Hi all,
I'm having a problem with the Apache::AuthenRadius module using the
Cistron RADIUSD server. Basically I'd like to allow our users to log in
to certain web pages (e.g., stats on their usage etc.) and the simplest
way to do this seems to be to use the local RADIUS server. The problem
is that I've configured the RADIUS server (being used by a Cisco AS5300
RAS) not to allow access to customers who have fibre connections or
mailbox accounts etc. (since obviously we don't want people dialing up
with these).
The solution seemed to be to allow RADIUS to let all users in but only
if the server the request came in from was the web server and not the
Cisco. I did this by adding a DEFAULT entry at the end of the
/etc/raddb/users file which was basically the same as the previous
default ones before it, except it did not include a 'Group = "foo"'
section and instead included a 'NAS-IP-Address = a.b.c.d':

    DEFAULT Auth-Type = System, NAS-IP-Address = 203.153.224.20
            Service-Type = Framed-User,
            Framed-Protocol = PPP
            Framed-IP-Address = 203.153.225.100+,

My httpd.conf also has:

    PerlSetVar Auth_Radius_host 203.153.224.20
    PerlSetVar Auth_Radius_port 1812
    PerlSetVar Auth_Radius_secret xxxx
    PerlSetVar Auth_Radius_timeout 5

I also made sure that the web server's IP address was set up in the
/etc/raddb/clients and naslist files. When I test this via the radtest
utility on the web server, it accepts the user if the password is
correct:

    Mon Mar 20 15:18:41 2000: Auth: Login OK: [astral] (from nas eagle/S0)
(from /var/log/radius.log)

however, when I try it through the web page it gives "Authentication
failed":

    Mon Mar 20 15:19:18 2000: Auth: Invalid user: [astral] (from nas eagle/S0)
(/var/log/radius.log)

    [Mon Mar 20 15:33:19 2000] [error] access to /stats failed for 203.153.224.20, reason: Apache::AuthenRadius failed for user astral
(/var/log/apache/error.log)

If I change the user ("astral" in this case) into a group which is
permitted dial-up access then it works AND if I put in a wrong password
then it gives me a message of "Login incorrect" (i.e., a different
message to above). When I take away the entry which allows access from
the web server's IP address, radtest gives access denied so, from my
limited understanding of RADIUS, this configuration would seem to be
correct -- but either way Apache::AuthenRadius won't let me in! If
anyone has any ideas then I would appreciate them very much.
Another (probably unrelated) problem I'm having is trying to set up
authentication using just a simple text file through pages on the same
server (although a different virtual host). I've set up the following
in httpd.conf:

    <VirtualHost 203.153.224.20>
        ServerName staff.amnet.net.au
        ServerAlias www.staff.amnet.net.au
        DocumentRoot /var/local/staff-www
        ServerAdmin webmaster@amnet.net.au
        ErrorLog /var/log/apache/error.log
        TransferLog /var/log/apache/access.log
        <Directory /var/local/staff-www>
            AllowOverride AuthConfig
        </Directory>
    </VirtualHost>

And the following .htaccess file:

    AuthType Basic
    AuthName staff
    AuthUserFile /var/local/internal-passwd
    require valid user

However, Apache still seems to be trying to use RADIUS to authenticate
since I get an "Invalid user" message in my radius.log file and a
similar failure message in Apache's error logs. Any ideas on what I
might be doing wrong here with either of these issues (particularly the
first one) would be much appreciated.
Regards,
--
Christian Payne
Systems Administrator
Amnet Internet Services
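
Added example, not part of the original message and not code from Apache::AuthenRadius or Cistron radiusd: the check item in the post names the RADIUS NAS-IP-Address attribute (type 4 in RFC 2865), which is a field the client places inside the Access-Request, so one diagnostic step is to decode the requests sent by radtest and by the web server and compare that field. The sample packets below are constructed for illustration, and the loopback and missing-attribute cases are assumptions about what a client might send, not observations from this setup.

```python
import socket
import struct

# Attribute type numbers from RFC 2865.
USER_NAME, NAS_IP_ADDRESS = 1, 4
ACCESS_REQUEST = 1

def build_access_request(identifier, authenticator, attrs):
    """Encode an Access-Request: 20-byte header, then type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body

def parse_attributes(packet):
    """Return {type: raw value}, rejecting inconsistent length fields."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def nas_identity(packet):
    """Return (User-Name, NAS-IP-Address or None) as carried in the request."""
    attrs = parse_attributes(packet)
    user = attrs.get(USER_NAME, b"").decode("ascii", "replace")
    raw = attrs.get(NAS_IP_ADDRESS)
    if raw is not None and len(raw) != 4:
        raise ValueError("NAS-IP-Address must be 4 bytes")
    return user, socket.inet_ntoa(raw) if raw is not None else None

# Constructed sample requests (not captured traffic): same user, different NAS fields.
AUTH = bytes(16)  # placeholder Request Authenticator
WITH_WEB_IP = build_access_request(1, AUTH, [
    (USER_NAME, b"astral"), (NAS_IP_ADDRESS, socket.inet_aton("203.153.224.20"))])
WITH_LOOPBACK = build_access_request(2, AUTH, [
    (USER_NAME, b"astral"), (NAS_IP_ADDRESS, socket.inet_aton("127.0.0.1"))])
WITHOUT_NAS_IP = build_access_request(3, AUTH, [(USER_NAME, b"astral")])

if __name__ == "__main__":
    for pkt in (WITH_WEB_IP, WITH_LOOPBACK, WITHOUT_NAS_IP):
        print(nas_identity(pkt))
```

Feeding nas_identity() the UDP payload of a real Access-Request shows the value a users-file NAS-IP-Address check would be compared against.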