{"id":20329585,"url":"https://github.com/freeradius/mod_auth_radius","last_synced_at":"2025-04-11T20:52:08.777Z","repository":{"id":514892,"uuid":"142823","full_name":"FreeRADIUS/mod_auth_radius","owner":"FreeRADIUS","description":"The FreeRADIUS Apache module for RADIUS authentication","archived":false,"fork":false,"pushed_at":"2021-05-04T12:22:20.000Z","size":136,"stargazers_count":36,"open_issues_count":8,"forks_count":28,"subscribers_count":14,"default_branch":"master","last_synced_at":"2025-03-25T16:55:21.842Z","etag":null,"topics":["apache","client","radius"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/FreeRADIUS.png","metadata":{"files":{"readme":"README.asciidoc","changelog":"ChangeLog","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2009-03-04T12:40:56.000Z","updated_at":"2023-10-30T23:11:54.000Z","dependencies_parsed_at":"2022-07-07T18:21:02.715Z","dependency_job_id":null,"html_url":"https://github.com/FreeRADIUS/mod_auth_radius","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FreeRADIUS%2Fmod_auth_radius","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FreeRADIUS%2Fmod_auth_radius/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FreeRADIUS%2Fmod_auth_radius/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FreeRADIUS%2Fmod_auth_radius/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/FreeRADIUS","download_url":"https://codeload.github.com/FreeRADIUS/mod_auth_radius/tar.gz/refs/heads/
master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248480516,"owners_count":21110936,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apache","client","radius"],"created_at":"2024-11-14T20:11:58.879Z","updated_at":"2025-04-11T20:52:08.750Z","avatar_url":"https://github.com/FreeRADIUS.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"mod_auth_radius\n===============\n\n0. Branch state\n---------------\n\nimage:https://travis-ci.org/FreeRADIUS/mod_auth_radius.svg?branch=master[\"Build Status\", link=\"https://travis-ci.org/FreeRADIUS/mod_auth_radius\"]\n\n1. Introduction\n---------------\n\nEveryone wants strong authentication over the web.  For us, this means\nRADIUS.\n\nUsing static passwords \u0026 RADIUS authentication over HTTP is a BAD\nIDEA.  Everyone can sniff the passwords, as they're sent over the net\nin the clear.  We suggest using HTTPS.  RADIUS web authentication is a\nREALLY BAD IDEA if you use the same RADIUS server for web and NAS\n(dial-up) or firewall users.  Then ANYONE can pretend to be you, and\nbreak through your firewall with minimal effort.\n\nPLEASE use a different RADIUS server for web authentication and\ndial-up or firewall users!  If you must use the same server, go for\none-time passwords.  They're ever so much more secure.\n\nAlso, do NOT have your RADIUS server visible to the external world.\nDoing so makes all kinds of attacks possible.\n\n\n2. 
Configuration\n----------------\n\nSee the example 'httpd.conf' in this directory for a detailed example\nof the configuration directives.\n\nYou must have at least one authentication method as authoritative.  If\nthey all return \"DECLINED\", you get a \"server configuration error\"\nmessage.\n\nAddRadiusAuth configures the RADIUS server name (and optional port).\nYou must also specify the shared secret, and tell the RADIUS server\nthat the web host machine is a valid RADIUS client.  The optional\n\u003cseconds\u003e field specifies how long Apache waits before giving up, and\ndeciding that the RADIUS server is down.  It then returns a \"DENIED\"\nerror.\n\nIf you want, you can specify how long the returned cookies are valid.\nThe time is in minutes, with the magic value of '0' meaning forever.\n\n\nThe per-dir configuration Cookie Valid time does NOT over-ride the\nserver configuration.  mod_auth_radius chooses the most restrictive of\nthe two to use.  This way, a site administrator can say all cookies\nare valid forever, and then make some directories a bit more secure,\nby forcing re-authentication every hour.\n\nIf you want logging, use the standard Apache access log.  A log\nmessage is generated ONLY when a user has authenticated, and their\nname \u0026 file accessed are put in the log file.\n\nThe per-dir AddRadiusCallingStationID configuration option will\nforce the calling station ID string (only static strings) and\ninclude it in authentication requests, if used. If not used, the\ndefault behavior, using the client's remote IP address, will be\napplied.\n\n3. 
How it works\n---------------\n\nThe browser requests a page: http://www.example.com/index.html\n\nApache notes that the directory is access controlled, and sends an\n\"Authorization Required\".\n\nThe browser asks for a username \u0026 password, which it then sends to\nApache, along with a request for the page again.\n\nApache calls mod_auth_radius, which notes that there is no RADIUS\ncookie in the request.\n\nmod_auth_radius packages up the username/password into a RADIUS\nrequest, and sends it to the RADIUS server.\n\nThe RADIUS server does its magic, and decides yes/no for\nauthentication.\n\nIf no, mod_auth_radius returns DENIED.\n\nIf yes, mod_auth_radius returns a cookie containing MD5'd\npublic+private information.\n\nThe web browser uses this cookie on all subsequent requests, and\nmod_auth_radius verifies the cookie is valid, and doesn't contact the\nRADIUS server again.\n\n\n4. Some warnings\n----------------\n\nThis works fine for static passwords (i.e. \"user\", \"password\"), but\nneeds a bit more attention for one-time passwords.  All of the\nbrowsers I've tested don't use the cookie immediately if you're\naccessing a directory as:\n\nhttp://www.example.com/\n\nWhat's hidden here is that the following files are checked for:\n\n- http://www.example.com/\n- http://www.example.com/home.html\n- http://www.example.com/home.cgi\n- http://www.example.com/index.cgi\n- http://www.example.com/index.html\n\netc., all in sequence.  This module does a 'stat', and returns \"NOT\nFOUND\" when anyone tries to access a file which doesn't exist.\nHowever, it WILL authenticate for a file which does exist, but the\nbrowser may not use the returned cookie when accessing a different\npage.\n\nThe way to fix this is to point the browser at a specific page. i.e.\n\nhttp://www.example.com/\n\nWhich points to the page 'index.html' (or similar).  
That file\nshould contain text which says \"connect to our _secure_ site\", where\n_secure_ is a link to a specific *page*, not a *directory*.  e.g.\n\nhttp://www.example.com/secure/index.html\n\nIf you do not add in 'index.html' in the link, it won't work\nproperly.\n\nThis method ensures that users are only authenticated once for the\nsecure pages, and not multiple times.\n\nPeople using static passwords don't need to do this, but if they\ndon't, they'll notice that their RADIUS server is getting 1-4 hits for\nevery web authentication request.\n\n\nSome browsers (I.E.) have a problem with sending cookies on initial\nrequests. If you have a file index.html which includes img/foo.gif in\nthe same directory.  The user authenticates, reads index.html (with\nthe cookie in the request header), BUT on reading the gifs, the cookie\nis NOT included.\n\nThis problem can be avoided by EITHER putting the gifs in the same\ndirectory as the index.html file, or moving the entire tree\ndown a node, and having a NEW index.html which points to\n./moved/index.html.  This is ridiculously ugly, but it seems to work.\n\n\n5. About the cookies\n--------------------\n\nThe cookies are valid for a specified time, or until the browser\ndies.  mod_auth_radius will forcibly try to expire cookies that it\nthinks are too old.  If your browser doesn't expire the cookie, you'll\nsee an authorization required message over and over.  You must then\nexit the browser, and re-load the web page.\n\n\n6. Challenge-Response support\n-----------------------------\n\nThis module also supports the full RADIUS challenge-response\nmechanism.  From the user's perspective, on authentication, type in\nusername \u0026 garbage (or NUL) password.  Click \u003cOK\u003e, and you'll get an\nauthentication failure.  
This is fine, as mod_auth_radius has secretly\nset a cookie, and modified the Basic-Authentication-Realm.\n\nWhen the authentication fails, click \u003cOK\u003e to continue, and you'll\nget another username/password authentication window.  This time,\nhowever, you'll see your username displayed, along with the RADIUS\nReply-Message at the top of the authentication window.  This message\nusually includes a challenge.\n\nType in your username, and put the response to the challenge in the\npassword field.  Click \u003cOK\u003e again, and you should be authenticated.\n\nThe secret is that cookies are being magically set back and forth,\nand these cookies include the RADIUS state variable.\n\nThe challenge-response works on Netscape 3.x and 4.x, HotJava, but\nNOT on Internet Explorer.  I.E. does not appear to follow the relevant\nRFCs properly.\n\n\n7. Other\n--------\n\nAny questions or comments can be sent to the FreeRADIUS users list\nhttp://freeradius.org/list/index.html. \n\n\nAuthor:  Alan DeKok \u003caland@freeradius.org\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffreeradius%2Fmod_auth_radius","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffreeradius%2Fmod_auth_radius","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffreeradius%2Fmod_auth_radius/lists"}