This document describes how to add two-factor authentication to Apache 2.x using mod_auth_radius. N.B.: mod_auth_radius has not been updated to use Apaches new authentication APIs. If you are using a more recent version of apache, please see this document
Our configuration was as follows:
- Fedora Core 5
- Apache 2.2.2-10
- mod_auth_radius Updated: We recommend using for anyone having issues with mod_auth_radius. We will update the rest of the document later ;).
- And, of course, for two-factor authentication, we were using WiKID, in this case, the commercial Enterprise version.
N.B.:Apache > 2.1 requires AuthBasicProvider. Use the AuthBasicProvider "xradius" directive.Here's how it will work, when the user clicks on a two-factor protected link, they will be prompted for a username and password. The user generates the one-time passcode on their WiKID token and enters it into the password prompt. Apache will route the username and one-time password to the WiKID server via pam_auth_radius. If the username and one-time password match what WiKID expects, the server will tell Apache to grant access. First, we add Apache to the WiKID Strong Authentication Server as a network client, then add radius to Apache. I assume you already have a WiKID domain and users setup.
So, start by adding a new Radius network client to the WiKID server for your web server:
- Log into WiKID server web interface (http://yourwikidserver/WiKIDAdim).
- Select Network Clients tab.
- Click on Create New Network Client"
- Fill in the requested information.
- For the IP Address, use the web server IP address
- For Protocol, select Radius
- Hit the Add button, and on the next page, enter a shared secret
- Do not enter anything into the Return Attribute box
- From the terminal or via ssh, run 'stop' and then 'start' to load the network client into the built-in WiKID radius server
Now to get Apache ready for two-factor authentication. We need to get and install mod_auth_radius for Apache 2.x:
# wget http://www.freeradius.org/mod_auth_radius/mod_auth_radius-2.0.c # apxs -i -a -c mod_auth_radius-2.0.cThis should automatically add
LoadModule radius_auth_module libexec/apache2/mod_auth_radius-2.0.soTo your httpd.conf file.
Now you need to add two things to your httpd.conf manually. First a
# AddRadiusAuth server[:port] [ timeout [ : retries ]] AddRadiusAuth servername:1812 sharedsecret 5 # AuthRadiusBindAddress # Bind client (local) socket to this local IP address. # The server will then see RADIUS client requests will come from # the given IP address. # # By default, the module does not bind to any particular address, # and the operating system chooses the address to use. # # AddRadiusCookieValid # the special value of 0 (zero) means the cookie is valid forever. AddRadiusCookieValid 60You will want to change servername to the IP address of the WiKID server and sharedsecret to the shared secret you configured above.
<Location /theLocation> AuthType Basic AuthName "Web-Based Radius Authentication" AuthBasicProvider "radius" #AuthAuthoritative off AuthRadiusAuthoritative on AuthRadiusCookieValid 1 AuthRadiusActive On require valid-user </Location>You can enter the same information into a .htaccess file, or a directory directive if you like, depending on where the information you want protected by two-factor authentication is. We used the location directive to put a virtual directory behind two-factor authentication.
The WiKID Strong Authentication System is a very reasonably priced two-factor authentication solution. We invite you to learn more about our technology and architecture and to download and test the Enterprise version.