Introduction
This article describes how to add/configure the Apache module mod_auth_radius (courtesy freeradius.org) to an SGD Apache server to provide RADIUS-based authentication services for SGD.
Note that this article applies to SGD version 4.40.917; just as importantly, this applies to the Apache server version 1.3.36 which is included with SGD. Future versions of SGD will include an Apache version 2.x server; there is a different version of mod_auth_radius for Apache 2.x, so if you're using Apache 2.x, be sure to use the appropriate version of mod_auth_radius.
See this Secure Global Desktop HOWTO for instructions on how to use RADIUS authentication with SGD versions 4.41 and 4.50.
Step 1. Obtain and install CVS (if necessary)
CVS is necessary to retrieve the most current version of mod_auth_radius - note that the version offered for download from the www.freeradius.org web page is actually out-of-date. Using CVS ensures you have the most current version.
# ftp ftp.sunfreeware.com
ftp> get /pub/freeware/intel/10/cvs-1.11.22-sol10-x86-local.gz
ftp> quit
# gunzip cvs-1.11.22-sol10-x86-local.gz
# pkgadd -d cvs-1.11.22-sol10-x86-local
Step 2. Retrieve and Build mod_auth_radius
Note that you need a minimal 'build' system installed; on Solaris, the SUNWhea package is also required.
# PATH=/usr/local/bin:$PATH
# cvs -d :pserver:anoncvs@cvs.freeradius.org:/source login
CVS password: anoncvs
# cvs -d :pserver:anoncvs@cvs.freeradius.org:/source checkout mod_auth_radius
# cd mod_auth_radius
# cp mod_auth_radius.c /opt/tarantella/webserver/apache/{version}
# cd /opt/tarantella/webserver/apache/{version}
# bin/apxs -i -a -c mod_auth_radius.c
Note: A common problem with this step is that the default 'C' compiler in apxs is set to 'egcc'. If you get a response like:
# egcc -g -DSOLARIS2=2100 -DMOD_SSL=208127 -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I../lib/expat-lite -fPIC -DSHARED_MODULE -I/opt/tarantella/webserver/apache/1.3.36_mod_ssl-2.8.27_openssl-0.9.8d_jk1.2.15_u1/include -c mod_auth_radius.c
apxs:Break: Command failed with rc=72057594037927935
Then egcc isn't installed, or isn't in your search path. For most installations, you'll probably want to change the value of CFG_CC in apxs to use the appropriate compiler on your system, such as 'gcc' or 'cc'.
Step 3. Configure Apache for RADIUS Authentication
In the following, you'll have to set the value for "AddRadiusAuth" to point to your RADIUS server:port and shared secret.
cd /opt/tarantella/webserver/apache/{version}/conf
edit httpd.conf:
Add to the end:
Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
# Directives in this block take effect only when mod_auth_radius is loaded.
<IfModule mod_auth_radius.c>
#
# AddRadiusAuth server:port <shared-secret> [ timeout [ : retries ]]
#
# Example: RADIUS server 'radiusserver' on port 1812, shared secret
# 'testing123' (replace it with your own), time out after 5 seconds,
# and retry 3 times.
AddRadiusAuth radiusserver:1812 testing123 5:3
#
# AuthRadiusBindAddress <hostname/ip-address>
#
# Bind the client (local) socket to this local IP address.
# The RADIUS server will then see client requests coming from
# the given IP address.
# By default, the module does not bind to any particular address,
# and the operating system chooses the address to use.
#
# AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
#
# The special value of 0 (zero) means the cookie is valid forever.
AddRadiusCookieValid 5
</IfModule>
<LocationMatch /radius>
Order Allow,Deny
AuthType Basic
AuthName "RADIUS Authentication"
AuthAuthoritative off
AuthRadiusAuthoritative on
AuthRadiusCookieValid 5
AuthRadiusActive On
Require valid-user
Satisfy any
</LocationMatch>
SetEnvIf Request_URI "\.(cab|jar|gif|der|class)$" sgd_noauth_ok
<LocationMatch /sgd>
Order Allow,Deny
Allow from env=sgd_noauth_ok
AuthType Basic
AuthName "RADIUS Authentication"
AuthAuthoritative off
AuthRadiusAuthoritative on
AuthRadiusCookieValid 5
AuthRadiusActive On
Require valid-user
Satisfy any
</LocationMatch>
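As an added check for the Step 3 edits (this script is not from the original HOWTO or from mod_auth_radius), the following reads an httpd.conf from standard input and reports the mistakes this step invites: the LoadModule line apxs -a should have added is missing, AddRadiusAuth lacks a server:port or still carries the sample secret, no block turns AuthRadiusActive on, or an <IfModule>/<LocationMatch> section is unbalanced. The two sample configs, the host radius.example.com and the placeholder secret are constructed for the demonstration.

```shell
# Added lint for the Step 3 httpd.conf edits (not from the original HOWTO):
# reads httpd.conf on stdin and flags a missing LoadModule for mod_auth_radius.so,
# an AddRadiusAuth without server:port or still using the sample secret
# 'testing123', no AuthRadiusActive On, or unbalanced <IfModule>/<LocationMatch>.
count() { printf '%s\n' "$2" | grep -c -- "$1" || true; }
check_radius_conf() {
  conf=$(cat); rc=0
  [ "$(count '^LoadModule .*mod_auth_radius\.so' "$conf")" -ge 1 ] ||
    { echo "no LoadModule line for mod_auth_radius.so (apxs -a adds it)"; rc=1; }
  # AddRadiusAuth server:port <shared-secret> [ timeout [ : retries ]]
  set -- $(printf '%s\n' "$conf" | grep '^AddRadiusAuth' | head -n 1)
  if [ "$#" -lt 3 ]; then
    echo "AddRadiusAuth needs server:port and a shared secret"; rc=1
  else
    case "$2" in *:[0-9]*) ;; *) echo "AddRadiusAuth '$2' lacks a port"; rc=1 ;; esac
    [ "$3" != testing123 ] ||
      { echo "AddRadiusAuth still uses the sample secret 'testing123'"; rc=1; }
  fi
  [ "$(count '^ *AuthRadiusActive  *[Oo]n' "$conf")" -ge 1 ] ||
    { echo "no block sets AuthRadiusActive On"; rc=1; }
  for blk in IfModule LocationMatch; do
    o=$(count "^ *<$blk" "$conf"); c=$(count "^ *</$blk>" "$conf")
    [ "$o" -eq "$c" ] || { echo "<$blk>: $o opened, $c closed"; rc=1; }
  done
  return $rc
}
# Constructed sample: the article's block with a real server and secret filled in.
sample_conf_ok() {
  cat <<'EOF'
LoadModule radius_auth_module libexec/mod_auth_radius.so
<IfModule mod_auth_radius.c>
AddRadiusAuth radius.example.com:1812 Replace-Me-Sh4red-S3cret 5:3
</IfModule>
<LocationMatch /sgd>
AuthType Basic
AuthRadiusActive On
Require valid-user
</LocationMatch>
EOF
}
# Constructed sample: sample secret left in place, no LoadModule, stray </IfModule>.
sample_conf_bad() {
  cat <<'EOF'
AddRadiusAuth radiusserver:1812 testing123 5:3
</IfModule>
<LocationMatch /sgd>
AuthRadiusActive On
</LocationMatch>
EOF
}
```

Run it against the live file with `check_radius_conf < /opt/tarantella/webserver/apache/{version}/conf/httpd.conf`; a zero exit status means every check passed.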
# mkdir /opt/tarantella/webserver/apache/{version}/htdocs/radius/
Create the file:
/opt/tarantella/webserver/apache/{version}/htdocs/radius/index.html with the following contents:
<HTML>
<HEAD>
<TITLE> Test Page for RADIUS authentication </TITLE>
</HEAD>
<BODY>
<B> You have reached the test page for RADIUS authentication. </B>
</BODY>
</HTML>
Step 4. Test RADIUS Authentication
Restart the webserver with:
# tarantella webserver restart
Now, using a web browser, browse to "http://sgdserver/radius".
You should be prompted for your RADIUS credentials, and if successful, should see a web page that reads "You have reached the test page for RADIUS authentication."
Restart your web browser, and browse to "http://sgdserver/sgd".
You'll again be prompted for your RADIUS credentials, and upon success, will see the SGD login page.
For some, that's all they want to achieve; they don't wish to use webserver authentication, which, in short, accepts the webserver's authentication success (in this case, RADIUS) to log the user into SGD.
The following applies to enabling webserver authentication in SGD.
Step 5. Configure Tomcat to Trust Webserver Authentication
On each array member, edit the file:
/opt/tarantella/webserver/tomcat/{version}/conf/server.xml
Add a tomcatAuthentication="false" attribute to the <Connector> element as follows:
<!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
<Connector port="8009"
           minProcessors="5" maxProcessors="75"
           enableLookups="true" redirectPort="8443"
           acceptCount="10" debug="0" connectionTimeout="0"
           useURIValidationHack="false"
           tomcatAuthentication="false"
           protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
The webserver must be restarted after making these changes.
Step 6. Configure SGD to Allow Webserver Authentication
Using the administration console, enable "Third-Party authentication":
On the Global Settings » Secure Global Desktop Authentication tab, click the "Change Secure Global Desktop Authentication" button.
Click "Next", and then "check" the box for "Third-Party Authentication."
From this point on, you'll have to configure your "User Identity and Profile" settings in accordance with your installation and requirements. For more on this configuration step, see "Configuring Webserver Authentication" and "Third Party Authentication."
Step 7. Allow Administrators to Log In via Webserver Authentication (optional)
By default, for security reasons, Secure Global Desktop Administrators can't log in to the browser-based webtop with web server authentication. The standard login page always displays for these users even if they have been authenticated by the web server. To change this behavior, run the following command:
# tarantella config edit --tarantella-config-login-thirdparty-allowadmins 1
Without this, after authenticating via webauth, the user will be prompted for a second username and password combination.
Comments (1)
Dec 17, 2008
Rob_Z says:
Hi.
I tried to use the mod_auth_radius with SSGD 4.41 (which comes with Apache 2.0) but unsuccessfully; I've been able to get mod_auth_xradius (please notice the "x" before "radius" - it's a different package) to work with SSGD 4.41 under both Linux and Solaris.
I hope to find the time to publish an article here in the future but if you need some help please feel free to email r.zini@strhold.it and I'll try to help.