LinuxQuestions.org
Old 08-28-2012, 06:27 PM   #1
Teleute
Member
 
Registered: Mar 2005
Posts: 62

Rep: Reputation: 16
RADIUS error in Apache (mod_auth_xradius, SVN, Mantis: authentication caching)


I'm trying to configure RADIUS in Apache. The server can properly connect to the RADIUS server, as tested using radlogin. I have the module loaded, the AddRadiusAuth and the AddRadiusCookieValid lines in httpd.conf, and all the auth lines (type, provider, etc...) in the Directory section config. Apache starts fine, with no errors. When I go to any file in that directory (even just a little test.html file I made), the prompt properly comes up for the password, with the right authname. No matter what I type in, though, I get a 500 error. There's nothing relevant in /var/log/httpd/error_log.

If anyone has any ideas where else I can look for a clue, or anything I can try to get this working, I'd highly appreciate it!
 
Old 08-29-2012, 12:50 PM   #2
Teleute
Member
 
Registered: Mar 2005
Posts: 62

Original Poster
Rep: Reputation: 16
Whoops...I apparently missed a major clue. It was a long day. :-/

Anyway, I had the AddRadiusAuth and Cookie lines in httpd, but since I was doing this over ssl I apparently needed them in the ssl.conf file instead (in the virtual_host section, IIRC).
 
1 members found this post helpful.
Old 08-29-2012, 05:16 PM   #3
Teleute
Member
 
Registered: Mar 2005
Posts: 62

Original Poster
Rep: Reputation: 16
Weirdly, this was working for a while, and has now stopped. The RADIUS authentication box is coming up, but when I put in the info it just always returns a password mismatch. When I put the info into radlogin it returns good (same server, same port, same shared secret, etc...). So still looking for help, if anyone knows what I can try next. Thanks!
 
Old 08-29-2012, 07:19 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,744
Blog Entries: 54

Rep: Reputation: 2973
How about rebuilding mod_auth_radius with DEBUG_RADIUS enabled?
 
Old 08-29-2012, 07:30 PM   #5
Teleute
Member
 
Registered: Mar 2005
Posts: 62

Original Poster
Rep: Reputation: 16
Hmmm....I didn't build the module in the first place - not sure at all how to go about rebuilding it. There's a huge time crunch on this, so I'm still hoping there's a way to sort this without doing that, but I guess I may have to.

Thanks for the idea, even if I hope I don't have to use it. :-)
 
Old 08-29-2012, 08:39 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,744
Blog Entries: 54

Rep: Reputation: 2973
See http://freeradius.org/mod_auth_radius/ ?
 
Old 08-30-2012, 12:26 AM   #7
Teleute
Member
 
Registered: Mar 2005
Posts: 62

Original Poster
Rep: Reputation: 16
Not seeing anything there about debug at all - searching the whole site for debug even just seems to return hits that are talking about the RADIUS server (which we're not using FreeRADIUS for), not the client module.

Looking through their site more, though, it looks like we might not be able to use this module after all. They have a thing talking about one-time passwords, and apparently they can't handle it if the secured page is down a level from the root and/or calls more than one element. That's a requirement, and I know it worked on the old server with xradius, so I may have to switch back. :-(
 
Old 08-30-2012, 07:31 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,744
Blog Entries: 54

Rep: Reputation: 2973
Quote:
Originally Posted by Teleute
Not seeing anything there about debug at all (..) not the client module.
Sorry, I pointed to the site for instructions as you were wondering how to get the module recompiled. The debug info should be inside the client module code itself.


Quote:
Originally Posted by Teleute
apparently they can't handle it if the secured page is down a level from the root and/or calls more than one element.
The client module code contains comments about a workaround for that too IIRC.
 
Old 08-30-2012, 11:15 AM   #9
Teleute
Member
 
Registered: Mar 2005
Posts: 62

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by unSpawn
Sorry, I pointed to the site for instructions as you were wondering how to get the module recompiled. The debug info should be inside the client module code itself.
Ah - hadn't looked in the code itself, just the page. Thanks!

Quote:
Originally Posted by unSpawn
The client module code contains comments about a workaround for that too IIRC.
Unfortunately, the workaround is "point to a specific page first so it loads the cookie properly, then go where you want". I don't think this will work for Subversion, with the people using TortoiseSVN, Visual Studio, etc...to check code in and out. Or if it does, it would be a lot of added steps from what they're used to and they'd hate me.
 
Old 08-30-2012, 01:25 PM   #10
Teleute
Member
 
Registered: Mar 2005
Posts: 62

Original Poster
Rep: Reputation: 16
As an update, I switched to mod_auth_xradius (which uses a local cache file or memcache server) for caching instead of cookies like mod_auth_radius, and the PHP app (Mantis in this case) works perfectly now. Still trying to get the other instance of Apache to work with this and subversion. I have them configured identically, but the svn instance isn't writing to the cache for some reason...
 
Old 08-30-2012, 04:50 PM   #11
Teleute
Member
 
Registered: Mar 2005
Posts: 62

Original Poster
Rep: Reputation: 16
A bit more info, from another post I made elsewhere:

I'm trying to use xradius on two different Apache 2.2 instances on the same server (RHEL 6.2). The authentication itself works for both, but on InstanceB it's not caching the authentication at all. They both have the same caching config in httpd.conf:

AuthXRadiusCache dbm /var/cache/<InstanceAorB>/xradius_cache
AuthXRadiusCacheTimeout 3600

InstanceA is working perfectly, but B is definitely not correctly using the cache at all - any refresh, link click, anything prompts for re-auth. If I look in their respective cache directories, InstanceA shows two files - xradius_cache.dir and xradius_cache.pag . However, the InstanceB dir only has a single file, xradius_cache, and it's more than 10x the size of the ones in InstanceA.

As mentioned, the config is the same, but the instances are running slightly different versions of Apache - InstanceA is running 2.2.15, and B is running 2.2.19. Note it's the newer one that's not working. I'm wondering are there any settings or other modules this is dependent on to work? They do both have the cache and disk_cache modules loaded...
 
Old 08-31-2012, 05:55 PM   #12
Teleute
Member
 
Registered: Mar 2005
Posts: 62

Original Poster
Rep: Reputation: 16
Okay, this time I think I did actually get it solved. :-) From a summary I wrote elsewhere:

Finally got the RADIUS authentication working - figured I'd put some info here in case anyone else is trying to do this in future.

As far as I can tell, there are three RADIUS modules for Apache. There's the one that is actually part of Apache (I can't recall the exact name), but it doesn't appear to support one-time passwords. This left mod_auth_radius (from FreeRadius), and mod_auth_xradius. The former uses cookie-based authentication caching, which I could not get to work at *all* consistently with SVN (or with Mantis, which is the other app we're running this with). This is because they both generally make multiple requests in very short order, and the cookie handling doesn't usually work fast enough to make it work. They even acknowledge that on the FreeRadius page, and suggest a workaround of basically an authentication portal page, which isn't really workable for SVN. The latter was really the only option, then.

The trick with mod_auth_xradius is that it's quite old, and I couldn't find any active lists or forums to get any guidance. I implemented it as per the instructions, and this worked on our Mantis install of Apache, but not the UberSVN one. Again, the issue was with the authentication caching. I was using the easier of the two methods, a dbm file-based cache. However, something about the UberSVN compilation of Apache (I'm guessing the default dbm libraries, as those are set at compile-time) was meaning that the dbm file was getting written in a different format than the xradius module could understand. (This appears to be quite consistent with what I've read, which is that there are two main branches of dbm libraries, that create different file types, and they're not compatible unless you've got some kind of emulation mode in place.)

Therefore, I had to go with the other form of caching, and create a memcached server and import the special apr_memcache libraries from the people that made the radius module, recompile, etc... This seems to finally have gotten things sorted. Whee! I really hope this is potentially useful to someone else someday, with as much effort as I put into it.
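
The on-disk difference described in posts #11 and #12 (a .dir/.pag pair on one instance, a single large file on the other) can be checked directly from the cache files. This is an added example, not part of the original posts or of mod_auth_xradius; the magic numbers are those listed in the file(1) magic database, and the sample files, including the Berkeley DB header used for InstanceB, are constructed for illustration since the thread does not say which library that Apache build used.

```python
import os
import struct
import tempfile

# Magic numbers as listed in the file(1) magic database.
GDBM_MAGICS = {0x13579ACD, 0x13579ACE, 0x13579ACF}          # at offset 0
BDB_MAGICS = {0x00061561: "hash", 0x00053162: "btree", 0x00042253: "queue"}  # at offset 12


def _u32_both(raw):
    """Decode 4 bytes as big- and little-endian unsigned ints."""
    return struct.unpack(">I", raw)[0], struct.unpack("<I", raw)[0]


def identify_dbm(base):
    """Guess which DBM flavour wrote the cache at `base` (the AuthXRadiusCache path)."""
    if os.path.exists(base + ".dir") and os.path.exists(base + ".pag"):
        return "sdbm/ndbm-style pair (.dir + .pag)"
    if not os.path.isfile(base):
        return "missing"
    with open(base, "rb") as fh:
        head = fh.read(16)
    if len(head) < 16:
        return "unknown (file too short)"
    for value in _u32_both(head[0:4]):
        if value in GDBM_MAGICS:
            return "gdbm single file"
    for value in _u32_both(head[12:16]):
        if value in BDB_MAGICS:
            return "berkeley db single file (%s)" % BDB_MAGICS[value]
    return "unknown single file"


def demo():
    """Build constructed sample files that mimic the two layouts from the thread."""
    root = tempfile.mkdtemp()
    a = os.path.join(root, "InstanceA_xradius_cache")
    b = os.path.join(root, "InstanceB_xradius_cache")
    for ext in (".dir", ".pag"):
        open(a + ext, "wb").close()
    with open(b, "wb") as fh:  # constructed header: 12 pad bytes + BDB hash magic
        fh.write(b"\x00" * 12 + struct.pack("<I", 0x00061561) + b"\x00" * 16)
    return identify_dbm(a), identify_dbm(b)


if __name__ == "__main__":
    for label, result in zip(("InstanceA", "InstanceB"), demo()):
        print(label, "->", result)
```

Running `identify_dbm` against the real cache path of each instance shows whether the two Apache builds are writing the same DBM format before any module is rebuilt.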
 
Old 09-01-2012, 08:06 AM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,744
Blog Entries: 54

Rep: Reputation: 2973
Thanks for posting your solution, much appreciated. I've updated the thread title and tags so others may find this thread more easily.
 
  


Tags
apache, authentication caching, mantis, mod_auth_radius, mod_auth_xradius, radius, svn

