How To Configure Apache To Use Radius For Two-Factor Authentication On Ubuntu 12.04
Jumat, 25 Mei 2012
0
komentar
http://www.howtoforge.com/how-to-configure-apache-to-use-radius-for-two-factor-authentication-on-ubuntu-12.04
It is also recommended that you consider using mutual https authentication for web applications that are worthy of two-factor authentication. Strong mutual authentication means that the targeted website is authenticated to the user in some cryptographically secure manner, thwarting most man-in-the-middle attacks.
The WiKID open-source software token performs mutual authentication by retrieving a hash of the website's SSL certificate from the WiKID server and comparing a hash of the downloaded SSL certificate. If the two match, the token will launch the default browser to the target site for the user. If they don't match an error will be displayed, much like SSH. To configure mutual authentication for web applications, see this tutorial.
Our configuration was as follows:
So, start by adding a new Radius network client to the WiKID server for your web server:
Now to get Apache ready for two-factor authentication. I started from a fresh Ubuntu 12.04 install so I had to install both apache and mod_auth_radius.
Create a directory that will be protected by two-factor authentication. In this case, /secure. Enter this into your sites-available/default:
That should be all you need. You can use a .htaccess file, but that is frowned upon. The Location method is deemed more secure.
It is also recommended that you consider using mutual https authentication for web applications that are worthy of two-factor authentication. Strong mutual authentication means that the targeted website is authenticated to the user in some cryptographically secure manner, thwarting most man-in-the-middle attacks.
The WiKID open-source software token performs mutual authentication by retrieving a hash of the website's SSL certificate from the WiKID server and comparing a hash of the downloaded SSL certificate. If the two match, the token will launch the default browser to the target site for the user. If they don't match an error will be displayed, much like SSH. To configure mutual authentication for web applications, see this tutorial.
Our configuration was as follows:
- Ubuntu 12.04
- Apache 2.2.22
- libapache2-mod-auth-radius 1.5.8-1
- For two-factor authentication, we were using WiKID, in this case, the commercial version. For complete installation instructions, please visit: http://www.wikidsystems.com/support/wikid-support-center/installation-how-tos
So, start by adding a new Radius network client to the WiKID server for your web server:
- Log into WiKID server web interface (http://yourwikidserver/WiKIDAdmin).
- Select Network Clients tab.
- Click on Create New Network Client.
- Fill in the requested information.
- For the IP Address, use the web server IP address.
- For Protocol, select Radius.
- Hit the Add button, and on the next page, enter a shared secret.
- Do not enter anything into the Return Attribute box.
- From the terminal or via ssh, run 'stop' and then 'start' to load the network client into the built-in WiKID radius server.
Now to get Apache ready for two-factor authentication. I started from a fresh Ubuntu 12.04 install so I had to install both apache and mod_auth_radius.
$ sudo apt-get install apache2 libapache2-mod-auth-radius
Ubuntu now has Apache's configuration files separated by virtual hosts. For this example, I edited /etc/apache2/sites-available/default.
Create a directory that will be protected by two-factor authentication. In this case, /secure. Enter this into your sites-available/default:
Note radius_auth_module. To validate that the module is loaded use this command:
AddRadiusAuth 10.100.0.109:1812 apache_secret 5:3
AddRadiusCookieValid 5
AuthType Basic
AuthName "WiKID two-factor authentication for default site"
AuthBasicProvider radius
AuthRadiusCookieValid 5
AuthRadiusActive On
require valid-user
sudo apachectl -M | grep radius
You will want to change wikid_server_address to the IP address of the WiKID server and wikidserver_shared_secret to the shared secret you configured above in the WiKID server. Note that the the AddRadiusAuth line ends with 5 and not 5:3. The 3 in the later setting is for the number of times to attempt a password use. For one-time passwords, we only want them tried once, therefore we leave it empty. The 5 is for a 5 second time out. The AuthRadiusCookieValid directive is set for 60 minutes. That should be all you need. You can use a .htaccess file, but that is frowned upon. The Location method is deemed more secure.
Links
- WiKID Strong Authentication - Two-Factor Authentication
- Mod-auth-radius - mod-auth-radius
- Apache - The Apache Webserver
Related Tutorials
TERIMA KASIH ATAS KUNJUNGAN SAUDARA
Judul: How To Configure Apache To Use Radius For Two-Factor Authentication On Ubuntu 12.04
Ditulis oleh Unknown
Rating Blog 5 dari 5
Semoga artikel ini bermanfaat bagi saudara. Jika ingin mengutip, baik itu sebagian atau keseluruhan dari isi artikel ini harap menyertakan link dofollow ke http://androidjapane.blogspot.com/2012/05/how-to-configure-apache-to-use-radius.html. Terima kasih sudah singgah membaca artikel ini.Ditulis oleh Unknown
Rating Blog 5 dari 5
Categories:
0 komentar:
Posting Komentar