Apache With RADIUS – Two Or More RADIUS Servers

Posted by Lisa Patel / March 16, 2012

We recently added support for RADIUS to Mini Maxwell. This allows Mini Maxwell to be controlled by HTTPS.

We first used the relatively well known mod_auth_radius module for the Apache web server.

However we hit a snag – mod_auth_radius can handle only one RADIUS server. It has no way to define a fallback RADIUS server that will be used if the primary one is non-responsive.

We found an alternative – mod_auth_xradius.

However, the current version, v.0.4.6 is fairly old and needs some patches to give it the ability to accommodate multiple RADIUS servers.

We found some useful material at http://www.howtoforge.com/apache_radius_two_factor_authentication. However the patch shown there had some white-space issues which caused the patch process to fail.

So below is a version of the patch that we use – it is essentially identical to the original patch but with clean white-space.

  1. Pull the patch shown below into a file, let’s call it patch-file.txt
  2. Fetch the distribution file: http://www.outoforder.cc/downloads/mod_auth_xradius/mod_auth_xradius-0.4.6.tar.bz2:
    wget http://www.outoforder.cc/downloads/mod_auth_xradius/mod_auth_xradius-0.4.6.tar.bz2
  3. Unpack it:
    tar xjf mod_auth_xradius-0.4.6.tar.bz2
  4. Go into the top level directory:
    cd mod_auth_xradius-0.4.6
  5. Apply the patch:
    patch -p0 < patch-file.txt
  6. You should get a success message that may look like this:
    patching file src/mod_auth_xradius.c
  7. Now you need to build the module and install it using the instructions shown at http://www.outoforder.cc/projects/httpd/mod_auth_xradius/docs/
  8. We’ve included a chunk of our Apache configuration file to show how we configure this module.
    Note the AuthBasicProvider xradius line.
--- src/mod_auth_xradius.c.orig    2012-03-15 14:19:25.000000000 -0700
+++ src/mod_auth_xradius.c  2012-03-15 14:23:20.000000000 -0700
@@ -125,15 +125,15 @@
     rctx = xrad_auth_open();

     /* Loop through the array of RADIUS Servers, adding them to the rctx object */
-    sr = (xrad_server_info *) dc->servers->elts;
     for (i = 0; i servers->nelts; ++i) {        
-        rc = xrad_add_server(rctx, sr[i].hostname, sr[i].port, sr[i].secret,
+        sr = &(((xrad_server_info*)dc->servers->elts)[i]);
+        rc = xrad_add_server(rctx, sr->hostname, sr->port, sr->secret,
                              dc->timeout, dc->maxtries);

         if (rc != 0) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                           "xradius: Failed to add server '%s:%d': (%d) %s",
-                          sr[i].hostname, sr[i].port, rc, xrad_strerror(rctx));
+                          sr->hostname, sr->port, rc, xrad_strerror(rctx));
             goto run_cleanup;
         }        
     }
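Review bot: The context line for the loop header, `for (i = 0; i servers->nelts; ++i) {`, is not valid C: the comparison operator and the `dc->` prefix used on the surrounding lines are missing, so the hunk as shown will not match the source file until that line is restored from the original. The pointer rewrite itself does not change behaviour, since `sr[i].hostname` and the new `sr->hostname` both step through `elts` in `sizeof(xrad_server_info)` strides; the loop is only correct once the array is created with that element size, which is what the second hunk does. If the per-iteration form is kept, `sr = &APR_ARRAY_IDX(dc->servers, i, xrad_server_info);` expresses it with less casting.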
@@ -294,7 +294,7 @@
     /* To properly use the Pools, this array is allocated from the here, instead of
         inside the directory configuration creation function. */
     if (dc->servers == NULL) {
-        dc->servers = apr_array_make(parms->pool, 4, sizeof(xrad_server_info*));
+        dc->servers = apr_array_make(parms->pool, 4, sizeof(xrad_server_info));
     }

     sr = apr_array_push(dc->servers);
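Review bot: Missing explanation on the `apr_array_make` line: nothing records why the element size matters, and this one-token change is the actual fix. With `sizeof(xrad_server_info*)` each slot handed back by `apr_array_push` is only pointer-sized, while the auth loop reads entries as whole `xrad_server_info` structs, so a struct written into one slot spills into the next and a second server's entry overlaps the first. Add a short comment saying so, and consider `sizeof(*sr)` (assuming `sr` is declared `xrad_server_info *` in this function, as in the loop) so the element size stays tied to the type that receives the pushed slot.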
## This Loads mod_auth_xradius into Apache
LoadModule auth_xradius_module /usr/lib/apache/mod_auth_xradius.so

# AuthXRadiusCache none -
AuthXRadiusCache dbm "/var/cache/auth_xradius_cache"
AuthXRadiusCacheTimeout 300

# See http://www.outoforder.cc/projects/httpd/mod_auth_xradius/docs/
AuthName "RADIUS authentication for something or other"
AuthType Basic
AuthXRadiusAddServer "10.0.0.10:1812" "2secrets"
AuthXRadiusAddServer "10.0.0.11:1812" "secret1"
AuthXRadiusTimeout 5
AuthXRadiusRetries 3
AuthBasicProvider xradius
Require valid-user
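
Why the unpatched module cannot hold a second server, shown as an added example that is not code from mod_auth_xradius or APR: `toy_array` is a constructed model of an APR array's element-size bookkeeping, `server_info` stands in for `xrad_server_info`, and the hosts and secrets are constructed sample values. It assumes the directive handler fills a whole struct into each pushed slot.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for xrad_server_info; field names are the ones the patch uses. */
typedef struct { const char *hostname; int port; const char *secret; } server_info;

/* Constructed model of an APR array's elt_size bookkeeping, not APR code. */
typedef struct {
    unsigned char buf[512];  /* oversized and zeroed so the demo itself stays in bounds */
    size_t elt_size;         /* slot stride fixed when the array is created */
    int nelts;
} toy_array;

/* Constructed sample values. */
static const char *const HOSTS[2]   = { "10.0.0.10", "10.0.0.11" };
static const char *const SECRETS[2] = { "constructed-secret-a", "constructed-secret-b" };

/* Like apr_array_push: return the next slot, elt_size bytes after the previous one. */
static void *toy_push(toy_array *a) {
    return a->buf + (size_t)a->nelts++ * a->elt_size;
}

/* Read entry i the way the auth loop indexes it: stride sizeof(server_info). */
static server_info read_server(const toy_array *a, int i) {
    server_info s;
    memcpy(&s, a->buf + (size_t)i * sizeof s, sizeof s);
    return s;
}

/* Push both servers with the given elt_size; return how many read back intact. */
int servers_intact(size_t elt_size) {
    toy_array a;
    int i, ok = 0;
    memset(&a, 0, sizeof a);
    a.elt_size = elt_size;
    for (i = 0; i < 2; ++i) {
        server_info s = { HOSTS[i], 1812, SECRETS[i] };
        memcpy(toy_push(&a), &s, sizeof s);  /* assumed: handler fills a whole struct */
    }
    for (i = 0; i < 2; ++i) {
        server_info s = read_server(&a, i);
        /* Compare pointer values only; a clobbered pointer must not be dereferenced. */
        if (s.hostname == HOSTS[i] && s.port == 1812 && s.secret == SECRETS[i]) ok++;
    }
    return ok;
}

int main(void) {
    printf("elt_size = sizeof(server_info *): %d of 2 intact\n", servers_intact(sizeof(server_info *)));
    printf("elt_size = sizeof(server_info):   %d of 2 intact\n", servers_intact(sizeof(server_info)));
    return 0;
}
```

With the pointer-sized stride the second entry never reads back as configured, which is why a fallback server cannot work before the patch.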
