r-connection;
- const char *sent_pw;
char errstr[MAX_STRING_LEN];
- int res, min;
+ int min;
char *cookie;
char *state = NULL;
char message[256];
time_t expires;
struct stat buf;
- if (!rec-active || !scr-radius_ip) /* not active here, or no
radius */
-return DECLINED;/* server declared, decline */
+ /* not active here, just decline */
+ if (!rec-active)
+return DECLINED;
+
+ /* no server declared, decline but note for debugging purposes -joy */
+ if (!scr-radius_ip) {
+ap_log_error(APLOG_MARK, APLOG_NOERRNO | APLOG_WARNING, 0, r-server,
+ AuthRadiusActive set, but no RADIUS server IP - missing
AddRadiusAuth in this context?);
+return DECLINED;
+ }
- if ((res = ap_get_basic_auth_pw(r, sent_pw)))
-return res;
-
if (r-user[0] == 0) /* NUL users can never be let in */
return HTTP_UNAUTHORIZED;
@@ -1227,9 +1237,57 @@
return OK;
}
+/* Apache 2.1+ */
+static authn_status
+authenticate_basic_user_newargs(request_rec *r,
+const char *user,
+const char *password)
+{
+ int normalreturnvalue = authenticate_basic_user_common(r, user, password);
+
+ if (normalreturnvalue == OK)
+return AUTH_GRANTED;
+ else if (normalreturnvalue == HTTP_UNAUTHORIZED)
+return AUTH_DENIED;
+ else
+return AUTH_GENERAL_ERROR;
+ /* AUTH_USER_NOT_FOUND would be nice, but the typical RADIUS server
+ never gives any such information, it just sends an Access-Reject
+ packet, no reasons given
+ */
+}
+
+/* Apache 2.0 */
+static int
+authenticate_basic_user(request_rec *r)
+{
+ int res;
+ const char *sent_pw;
+
+ /* this used to say just if ((res=...)), which relied on the fact that
+ OK is defined as 0, and the other states are non-0, which is then
+ used in a typical C fashion... but it's
Re: mod_auth_radius bus errors
Rick wrote: I'm attempting to use mod_auth_radius (the cvs string is out-of-date, but it's the latest from freeradius.org for Apache 1.3), Latest from CVS? Or...? to authenticate to a Safeword RADIUS server, but when I authenticate, Apache bus errors - on auth failure, however, it doesn't. There's nothing useful logged, and no core file, basically, the server thinks I've authenticated, and Apache logs: There were issues with older versions of the module. The code in CVS should have this fixed. We need to issue a new version of the module which contains the fixes. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius bus errors
Rick wrote: I'm attempting to use mod_auth_radius (the cvs string is out-of-date, but it's the latest from freeradius.org for Apache 1.3), Latest from CVS? Or...? Actually, from http://www.freeradius.org/mod_auth_radius/mod_auth_radius.c Building it from cvs works - thanks! to authenticate to a Safeword RADIUS server, but when I authenticate, Apache bus errors - on auth failure, however, it doesn't. There's nothing useful logged, and no core file, basically, the server thinks I've authenticated, and Apache logs: There were issues with older versions of the module. The code in CVS should have this fixed. We need to issue a new version of the module which contains the fixes. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius bus errors
Hi all, I'm attempting to use mod_auth_radius (the cvs string is out-of-date, but it's the latest from freeradius.org for Apache 1.3), to authenticate to a Safeword RADIUS server, but when I authenticate, Apache bus errors - on auth failure, however, it doesn't. There's nothing useful logged, and no core file, basically, the server thinks I've authenticated, and Apache logs: [Date time] [notice] child pid 9819 exit signal Bus Error (10) And the web page I'm trying to access is never displayed (Unable to display web page error.) This is on a Solaris 10 / SPARC box - wondering if there may be some network byte-ordering issue? Anyway, if anyone has seen this before, and know what I'm doing wrong, would appreciate any assistance. Best regards, Rick - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius: AuthRadiusCookieValid problem
Hello list, I use the mod_auth_radius module in both Apache1 and Apache2. These modules work fine, but a remarkable difference between the two is that the variable AuthRadiusCookieValid (which is set to 1, which means one minute) is working well when the Apache1 is visited, but is not working at all when viewing a page on Apache2. I realize that this issue may not be related to freeradius, but does anyone have a hint? R. -- ___ It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt. +--+ | Richard Lucassen, Utrecht| | Public key and email address:| | http://www.lucassen.org/mail-pubkey.html | +--+ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius
Help, Not sure wether this is the right place to email an issue. I have configured mod_auth_radius to work on my apache 2 webserver as a client, the authentication works with the Radius Server, however after authentication a blank page is displayed and the only error I get in my error_log is exit signal Segmentation fault after authentication I'm pulling my hair out, I have tried it on two different web servers, one Redhat Linux and the other Centos. I know the authentication is working as an error is displayed if I enter wrong user credentials. I have followed your online instruction's, to configure my httpd.conf and .htaccess. Can anyone help Charnjit Charnjit Sidhu Computing Officer Birmingham University Imaging Centre School of Psychology University of Birmingham Tel: +44 (0)121 4143857 E-mail: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius
Charnjit Sidhu wrote: I have configured mod_auth_radius to work on my apache 2 webserver as a client, the authentication works with the Radius Server, however after authentication a blank page is displayed and the only error I get in my error_log is exit signal Segmentation fault after authentication I'm pulling my hair out, I have tried it on two different web servers, one Redhat Linux and the other Centos. I know the authentication is working as an error is displayed if I enter wrong user credentials. Try grabbing the latest version from CVS. See http://freeradius.org/development.html Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: mod_auth_radius
Hi Thanks for all your help, all working now. Charnjit Charnjit Sidhu Computing Officer Birmingham University Imaging Centre School of Psychology University of Birmingham Tel: +44 (0)121 4143857 E-mail: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] From: [EMAIL PROTECTED] on behalf of Alan DeKok Sent: Fri 3/7/2008 11:12 AM To: FreeRadius users mailing list Subject: Re: mod_auth_radius Charnjit Sidhu wrote: I have configured mod_auth_radius to work on my apache 2 webserver as a client, the authentication works with the Radius Server, however after authentication a blank page is displayed and the only error I get in my error_log is exit signal Segmentation fault after authentication I'm pulling my hair out, I have tried it on two different web servers, one Redhat Linux and the other Centos. I know the authentication is working as an error is displayed if I enter wrong user credentials. Try grabbing the latest version from CVS. See http://freeradius.org/development.html Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html winmail.dat- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius question
I have a question regarding mod_auth_radius which doesn't seem to be addressed by the included documentation or anything I have found with a google search. When configuring the module in the apache configuration (I'm using the latest 1.3 branch) is it possible to specify more than one radius server so that it will fail over in the even that the first is down? Something like this: IfModule mod_auth_radius.c # # AddRadiusAuth server[:port] shared-secret [ timeout [ : retries ]] # AddRadiusAuth server1.example.com:1645 secret 5:3 AddRadiusAuth server2.example.com:1645 secret 5:3 AddRadiusCookieValid 60 /IfModule It seems as though this doesn't work or it wants to use only the last one specified. Am I missing something? Anybody have experience trying to use this module in a similar setup? It would be great to be able to get this working with both of my radius servers. Thanks in advance! Jeremiah - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius add_cookie segfault
Greetings, I am having some issues with mod_auth_radius causing httpd to segfault when set_cookie is called. The server in question is CentOS 4.5, with httpd-2.0.52-32.3 and apr-0.9.4-24.5.c4.2 RPMs installed. I downloaded mod_auth_radius from http://www.freeradius.org/mod_auth_radius/mod_auth_radius-2.0.c It compiled correctly via apxs after I added #include apr_compat.h I compiled with the following line: apxs -i -a -c mod_auth_radius-2.0.c I have the following in the .htaccess for the directory I wish to protect: IfModule mod_auth_radius-2.0.c AddRadiusAuth 10.10.17.15:1812 secret 5:3 AuthName RADIUS Access AuthType Basic Require valid-user AuthRadiusActive On /IfModule If I access the page, I am presented with a basic authtype prompt -- however, after I enter a valid username and password, the httpd child segfaults: [Mon Nov 26 15:00:01 2007] [notice] child pid 21136 exit signal Segmentation fault (11) I know that the issue is in the set_cookie routine, because if I comment out the set_cookie call after a successful authentication and recompile, the segfault does not happen. However, this results in a RADIUS call for every single GET request, which is not desired. I am not proficient in C, so if anyone has any suggestions as to further troubleshooting/resolution for this issue, I would appreciate the input, off or on-list. -- Brandon Ewing([EMAIL PROTECTED]) pgpmtmw37ZBQf.pgp Description: PGP signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius add_cookie segfault
Brandon Ewing wrote: I am having some issues with mod_auth_radius causing httpd to segfault when set_cookie is called. Try grabbing the latest version from CVS (http://freeradius.org/development.html) That may have a fix. If so, I'll release another version. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius
On 7/19/07, Alan DeKok [EMAIL PROTECTED] wrote: Rascher, Markus wrote: # service httpd start Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf There are patches to make the module build with newer versions of Apache. They should really be applied, but I've been busy with other things. Once that's done, a new version of the module should be released. Or are the patches are available somewhere and can be applied? Any idea on a time-frame for a new release? thanks, nick -- Nick Owen WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius
On Thu, Jul 19, 2007 at 09:14:28AM -0400, Nick Owen wrote: On 7/19/07, Rascher, Markus [EMAIL PROTECTED] wrote: Hi All, is there a tutorial how to install mod_auth_radius on an apache 2.xx server? The howto on the freeradius webpage is a little bit deprecated i guess. i get an error when starting the apache server after installing mod_auth_radius: # service httpd start Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf [FAILED] You might try mod_auth_xradius. I have done a couple of apache + radius + WiKID 2FA docs that might help: http://www.wikidsystems.com/documentation/howtos/how-to-add-two-factor-authentication-to-apache/ http://www.howtoforge.com/apache_radius_two_factor_authentication The latter is more recent. I tried mod_auth_xradius but found it has a major bug where it won't let you configure more than one RADIUS server. When I tried mod_auth_radius-2.0 this built OK with my server but I couldn't figure what to put in httpd.conf to make it work. Has AuthAuthoritative been replaced by AuthBasicAuthoritative? If so, does anyone know how what the httpd config for apache2 should look like? -- Ben Thompson - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius
Hi All, is there a tutorial how to install mod_auth_radius on an apache 2.xx server? The howto on the freeradius webpage is a little bit deprecated i guess. i get an error when starting the apache server after installing mod_auth_radius: # service httpd start Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf [FAILED] Thanks for your answers. Markus - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius
Rascher, Markus wrote: # service httpd start Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf There are patches to make the module build with newer versions of Apache. They should really be applied, but I've been busy with other things. Once that's done, a new version of the module should be released. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Challenge-response with mod_auth_radius
Hello, We would like to use freeradius with a 'home made' challenge response authentication scheme (we will build our own module) using mod_auth_radius. Ultimately we would like to prompt the user (after successfull authentication) with a challenge that he would have to enter in a securID like device and enter his response in the mod_auth_radius prompt. I've been toying with freeradius and mod_auth_radius for a few days now, and I still haven't succeeded in prompting the user with a challenge from the RADIUS server. Could anyone point me in the right direction ? Is it possible ? We're using mod_auth_radius as a basic client, but we could use any type of NAS. Best regards, Arnaud - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Challenge-response with mod_auth_radius
What we want to do is EAP-CTG, I'll investigate further in that direction. Please just let me know if for some reason freeradius doesn't support that. Regards Arnaud Dostes [EMAIL PROTECTED] Envoyé par : [EMAIL PROTECTED] 05.12.2006 12:17 Veuillez répondre à FreeRadius users mailing list freeradius-users@lists.freeradius.org A freeradius-users@lists.freeradius.org cc Objet Challenge-response with mod_auth_radius Hello, We would like to use freeradius with a 'home made' challenge response authentication scheme (we will build our own module) using mod_auth_radius. Ultimately we would like to prompt the user (after successfull authentication) with a challenge that he would have to enter in a securID like device and enter his response in the mod_auth_radius prompt. I've been toying with freeradius and mod_auth_radius for a few days now, and I still haven't succeeded in prompting the user with a challenge from the RADIUS server. Could anyone point me in the right direction ? Is it possible ? We're using mod_auth_radius as a basic client, but we could use any type of NAS. Best regards, Arnaud - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Challenge-response with mod_auth_radius
Arnaud Dostes wrote: What we want to do is EAP-CTG, I'll investigate further in that direction. It's EAP-GTC, and no, you probably don't want that. See rlm_example for a sample challenge-response implementation in the server. See rlm_otp for a *working* implementation that integrates with some X9.9 token cards. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius-2.0
Greetings, I am having some probles with mod_auth_radius-2.0 on apache 2.0.54. The error I am receiving is: Cannot load /usr/local/apache/modules/mod_auth_radius-2.0.so into server: /usr/local/apache/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf I am running on suse 10.1-x86_64 and apache is compiled from source.Any suggestions? Help? -- William Server Administrator NetOne Communications, Inc. 231-734-2917 pgp369n88bQUE.pgp Description: PGP signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius-2.0
William wrote: Greetings, I am having some probles with mod_auth_radius-2.0 on apache 2.0.54. The error I am receiving is: Cannot load /usr/local/apache/modules/mod_auth_radius-2.0.so into server: /usr/local/apache/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf I am running on suse 10.1-x86_64 and apache is compiled from source.Any suggestions? Help? G'day William, What do you get when you run ldd /usr/local/apache/modules/mod_auth_radius-2.0.so ? Cheers, -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: [EMAIL PROTECTED] Website: http://www.deakin.edu.au - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius: multiple auth attempts
I am using mod_auth_radius2 with Apache version 2.0.54. When I attempt to authenticate, I see a successful attempt followed by 2 failed attempts, leaving me with a 401 Authorization Required message in the browser. Any ideas? I have tried increasing the timeout. Here is the relevant portion of my httpd.conf: IfModule mod_auth_radius-2.0.c AddRadiusAuth radius server 1:1645 shared-secret 5:3 AddRadiusAuth radius server 2:1645 shared-secret 5:3 AuthRadiusBindAddress server IP address /IfModule Directory /usr/local/apache2/htdocs/secure DirectoryIndex index.html AuthType Basic AuthName secure AuthAuthoritative off AuthRadiusAuthoritative on AuthRadiusCookieValid 15 AuthRadiusActive On require valid-user /Directory - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mod_auth_radius
I have a couple macs running apache (Preconfigured via Apple) The source is not supplied and the apple didn't apxs.. Has anyone installed mod_auth_radius on a Apple running osx? Thanx - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
System hangs with Apache SSL mod_auth_radius sending authentication information to a radius - my sql server.
System hangs with Apache SSL mod_auth_radius sending authentication information to a radius - mysql server. Hi everyone, I am having a problem with my apache web server hanging and am looking for help. I have check the log files and am finding nothing to indicate the cause of the system hangs. The web server which hangs is Fedora Core 4 The Radius - Mysql server is Redhat EL4 httpd.conf excerpts. LoadModule cgi_module modules/mod_cgi.soLoadModule radius_auth_module /usr/lib/httpd/modules/mod_auth_radius-2.0.so#/IfModule# End of proxy directives. Add to the BOTTOM of httpd.conf# If we're using mod_auth_radius, then add it's specific# configuration options.#IfModule mod_auth_radius-2.0.c ## AddRadiusAuth server[:port] shared-secret [ timeout [ : retries ]]# Use localhost, the old RADIUS port, secret 'testing123',# time out after 5 seconds, and retry 3 times.AddRadiusAuth imp-dell-21:1812password 5:3# ServerName RadiusPassword in clients.conf file## AuthRadiusBindAddress hostname/ip-address## Bind client (local) socket to this local IP address.# The server will then see RADIUS client requests will come from# the given IP address.## By default, the module does not bind to any particular address,# and the operating system chooses the address to use.# ## AddRadiusCookieValid minutes-for-which-cookie-is-valid## the special value of 0 (zero) means the cookie is valid forever.#AddRadiusCookieValid 5/IfModule /var/www/html/.htaccess file is unchanged A sample per-directory access-control configuration, to be used# as a '.htacces' file.# ## Use basic password authentication.# AuthType Digest won't work with RADIUS authentication.#AuthType Basic ## Tell the user the realm to which they're authenticating.# This string should be configured for your site.#AuthName "RADIUS authentication for localhost" ## don't use 'mod_auth'.# You might want to disable other authentication types here.# You can get a similar effect by commenting out the# 'AddModule mod_auth_*' lines, previously in httpd.conf#AuthAuthoritative off ## Use mod_auth_radius for all authentication, and make the responses# from it authoritative.#AuthRadiusAuthoritative on ## Make a local variation of AddRadiusCookieValid. The server will choose# the MINIMUM of the two values.## AuthRadiusCookieValid minutes-for-which-cookie-is-valid#AuthRadiusCookieValid 5 ## Set the use of RADIUS authentication at this Location"## Locally set the RADIUS authentication active.## If there is a directory which you do NOT want to have RADIUS# authentication for, then use a Directory directive, and# set "AuthRadiusActive Off"#AuthRadiusActive On ## require that mod_auth_radius return a valid user, otherwise# access is denied.#require valid-user The error logs do not record what the problem is. Any ideas? Frank Reiss - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: RedHat - Fedora - mod_auth_radius and Apache
Redhat already has the RPM Built in the fedore core iso's From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank ReissSent: Monday, December 12, 2005 12:19 PMTo: freeradius-users@lists.freeradius.orgSubject: RedHat - Fedora - mod_auth_radius and Apache Hi, I need some help I am trying to setup FreeRadius on a Red Hate Fedora 4system running Apache 2.0.54. I can not build the module for the source I have found at FreeRadius for Apache 2. Does any one have some tips no building the module mod_auth_radius.so for red hat systems? Frank ReissImpeva Labs, Inc.Phone: 1-850-872-7099 COMPANY CONFIDENTIAL NOTICEThis electronic mail transmission and any accompanying documents containinformation belonging to the sender which may be company confidential and legallyprivileged. If you are not the intended recipient, any disclosure, copying,distribution or action taken in reliance on the message is strictlyprohibited. If you have received this message in error, please delete it.Thank You --No virus found in this incoming message.Checked by AVG Free Edition.Version: 7.1.371 / Virus Database: 267.13.13/197 - Release Date: 12/9/2005 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: mod_auth_radius values
Hi, I have written a php script that lists the request and response headers, the result of which is below: Request Headers Accept: */* Accept-Language: en-gb Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: xx Connection: Keep-Alive Authorization: Basic bHNreVJlZ2o6ZnSpZGF5Mw== Cookie: foo=bar Response Headers Set-Cookie: RADIUS=51f673efff8c5h235410d95289666de85305b928; path=/; X-Powered-By: PHP/4.4.0 After the cookie is set the 'Set-Cookie' header appears in the Request Header as 'Cookie: foo=bar; RADIUS=51f673efff8c5h235410d95289666de85305b928;'. (I have modified the values above slightly incase I am inadvertently sending a username/password to the list ;) Ive read through mod_auth_radius-2.0.c and it appears the cookie is a MD5 hash of the users information. So, is it possible to get the information from the cookie? Gareth. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: 18 August 2005 16:25 To: FreeRadius users mailing list Subject: Re: mod_auth_radius values Ayres G.J. [EMAIL PROTECTED] wrote: I am developing a web system that authenticates users to a web site through free radius using the mod_auth_radius module for apache. It all works fine, but I would like to get the username of the user that has authenticated for use on pages once they have authenticated. It's in the HTTP headers. The username password are sent in every request. I am not sure how to go about this. I guess that the values are set in a cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I could retrieve the values, either through HTML or PHP? Not HTML. Maybe PHP, if it allows you to get HTTP headers. See the module source code for where the headers are, and the PHP docs for how to get at them. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius values
Ayres G.J. [EMAIL PROTECTED] wrote: Ive read through mod_auth_radius-2.0.c and it appears the cookie is a MD5 hash of the users information. So, is it possible to get the information from the cookie? No. The username/password IS in the header. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius values
Hello all, I am developing a web system that authenticates users to a web site through free radius using the mod_auth_radius module for apache. It all works fine, but I would like to get the username of the user that has authenticated for use on pages once they have authenticated. I am not sure how to go about this. I guess that the values are set in a cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I could retrieve the values, either through HTML or PHP? Thanks, Gareth. - - - - - - - - - - - - - - - - Gareth Ayres Wireless Network Officer Library Information Services University of Wales Swansea, Singleton Park, Wales, UK SA2 8PP e-mail: [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius values
Ayres G.J. [EMAIL PROTECTED] wrote: I am developing a web system that authenticates users to a web site through free radius using the mod_auth_radius module for apache. It all works fine, but I would like to get the username of the user that has authenticated for use on pages once they have authenticated. It's in the HTTP headers. The username password are sent in every request. I am not sure how to go about this. I guess that the values are set in a cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I could retrieve the values, either through HTML or PHP? Not HTML. Maybe PHP, if it allows you to get HTTP headers. See the module source code for where the headers are, and the PHP docs for how to get at them. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius values
Try the environment variable REMOTE_USER
#!/usr/bin/perl
print Content-type: text/html\n\n;
foreach $key (keys %ENV) {
print $key -- $ENV{$key}br;
}
Ken
Alan DeKok wrote:
Ayres G.J. [EMAIL PROTECTED] wrote:
I am developing a web system that authenticates users to a web site
through free radius using the mod_auth_radius module for apache. It all
works fine, but I would like to get the username of the user that has
authenticated for use on pages once they have authenticated.
It's in the HTTP headers. The username password are sent in every
request.
I am not sure how to go about this. I guess that the values are set in a
cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I
could retrieve the values, either through HTML or PHP?
Not HTML. Maybe PHP, if it allows you to get HTTP headers. See the
module source code for where the headers are, and the PHP docs for how
to get at them.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius values
or even easier, if apache is setup for SSI, you can just plunk this into your web page where you want the authenticated username: !--#echo var=REMOTE_USER-- Ken Alan DeKok wrote: Ayres G.J. [EMAIL PROTECTED] wrote: I am developing a web system that authenticates users to a web site through free radius using the mod_auth_radius module for apache. It all works fine, but I would like to get the username of the user that has authenticated for use on pages once they have authenticated. It's in the HTTP headers. The username password are sent in every request. I am not sure how to go about this. I guess that the values are set in a cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I could retrieve the values, either through HTML or PHP? Not HTML. Maybe PHP, if it allows you to get HTTP headers. See the module source code for where the headers are, and the PHP docs for how to get at them. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FW: Trouble with HTTPS and mod_auth_radius
Is there a mod_auth_radius list I can direct this question to? Thanks, Jason -Original Message- From: Zawacki Jason D Contr AFRL/IFOS Sent: Monday, June 06, 2005 11:43 AM To: 'freeradius-users@lists.freeradius.org' Subject: Trouble with HTTPS and mod_auth_radius Hey folks, I'm having trouble getting my configuration to work with SSL enabled in apache 1.3.33 using mod_auth_radius (mod_auth_radius.c,v 1.15 2003/03/24 19:16:15). This same setup works fine when SSL is not enabled. If I go to the page I've configured for radius auth, I get an Internal Server Error. I've shut off all other authentications for this location (NTLM) and the mod_auth module is not being activated. Even so, the apache error log indicates that it is looking for a user file as if I were using mod_auth. Here is my setup: ... LoadModule radius_auth_module libexec/mod_auth_radius.so ... #AddModule mod_auth.c ... AddModule mod_auth_radius.c ... AddRadiusAuth X.X.X.X:1812 XX AddRadiusCookieValid5 ... Location /test-radius AllowOverride None order allow,deny allow from all AuthName RRS Radius test AuthType Basic NTLMAuthoritative off NTLMAuth off NTLMBasicAuth off AuthRadiusAuthoritative on AuthRadiusActive on require valid-user /Location Like I said, the same setup works fine for a non-SSL URL, which puzzles me greatly. I'm using this box to test several authentication schemes including ldap, ntlm, and kerberos and none of demonstrated the same behavior. Any help is greatly appreciated. Jason - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FW: Trouble with HTTPS and mod_auth_radius
That would be great.. I tried to work with mod_auth_radius and couldn't get it to go a while back and really wanted have a site that was only available to Authenticated users. (just my 2 cents) I was trying it out on macs running apache..(That could have been the problem) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: Thursday, June 09, 2005 3:56 PM To: FreeRadius users mailing list Subject: Re: FW: Trouble with HTTPS and mod_auth_radius Zawacki Jason D Contr AFRL/IFOS [EMAIL PROTECTED] wrote: Is there a mod_auth_radius list I can direct this question to? Not really. This list is good enough. Like I said, the same setup works fine for a non-SSL URL, which puzzles me greatly. I'm using this box to test several authentication schemes including ldap, ntlm, and kerberos and none of demonstrated the same behavior. I'd love to know why. When I wrote mod_auth_radius, there was little documentation about the internals of Apache. So the module may not do the right thing. At this point, it may be worth re-writing the module to follow the outline of one which does work, and just change ntlm to radius, for example. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.323 / Virus Database: 267.6.6 - Release Date: 6/8/2005 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Trouble with HTTPS and mod_auth_radius
Hey folks, I'm having trouble getting my configuration to work with SSL enabled in apache 1.3.33 using mod_auth_radius (mod_auth_radius.c,v 1.15 2003/03/24 19:16:15). This same setup works fine when SSL is not enabled. If I go to the page I've configured for radius auth, I get an Internal Server Error. I've shut off all other authentications for this location (NTLM) and the mod_auth module is not being activated. Even so, the apache error log indicates that it is looking for a user file as if I were using mod_auth. Here is my setup: ... LoadModule radius_auth_module libexec/mod_auth_radius.so ... #AddModule mod_auth.c ... AddModule mod_auth_radius.c ... AddRadiusAuth X.X.X.X:1812 XX AddRadiusCookieValid5 ... Location /test-radius AllowOverride None order allow,deny allow from all AuthName RRS Radius test AuthType Basic NTLMAuthoritative off NTLMAuth off NTLMBasicAuth off AuthRadiusAuthoritative on AuthRadiusActive on require valid-user /Location Like I said, the same setup works fine for a non-SSL URL, which puzzles me greatly. I'm using this box to test several authentication schemes including ldap, ntlm, and kerberos and none of demonstrated the same behavior. Any help is greatly appreciated. Jason - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mod_auth_radius v1.4.2 problem
Hello all. I've been having a very strange problem with mod_auth_radius. I have it configured like so: IfModule mod_auth_radius.c AddRadiusAuthx.x.x.x password AddRadiusCookieValid 5 /IfModule Location /test-radiusAllowOverride Noneorder allow,denyallow from all AuthName "RRS Radius test"AuthType BasicAuthAuthoritative offKrbAuthoritative offAuthRadiusAuthoritative onAuthRadiusCookieValid 60require valid-user/Location The above part is in both non-ssl and ssl configurations. The weird part is this works fine when using HTTP. HTTPS breaks, and gives this error: [Fri Apr 29 12:02:10 2005] [crit] [client X.X.X.X] configuration error: couldn't check user. No user file?: /test-radius/auth.cgi Allother authentication methods on this box have worked fine for bothHTTP and HTTPS: LDAP, Kerberos, NTLM. apache 1.3.33 Thanks for any help, Jason
Mod_auth_radius
Anyone get mod_aut_Radius runing on Fedora Core 3 without recompliling Apache.. Seeing as they don't send you the source compile info... Their the apxs install won't work? Thanx Cris - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How to authenticate user who browse the internet with mod_auth_radius
Hi all, Currently i manage to authenticate user who login a localhost's web server.It is possible to authenticate user who want to browse the inernet, using mod_auth_radius? Can it be done? Do you Yahoo!? Yahoo! Mail - now with 250MB free storage. Learn more.
Re: How to authenticate user who browse the internet with mod_auth_radius
Please send PLAIN TEXT mails! http://www.freeradius.org/mod_auth_radius/ - Original Message - From: chiam kuosiang To: freeradius-users@lists.freeradius.org Sent: Friday, February 18, 2005 6:51 PM Subject: How to authenticate user who browse the internet with mod_auth_radius Hi all, Currently i manage to authenticate user who login a localhost's web server. It is possible to authenticate user who want to browse the inernet, using mod_auth_radius? Can it be done? Do you Yahoo!? Yahoo! Mail - now with 250MB free storage. Learn more. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: mod_auth_radius
I'm sorry for this stupid question. I'm using VM-Ware and the source file was in a shared folder. I moved it and it works. Loïc -Message d'origine- De : TRANSLER Loic Envoyé : mercredi 2 février 2005 16:44 À : freeradius-users@lists.freeradius.org Objet : mod_auth_radius Hi, I'm not sure I'm supposed to post about mod_auth_radius here. Sorry if I'm not. My apache (2.0) server is installed with rpm's. DSO's are enabled. So, I use apxs. When I launch the command apxs2 -i -a -c mod_auth_radius-2.0.c, the result is : /usr/lib/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -fomit-frame-pointer -pipe -march=i586 -mcpu=pentiumpro -fno-omit-frame- pointer -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT - D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -O2 -fomit- frame-pointer -pipe -march=i586 -mcpu=pentiumpro -fno-omit-frame-pointer - pthread -DRECORD_FORWARD -I/usr/include/apache2 -I/usr/include/apache2 -I/usr/include/apache2 -c -o mod_auth_radius-2.0.lo mod_auth_radius- 2.0.c touch mod_auth_radius-2.0.slo mod_auth_radius-2.0.c:560: warning: initialization from incompatible pointer type ln: création d'un lien symbolique `mod_auth_radius-2.0.lo' vers `mod_auth_radius-2.0.o': Operation not permitted apxs:Error: Command failed with rc=65536 Versions: Linux Mandrake 10.0 Official Apache 2.0.48-6 Mod_auth_radius 1.5.7 Freeradius 1.0.1 Can anyone help me? Loïc. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius
Hi, I'm not sure I'm supposed to post about mod_auth_radius here. Sorry if I'm not. My apache (2.0) server is installed with rpm's. DSO's are enabled. So, I use apxs. When I launch the command apxs2 -i -a -c mod_auth_radius-2.0.c, the result is : /usr/lib/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -fomit-frame-pointer -pipe -march=i586 -mcpu=pentiumpro -fno-omit-frame-pointer -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -O2 -fomit-frame-pointer -pipe -march=i586 -mcpu=pentiumpro -fno-omit-frame-pointer -pthread -DRECORD_FORWARD -I/usr/include/apache2 -I/usr/include/apache2 -I/usr/include/apache2 -c -o mod_auth_radius-2.0.lo mod_auth_radius-2.0.c touch mod_auth_radius-2.0.slo mod_auth_radius-2.0.c:560: warning: initialization from incompatible pointer type ln: création d'un lien symbolique `mod_auth_radius-2.0.lo' vers `mod_auth_radius-2.0.o': Operation not permitted apxs:Error: Command failed with rc=65536 Versions: Linux Mandrake 10.0 Official Apache 2.0.48-6 Mod_auth_radius 1.5.7 Freeradius 1.0.1 Can anyone help me? Loïc. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
need help! mod_auth_radius module crash under EAPI
Hi all, [EMAIL PROTECTED] root]# cd /usr/local/apache/bin[EMAIL PROTECTED] bin]# ./apachectl start[Tue Feb 1 23:43:39 2005] [warn] Loaded DSO libexec/mod_auth_radius.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI)./apachectl start: httpd started Consequently,i cant login the dialup admin. from new user, Siang Do you Yahoo!? Yahoo! Search presents - Jib Jab's 'Second Term'
mod_auth_radius vulnerability
The following URL says there's a vulnerability in mod_auth_radius: http://www.net-security.org/vuln.php?id=3997 Is this true? If so, has a new version been released? [BTW: why does mod_auth_radius 1.5.7 source code refer to itself as 1.5.4 in comments? Is it really 1.5.7 or 1.5.4?] - Morty - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius vulnerability
Mordechai T. Abzug [EMAIL PROTECTED] wrote: The following URL says there's a vulnerability in mod_auth_radius: http://www.net-security.org/vuln.php?id=3997 Is this true? If so, has a new version been released? Most of it is true, part is B.S. An attacker CANNOT spoof replies from the RADIUS server to exploit this vulnerability. The risk of this problem is extremely low. [BTW: why does mod_auth_radius 1.5.7 source code refer to itself as 1.5.4 in comments? Is it really 1.5.7 or 1.5.4?] Lack of due diligence. It's 1.5.7. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: mod_auth_radius with apache and Tomcat
Hmm, Tomcat presents a different issue for authentication. I have RADIUS working with Apache 2.0, but I have not setup Tomcat. I think you will need to address Tomcat authentication separately since it runs as a separate service. From: Liz Osborne [EMAIL PROTECTED] Reply-To: freeradius-users@lists.freeradius.org To: 'freeradius-users@lists.freeradius.org' freeradius-users@lists.freeradius.org Subject: mod_auth_radius with apache and Tomcat Date: Thu, 20 Jan 2005 14:54:33 - Has anybody succeeded in using mod_auth_radius with apache and Tomcat? We are having problems authenticating URLs which are forwarded from apache to Tomcat. The authentication seems to work sometimes, but the web server returns a 404 error, saying the URL is not present on the server. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius with apache and Tomcat
Has anybody succeeded in using mod_auth_radius with apache and Tomcat? We are having problems authenticating URLs which are forwarded from apache to Tomcat. The authentication seems to work sometimes, but the web server returns a 404 error, saying the URL is not present on the server. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Apache and mod_auth_radius
Ok, I found an old article referring to this problem http://lists.freeradius.org/archives/freeradius-users/2004/11/msg00096.html Now I have a different issue. I am getting couldn't check access. No group file in the HTTPD logs - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Apache2 and mod_auth_radius-WORKING
Got it figured out. I found a typo in the httpd.conf and noted the README
states to point your browser to the http://{site}/{directory}/{filename}
Working with one-time passwords.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Apache2 with mod_auth_radius
I have reviewed the documentation for Apache2 and mod_auth_radius and have couple of questions 1. I am wondering why the mod_auth_radius wants to have AddModule mod_auth_radius.c ? I thought Apache2 no longer uses the AddModule. Would I change the IfModule to mod_auth_radius.so? 2. I am getting an Internal Error 500 when going to a secure directory using .htaccess. Error logs report configuration error: couldn't check user. No user file ?: /customer. I attempted to remove the .htaccess file and include the .htaccess info in the Location /customer section under the IfModule, but tht did not enforce authentication. Any sugestions? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius, Apache 2.0 reverse proxy, challenge-response issues
Hello- I've manged to get mod_auth_radius working with Apache 2.0 and a remote CryptoCard Server. Unfortunately, the CryptoCard is in Challenge-Response mode and the owner can't/won't change to Quicklog. No biggy, as the user just gets the first prompt, then the challenge-response prompt. The problem is, for every object that Apache is pulling from the backend server (reverse proxying), the user is being prompted. Is there a way to avoid the multiple prompts, yet retain RADIUS authentication? TIA - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius-2.0 difficulty
I bet if you set up a sniffer trace or use snoop, you probably would see your Apache2 wasn't even talking to the RADIUS server. I just got it all worked out on Solaris 8 and Mac OS X 10.3 after several days of similar head-scratching. Here's what I had to do to make Apache 2.0.52 use mod_auth_radius-2.0: In httpd.conf, DO NOTHING except using the LoadModule directive to initialize mod_auth_radius-2.0. In ssl.conf, put the mod_auth_radius directives there. *** begin abridged ssl.conf *** [the usual ssl stuff] IfDefine SSL [more usual ssl stuff] VirtualHost _default_:80 /VirtualHost VirtualHost _default_:443 [more usual ssl stuff] *** only works for me when IfModule is placed here *** IfModule mod_auth_radius-2.0.c AddRadiusAuth localhost:1645 testing123 5:3 AddRadiusCookieValid 5 /IfModule Location /search.html AuthName RADIUS SSL AuthType Basic AuthAuthoritative off AuthRadiusAuthoritative on AuthRadiusCookieValid 5 AuthRadiusActive On require valid-user /Location [more usual ssl stuff] /VirtualHost /IfDefine *** end abridged ssl.conf *** I tried placing IfModule mod_auth_radius-2.0.c in all sorts of other places plausible in httpd.conf and ssl.conf. Apache2 simply did not talk to the RADIUS server (and kept returning 500 internal server error) except using the placement I posted above. Y. J. Zhang Hello all, I have used mod_auth_radius with apache 1.x.x with no problems. We recently started upgrading the apache servers to 2.0. I downloaded the mod_auth_radius-2.0.c from http://www.freeradius.org/mod_auth_radius/ . It is version 1.5.7. The module compiled correctly with apxs.Ê I configured this module similar to how I configured the old one for apache 1.3.x. When I go to the diredtory I want to control, I get a login box. When I type in my login name and password, I get Internal Server Error. The logs say: configuration error: couldn't check user. No user file?: /wijsp Is there a way to increase the log level for this?Ê I have: LoadModule radius_auth_module modules/mod_auth_radius-2.0.so right after auth_module in the httpd.conf. I have: IfModule mod_auth_radius-2.0.c AddRadiusAuth auth1.mail.vanderbilt.edu:1645 XXX 5 AddRadiusCookieValid 720 /IfModule at the very end of the httpd.conf file. Obviously, XXX is our radius secret. Within the virtual host in the ssl.conf file (we use ssl), I have: Alias /wijsp /export/apps/webi/uat/65/nodes/corvette/mycluster/APACHE SSL FOR TOMCAT/MasterWebServer-129.59.10.49_1443/wijsp Directory /export/apps/webi/uat/65/nodes/corvette/mycluster/APACHE SSL FOR TOMCAT/MasterWebServer-129.59.10.49_1443/wijsp Options FollowSymLinks AllowOverride All SSLRequireSSL AuthType Basic AuthName Webi 6.5 AuthAuthoritative off AuthRadiusAuthoritative on AuthRadiusCookieValid 5 AuthRadiusActive On require valid-user /Directory I have been trying to get this to work all day, and I am being pressured by the powers that be to get this working soon. Does anyone have any tips, hints, directions that can help me? If I have grossly misinterpreted the documentation, please let me know that as well. I do appreciate any help you can give. Thanks, Jennifer - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius-2.0 difficulty
Hello all, I have used mod_auth_radius with apache 1.x.x with no problems. We recently started upgrading the apache servers to 2.0. I downloaded the mod_auth_radius-2.0.c from http://www.freeradius.org/mod_auth_radius/ . It is version 1.5.7. The module compiled correctly with apxs. I configured this module similar to how I configured the old one for apache 1.3.x. When I go to the diredtory I want to control, I get a login box. When I type in my login name and password, I get Internal Server Error. The logs say: configuration error: couldn't check user. No user file?: /wijsp Is there a way to increase the log level for this? I have: LoadModule radius_auth_module modules/mod_auth_radius-2.0.so right after auth_module in the httpd.conf. I have: IfModule mod_auth_radius-2.0.c AddRadiusAuth auth1.mail.vanderbilt.edu:1645 XXX 5 AddRadiusCookieValid 720 /IfModule at the very end of the httpd.conf file. Obviously, XXX is our radius secret. Within the virtual host in the ssl.conf file (we use ssl), I have: Alias /wijsp /export/apps/webi/uat/65/nodes/corvette/mycluster/APACHE SSL FOR TOMCAT/MasterWebServer-129.59.10.49_1443/wijsp Directory /export/apps/webi/uat/65/nodes/corvette/mycluster/APACHE SSL FOR TOMCAT/MasterWebServer-129.59.10.49_1443/wijsp Options FollowSymLinks AllowOverride All SSLRequireSSL AuthType Basic AuthName Webi 6.5 AuthAuthoritative off AuthRadiusAuthoritative on AuthRadiusCookieValid 5 AuthRadiusActive On require valid-user /Directory I have been trying to get this to work all day, and I am being pressured by the powers that be to get this working soon. Does anyone have any tips, hints, directions that can help me? If I have grossly misinterpreted the documentation, please let me know that as well. I do appreciate any help you can give. Thanks, Jennifer - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
about mod_auth_radius on APACHE
hi all, Anybody can give me an html/php example for apache server which can be used as a radius client to do WEB authentication? I'm not familiar with web programing. Thanks. Regards. Yyc And the vision that was planted in my brain. Still remains with the Sound of Silence. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: about mod_auth_radius on APACHE
http://uk.php.net/manual/en/features.http-auth.php josh. --On Tuesday, October 19, 2004 18:28:30 +0800 Yyc [EMAIL PROTECTED] wrote: hi all, Anybody can give me an html/php example for apache server which can be used as a radius client to do WEB authentication? I'm not familiar with web programing. Thanks. Regards. Yyc And the vision that was planted in my brain. Still remains with the Sound of Silence. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- --- Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K. 'phone: 0117 928 7850 email: [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius and ms-chapv2
Hello, I would like to set up freeradius, and mod_auth_radius on linux to authenticate users via ias (radius server). My problem is the ias administrator said the authentication method is pap and not ms-chapv2. How can I set up mod_auth_radius to use ms-chapv2? Is it possibile? Thanks... Janos Makadi - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius and ms-chapv2
No. josh. --On Monday, October 11, 2004 14:25:15 +0200 Makadi Janos [EMAIL PROTECTED] wrote: Hello, I would like to set up freeradius, and mod_auth_radius on linux to authenticate users via ias (radius server). My problem is the ias administrator said the authentication method is pap and not ms-chapv2. How can I set up mod_auth_radius to use ms-chapv2? Is it possibile? Thanks... Janos Makadi - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- --- Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K. 'phone: 0117 928 7850 email: [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius and ms-chapv2
Josh Howlett wrote: No. josh. --On Monday, October 11, 2004 14:25:15 +0200 Makadi Janos [EMAIL PROTECTED] wrote: Hello, I would like to set up freeradius, and mod_auth_radius on linux to authenticate users via ias (radius server). My problem is the ias administrator said the authentication method is pap and not ms-chapv2. How can I set up mod_auth_radius to use ms-chapv2? Is it possibile? Thanks... Janos Makadi THX Janos Makadi - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Looking for commercial support for mod_auth_radius in Canada
Hello freeradius-users, Sorry for non-technical quick question. My employer needs to find a reliable company that can support mod_auth_radius in our apache 1.3 proxy environment. We are located in Toronto. -- Best regards, Gaziz Nugmanov - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Looking for commercial support for mod_auth_radius in Canada
Hi, Is it a contract position? Which OS are you running on? Thanks. Kafui Amedzekor. --- Gaziz Nugmanov [EMAIL PROTECTED] wrote: Hello freeradius-users, Sorry for non-technical quick question. My employer needs to find a reliable company that can support mod_auth_radius in our apache 1.3 proxy environment. We are located in Toronto. -- Best regards, Gaziz Nugmanov - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
AW: mod_auth_radius with OTP
no, the settings on the webserver are right (AddRadiusCookieValid 5), also i am shure that my browser settings correct, because i disable the automatic cookie handling. every time the browser ask me what do with a cookie. any other ideas? -Ursprüngliche Nachricht- Von: Alan DeKok [mailto:[EMAIL PROTECTED] Gesendet: Freitag, 17. September 2004 17:31 An: [EMAIL PROTECTED] Betreff: Re: mod_auth_radius with OTP Stephan Pfeiffer [EMAIL PROTECTED] wrote: is it possible to cache the authentication status? It's done by default, in the cookie. atm the mod_auth_radius module ask on every webserver-request the radius-server. That is not the default configuration. Maybe the browser is blocking cookies. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius with OTP
hi, is it possible to cache the authentication status? atm the mod_auth_radius module ask on every webserver-request the radius-server. this is no problem by static passwords, but i have one-time-passwords that was generated by a token. the result is that the first data from a webserver request is shown (e.g. some text) but the rest of site not (e.g pictures etc). some solutions? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius with OTP
Stephan Pfeiffer [EMAIL PROTECTED] wrote: is it possible to cache the authentication status? It's done by default, in the cookie. atm the mod_auth_radius module ask on every webserver-request the radius-server. That is not the default configuration. Maybe the browser is blocking cookies. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
AW: WG: mod_auth_radius: error - no user file?
thx for fast response! I have copy exact the same as written here: http://www.freeradius.org/mod_auth_radius/httpd.conf but the problem still exist. -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Auftrag von Alan DeKok Gesendet: Mittwoch, 25. August 2004 16:25 An: [EMAIL PROTECTED] Betreff: Re: WG: mod_auth_radius: error - no user file? Stephan Pfeiffer [EMAIL PROTECTED] wrote: If i connect now to the server it asked me for user and passwort, but after press enter i get the default error page. The apache2 log writes: configuration error: couldn't check user. no user file?: /index.shtml You haven't told Apache *when* to use the module. Keep reading the documentation that comes with the module. It includes examples of controlling directory access, by using the modules directives. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: AW: WG: mod_auth_radius: error - no user file?
Stephan Pfeiffer [EMAIL PROTECTED] wrote: I have copy exact the same as written here: = http://www.freeradius.org/mod_auth_radius/httpd.conf but the problem still exist. Perhaps you should try reading the documentation and configuration files, rather than copying them verbatim. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
WG: mod_auth_radius: error - no user file?
[EMAIL PROTECTED], i´ve download and compile the mod_auth_radius-2.0.c how is described here http://www.freeradius.org/mod_auth_radius/ with apxs -i -a -c mod_auth_radius.c. All finished and the httpd.conf has my entries: LoadModule radius_auth_module modules/mod_auth_radius-2.0.so .. IfModule mod_auth_radius.c AddRadiusAuth m.y.i.p:1812 testsecret 5:3 /IfModule . and apachectl configtest put all ok. If i connect now to the server it asked me for user and passwort, but after press enter i get the default error page. The apache2 log writes: configuration error: couldn´t check user. no user file?: /index.shtml and on the radius server i can´t see any request. whats wrong? Info: * apache 2.0.50 * last mot_auth_radius module * debian 3.0 with kernel 2.2.20 regards... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WG: mod_auth_radius: error - no user file?
Stephan Pfeiffer [EMAIL PROTECTED] wrote: If i connect now to the server it asked me for user and passwort, but after press enter i get the default error page. The apache2 log writes: configuration error: couldn't check user. no user file?: /index.shtml You haven't told Apache *when* to use the module. Keep reading the documentation that comes with the module. It includes examples of controlling directory access, by using the modules directives. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius and ACE/Server
Hello, I´m having problem when I use the Apache authentication module mod_auth_radius with Freeradis and ACE/Server I´m using Freeradius as a Proxy Radius to the ACE/Server. When I try to authenticate in the Apache Server it execute several requests of user and password in the Proxy Radius causing PASSCODE REUSE ATTACK detect in the ACE/Server. How can execute only one request to the Proxy Freeradius Thanks for help. Luciano - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius and ACE/Server
Rangel, Luciano [EMAIL PROTECTED] wrote: I'm using Freeradius as a Proxy Radius to the ACE/Server. When I try to authenticate in the Apache Server it execute several requests of user and password in the Proxy Radius causing PASSCODE REUSE ATTACK detect in the ACE/Server. How can execute only one request to the Proxy Freeradius Read the documentation which comes with mod_auth_radius, and the comments at the start of the C file. It describes when the module sends multiple requests, why, and how to fix it. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius-2.0+Apache2.0
On Mon, 2004-05-17 at 11:29, Andreas wrote: Hello, Im using SuSE Linux 9.1, FreeRadius 0.9.3 with the module mod_auth_radius-2.0 and Apache2.0. I would like to use Radius for web authentication. At first I tested the Apache 1.3 with the Radius module mod_auth_radius. I used the configuration as per description on http://www.freeradius.org/mod_auth_radius. Everything works great! But now I would like to use Apache 2.0 and the Radius module mod_auth_radius-2.0. After installation and configuration I checked the interaction between the Radius-server and the Radius-module from the Apache 2.0 with the tool ethereal. The access to the secured web area is answered by the login prompt. After entering the right user and password the Radius-module made a Access Request(1) and the Radius-server made a Access Accept (2). In actual fact I would say that the interaction is ok, or isnt it? But the browser gives me an error message back: Error 500. Does this error come form a wrong configuration from the httpd.conf file? Is the configuration from the apache 1.3 httpd.conf file equal to the configuration file from the apache 2.0 except the entry from AddModule .../mod_auth_radius.o? May somebody help me and give me some instructions?? Thank you in advance! Greetings Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Did I miss the response to this? I am also looking for mod_auth_radius in Apache 2.0. Ted - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius-2.0+Apache2.0
Hello, I´m using SuSE Linux 9.1, FreeRadius 0.9.3 with the module mod_auth_radius-2.0 and Apache2.0. I would like to use Radius for web authentication. At first I tested the Apache 1.3 with the Radius module mod_auth_radius. I used the configuration as per description on http://www.freeradius.org/mod_auth_radius. Everything works great! But now I would like to use Apache 2.0 and the Radius module mod_auth_radius-2.0. After installation and configuration I checked the interaction between the Radius-server and the Radius-module from the Apache 2.0 with the tool ethereal. The access to the secured web area is answered by the login prompt. After entering the right user and password the Radius-module made a Access Request(1) and the Radius-server made a Access Accept (2). In actual fact I would say that the interaction is ok, or isn´t it? But the browser gives me an error message back: Error 500. Does this error come form a wrong configuration from the httpd.conf file? Is the configuration from the apache 1.3 httpd.conf file equal to the configuration file from the apache 2.0 except the entry from AddModule .../mod_auth_radius.o? May somebody help me and give me some instructions?? Thank you in advance! Greetings Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Some hints to mod_auth_radius-2.0
We want to implement one-time password based web-server authentication
against our Radius server. Mod_auth_radius seems to be quite nice
apache(2) module for this purpose.
Unfortunately there was some weaknesses:
1) one-time password authentication and initial directory access
(problem described in README Some warnings). Annoying!
2) manual logout - at first I didn't see any good solution to give user
an ability to logout and relogin (if she/he want to) without restarting
the browser.
3) absolute time for ticket (cookie) timeout - parameter
AddRadiusCookieValid allows only n minute access to web-browser after
login, no matter how often you access the web-server. I would prefer an
idle timeout - when web-server haven't accessed n minute, then ticket
would timeouts
I think that I have found solutions to all these problems. What does
think the freeradius community about these ones?
1) Initially accessing the directory (e.g. https://server.com/) is
possible by using apache rewrite module:
RewriteRule ^/$ /index.php
Of cource this rule match only for root-directory, but it's better than
nothing (users insert to the browser's url-bar only hostname, generally)
2) manual logout methot is following:
- quering url https://server.com/logout.php, the cookie in browser would
deleted.
?php
# /logout.php
setcookie(RADIUS,,0,/);
echo(Logged out);
?
- in apache conf set a line:
ErrorDocument 401 /error/HTTP_UNAUTHORIZED.php
(of cource /error/* is not in restricted area)
?php
# /error/HTTP_UNAUTHORIZED.php
Header(WWW-Authenticate: Basic realm=\Radius\);
header('HTTP/1.0 401 Unauthorized');
echo(Authorization required!);
exit;
?
This methot doesn't require browser restart. Trying to access restricted
area, browser will ask username and password again.
3) Now the most complicated problem: how to implement idle timeout
I dared to change the module code in a way, that parameter
AddRadiusCookieValid means a idle timeout (in minute). Algoritm for
timeout check is:
if ( last_access_time + idle_timeout current_access_time ) {
return EXPIRED;
} else {
update_cookie(Radius,current_access_time)
return OK;
}
there are my patch for this:
--- mod_auth_radius-2.0.c.orig 2004-01-27 20:06:25.0 +0200
+++ mod_auth_radius-2.0.c 2004-01-28 09:25:05.0 +0200
@@ -705,6 +705,9 @@
valid_cookie(request_rec *r, const char *cookie, const char *passwd)
{
time_t expires, now;
+ server_rec *s = r-server;
+ radius_server_config_rec *scr = (radius_server_config_rec *)
+ap_get_module_config (s-module_config, radius_auth_module);
if (strlen(cookie) (16 + 4)*2) { /* MD5 is 16 bytes, and expiry
date is 4*/
return FALSE; /* invalid */
@@ -713,14 +716,16 @@
sscanf(cookie[32], %8lx, expires);
now = time(NULL);
- if (expires now) { /* valid only for a short window of time */
+ if ( ( expires + ( scr-timeout * 60 ) ) now) { /* valid only
for a short window of time */
return FALSE; /* invalid: expired */
}
/* Is the returned cookie identical to one made from our secret? */
- if (strcmp(cookie, make_cookie(r, expires, passwd, NULL)) == 0)
+ if (strcmp(cookie, make_cookie(r, expires, passwd, NULL)) == 0) {
+add_cookie(r, r-headers_out, make_cookie(r, now, passwd, NULL), now);
return TRUE;
-
+ }
+
return FALSE;/* cookie doesn't match:
re-validate */
}
/* Add a cookie to an outgoing request */
/* - End of patch -- */
Any comments are very welcome.
Tanel
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius question
Is there a way to force a realm per .htaccess file using mod_auth_radius? R. -- ___ Recursion: see recursion +--+ | Richard Lucassen, Utrecht| | Public key and email address:| | http://www.lucassen.org/mail-pubkey.html | +--+ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mod_auth_radius logout?
Can I implement somehow a logout mechanism to mod_auth_radius? Just deleting cookie is not a solution, because after that there are any possibility to login again. Only error-pages occure. Tanel - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem: apache mod_auth_radius
Alan DeKok wrote: Alan DeKok [EMAIL PROTECTED] wrote: This is explained in the README which comes with the server. I meant apache module. How could I miss this section from README?! Thanks! Tanel - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem: apache mod_auth_radius
I'd like to restrict whole my www-server (apache2) resources by radius. Everything is OK restricting subdirectory of www-server (http://myhost.com/info/), but things are worse restricting root-dir of www-server (http://myhost.com). 1) entering http://myhost.com (apache ask for usernamepassword, entering these), I got an error-page (Authentication required!) 2) entering then http://myhost.com/index.html (no usernamepassword asked), I got the same error-page But when I start vice versa: 1) entering http://myhost.com/index.html (apache ask for usernamepassword, entering these), I got the valid page (index.html) 2) entering then http://myhost.com (no usernamepassword asked), everything is OK, again. Index.html are displayed As I said, restricting subdirectory (http://myhost.com/test/) everything is OK. So problem occure when I restrict root-direcory and root-directory (without exact page, e.g. index.html) are asked. I use: - last mod_auth_radius-2.0.c (from freeradius page) - Redhat9.0 and apache2 httpd.conf: LoadModule radius_auth_module modules/mod_auth_radius-2.0.so IfModule mod_auth_radius-2.0.c AddRadiusAuth myradius.com mysecret AddRadiusCookieValid 5 /IfModule Directory /var/www/html Options Indexes FollowSymLinks AllowOverride All /Directory - /var/www/html/.htaccess: AuthType Basic AuthName Radius AuthAuthoritative Off AuthRadiusAuthoritative On AuthRadiusActive On require valid-user Does somebody knows solution to thiskind of problem? Tanel - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
