Apache With RADIUS – Two or More RADIUS Servers

March 16, 2012

We recently added support for RADIUS to Mini Maxwell. This allows Mini Maxwell to be controlled by HTTPS.

We first used the relatively well known mod_auth_radius module for the Apache web server.

However, we hit a snag – mod_auth_radius can handle only one RADIUS server. It has no way to define a fallback RADIUS server that will be used if the primary one is non-responsive.

We found an alternative – mod_auth_xradius.

However, the current version, v0.4.6, is fairly old and needs some patches to give it the ability to accommodate multiple RADIUS servers.

We found some useful material at http://www.howtoforge.com/apache_radius_two_factor_authentication. However, the patch shown there had some white-space issues which caused the patch process to fail.

So below is a version of the patch that we use – it is essentially identical to the original patch but with clean white-space.
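Because the snag above was a patch whose white-space no longer matched what `patch` expects, here is a small pre-flight checker, written for this post as an added example (it is not part of mod_auth_xradius or of the original post). It validates the line counts of each unified-diff hunk against its `@@` header and flags the two damages a browser copy-paste typically inflicts: CRLF line endings and blank context lines that lost their single leading space. The sample hunk inside it is constructed in the shape of the patch below.

```python
import re

# Matches a unified-diff hunk header such as "@@ -125,15 +125,15 @@".
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def check_unified_diff(text):
    """Return (line_no, problem) tuples; empty means the hunks are consistent."""
    problems = []
    old_left = new_left = n = 0  # lines the current hunk still owes, per side
    for n, raw in enumerate(text.splitlines(keepends=True), 1):
        line = raw.rstrip("\n")
        if line.endswith("\r"):  # CRLF from a browser copy-paste or Windows
            problems.append((n, "CRLF line ending"))
            line = line[:-1]
        m = HUNK_RE.match(line)
        if m:
            if old_left > 0 or new_left > 0:
                problems.append((n, "previous hunk ended early"))
            old_left, new_left = int(m.group(2) or 1), int(m.group(4) or 1)
            continue
        if old_left <= 0 and new_left <= 0:
            continue  # file headers or commentary between hunks
        tag = line[:1]
        if tag == " ":
            old_left, new_left = old_left - 1, new_left - 1
        elif tag == "-":
            old_left -= 1
        elif tag == "+":
            new_left -= 1
        elif line == "":
            # A blank context line is a single space; trimming makes it empty.
            problems.append((n, "blank context line lost its leading space"))
            old_left, new_left = old_left - 1, new_left - 1
        else:
            problems.append((n, "line has no diff marker"))
    if old_left > 0 or new_left > 0:
        problems.append((n, "last hunk ended early"))
    return problems

# Constructed sample hunk in the shape of the post's patch: CLEAN as it should
# be, MANGLED after a web page trimmed trailing spaces and added CRLFs.
CLEAN = (
    "@@ -1,4 +1,4 @@\n"
    " rctx = xrad_auth_open();\n"
    " \n"
    "-sr = (xrad_server_info *) dc->servers->elts;\n"
    "+sr = &(((xrad_server_info*)dc->servers->elts)[0]);\n"
    " for (i = 0; i < n; ++i) {\n"
)
MANGLED = CLEAN.replace(" \n", "\n").replace("\n", "\r\n")
```

Run it over a downloaded patch file before `patch -p0`; an empty result means the hunks at least add up, and `patch --dry-run` then confirms they match the source tree.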

  1. Pull the patch shown below into a file, let’s call it patch-file.txt
  2. Fetch the distribution file: http://www.outoforder.cc/downloads/mod_auth_xradius/mod_auth_xradius-0.4.6.tar.bz2:
       wget http://www.outoforder.cc/downloads/mod_auth_xradius/mod_auth_xradius-0.4.6.tar.bz2
  3. Unpack it:
       tar xjf mod_auth_xradius-0.4.6.tar.bz2
  4. Go into the top level directory:
       cd mod_auth_xradius-0.4.6
  5. Apply the patch:
       patch -p0 < patch-file.txt
  6. You should get a success message that may look like this:
       patching file src/mod_auth_xradius.c
  7. Now you need to build the module and install it using the instructions shown at http://www.outoforder.cc/projects/httpd/mod_auth_xradius/docs/
  8. We’ve included a chunk of our Apache configuration file to show how we configure this module.
    Note the AuthBasicProvider xradius line.
--- src/mod_auth_xradius.c.orig	2012-03-15 14:19:25.000000000 -0700
+++ src/mod_auth_xradius.c	2012-03-15 14:23:20.000000000 -0700
@@ -125,15 +125,15 @@
     rctx = xrad_auth_open();
 
     /* Loop through the array of RADIUS Servers, adding them to the rctx object */
-    sr = (xrad_server_info *) dc->servers->elts;
     for (i = 0; i < dc->servers->nelts; ++i) {        
-        rc = xrad_add_server(rctx, sr[i].hostname, sr[i].port, sr[i].secret,
+        sr = &(((xrad_server_info*)dc->servers->elts)[i]);
+        rc = xrad_add_server(rctx, sr->hostname, sr->port, sr->secret,
                              dc->timeout, dc->maxtries);
         
         if (rc != 0) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                           "xradius: Failed to add server '%s:%d': (%d) %s",
-                          sr[i].hostname, sr[i].port, rc, xrad_strerror(rctx));
+                          sr->hostname, sr->port, rc, xrad_strerror(rctx));
             goto run_cleanup;
         }        
     }
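Review bot: on its own this hunk does not change behaviour: once the array is created with `sizeof(xrad_server_info)` (second hunk), `sr[i].hostname` over the old `sr = (xrad_server_info *) dc->servers->elts;` addresses exactly the element that `sr->hostname` reads after `sr = &(((xrad_server_info*)dc->servers->elts)[i]);`. If the per-iteration pointer is preferred, the cast is easier to read as `sr = &APR_ARRAY_IDX(dc->servers, i, xrad_server_info);`. Also note that the `for` line, the blank line after `dc->timeout, dc->maxtries);` and the closing `}` of the `if` carry trailing spaces, which must match the target file byte for byte when the hunk is applied; that is precisely what broke the copy on howtoforge, so keep this file away from editors that trim white-space.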
@@ -294,7 +294,7 @@
     /* To properly use the Pools, this array is allocated from the here, instead of
         inside the directory configuration creation function. */
     if (dc->servers == NULL) {
-        dc->servers = apr_array_make(parms->pool, 4, sizeof(xrad_server_info*));
+        dc->servers = apr_array_make(parms->pool, 4, sizeof(xrad_server_info));
     }
     
     sr = apr_array_push(dc->servers);
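Review bot: this is the real fix and it deserves a comment in the code, because the mismatch was silent: `sr = apr_array_push(dc->servers);` hands back one element-sized slot that is then filled as a whole `xrad_server_info`, so with `sizeof(xrad_server_info*)` every push wrote a struct into a pointer-sized slot and overran the following slots of the 4-element allocation. Suggest adding above the `apr_array_make` call: `/* element size is the struct itself: apr_array_push returns one element-sized slot that we fill in place */`. With the corrected size, configuring more than four `AuthXRadiusAddServer` lines is still fine, since `apr_array_push` grows the array as needed.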
## This Loads mod_auth_xradius into Apache
LoadModule auth_xradius_module /usr/lib/apache/mod_auth_xradius.so
<IfModule mod_auth_xradius.c>
# AuthXRadiusCache none -
AuthXRadiusCache dbm "/var/cache/auth_xradius_cache"
AuthXRadiusCacheTimeout 300
<Location />
# See http://www.outoforder.cc/projects/httpd/mod_auth_xradius/docs/
AuthName "RADIUS authentication for something or other"
AuthType Basic
AuthXRadiusAddServer "10.0.0.10:1812" "2secrets"
AuthXRadiusAddServer "10.0.0.11:1812" "secret1"
AuthXRadiusTimeout 5
AuthXRadiusRetries 3
AuthBasicProvider xradius
Require valid-user
</Location>
</IfModule>