mod_auth_radius NAS-Identifier Enhancement
This is a hack for the mod_auth_radius authentication module for Apache 1.3 and 2.0 from
www.freeradius.org/mod_auth_radius/
With mod_auth_radius you can do Basic authentication against a RADIUS server.
mod_auth_radius sends only the hostname of the virtual host of the accessed website as the NAS-Identifier.
If you have several secured websites within one virtual host and want to check on your RADIUS server
which of them has been accessed, you probably need my patch.
mod_auth_radius NAS-Identifier Enhancement lets you set the NAS-Identifier on a per-directory basis (.htaccess or <Location ...>).
Version v2 / Security fix
mod_auth_radius uses cookies to cache the authentication result.
That cookie is an md5sum of username, password, hostname and some other strings, but it did _not_ contain the NAS-Identifier.
So after a successful authentication, a browser holding a valid cookie was able to access other directories on the same VirtualHost, even if
the radius-server would not grant that user access to the second directory (identified by its NAS-Identifier).
v2 includes the NAS-identifier in the cookie.
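The effect of leaving the NAS-Identifier out of the cookie hash, and of the v2 fix, shown as an added example that is not code from the patch or from mod_auth_radius. The field order, the SERVER_SECRET value, the length-prefixing and all function names are assumptions made here; the module's real cookie layout is not reproduced.

```python
import hashlib
import hmac

# All names and the field layout below are assumptions made for this example;
# the module's real cookie format is not reproduced here.
SERVER_SECRET = "constructed-secret"  # stands in for the "other strings"


def make_cookie(user, password, hostname, expiry, nas_name=None):
    """Return an MD5 hex digest over the cached-auth fields.

    nas_name=None models the pre-v2 cookie (no NAS-Identifier in the hash);
    passing a value models the v2 cookie.
    """
    fields = [user, password, hostname, str(expiry), SERVER_SECRET]
    if nas_name is not None:
        fields.append(nas_name)
    # Length-prefix each field (a choice of this example) so adjacent values
    # cannot be shifted between fields to produce the same input string.
    material = "".join(f"{len(f)}:{f}" for f in fields)
    return hashlib.md5(material.encode()).hexdigest()


def cookie_valid(cookie, user, password, hostname, expiry, nas_name=None):
    """Recompute the digest for the directory being accessed and compare."""
    expected = make_cookie(user, password, hostname, expiry, nas_name)
    return hmac.compare_digest(cookie, expected)


def demo():
    # Constructed sample values.
    user, pw, host, exp = "alice", "constructed-pw", "www.example.com", 1700000000
    # Cookies issued after RADIUS accepted the user for the first directory.
    old = make_cookie(user, pw, host, exp)
    new = make_cookie(user, pw, host, exp, nas_name="sql-admin")
    return {
        # Pre-v2: the digest has no directory input, so it verifies anywhere
        # on the same virtual host without asking the RADIUS server again.
        "old_reused_in_other_dir": cookie_valid(old, user, pw, host, exp),
        # v2: the cookie verifies only where AuthRadiusNasName matches.
        "v2_same_dir": cookie_valid(new, user, pw, host, exp, "sql-admin"),
        "v2_other_dir": cookie_valid(new, user, pw, host, exp, "wiki-admin"),
    }


if __name__ == "__main__":
    print(demo())
```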
Note for Apache 2 users
mod_auth_radius with Apache 2 has some problems with reauthenticating.
Also, the cookie caching isn't very smooth.
Apache 2 users should use mod_auth_xradius instead.
It caches on the server using dbm or memcache.
mod_auth_xradius also has no NAS-Identifier support.
But I also have a patch for it:
Go to my mod_auth_xradius NAS-Identifier hack
Installation:
# cat mod_auth_radius[-2.0].nasnamev2.diff | patch -p0
# apxs[2] -i [-a] -c mod_auth_radius[-2.0].c # with -a (activate) 'LoadModule' is written to httpd.conf
Usage:
The parameter AuthRadiusNasName is new and has to be set! Otherwise an internal server error is generated.
A sample config looks like:
httpd.conf:
AddRadiusAuth 192.168.10.1:1645 1234567 5:1
AddRadiusCookieValid 60
.htaccess:
AuthType Basic
AuthName "SQL-Admin"
AuthAuthoritative off
AuthRadiusAuthoritative on
AuthRadiusCookieValid 60
AuthRadiusActive On
require valid-user
AuthRadiusNasName "anystringwhichissenttoradiusserver"
Download:
Patch for mod_auth_radius-1.5.7/apache-1.3.X:
mod_auth_radius.nasnamev2.diff
Patch for mod_auth_radius-1.5.7/apache-2.0.X:
mod_auth_radius-2.0.nasnamev2.diff