Submitted By: Paul James Roberts, Northumbria University
As we recommend for Apache 2.2, we recommend using mod_auth_xradius. Documentation for mod_auth_xradius can be found in the README file and here. As you will see, we made some changes to the source code to reflect changes in the Apache API. At this time, mod_auth_radius has not been updated.
Here's how it works: when the user clicks on a two-factor protected link, they are prompted for a username and password. The user generates the one-time passcode on their WiKID token and enters it into the password prompt. Apache forwards the username and one-time passcode to the WiKID server via mod_auth_xradius. If the username and one-time passcode match what WiKID expects, the server tells Apache to grant access. First we add Apache to the WiKID Strong Authentication Server as a network client, then we add RADIUS authentication to Apache.
Our configuration:
- Ubuntu 14.04 LTS
- Apache 2.4.12
- Mod_auth_xradius
- WiKID Enterprise Server
This guide assumes a WiKID Enterprise Server is already installed for your domain, with the relevant users enrolled.
Start by adding a new Radius network client to the WiKID server for your web server:
- Log into WiKID server web interface (http://yourwikidserver/WiKIDAdmin).
- Select Network Clients tab.
- Click on Create New Network Client.
- Fill in the requested information:
  - For the IP Address, use the web server's IP address.
  - For Protocol, select Radius.
  - Hit the Add button and, on the next page, enter a shared secret.
  - Do not enter anything into the Return Attribute box.
- From the terminal or via ssh, run 'wikidctl restart' to load the network client into the built-in WiKID radius server.
That is it for the WiKID server.
Now to get Apache ready for two-factor authentication. We need to get and install mod_auth_xradius for Apache 2.4.
First, we need to install apache2-dev so we can compile mod_auth_xradius:
# sudo apt-get install apache2-dev
# wget http://www.outoforder.cc/downloads/mod_auth_xradius/mod_auth_xradius-0.4.6.tar.bz2
# tar -xjvf mod_auth_xradius-0.4.6.tar.bz2
# cd mod_auth_xradius-0.4.6
Apache made changes to the API from v2.2 to 2.4.
# sudo nano src/xradius_cache.c
Find the two instances of ‘unixd_config’ and replace them with ‘ap_unixd_config’.
The above changes need to be made in order for the module to compile.
# ./configure --with-apxs=/sbin/apxs
# sudo make
# sudo make install
Check the location of the module and move it to the ‘mods-available’ directory in Apache.
# sudo cp /usr/lib/apache2/modules/mod_auth_xradius.so /etc/apache2/mods-available
The module will need to be enabled for use.
# cd /etc/apache2
# sudo nano mods-enabled/mod_auth_xradius.load
Add the following:
LoadModule auth_xradius_module /etc/apache2/mods-available/mod_auth_xradius.so
AuthXRadiusCache dbm /var/authxcache
Check out the xradius docs for other options. It is important to cache the authentication results: if you don't, every HTTP request will generate a fresh authentication request to the WiKID server, and every attempt to validate the one-time passcode except the first will fail, since a one-time passcode cannot be reused. We have cached these results in the file authxcache in the /var/ directory; this file needs to be created and given the correct permissions.
# sudo nano /var/authxcache
# sudo chown :www-data /var/authxcache
# sudo chmod 755 /var/authxcache
When Apache2 updates, it has been known to reset the apache2.conf file. Therefore we recommend putting the configuration below in the relevant virtual host file under /etc/apache2/sites-available/ instead.
<Directory "/var/www/html/radius">
AuthType Basic
AuthBasicProvider xradius
AuthName "Please enter your username and WiKID one-time passcode for entry to this site."
AuthXRadiusAddServer "wikid_server_address:1812" "wikidserver_shared_secret"
AuthXRadiusTimeout 7
AuthXRadiusRetries 2
require valid-user
</Directory>
Change the Directory path to the directory you want to protect. You will also want to change wikid_server_address to the IP address of the WiKID server and wikidserver_shared_secret to the shared secret you configured above in the WiKID server.
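The exchange described at the top of this guide, as an added example that is not part of the original article and not mod_auth_xradius or WiKID code: a toy RADIUS (RFC 2865) Access-Request/Access-Accept round trip in Python, showing how the one-time passcode is hidden with the shared secret from AuthXRadiusAddServer and why the client must check the Response Authenticator before trusting an accept. The username, passcode and shared secret are constructed values, and the "server" is a stand-in that only compares the recovered passcode against a table.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types

def _pap(data, secret, auth, decrypt):
    # RFC 2865 5.2 User-Password hiding: 16-byte blocks XOR MD5(secret + previous block)
    data = data.ljust(16 * max(1, -(-len(data) // 16)), b"\x00")
    out, prev = b"", auth
    for i in range(0, len(data), 16):
        block, chunk = hashlib.md5(secret + prev).digest(), data[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, block))
        prev = chunk if decrypt else out[-16:]
    return out.rstrip(b"\x00") if decrypt else out

def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(user, otp, secret, ident, auth=None):
    auth = auth or secrets.token_bytes(16)  # Request Authenticator: fresh random bytes per request
    attrs = _attr(USER_NAME, user.encode()) + _attr(USER_PASSWORD, _pap(otp.encode(), secret, auth, False))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def _parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data) and data[i + 1] >= 2:
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def toy_radius_server(request, secret, valid_otps):
    # Stand-in for the WiKID RADIUS server (constructed): accept only if the recovered OTP matches
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], _parse_attrs(request[20:length])
    otp = _pap(attrs[USER_PASSWORD], secret, req_auth, True)
    ok = hmac.compare_digest(valid_otps.get(attrs[USER_NAME].decode(), "").encode(), otp)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)  # no attributes
    return header + hashlib.md5(header + req_auth + secret).digest()  # Response Authenticator

def client_accepts(response, request, secret):
    # Response Authenticator = MD5(reply header + Request Authenticator + reply attrs + secret); Identifier must match
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(response[4:20], expected):
        return None  # unverifiable reply: treat as a failure, never as an accept
    return code == ACCESS_ACCEPT
```

A reply that fails the authenticator check (for example a Reject whose code byte was flipped to Accept, or one built with a different secret) returns None rather than True, which is the behaviour a RADIUS client must have if the shared secret is to mean anything.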
Finally, your Apache server will need restarting.
# sudo service apache2 restart