FolkeHacks - mod_auth_radius NAS-Identifier Enhancement

mod_auth_radius NAS-Identifier Enhancement

This is a hack for the mod_auth_radius authentication module for Apache 1.3 and 2.0 from www.freeradius.org/mod_auth_radius/.

With mod_auth_radius you can do Basic authentication against a RADIUS server.

mod_auth_radius sends only the hostname of the accessed website's virtual host as the NAS-Identifier. If you have several secured websites within one virtual host and want your RADIUS server to check which of them is being accessed, you probably need my patch.

The mod_auth_radius NAS-Identifier Enhancement lets you set the NAS-Identifier on a per-directory basis (.htaccess or <Location ...>).

Version v2 / Security fix
mod_auth_radius uses cookies to cache the authentication.
That cookie is an md5sum of username, password, hostname and some other strings, but it did _not_ contain the NAS-Identifier.
So after a successful authentication, a browser holding a valid cookie was able to access other directories on the same VirtualHost, even if the RADIUS server would not grant that user access to the second directory (identified by its NAS-Identifier).

v2 includes the NAS-identifier in the cookie.
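
The effect of the v2 change, as an added Python model that is not code from mod_auth_radius or from the patch. The field order, separator, secret, expiry and all names (`cookie_tag`, `cookie_accepted`, `replay_across_directories`, the sample host and NAS names) are assumptions; only "MD5 over username, password, hostname and other strings, with the NAS-Identifier added in v2" comes from the text above.

```python
import hashlib
import hmac

SERVER_SECRET = "constructed-secret"   # constructed; stands in for "some other strings"
HOSTNAME = "intranet.example.org"      # constructed virtual-host name
EXPIRY = 1700003600                    # constructed cookie expiry timestamp


def cookie_tag(user, password, nas_name=None):
    """MD5 tag stored in the auth cookie.

    nas_name=None models the pre-v2 cookie (NAS-Identifier left out);
    passing a name models v2. Field order and separator are assumptions.
    """
    fields = [SERVER_SECRET, user, password, HOSTNAME, str(EXPIRY)]
    if nas_name is not None:
        fields.append(nas_name)
    return hashlib.md5("\x00".join(fields).encode()).hexdigest()


def cookie_accepted(cookie, user, password, dir_nas_name, bind_nas):
    """Per-directory check that decides whether the RADIUS request is skipped."""
    expected = cookie_tag(user, password, dir_nas_name if bind_nas else None)
    return hmac.compare_digest(cookie, expected)


def replay_across_directories(bind_nas):
    """Log in to one directory, then present the same cookie to another.

    Returns (accepted_in_original_dir, accepted_in_other_dir).
    """
    user, password = "alice", "constructed-password"
    issued_for, other = "sql-admin", "hr-files"   # constructed AuthRadiusNasName values
    # Cookie set after the RADIUS server accepted alice for "sql-admin" only.
    cookie = cookie_tag(user, password, issued_for if bind_nas else None)
    return (
        cookie_accepted(cookie, user, password, issued_for, bind_nas),
        cookie_accepted(cookie, user, password, other, bind_nas),
    )


if __name__ == "__main__":
    print("pre-v2:", replay_across_directories(bind_nas=False))
    print("v2:    ", replay_across_directories(bind_nas=True))
```

With the NAS-Identifier bound into the tag, the second directory computes a different expected value, so the cached cookie no longer matches there and the request falls back to a RADIUS check for that directory.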

Note for Apache 2 users
mod_auth_radius with Apache 2 has some problems with reauthenticating.
Also, the cookie caching isn't very smooth.

Apache 2 users should use mod_auth_xradius instead.
It caches on the server using dbm or memcache.

mod_auth_xradius also has no NAS-Identifier support.
But I also have a patch for it: go to my mod_auth_xradius NAS-Identifier hack.

# cat mod_auth_radius[-2.0].nasnamev2.diff | patch -p0
# apxs[2] -i [-a] -c mod_auth_radius[-2.0].c # with -a (activate) 'LoadModule' is written to httpd.conf
The parameter AuthRadiusNasName is new and has to be set! Otherwise an internal server error is generated.
A sample config looks like this:

AddRadiusAuth 1234567 5:1
AddRadiusCookieValid 60
AuthType Basic
AuthName "SQL-Admin"
AuthAuthoritative off
AuthRadiusAuthoritative on
AuthRadiusCookieValid 60
AuthRadiusActive On
require valid-user
AuthRadiusNasName "anystringwhichissenttoradiusserver"

Patch for mod_auth_radius-1.5.7/apache-1.3.X: mod_auth_radius.nasnamev2.diff
Patch for mod_auth_radius-1.5.7/apache-2.0.X: mod_auth_radius-2.0.nasnamev2.diff



© 1999-2024 by Folke Ashberg