This document describes how to add two-factor authentication to Apache 2.x using mod_auth_radius. N.B.:
mod_auth_radius has not been updated to use Apache's new authentication
APIs. If you are using a more recent version of Apache, please see this document.
Our configuration was as follows:
- Fedora Core 5
- Apache 2.2.2-10
- mod_auth_radius (Updated: we recommend mod_auth_xradius for anyone having issues with mod_auth_radius. We will update the rest of the document later ;).)
- And, of course, for two-factor authentication, we were using WiKID, in this case the commercial Enterprise version.
N.B.: Apache 2.1 and later require AuthBasicProvider. Use AuthBasicProvider "radius" with mod_auth_radius, or AuthBasicProvider "xradius" if you are using mod_auth_xradius.
Here's how it will work: when the user clicks on a two-factor
protected link, they will be prompted for a username and password. The
user generates the one-time passcode on their WiKID token and enters it
into the password prompt. Apache sends the username and one-time
passcode to the WiKID server as a RADIUS Access-Request via mod_auth_radius. If the username and
one-time passcode match what WiKID expects, the server returns an Access-Accept and Apache
grants access; otherwise it returns an Access-Reject. First, we add Apache to the WiKID Strong
Authentication Server as a network client, then we add RADIUS to Apache. I
assume you already have a WiKID domain and users set up.
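To make that exchange concrete, here is an added example (not WiKID's or mod_auth_radius's own code) that builds the RADIUS Access-Request Apache sends (RFC 2865), simulates the WiKID side decrypting the passcode and signing its reply, and then verifies the reply the way the client must before granting access. The username, passcode, NAS address and shared secret are constructed for the example; in production the authenticator comes from os.urandom and the request goes over UDP to port 1812.

```python
"""RADIUS Access-Request / Access-Accept exchange as used between
mod_auth_radius and the WiKID server (RFC 2865).  Added example; all
names, addresses and secrets below are constructed, not real."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def encrypt_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), the first block using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def decrypt_password(secret, authenticator, enc):
    """Inverse of encrypt_password; the server needs the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(enc), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = enc[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1, including header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def access_request(secret, username, passcode, nas_ip, ident=0, authenticator=None):
    """What mod_auth_radius sends: Code 1, random 16-byte Request Authenticator,
    User-Name, obfuscated User-Password (the one-time passcode) and NAS-IP-Address."""
    ra = os.urandom(16) if authenticator is None else authenticator
    body = (attr(USER_NAME, username.encode())
            + attr(USER_PASSWORD, encrypt_password(secret, ra, passcode.encode()))
            + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def server_respond(secret, request, expected_passcodes):
    """Simulated WiKID side: recover the passcode with the shared secret,
    compare it, and sign the reply with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    ra = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode()
    passcode = decrypt_password(secret, ra, attrs[USER_PASSWORD])
    ok = expected_passcodes.get(user, "").encode() == passcode
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + ra + secret).digest()


def client_verify(secret, request, response):
    """What the client must do before trusting a reply: match the identifier
    and recompute the Response Authenticator with the shared secret.
    Returns True (accept), False (reject) or None (unverifiable: treat as reject)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20]
                           + response[20:length] + secret).digest()
    if response[4:20] != expected:
        return None  # forged, replayed-with-wrong-id, or wrong shared secret
    return code == ACCESS_ACCEPT


def demo(secret=b"constructed-shared-secret", ra=bytes(range(16))):
    """Good passcode, wrong passcode, and a forged Access-Accept with no secret."""
    req = access_request(secret, "alice", "123456", "192.0.2.10", ident=7, authenticator=ra)
    good = server_respond(secret, req, {"alice": "123456"})
    bad = server_respond(secret, req, {"alice": "654321"})
    forged = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20) + b"\x00" * 16
    return (client_verify(secret, req, good),
            client_verify(secret, req, bad),
            client_verify(secret, req, forged))


if __name__ == "__main__":
    print(demo())  # (True, False, None)
```

The shared secret you enter on the WiKID network client page is the only thing that hides the passcode in transit and authenticates the reply to Apache, which is why it must be long and random and why a forged Access-Accept without it is rejected.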
So, start by adding a new RADIUS network client to the WiKID server for your web server:
- Log into the WiKID server web interface (http://yourwikidserver/WiKIDAdmin).
- Select the Network Clients tab.
- Click on "Create New Network Client".
- Fill in the requested information.
- For the IP Address, use the web server's IP address (the WiKID server only accepts RADIUS requests from registered client addresses).
- For Protocol, select Radius.
- Hit the Add button, and on the next page enter a shared secret. Make it long and random; it protects the passcode in transit and authenticates the WiKID server's replies, and you will need to enter the same value in httpd.conf below.
- Do not enter anything into the Return Attribute box.
- From the terminal or via ssh, run 'stop' and then 'start' to load the network client into the built-in WiKID RADIUS server.
That is it for the WiKID server.
Now to get Apache ready for two-factor authentication. We need to get and install mod_auth_radius for Apache 2.x:
# wget http://www.freeradius.org/mod_auth_radius/mod_auth_radius-2.0.c
# apxs -i -a -c mod_auth_radius-2.0.c
The -a flag should automatically add
LoadModule radius_auth_module libexec/apache2/mod_auth_radius-2.0.so
to your httpd.conf file (check that it did before continuing).
Now you need to add two things to your httpd.conf manually. First, at the server (or virtual host) level, tell the module where the WiKID RADIUS server is and how long its session cookie stays valid:
# AddRadiusAuth server[:port] secret [ timeout [ : retries ]]
AddRadiusAuth servername:1812 sharedsecret 5
# AuthRadiusBindAddress
# Bind the client (local) socket to this local IP address.
# The server will then see RADIUS client requests coming from
# the given IP address.
#
# By default, the module does not bind to any particular address,
# and the operating system chooses the address to use.
#
# AddRadiusCookieValid minutes
# the special value of 0 (zero) means the cookie is valid forever.
AddRadiusCookieValid 60
You will want to change servername to the IP address of the WiKID
server (1812 is the standard RADIUS authentication port) and sharedsecret to the shared secret you configured above. Since httpd.conf now holds that secret, make sure it is readable only by root. After a successful login mod_auth_radius sets a cookie so the user is not asked for a fresh one-time passcode on every request; the validity is in minutes, and 0 (forever) would turn a single one-time passcode into permanent access, so keep it short.
Second, in the Location, Directory or .htaccess block covering the content you want protected:
AuthType Basic
AuthName "Web-Based Radius Authentication"
AuthBasicProvider "radius"
#AuthAuthoritative off
AuthRadiusAuthoritative on
AuthRadiusCookieValid 1
AuthRadiusActive On
require valid-user
You can put the same directives into a .htaccess file or a
Directory block if you like, depending on where the content you
want protected by two-factor authentication lives. We used a Location
block to put a virtual directory behind two-factor authentication. Two things to keep in mind: AuthType Basic means the browser sends the username and one-time passcode base64-encoded, not encrypted, so serve the protected location over HTTPS only; and AuthRadiusAuthoritative on means a reject from the WiKID server is final rather than being passed on to another authentication module.
The WiKID Strong Authentication System is a very reasonably priced two-factor authentication solution. We invite you to learn more about our technology and architecture and to download and test the Enterprise version.
Better to use the xradius module ...
The xradius module is not without its problems - it's not generally supported by the Linux distros, so you have to d/l and compile it yourself. Also the build process is broken and requires manual intervention (at least on Ubuntu distros). However, once installed (using memcached NOT dbm) it seems to work as advertised.
None of the above is anything to do with the WiKID server which is just responding to requests...