[SOLVED] RADIUS error in Apache (mod_auth_xradius, SVN, Mantis: authentication caching)
I'm trying to configure RADIUS in Apache. The server can properly connect to the RADIUS server, as tested using radlogin. I have the module loaded, the AddRadiusAuth and the AddRadiusCookieValid lines in httpd.conf, and all the auth lines (type, provider, etc...) in the Directory section config. Apache starts fine, with no errors. When I go to any file in that directory (even just a little test.html file I made), the prompt properly comes up for the password, with the right authname. No matter what I type in, though, I get a 500 error. There's nothing relevant in /var/log/httpd/error_log.
If anyone has any ideas where else I can look for a clue, or anything I can try to get this working, I'd highly appreciate it!
Weirdly, this was working for a while, and has now stopped. The RADIUS authentication box is coming up, but when I put in the info it just always returns a password mismatch. When I put the info into radlogin it returns good (same server, same port, same shared secret, etc...). So still looking for help, if anyone knows what I can try next. Thanks!
Hmmm....I didn't build the module in the first place - not sure at all how to go about rebuilding it. There's a huge time crunch on this, so I'm still hoping there's a way to sort this without doing that, but I guess I may have to.
Thanks for the idea, even if I hope I don't have to use it. :-)
Not seeing anything there about debug at all - searching the whole site for debug even just seems to return hits that are talking about the RADIUS server (which we're not using FreeRADIUS for), not the client module.
Looking through their site more, though, it looks like we might not be able to use this module after all. They have a thing talking about one-time passwords, and apparently they can't handle it if the secured page is down a level from the root and/or calls more than one element. That's a requirement, and I know it worked on the old server with xradius, so I may have to switch back. :-(
Sorry, I pointed to the site for instructions as you were wondering how to get the module recompiled. The debug info should be inside the client module code itself.
Ah - hadn't looked in the code itself, just the page. Thanks!
Originally Posted by unSpawn
The client module code contains comments about a workaround for that too IIRC.
Unfortunately, the workaround is "point to a specific page first so it loads the cookie properly, then go where you want". I don't think this will work for Subversion, with the people using TortoiseSVN, Visual Studio, etc...to check code in and out. Or if it does, it would be a lot of added steps from what they're used to and they'd hate me.
As an update, I switched to mod_auth_xradius (which uses a local cache file or memcache server) for caching instead of cookies like mod_auth_radius, and the PHP app (Mantis in this case) works perfectly now. Still trying to get the other instance of Apache to work with this and subversion. I have them configured identically, but the svn instance isn't writing to the cache for some reason...
A bit more info, from another post I made elsewhere:
I'm trying to use xradius on two different Apache 2.2 instances on the same server (RHEL 6.2). The authentication itself works for both, but on InstanceB it's not caching the authentication at all. They both have the same caching config in httpd.conf:
InstanceA is working perfectly, but B is definitely not correctly using the cache at all - any refresh, link click, anything prompts for re-auth. If I look in their respective cache directories, InstanceA shows two files - xradius_cache.dir and xradius_cache.pag . However, the InstanceB dir only has a single file, xradius_cache, and it's more than 10x the size of the ones in InstanceA.
As mentioned, the config is the same, but the instances are running slightly different versions of Apache - InstanceA is running 2.2.15, and B is running 2.2.19. Note it's the newer one that's not working. I'm wondering are there any settings or other modules this is dependent on to work? They do both have the cache and disk_cache modules loaded...
Okay, this time I think I did actually get it solved. :-) From a summary I wrote elsewhere:
Finally got the RADIUS authentication working - figured I'd put some info here in case anyone else is trying to do this in future.
As far as I can tell, there are three RADIUS modules for Apache. There's the one that is actually part of Apache (I can't recall the exact name), but it doesn't appear to support one time passwords. This left mod_auth_radius (from FreeRadius), and mod_auth_xradius. The former uses cookie-based authentication caching, which I could not get to work at *all* consistently with SVN (or with Mantis, which is the other app we're running this with). This is because they both generally make multiple requests in very short order, and the cookie handling doesn't usually work fast enough to make it work. They even acknowledge that on the FreeRadius page, and suggest a workaround of basically an authentication portal page, which isn't really workable for SVN. The latter was really the only option, then.
The trick with mod_auth_xradius is that it's quite old, and I couldn't find any active lists or forums to get any guidance. I implemented it as per the instructions, and this worked on our Mantis install of Apache, but not the UberSVN one. Again, the issue was with the authentication caching. I was using the easier of the two methods, a dbm file-based cache. However, something about the UberSVN compilation of Apache (I'm guessing the default dbm libraries, as those are set at compile-time) was meaning that the dbm file was getting written in a different format than the xradius module could understand. (This appears to be quite consistent with what I've read, which is that there are two main branches of dbm libraries, that create different file types, and they're not compatible unless you've got some kind of emulation mode in place.)
Therefore, I had to go with the other form of caching, and create a memcached server and import the special apr_memcache libraries from the people that made the radius module, recompile, etc... This seems to finally have gotten things sorted. Whee! I really hope this is potentially useful to someone else someday, with as much effort as I put into it.
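An added diagnostic sketch, not part of the original thread: it classifies which DBM family wrote an xradius cache by checking for the `.dir`/`.pag` pair seen on InstanceA and otherwise reading the header magic of the single file seen on InstanceB. The function names and both sample directories are constructed here; the thread never states InstanceB's actual format, so the Berkeley DB hash header used for it is an assumption.

```python
import os
import struct
import tempfile

# Header magics written by GNU dbm and Berkeley DB.
GDBM_MAGICS = {0x13579ACE, 0x13579ACD, 0x13579ACF}
BDB_MAGICS = {0x00061561: "hash", 0x00053162: "btree"}


def classify_cache(cache_dir, base="xradius_cache"):
    """Return a label for the DBM layout found under cache_dir/base."""
    path = os.path.join(cache_dir, base)
    # Two-file layout (.dir index + .pag data) is the SDBM/NDBM family.
    if all(os.path.isfile(path + ext) for ext in (".dir", ".pag")):
        return "sdbm/ndbm pair"
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as fh:
        head = fh.read(16)
    if len(head) < 16:
        return "unknown"
    # The writer's byte order is not known in advance, so try both.
    for order in ("<", ">"):
        first, = struct.unpack(order + "I", head[0:4])
        at12, = struct.unpack(order + "I", head[12:16])
        if first in GDBM_MAGICS:
            return "gdbm"
        if at12 in BDB_MAGICS:      # Berkeley DB 2+ metadata page
            return "berkeley-db " + BDB_MAGICS[at12]
        if first in BDB_MAGICS:     # Berkeley DB 1.85 header
            return "berkeley-db-1.85 " + BDB_MAGICS[first]
    return "unknown"


def demo():
    """Build two constructed cache directories and classify each."""
    with tempfile.TemporaryDirectory() as root:
        a, b = (os.path.join(root, n) for n in ("instanceA", "instanceB"))
        os.makedirs(a)
        os.makedirs(b)
        for ext in (".dir", ".pag"):    # constructed, empty pair
            open(os.path.join(a, "xradius_cache" + ext), "wb").close()
        with open(os.path.join(b, "xradius_cache"), "wb") as fh:
            fh.write(b"\0" * 12 + struct.pack("<I", 0x00061561))  # constructed
        return {"instanceA": classify_cache(a), "instanceB": classify_cache(b)}


if __name__ == "__main__":
    print(demo())
```

Running `classify_cache` against each instance's real cache directory shows whether the two Apache builds are writing different DBM formats before committing to a recompile or a memcached setup.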