LinuxQuestions.org

-   -   RADIUS error in Apache (mod_auth_xradius, SVN, Mantis: authentication caching) (http://www.linuxquestions.org/questions/linux-security-4/radius-error-in-apache-mod_auth_xradius-svn-mantis-authentication-caching-4175424484/)

Teleute 08-28-2012 06:27 PM

RADIUS error in Apache (mod_auth_xradius, SVN, Mantis: authentication caching)
 
I'm trying to configure RADIUS in Apache. The server can properly connect to the RADIUS server, as tested using radlogin. I have the module loaded, the AddRadiusAuth and the AddRadiusCookieValid lines in httpd.conf, and all the auth lines (type, provider, etc...) in the Directory section config. Apache starts fine, with no errors. When I go to any file in that directory (even just a little test.html file I made), the prompt properly comes up for the password, with the right authname. No matter what I type in, though, I get a 500 error. There's nothing relevant in /var/log/httpd/error_log.

If anyone has any ideas where else I can look for a clue, or anything I can try to get this working, I'd highly appreciate it!

Teleute 08-29-2012 12:50 PM

Whoops...I apparently missed a major clue. It was a long day. :-/

Anyway, I had the AddRadiusAuth and Cookie lines in httpd, but since I was doing this over ssl I apparently needed them in the ssl.conf file instead (in the virtual_host section, IIRC).

Teleute 08-29-2012 05:16 PM

Weirdly, this was working for a while, and has now stopped. The RADIUS authentication box is coming up, but when I put in the info it just always returns a password mismatch. When I put the info into radlogin it returns good (same server, same port, same shared secret, etc...). So still looking for help, if anyone knows what I can try next. Thanks!

unSpawn 08-29-2012 07:19 PM

How about rebuilding mod_auth_radius with DEBUG_RADIUS enabled?

Teleute 08-29-2012 07:30 PM

Hmmm....I didn't build the module in the first place - not sure at all how to go about rebuilding it. There's a huge time crunch on this, so I'm still hoping there's a way to sort this without doing that, but I guess I may have to.

Thanks for the idea, even if I hope I don't have to use it. :-)

unSpawn 08-29-2012 08:39 PM

See http://freeradius.org/mod_auth_radius/ ?

Teleute 08-30-2012 12:26 AM

Not seeing anything there about debug at all - searching the whole site for debug even just seems to return hits that are talking about the RADIUS server (which we're not using FreeRADIUS for), not the client module.

Looking through their site more, though, it looks like we might not be able to use this module after all. They have a thing talking about one-time passwords, and apparently they can't handle it if the secured page is down a level from the root and/or calls more than one element. That's a requirement, and I know it worked on the old server with xradius, so I may have to switch back. :-(

unSpawn 08-30-2012 07:31 AM

Quote:

Originally Posted by Teleute (Post 4767943)
Not seeing anything there about debug at all (..) not the client module.

Sorry, I pointed to the site for instructions as you were wondering how to get the module recompiled. The debug info should be inside the client module code itself.


Quote:

Originally Posted by Teleute (Post 4767943)
apparently they can't handle it if the secured page is down a level from the root and/or calls more than one element.

The client module code contains comments about a workaround for that too IIRC.

Teleute 08-30-2012 11:15 AM

Quote:

Originally Posted by unSpawn (Post 4768204)
Sorry, I pointed to the site for instructions as you were wondering how to get the module recompiled. The debug info should be inside the client module code itself.

Ah - hadn't looked in the code itself, just the page. Thanks!

Quote:

Originally Posted by unSpawn (Post 4768204)
The client module code contains comments about a workaround for that too IIRC.

Unfortunately, the workaround is "point to a specific page first so it loads the cookie properly, then go where you want". I don't think this will work for Subversion, with the people using TortoiseSVN, Visual Studio, etc...to check code in and out. Or if it does, it would be a lot of added steps from what they're used to and they'd hate me.

Teleute 08-30-2012 01:25 PM

As an update, I switched to mod_auth_xradius (which uses a local cache file or memcache server) for caching instead of cookies like mod_auth_radius, and the PHP app (Mantis in this case) works perfectly now. Still trying to get the other instance of Apache to work with this and subversion. I have them configured identically, but the svn instance isn't writing to the cache for some reason...

Teleute 08-30-2012 04:50 PM

A bit more info, from another post I made elsewhere:

I'm trying to use xradius on two different Apache 2.2 instances on the same server (RHEL 6.2). The authentication itself works for both, but on InstanceB it's not caching the authentication at all. They both have the same caching config in httpd.conf:

AuthXRadiusCache dbm /var/cache/<InstanceAorB>/xradius_cache
AuthXRadiusCacheTimeout 3600

InstanceA is working perfectly, but B is definitely not correctly using the cache at all - any refresh, link click, anything prompts for re-auth. If I look in their respective cache directories, InstanceA shows two files - xradius_cache.dir and xradius_cache.pag . However, the InstanceB dir only has a single file, xradius_cache, and it's more than 10x the size of the ones in InstanceA.

As mentioned, the config is the same, but the instances are running slightly different versions of Apache - InstanceA is running 2.2.15, and B is running 2.2.19. Note it's the newer one that's not working. I'm wondering are there any settings or other modules this is dependent on to work? They do both have the cache and disk_cache modules loaded...

Teleute 08-31-2012 05:55 PM

Okay, this time I think I did actually get it solved. :-) From a summary I wrote elsewhere:

Finally got the RADIUS authentication working - figured I'd put some info here in case anyone else is trying to do this in future.

As far as I can tell, there are three RADIUS modules for Apache. There's the one that is actually part of Apache (I can't recall the exact name), but it doesn't appear to support one-time passwords. This left mod_auth_radius (from FreeRadius), and mod_auth_xradius. The former uses cookie-based authentication caching, which I could not get to work at *all* consistently with SVN (or with Mantis, which is the other app we're running this with). This is because they both generally make multiple requests in very short order, and the cookie handling doesn't usually work fast enough to make it work. They even acknowledge that on the FreeRadius page, and suggest a workaround of basically an authentication portal page, which isn't really workable for SVN. The latter was really the only option, then.

The trick with mod_auth_xradius is that it's quite old, and I couldn't find any active lists or forums to get any guidance. I implemented it as per the instructions, and this worked on our Mantis install of Apache, but not the UberSVN one. Again, the issue was with the authentication caching. I was using the easier of the two methods, a dbm file-based cache. However, something about the UberSVN compilation of Apache (I'm guessing the default dbm libraries, as those are set at compile-time) meant that the dbm file was getting written in a different format than the xradius module could understand. (This appears to be quite consistent with what I've read, which is that there are two main branches of dbm libraries, that create different file types, and they're not compatible unless you've got some kind of emulation mode in place.)

Therefore, I had to go with the other form of caching, and create a memcached server and import the special apr_memcache libraries from the people that made the radius module, recompile, etc... This seems to finally have gotten things sorted. Whee! I really hope this is potentially useful to someone else someday, with as much effort as I put into it.
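
An added diagnostic for the dbm mismatch described in the two posts above (example code, not from the thread or from mod_auth_xradius): it tells an ndbm/sdbm-style .dir/.pag pair apart from a single-file GDBM or Berkeley DB cache by the magic bytes in the file header, so you can see which dbm flavour each Apache build is actually writing before falling back to memcached. The magic values are taken from the libraries' headers (an assumption; verify against your installed gdbm.h and db.h) and the sample cache files are constructed.

```python
import os
import struct
import tempfile

# Assumed magic numbers (check gdbm.h / db.h on your system):
# GDBM stores its magic at offset 0 in host byte order; newer "numsync"
# gdbm formats use further values not listed here.
GDBM_MAGICS = {0x13579ace, 0x13579acd}
# Berkeley DB (2.x and later) stores the access-method magic at offset 12.
BDB_MAGICS = {0x061561: "Berkeley DB hash", 0x053162: "Berkeley DB btree"}


def classify_header(head):
    """Classify a single-file dbm database from its first 16 bytes."""
    for order in ("<", ">"):          # try both byte orders
        if len(head) >= 4 and struct.unpack(order + "I", head[:4])[0] in GDBM_MAGICS:
            return "single-file GDBM database"
        if len(head) >= 16:
            magic = struct.unpack(order + "I", head[12:16])[0]
            if magic in BDB_MAGICS:
                return "single-file " + BDB_MAGICS[magic]
    return "single file of unrecognised format"


def classify_dbm_cache(cache_path):
    """Describe the on-disk layout behind an 'AuthXRadiusCache dbm <path>' entry."""
    if all(os.path.exists(cache_path + ext) for ext in (".dir", ".pag")):
        return "ndbm/sdbm-style pair (.dir/.pag)"
    if not os.path.exists(cache_path):
        return "no cache file present (cache never written)"
    with open(cache_path, "rb") as fh:
        return classify_header(fh.read(16))


def demo():
    """Constructed sample caches mimicking the thread's InstanceA and InstanceB."""
    root = tempfile.mkdtemp()
    inst_a = os.path.join(root, "InstanceA", "xradius_cache")
    inst_b = os.path.join(root, "InstanceB", "xradius_cache")
    os.makedirs(os.path.dirname(inst_a))
    os.makedirs(os.path.dirname(inst_b))
    for ext in (".dir", ".pag"):      # InstanceA: the .dir/.pag pair
        open(inst_a + ext, "wb").close()
    with open(inst_b, "wb") as fh:    # InstanceB: fake Berkeley DB hash header
        fh.write(b"\0" * 12 + struct.pack("<I", 0x061561) + b"\0" * 500)
    return classify_dbm_cache(inst_a), classify_dbm_cache(inst_b)


if __name__ == "__main__":
    for path, desc in zip(("InstanceA", "InstanceB"), demo()):
        print(path, "->", desc)
```

Point classify_dbm_cache at the real path from the AuthXRadiusCache directive on each instance; two instances reporting different flavours is the compile-time dbm mismatch the thread ran into.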

unSpawn 09-01-2012 08:06 AM

Thanks for posting your solution, much appreciated. I've updated the thread title and tags so others may find this thread more easily.
