HOWTO Use RADIUS With SGD 4.41 and 4.50

This article describes how to install, configure, and use RADIUS authentication with the following versions of SGD:

  • Version 4.41
  • Version 4.50

See this Secure Global Desktop HOWTO for instructions on how to use RADIUS authentication with SGD version 4.40.

In this article, the mod_auth_radius Apache module from freeradius.org is used to integrate RADIUS with SGD at the web server authentication level. The module acts as a plug-in for the SGD web server, enabling authentication of SGD users to be carried out by a RADIUS server.

Other levels of integration, such as using Pluggable Authentication Modules (PAM) are not covered in this article.

This Sun Learning Exchange video demonstrates the user experience when RADIUS is used to authenticate SGD users.

Configuring SGD to use RADIUS authentication involves the following steps:


Install the Apache Module on the SGD Web Server

Installing the mod_auth_radius Apache module on the SGD web server involves the following steps:

Obtain the Source Code for the Apache Module

  1. Download the latest version of the module.
    The mod_auth_radius module is available from the freeradius.org web site.
    The examples in this article use version 1.5.8 of the module. Do not use earlier versions of the module, as there are known issues with cookies when using the Firefox browser.
  2. Extract the module source code into a temporary directory on the SGD host.

    $ cp mod_auth_radius-1.5.8.tar /tempdir
    $ cd /tempdir
    $ tar xvf mod_auth_radius-1.5.8.tar

Prepare the Build Environment on the SGD Host

Before you install the mod_auth_radius Apache module on the SGD web server, prepare the build environment on the SGD host, as follows:

  1. Ensure that OpenSSL headers are available.
    These are usually available in a package called openssl-devel.
  2. Ensure that the gcc4 compiler is available on the SGD host.
    The build process might fail if this compiler is not present. A workaround is to modify the value of CFG_CC used in the apxs command. Alternatively, you can create a symbolic link to the current compiler. For example:

    ln -s /usr/bin/gcc /usr/bin/gcc4
    ls -l /usr/bin/gcc4
    lrwxrwxrwx 1 root root 3 2009-05-13 11:29 /usr/bin/gcc4 -> gcc

Install the Apache Module on SGD 4.41

  1. Use the Apache apxs command to compile and install the module.

    # cd /opt/tarantella/webserver/apache/{version}/bin
    # ./apxs -i -a -c /tempdir/mod-auth-radius-1.5.8/mod_auth_radius-2.0.c

    The mod_auth_radius module is installed in the /modules directory of the SGD web server. A directive enabling the module is added automatically to the httpd.conf file for the SGD web server.

Install the Apache Module on SGD 4.50

When installing the Apache module on SGD 4.50, you must apply some patch files to fix Apache module compilation issues with this version of SGD.

  1. Obtain the patch files.
    The patch files are attached to this wiki page. Click this link to download the files.
    You need the following files:
    • A build directory tar file for your SGD platform. Files are available for each of the supported SGD installation platforms:
      • apache_build_i3so.tar for Solaris on x86 platforms
      • apache_build_spso.tar for Solaris on SPARC technology platforms
      • apache_build_i3li.tar for Linux platforms
    • The apache_fix_placeholders.sh script.
  2. Untar the patch files.

    # cp 4.50_patch_files.tar /tempdir
    # cd /tempdir
    # tar xvf 4.50_patch_files.tar
    # cd 4.50_patch_files/

  3. Untar the build directory tar file for your SGD platform in the SGD web server installation directory.
    For example, on Linux platforms:

    # cp apache_build_i3li.tar /opt/tarantella/webserver/apache/{version}/
    # cd /opt/tarantella/webserver/apache/{version}/
    # tar xvf apache_build_i3li.tar

    A build/ directory is created under the current directory.

  4. Run the apache_fix_placeholders.sh script.

    # cd /tempdir/4.50_patch_files
    # tar xvf apache_fix_placeholders.tar
    # ./apache_fix_placeholders.sh sgdinstalldir

    where sgdinstalldir is the SGD installation directory. This argument is not required if SGD is installed in the default /opt/tarantella location.
    The script returns OK if successful.

  5. Use the Apache apxs command to compile and install the module.

    # cd /opt/tarantella/webserver/apache/{version}/bin
    # ./apxs -i -a -c /tempdir/mod-auth-radius-1.5.8/mod_auth_radius-2.0.c

    The mod_auth_radius module is installed in the /modules directory of the SGD web server. A directive enabling the module is added automatically to the httpd.conf file for the SGD web server.


Configure the SGD Web Server for RADIUS Authentication

Configuring the SGD web server for RADIUS authentication involves the following steps:

Modify the httpd.conf File

  1. Modify the SGD web server httpd.conf file to use RADIUS authentication.
    At the end of the httpd.conf file, add the following Include file directive:

    Include conf/extra/httpd-radius.conf

    In the /opt/tarantella/webserver/apache/{version}/conf/extra directory, create a file called httpd-radius.conf.
    Add the following directives to the httpd-radius.conf file, where radiusserver is the name of the RADIUS server and testing123 is the shared secret used by both the RADIUS server and the SGD server. RADIUS authentication is enabled for the /radius and /sgd directories on the SGD web server.
    The AuthRadiusCookieValid directive sets the lifetime of the RADIUS cookie. This must be set to a suitable value, to ensure that the cookie does not expire during the SGD user session. In this example, the cookie lifetime is set to 120 minutes.

    ## RADIUS configuration for SGD
    # If we're using mod_auth_radius, then add its specific
    # configuration options.
    
    <IfModule radius_auth_module>
    
    #
    # AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
    #
    # Use RADIUS server on radiusserver, RADIUS port is 1812, secret is 'testing123',
    # time out after 5 seconds, and retry 3 times.
    
    AddRadiusAuth radiusserver:1812 testing123 5:3
    
    #
    # AuthRadiusBindAddress <hostname/ip-address>
    #
    # Bind client (local) socket to this local IP address.
    # The server will then see RADIUS client requests coming from
    # the given IP address.
    # By default, the module does not bind to any particular address,
    # and the operating system chooses the address to use.
    #
    
    #
    # AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
    # The special value of 0 (zero) means the cookie is valid forever.
    #
    
    AddRadiusCookieValid 120
    </IfModule>
    
    # Third party authentication
    # Use RADIUS authentication for the locations below
    
    SetEnvIf Request_URI "\.(class|cab|jar|gif|der)$" sgd_noauth_ok
    
    <Location /radius >
      Order Allow,Deny
      AuthType Basic
      AuthName "RADIUS Test Page"
      AuthBasicAuthoritative off
      AuthRadiusAuthoritative on
      AuthRadiusCookieValid 120
      AuthRadiusActive On
      AuthUserFile /dev/null
      Require valid-user
      Satisfy any
    </Location>
    
    <Location /sgd >
       Order Allow,Deny
       Allow from env=sgd_noauth_ok
       AuthType Basic
       AuthName "RADIUS Authentication for SGD"
       AuthBasicAuthoritative off
       AuthRadiusAuthoritative on
       AuthRadiusCookieValid 120
       AuthRadiusActive On
       AuthUserFile /dev/null
       Require valid-user
       Satisfy any
    </Location>
    

    A sample httpd-radius.conf file is included with this wiki page.
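As an added illustration (not part of this page or of the mod_auth_radius module), the following Python script models the RFC 2865 PAP exchange that the module performs against radiusserver:1812 with shared secret testing123: the User-Password attribute is hidden with an MD5 keystream derived from the secret and the Request Authenticator, and the client accepts a reply only when its Response Authenticator verifies under the same secret. The user names, passwords and the in-memory user table are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

SECRET = b"testing123"  # shared secret from the article's httpd-radius.conf
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2  # attribute types used here

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value  # Type, Length, Value

def pap_transform(data, secret, authenticator, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    out, prev = b"", authenticator  # the chain is seeded with the Request Authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def build_access_request(ident, username, password, secret=SECRET):
    """Client side (what mod_auth_radius sends): Code 1 plus a random Request Authenticator."""
    req_auth = os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    attrs = attr(USER_NAME, username)
    attrs += attr(USER_PASSWORD, pap_transform(padded, secret, req_auth, True))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def parse_attrs(blob):
    attrs = {}
    while blob:  # each attribute is Type (1 byte), Length (1 byte), Value
        attrs[blob[0]] = blob[2:blob[1]]
        blob = blob[blob[1]:]
    return attrs

def radius_server_respond(packet, users, secret=SECRET):
    """Server side: recover the password, check it, sign the reply with the secret."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    password = pap_transform(attrs[USER_PASSWORD], secret, req_auth, False).rstrip(b"\x00")
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no attributes in this minimal reply
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(request, response, secret=SECRET):
    """Client side: return the reply code only if the Response Authenticator verifies."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    ok = response[1] == request[1] and hmac.compare_digest(expected, response[4:20])
    return response[0] if ok else None
```

A secret that differs between the two sides shows up as a reply that fails verification (or as a reject, since the server recovers a garbled password), which is the first thing to check when the test page keeps re-prompting.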

Use a Test Page to Check RADIUS Authentication

Using a test page enables you to check that the mod_auth_radius Apache module is installed and configured correctly to work with the RADIUS server. Do this before attempting to integrate the module with SGD.

  1. Create a new folder in the /htdocs folder of the SGD web server.

    # mkdir /opt/tarantella/webserver/apache/{version}/htdocs/radius/

  2. Create the test page.
    Create the following HTML file, opt/tarantella/webserver/apache/{version}/htdocs/radius/index.html:

    <HTML>
    <HEAD>
    <TITLE> Test Page for RADIUS authentication </TITLE>
    </HEAD>
    <BODY>
    <P> RADIUS authentication is successful.</P>
    </BODY>
    </HTML>


    A sample test page file is included with this wiki page.

  3. Restart the SGD web server.

    # tarantella restart webserver

  4. View the test page.
    Restart your browser and go to sgdserver/radius, where sgdserver is the name of the SGD server.
    The RADIUS authentication dialog is shown.

    Enter your RADIUS credentials and click OK.
    Following successful authentication against the RADIUS server, the test page you created is shown. This indicates that the mod_auth_radius Apache module is working correctly with the RADIUS server.

Enable Third-Party Authentication for SGD

To use RADIUS authentication for SGD logins, you must configure SGD to use third-party authentication. This involves the following steps:

Configure Tomcat to Trust RADIUS Authentication

  1. Edit the server.xml file.
    On each array member, edit the /opt/tarantella/webserver/tomcat/{version}/conf/server.xml file. Add a tomcatAuthentication="false" attribute to the <Connector> element in this file.
    For SGD version 4.41:

    <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" minProcessors="5" maxProcessors="75"
               enableLookups="true" redirectPort="8443"
               acceptCount="10" debug="0" connectionTimeout="0"
               useURIValidationHack="false" tomcatAuthentication="false"
               protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>

    For SGD version 4.50:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3"
               redirectPort="8443" tomcatAuthentication="false" />

  2. Restart the SGD web server.

    # tarantella restart webserver

Enable Third-Party Authentication for SGD

  1. In the SGD Administration Console, display the Secure Global Desktop Authentication Configuration Wizard. Go to the Global Settings -> Secure Global Desktop Authentication tab and click the Change Secure Global Desktop Authentication button.
  2. On the Third-Party/System Authentication step, select the Third-Party Authentication check box.
  3. On the Third-Party Authentication - User Identity and Profile step, select the check box for one or more search methods for finding the user identity.
  4. On the Review Selections step, check the authentication configuration and click Finish.

See the following links for more details about configuring SGD to use third-party authentication:

(Optional) Allow Administrators to Log In Using Third-Party Authentication

By default, for security reasons, SGD Administrators are not allowed to log in using third-party authentication. The SGD login page is always shown for these users, even if they have been authenticated by the SGD web server. To allow SGD Administrators to log in using third-party authentication, run the following command:

# tarantella config edit --tarantella-config-login-thirdparty-allowadmins 1

This means that SGD Administrators are not prompted for a second username and password combination when they log in to SGD.

Log In to SGD Using RADIUS Authentication

Check that SGD users can log in using RADIUS authentication, as follows:

  1. Restart your browser.
  2. Log in to SGD.
    Go to sgdserver/sgd, where sgdserver is the name of the SGD server.
    The RADIUS authentication dialog is shown.

    Enter your RADIUS credentials and click OK.
    If authentication against the RADIUS server is successful, you are logged in to SGD and the SGD webtop is displayed. The SGD login page is not shown.

(Optional) Using One-Time Passwords

If you are using a one-time password (OTP) or a two-factor authentication mechanism such as SecurID, modify the httpd.conf file for the SGD web server as shown in the code sample in this section.
The following changes are required for OTP:

  • Do not set a password retries value. With OTP, passwords cannot be resubmitted on failure.
  • Specify the AuthBasicProvider directive, to prevent cached passwords from being resubmitted.

## RADIUS configuration for SGD using OTP
# If we're using mod_auth_radius, then add its specific
# configuration options.

<IfModule radius_auth_module>

#
# AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
#
# Use RADIUS server on radiusserver, RADIUS port is 1812, secret is 'testing123',
# time out after 5 seconds, and do not retry passwords on failure.

AddRadiusAuth radiusserver:1812 testing123 5

#
# AuthRadiusBindAddress <hostname/ip-address>
#
# Bind client (local) socket to this local IP address.
# The server will then see RADIUS client requests coming from
# the given IP address.
# By default, the module does not bind to any particular address,
# and the operating system chooses the address to use.
#

#
# AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
# The special value of 0 (zero) means the cookie is valid forever.
#

AddRadiusCookieValid 120
</IfModule>

# Third party authentication
# Use RADIUS authentication for the locations below

SetEnvIf Request_URI "\.(class|cab|jar|gif|der)$" sgd_noauth_ok

<Location /radius >
  Order Allow,Deny
  AuthType Basic
  AuthName "RADIUS Test Page"
  AuthBasicAuthoritative off
  AuthRadiusAuthoritative on
  AuthBasicProvider radius
  AuthRadiusCookieValid 120
  AuthRadiusActive On
  AuthUserFile /dev/null
  Require valid-user
  Satisfy any
</Location>

<Location /sgd >
   Order Allow,Deny
   Allow from env=sgd_noauth_ok
   AuthType Basic
   AuthName "RADIUS Authentication for SGD"
   AuthBasicAuthoritative off
   AuthRadiusAuthoritative on
   AuthBasicProvider radius
   AuthRadiusCookieValid 120
   AuthRadiusActive On
   AuthUserFile /dev/null
   Require valid-user
   Satisfy any
</Location>

A sample httpd-radius.conf file for OTP is included with this wiki page.
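The two OTP rules above can be checked mechanically. The following Python lint is added here as an example (not code from this page or from the module): it flags an AddRadiusAuth line that carries a retries count, and any RADIUS-protected <Location> that lacks AuthBasicProvider radius. The two configuration fragments it runs on are constructed in the shape of the sample files.

```python
import re

# Constructed fragments in the shape of the article's two httpd-radius.conf variants.
NON_OTP_CONF = """
AddRadiusAuth radiusserver:1812 testing123 5:3
<Location /sgd >
   AuthType Basic
   AuthRadiusAuthoritative on
   AuthRadiusCookieValid 120
   AuthRadiusActive On
   Require valid-user
</Location>
"""
OTP_CONF = NON_OTP_CONF.replace(" 5:3", " 5").replace(
    "AuthType Basic", "AuthType Basic\n   AuthBasicProvider radius")

def parse_locations(conf):
    """Map each <Location path> block to its non-comment directive lines."""
    blocks = {}
    for m in re.finditer(r"<Location\s+(\S+?)\s*>(.*?)</Location>", conf, re.S):
        lines = (l.strip() for l in m.group(2).splitlines())
        blocks[m.group(1)] = [l for l in lines if l and not l.startswith("#")]
    return blocks

def otp_findings(conf):
    """Return the OTP-related problems the article lists, as readable strings."""
    findings = []
    for line in conf.splitlines():
        tokens = line.split()
        # AddRadiusAuth server[:port] secret [timeout[:retries]]: the article's OTP
        # rule is no retries, because a one-time password cannot be resubmitted.
        if tokens[:1] == ["AddRadiusAuth"] and len(tokens) > 3 and ":" in tokens[3]:
            findings.append("AddRadiusAuth sets retries (%s); OTP codes cannot be resubmitted" % tokens[3])
    for path, lines in parse_locations(conf).items():
        directives = {l.split()[0]: l.split()[1:] for l in lines}
        if directives.get("AuthRadiusActive", [""])[0].lower() != "on":
            continue  # not a RADIUS-protected location
        if directives.get("AuthBasicProvider") != ["radius"]:
            findings.append("%s: add 'AuthBasicProvider radius' so cached passwords are not resubmitted" % path)
    return findings
```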

New PIN Mode

New PIN mode is when users are required to change their PIN (personal identification number). For Internet Explorer browser users, the user experience when changing their PIN might be poor.
This is because Internet Explorer only allows the user three login attempts before failing the connection and reporting an error. Entering a new PIN typically requires four transactions. However, the PIN change is usually completed successfully.
Internet Explorer users should restart their browser after changing their PIN.
Another issue is that the browser (both Internet Explorer and Firefox) displays a generic login box used for webserver authentication without any indication that a new PIN must be entered. All in all, mod_auth_radius is not a particularly good solution if OTP support is required.

Copyright 1994-2009 Sun Microsystems, Inc.